
detect damaged infections of Magistr

git-svn: trunk@2524

Tomasz Kojm authored on 2006/11/28 09:49:50
Showing 3 changed files
@@ -1,3 +1,7 @@
1
+Tue Nov 28 01:47:08 CET 2006 (tk)
2
+---------------------------------
3
+  * libclamav/pe.c: detect damaged infections of Magistr
4
+
1 5
 Mon Nov 27 16:51:43 CET 2006 (acab)
2 6
 -----------------------------------
3 7
   * libclamav/pe.c: Fix merge bug in new PE model
@@ -28,6 +28,7 @@ struct cli_exe_section {
28 28
     uint32_t uvsz; /* unaligned vsz */
29 29
     uint32_t raw;
30 30
     uint32_t rsz;
31
+    uint32_t ursz;
31 32
 };
32 33
 
33 34
 struct cli_exe_info {
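Review bot: The new `ursz` member is the only field of `struct cli_exe_section` visible here without a comment, while its sibling `uvsz` carries `/* unaligned vsz */`; from the pe.c hunk it receives the raw `SizeOfRawData` before `PESALIGN` and, unlike `rsz`, is never clamped to the file size. Suggest `uint32_t ursz; /* unaligned rsz: raw SizeOfRawData, not clamped to the file size */` so readers do not mistake it for a safe bound. The struct definition starts before this hunk.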
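--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -634,6 +634,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	exe_sections[i].uvsz = EC32(section_hdr[i].VirtualSize);
 	exe_sections[i].raw = PEALIGN(EC32(section_hdr[i].PointerToRawData), falign);
 	exe_sections[i].rsz = PESALIGN(EC32(section_hdr[i].SizeOfRawData), falign);
+	exe_sections[i].ursz = EC32(section_hdr[i].SizeOfRawData);
 	if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz))
 	    exe_sections[i].rsz = fsize - exe_sections[i].raw;
 	
@@ -854,18 +855,22 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 
     /* W32.Magistr.A/B */
     if(SCAN_ALGO && !dll && (EC32(section_hdr[nsections - 1].Characteristics) & 0x80000000)) {
-	    uint32_t rsize, vsize;
+	    uint32_t rsize, vsize, dam = 0;
 
-	rsize = exe_sections[nsections - 1].rsz;
 	vsize = exe_sections[nsections - 1].uvsz;
+	rsize = exe_sections[nsections - 1].rsz;
+	if(rsize < exe_sections[nsections - 1].ursz) {
+	    rsize = exe_sections[nsections - 1].ursz;
+	    dam = 1;
+	}
 
-	if(rsize >= 0x612c && vsize >= 0x612c && ((vsize & 0xff) == 0xec)) {
+	if(vsize >= 0x612c && rsize >= 0x612c && ((vsize & 0xff) == 0xec)) {
 		int bw = rsize < 0x7000 ? rsize : 0x7000;
 
 	    lseek(desc, exe_sections[nsections - 1].raw + rsize - bw, SEEK_SET);
 	    if(cli_readn(desc, buff, 4096) == 4096) {
 		if(cli_memstr(buff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
-		    *ctx->virname = "W32.Magistr.A";
+		    *ctx->virname = dam ? "W32.Magistr.A.dam" : "W32.Magistr.A";
 		    free(section_hdr);
 		    free(exe_sections);
 		    return CL_VIRUS;
@@ -878,7 +883,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	    lseek(desc, exe_sections[nsections - 1].raw + rsize - bw, SEEK_SET);
 	    if(cli_readn(desc, buff, 4096) == 4096) {
 		if(cli_memstr(buff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
-		    *ctx->virname = "W32.Magistr.B";
+		    *ctx->virname = dam ? "W32.Magistr.B.dam" : "W32.Magistr.B";
 		    free(section_hdr);
 		    free(exe_sections);
 		    return CL_VIRUS;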
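Review bot: In the `@@ -854` hunk `rsize` may now be taken from `ursz`, which unlike `rsz` is never clamped to the file size (the clamp in the first hunk only adjusts `rsz`), so the `uint32_t` expression `exe_sections[nsections - 1].raw + rsize - bw` can point past EOF or wrap, and the `lseek` result is not checked. The `cli_readn(desc, buff, 4096) == 4096` test keeps the read inside `buff`, so this is not a memory-safety problem, but a wrapped offset silently probes an unrelated part of the file. A cheap guard before each seek would be `uint32_t off = exe_sections[nsections - 1].raw + rsize - bw;` followed by `if(off >= exe_sections[nsections - 1].raw && off < (uint32_t) fsize && lseek(desc, off, SEEK_SET) == off && cli_readn(desc, buff, 4096) == 4096) {`; the same applies to the seek in the `@@ -878` hunk. The new `dam` flag would also read better with a comment such as `/* header claims more raw data than the clamped rsz: truncated/damaged copy */`. cli_scanpe begins and ends outside these hunks.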