... | ... |
@@ -24,6 +24,8 @@ |
24 | 24 |
#include "clamav-config.h" |
25 | 25 |
#endif |
26 | 26 |
|
27 |
+#define _XOPEN_SOURCE 500 |
|
28 |
+ |
|
27 | 29 |
#include <sys/types.h> |
28 | 30 |
#include <sys/stat.h> |
29 | 31 |
#include <fcntl.h> |
... | ... |
@@ -197,3 +199,53 @@ int cli_scanishield_msi(int desc, cli_ctx *ctx, off_t off) { |
197 | 197 |
} |
198 | 198 |
return CL_CLEAN; |
199 | 199 |
} |
200 |
+ |
|
201 |
+ |
|
202 |
+int cli_scanishield(int desc, cli_ctx *ctx, off_t off, size_t sz) { |
|
203 |
+ char *fname, *path, *version, *strsz, *eostr, *data; |
|
204 |
+ char buf[2048]; |
|
205 |
+ int rd; |
|
206 |
+ long int fsize; |
|
207 |
+ off_t coff = off; |
|
208 |
+ |
|
209 |
+ while(1) { |
|
210 |
+ rd = pread(desc, buf, sizeof(buf), coff); |
|
211 |
+ if(rd <= 0) |
|
212 |
+ break; |
|
213 |
+ |
|
214 |
+ fname = buf; |
|
215 |
+ if(!*fname) break; |
|
216 |
+ path = memchr(fname, 0, rd); |
|
217 |
+ if(!path) |
|
218 |
+ break; |
|
219 |
+ |
|
220 |
+ path++; |
|
221 |
+ rd -= (path - buf); |
|
222 |
+ if(rd<=0 || !(version = memchr(path, 0, rd))) |
|
223 |
+ break; |
|
224 |
+ |
|
225 |
+ version++; |
|
226 |
+ rd -= (version - path); |
|
227 |
+ if(rd<=0 || !(strsz = memchr(version, 0, rd))) |
|
228 |
+ break; |
|
229 |
+ |
|
230 |
+ strsz++; |
|
231 |
+ rd -= (strsz - version); |
|
232 |
+ if(rd<=0 || !(data = memchr(strsz, 0, rd))) |
|
233 |
+ break; |
|
234 |
+ |
|
235 |
+ data++; |
|
236 |
+ fsize = strtol(strsz, &eostr, 10); |
|
237 |
+ if(fsize == LONG_MIN || fsize == LONG_MAX || !*strsz || !eostr || eostr == strsz || *eostr) |
|
238 |
+ break; |
|
239 |
+ |
|
240 |
+ if((data - buf) + fsize > sz) |
|
241 |
+ break; |
|
242 |
+ |
|
243 |
+ cli_errmsg("@%x: found file %s (%s) - version %s - size %u\n", coff, fname, path, version, fsize); |
|
244 |
+ sz -= (data - buf) + fsize; |
|
245 |
+ coff += (data - buf) + fsize; |
|
246 |
+ |
|
247 |
+ } |
|
248 |
+ return CL_CLEAN; |
|
249 |
+} |
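Review bot: The loop in `cli_scanishield` can spin forever on crafted input: `strtol` at new line 236 accepts a negative size, the check at line 237 does not reject it, and a size of exactly `-(data - buf)` makes the advance at lines 244–245 zero, so `pread` re-reads the same header at the same `coff` indefinitely (a smaller negative value advances by less than the header just consumed and re-parses inside it). Adding `fsize < 0` to the line-237 condition, `if(fsize < 0 || fsize == LONG_MAX || !*strsz || !eostr || eostr == strsz || *eostr)`, closes it, since with a non-negative size every iteration consumes at least the four NUL-terminated fields and `sz` strictly decreases. The `cli_errmsg` at line 243 passes an `off_t` to `%x` and a `long` to `%u`, which is undefined; an informational message belongs in `cli_dbgmsg` with matching conversions, e.g. `cli_dbgmsg("@%lx: found file %s (%s) - version %s - size %ld\n", (unsigned long)coff, fname, path, version, fsize);`. `(data - buf) + fsize` at line 240 is signed-long arithmetic and can overflow when `fsize` is just below `LONG_MAX`; rejecting `(size_t)fsize > sz` before the addition avoids that. The `#define _XOPEN_SOURCE 500` in the first hunk, needed for the `pread` prototype, comes after `clamav-config.h` is included; if that header pulls in any system header the feature-test macro arrives too late, so it belongs above the config include.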
... | ... |
@@ -57,6 +57,7 @@ |
57 | 57 |
#include "matcher-bm.h" |
58 | 58 |
#include "disasm.h" |
59 | 59 |
#include "special.h" |
60 |
+#include "ishield.h" |
|
60 | 61 |
|
61 | 62 |
#ifndef O_BINARY |
62 | 63 |
#define O_BINARY 0 |
... | ... |
@@ -436,7 +437,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
436 | 436 |
char sname[9], buff[4096], epbuff[4096], *tempfile; |
437 | 437 |
uint32_t epsize; |
438 | 438 |
ssize_t bytes; |
439 |
- unsigned int i, found, upx_success = 0, min = 0, max = 0, err; |
|
439 |
+ unsigned int i, found, upx_success = 0, min = 0, max = 0, err, overlays = 0; |
|
440 | 440 |
unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0; |
441 | 441 |
int (*upxfn)(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL; |
442 | 442 |
char *src = NULL, *dest = NULL; |
... | ... |
@@ -976,8 +977,10 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
976 | 976 |
if(exe_sections[i].rva < min) |
977 | 977 |
min = exe_sections[i].rva; |
978 | 978 |
|
979 |
- if(exe_sections[i].rva + exe_sections[i].rsz > max) |
|
979 |
+ if(exe_sections[i].rva + exe_sections[i].rsz > max) { |
|
980 | 980 |
max = exe_sections[i].rva + exe_sections[i].rsz; |
981 |
+ overlays = exe_sections[i].raw + exe_sections[i].rsz; |
|
982 |
+ } |
|
981 | 983 |
} |
982 | 984 |
} |
983 | 985 |
|
... | ... |
@@ -1016,6 +1019,12 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1016 | 1016 |
return ret; |
1017 | 1017 |
} |
1018 | 1018 |
|
1019 |
+ if(overlays) { |
|
1020 |
+ int overlays_sz = fsize - overlays; |
|
1021 |
+ if(overlays_sz > 0) |
|
1022 |
+ cli_scanishield(desc, ctx, overlays, overlays_sz); |
|
1023 |
+ } |
|
1024 |
+ |
|
1019 | 1025 |
/* Attempt to detect some popular polymorphic viruses */ |
1020 | 1026 |
|
1021 | 1027 |
/* W32.Parite.B */ |
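Review bot: The overlay start computed at new line 981, `overlays = exe_sections[i].raw + exe_sections[i].rsz;`, is taken from the section with the largest virtual extent rather than the largest raw extent, so on a file whose sections are not laid out in RVA order `overlays` can land inside another section's raw data instead of after the last one; tracking the raw end with its own maximum, `if(exe_sections[i].raw + exe_sections[i].rsz > overlays) overlays = exe_sections[i].raw + exe_sections[i].rsz;`, gives the intended end-of-sections offset. At new line 1020, `int overlays_sz = fsize - overlays;` truncates the difference to `int`; if `fsize` is wider than `int` (its declaration is outside the hunk) a file over 2 GiB can yield a positive but wrong size, so compare first and keep the width: `if(fsize > overlays) cli_scanishield(desc, ctx, overlays, (size_t)(fsize - overlays));`. The return value of `cli_scanishield` is discarded at line 1022; it only returns `CL_CLEAN` today but should be propagated like the other `ret` paths once it can report a detection. cli_scanpe's body begins and ends outside these hunks.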