...
|
...
|
@@ -722,49 +722,49 @@ static void add_section_info(cli_ctx *ctx, struct cli_exe_section *s)
|
722
|
722
|
|
723
|
723
|
int cli_scanpe(cli_ctx *ctx)
|
724
|
724
|
{
|
725
|
|
- uint16_t e_magic; /* DOS signature ("MZ") */
|
726
|
|
- uint16_t nsections;
|
727
|
|
- uint32_t e_lfanew; /* address of new exe header */
|
728
|
|
- uint32_t ep, vep; /* entry point (raw, virtual) */
|
729
|
|
- uint8_t polipos = 0;
|
730
|
|
- time_t timestamp;
|
731
|
|
- struct pe_image_file_hdr file_hdr;
|
732
|
|
- union {
|
733
|
|
- struct pe_image_optional_hdr64 opt64;
|
734
|
|
- struct pe_image_optional_hdr32 opt32;
|
735
|
|
- } pe_opt;
|
736
|
|
- struct pe_image_section_hdr *section_hdr;
|
737
|
|
- char sname[9], epbuff[4096], *tempfile;
|
738
|
|
- uint32_t epsize;
|
739
|
|
- ssize_t bytes, at;
|
740
|
|
- unsigned int i, j, found, upx_success = 0, min = 0, max = 0, err, overlays = 0, rescan = 1;
|
741
|
|
- unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0, corrupted_cur;
|
742
|
|
- int (*upxfn)(const char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL;
|
743
|
|
- const char *src = NULL;
|
744
|
|
- char *dest = NULL;
|
745
|
|
- int ndesc, ret = CL_CLEAN, upack = 0, native=0;
|
746
|
|
- size_t fsize;
|
747
|
|
- uint32_t valign, falign, hdr_size;
|
748
|
|
- struct cli_exe_section *exe_sections;
|
749
|
|
- char timestr[32];
|
750
|
|
- struct pe_image_data_dir *dirs;
|
751
|
|
- struct cli_bc_ctx *bc_ctx;
|
752
|
|
- fmap_t *map;
|
753
|
|
- struct cli_pe_hook_data pedata;
|
|
725
|
+ uint16_t e_magic; /* DOS signature ("MZ") */
|
|
726
|
+ uint16_t nsections;
|
|
727
|
+ uint32_t e_lfanew; /* address of new exe header */
|
|
728
|
+ uint32_t ep, vep; /* entry point (raw, virtual) */
|
|
729
|
+ uint8_t polipos = 0;
|
|
730
|
+ time_t timestamp;
|
|
731
|
+ struct pe_image_file_hdr file_hdr;
|
|
732
|
+ union {
|
|
733
|
+ struct pe_image_optional_hdr64 opt64;
|
|
734
|
+ struct pe_image_optional_hdr32 opt32;
|
|
735
|
+ } pe_opt;
|
|
736
|
+ struct pe_image_section_hdr *section_hdr;
|
|
737
|
+ char sname[9], epbuff[4096], *tempfile;
|
|
738
|
+ uint32_t epsize;
|
|
739
|
+ ssize_t bytes, at;
|
|
740
|
+ unsigned int i, j, found, upx_success = 0, min = 0, max = 0, err, overlays = 0, rescan = 1;
|
|
741
|
+ unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0, corrupted_cur;
|
|
742
|
+ int (*upxfn)(const char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL;
|
|
743
|
+ const char *src = NULL;
|
|
744
|
+ char *dest = NULL;
|
|
745
|
+ int ndesc, ret = CL_CLEAN, upack = 0, native=0;
|
|
746
|
+ size_t fsize;
|
|
747
|
+ uint32_t valign, falign, hdr_size;
|
|
748
|
+ struct cli_exe_section *exe_sections;
|
|
749
|
+ char timestr[32];
|
|
750
|
+ struct pe_image_data_dir *dirs;
|
|
751
|
+ struct cli_bc_ctx *bc_ctx;
|
|
752
|
+ fmap_t *map;
|
|
753
|
+ struct cli_pe_hook_data pedata;
|
754
|
754
|
#ifdef HAVE__INTERNAL__SHA_COLLECT
|
755
|
|
- int sha_collect = ctx->sha_collect;
|
|
755
|
+ int sha_collect = ctx->sha_collect;
|
756
|
756
|
#endif
|
757
|
757
|
const char *archtype=NULL, *subsystem=NULL;
|
758
|
|
- uint32_t viruses_found = 0;
|
|
758
|
+ uint32_t viruses_found = 0;
|
759
|
759
|
#if HAVE_JSON
|
760
|
|
- int toval = 0;
|
761
|
|
- struct json_object *pe_json=NULL;
|
762
|
|
- char jsonbuf[128];
|
|
760
|
+ int toval = 0;
|
|
761
|
+ struct json_object *pe_json=NULL;
|
|
762
|
+ char jsonbuf[128];
|
763
|
763
|
#endif
|
764
|
764
|
|
765
|
765
|
if(!ctx) {
|
766
|
|
- cli_errmsg("cli_scanpe: ctx == NULL\n");
|
767
|
|
- return CL_ENULLARG;
|
|
766
|
+ cli_errmsg("cli_scanpe: ctx == NULL\n");
|
|
767
|
+ return CL_ENULLARG;
|
768
|
768
|
}
|
769
|
769
|
|
770
|
770
|
#if HAVE_JSON
|
...
|
...
|
@@ -778,41 +778,42 @@ int cli_scanpe(cli_ctx *ctx)
|
778
|
778
|
#endif
|
779
|
779
|
map = *ctx->fmap;
|
780
|
780
|
if(fmap_readn(map, &e_magic, 0, sizeof(e_magic)) != sizeof(e_magic)) {
|
781
|
|
- cli_dbgmsg("Can't read DOS signature\n");
|
782
|
|
- return CL_CLEAN;
|
|
781
|
+ cli_dbgmsg("Can't read DOS signature\n");
|
|
782
|
+ return CL_CLEAN;
|
783
|
783
|
}
|
784
|
784
|
|
785
|
785
|
if(EC16(e_magic) != PE_IMAGE_DOS_SIGNATURE && EC16(e_magic) != PE_IMAGE_DOS_SIGNATURE_OLD) {
|
786
|
|
- cli_dbgmsg("Invalid DOS signature\n");
|
787
|
|
- return CL_CLEAN;
|
|
786
|
+ cli_dbgmsg("Invalid DOS signature\n");
|
|
787
|
+ return CL_CLEAN;
|
788
|
788
|
}
|
789
|
789
|
|
790
|
790
|
if(fmap_readn(map, &e_lfanew, 58 + sizeof(e_magic), sizeof(e_lfanew)) != sizeof(e_lfanew)) {
|
791
|
|
- cli_dbgmsg("Can't read new header address\n");
|
792
|
|
- /* truncated header? */
|
793
|
|
- if(DETECT_BROKEN_PE) {
|
794
|
|
- cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
795
|
|
- return CL_VIRUS;
|
796
|
|
- }
|
797
|
|
- return CL_CLEAN;
|
|
791
|
+ cli_dbgmsg("Can't read new header address\n");
|
|
792
|
+ /* truncated header? */
|
|
793
|
+ if(DETECT_BROKEN_PE) {
|
|
794
|
+ cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
|
795
|
+ return CL_VIRUS;
|
|
796
|
+ }
|
|
797
|
+
|
|
798
|
+ return CL_CLEAN;
|
798
|
799
|
}
|
799
|
800
|
|
800
|
801
|
e_lfanew = EC32(e_lfanew);
|
801
|
802
|
cli_dbgmsg("e_lfanew == %d\n", e_lfanew);
|
802
|
803
|
if(!e_lfanew) {
|
803
|
|
- cli_dbgmsg("Not a PE file\n");
|
804
|
|
- return CL_CLEAN;
|
|
804
|
+ cli_dbgmsg("Not a PE file\n");
|
|
805
|
+ return CL_CLEAN;
|
805
|
806
|
}
|
806
|
807
|
|
807
|
808
|
if(fmap_readn(map, &file_hdr, e_lfanew, sizeof(struct pe_image_file_hdr)) != sizeof(struct pe_image_file_hdr)) {
|
808
|
|
- /* bad information in e_lfanew - probably not a PE file */
|
809
|
|
- cli_dbgmsg("Can't read file header\n");
|
810
|
|
- return CL_CLEAN;
|
|
809
|
+ /* bad information in e_lfanew - probably not a PE file */
|
|
810
|
+ cli_dbgmsg("Can't read file header\n");
|
|
811
|
+ return CL_CLEAN;
|
811
|
812
|
}
|
812
|
813
|
|
813
|
814
|
if(EC32(file_hdr.Magic) != PE_IMAGE_NT_SIGNATURE) {
|
814
|
|
- cli_dbgmsg("Invalid PE signature (probably NE file)\n");
|
815
|
|
- return CL_CLEAN;
|
|
815
|
+ cli_dbgmsg("Invalid PE signature (probably NE file)\n");
|
|
816
|
+ return CL_CLEAN;
|
816
|
817
|
}
|
817
|
818
|
|
818
|
819
|
if(EC16(file_hdr.Characteristics) & 0x2000) {
|
...
|
...
|
@@ -820,108 +821,108 @@ int cli_scanpe(cli_ctx *ctx)
|
820
|
820
|
if ((pe_json))
|
821
|
821
|
cli_jsonstr(pe_json, "Type", "DLL");
|
822
|
822
|
#endif
|
823
|
|
- cli_dbgmsg("File type: DLL\n");
|
824
|
|
- dll = 1;
|
|
823
|
+ cli_dbgmsg("File type: DLL\n");
|
|
824
|
+ dll = 1;
|
825
|
825
|
} else if(EC16(file_hdr.Characteristics) & 0x01) {
|
826
|
826
|
#if HAVE_JSON
|
827
|
827
|
if ((pe_json))
|
828
|
828
|
cli_jsonstr(pe_json, "Type", "EXE");
|
829
|
829
|
#endif
|
830
|
|
- cli_dbgmsg("File type: Executable\n");
|
|
830
|
+ cli_dbgmsg("File type: Executable\n");
|
831
|
831
|
}
|
832
|
832
|
|
833
|
833
|
switch(EC16(file_hdr.Machine)) {
|
834
|
|
- case 0x0:
|
|
834
|
+ case 0x0:
|
835
|
835
|
archtype = "Unknown";
|
836
|
|
- break;
|
837
|
|
- case 0x14c:
|
|
836
|
+ break;
|
|
837
|
+ case 0x14c:
|
838
|
838
|
archtype = "80386";
|
839
|
|
- break;
|
840
|
|
- case 0x14d:
|
|
839
|
+ break;
|
|
840
|
+ case 0x14d:
|
841
|
841
|
archtype = "80486";
|
842
|
|
- break;
|
843
|
|
- case 0x14e:
|
|
842
|
+ break;
|
|
843
|
+ case 0x14e:
|
844
|
844
|
archtype = "80586";
|
845
|
|
- break;
|
846
|
|
- case 0x160:
|
|
845
|
+ break;
|
|
846
|
+ case 0x160:
|
847
|
847
|
archtype = "R30000 (big-endian)";
|
848
|
|
- break;
|
849
|
|
- case 0x162:
|
|
848
|
+ break;
|
|
849
|
+ case 0x162:
|
850
|
850
|
archtype = "R3000";
|
851
|
|
- break;
|
852
|
|
- case 0x166:
|
|
851
|
+ break;
|
|
852
|
+ case 0x166:
|
853
|
853
|
archtype = "R4000";
|
854
|
|
- break;
|
855
|
|
- case 0x168:
|
|
854
|
+ break;
|
|
855
|
+ case 0x168:
|
856
|
856
|
archtype = "R10000";
|
857
|
|
- break;
|
858
|
|
- case 0x184:
|
|
857
|
+ break;
|
|
858
|
+ case 0x184:
|
859
|
859
|
archtype = "DEC Alpha AXP";
|
860
|
|
- break;
|
861
|
|
- case 0x284:
|
|
860
|
+ break;
|
|
861
|
+ case 0x284:
|
862
|
862
|
archtype = "DEC Alpha AXP 64bit";
|
863
|
|
- break;
|
864
|
|
- case 0x1f0:
|
|
863
|
+ break;
|
|
864
|
+ case 0x1f0:
|
865
|
865
|
archtype = "PowerPC";
|
866
|
|
- break;
|
867
|
|
- case 0x200:
|
|
866
|
+ break;
|
|
867
|
+ case 0x200:
|
868
|
868
|
archtype = "IA64";
|
869
|
|
- break;
|
870
|
|
- case 0x268:
|
|
869
|
+ break;
|
|
870
|
+ case 0x268:
|
871
|
871
|
archtype = "M68k";
|
872
|
|
- break;
|
873
|
|
- case 0x266:
|
|
872
|
+ break;
|
|
873
|
+ case 0x266:
|
874
|
874
|
archtype = "MIPS16";
|
875
|
|
- break;
|
876
|
|
- case 0x366:
|
|
875
|
+ break;
|
|
876
|
+ case 0x366:
|
877
|
877
|
archtype = "MIPS+FPU";
|
878
|
|
- break;
|
879
|
|
- case 0x466:
|
|
878
|
+ break;
|
|
879
|
+ case 0x466:
|
880
|
880
|
archtype = "MIPS16+FPU";
|
881
|
|
- break;
|
882
|
|
- case 0x1a2:
|
|
881
|
+ break;
|
|
882
|
+ case 0x1a2:
|
883
|
883
|
archtype = "Hitachi SH3";
|
884
|
|
- break;
|
885
|
|
- case 0x1a3:
|
|
884
|
+ break;
|
|
885
|
+ case 0x1a3:
|
886
|
886
|
archtype = "Hitachi SH3-DSP";
|
887
|
|
- break;
|
888
|
|
- case 0x1a4:
|
|
887
|
+ break;
|
|
888
|
+ case 0x1a4:
|
889
|
889
|
archtype = "Hitachi SH3-E";
|
890
|
|
- break;
|
891
|
|
- case 0x1a6:
|
|
890
|
+ break;
|
|
891
|
+ case 0x1a6:
|
892
|
892
|
archtype = "Hitachi SH4";
|
893
|
|
- break;
|
894
|
|
- case 0x1a8:
|
|
893
|
+ break;
|
|
894
|
+ case 0x1a8:
|
895
|
895
|
archtype = "Hitachi SH5";
|
896
|
|
- break;
|
897
|
|
- case 0x1c0:
|
|
896
|
+ break;
|
|
897
|
+ case 0x1c0:
|
898
|
898
|
archtype = "ARM";
|
899
|
|
- break;
|
900
|
|
- case 0x1c2:
|
|
899
|
+ break;
|
|
900
|
+ case 0x1c2:
|
901
|
901
|
archtype = "THUMB";
|
902
|
|
- break;
|
903
|
|
- case 0x1d3:
|
|
902
|
+ break;
|
|
903
|
+ case 0x1d3:
|
904
|
904
|
archtype = "AM33";
|
905
|
|
- break;
|
906
|
|
- case 0x520:
|
|
905
|
+ break;
|
|
906
|
+ case 0x520:
|
907
|
907
|
archtype = "Infineon TriCore";
|
908
|
|
- break;
|
909
|
|
- case 0xcef:
|
|
908
|
+ break;
|
|
909
|
+ case 0xcef:
|
910
|
910
|
archtype = "CEF";
|
911
|
|
- break;
|
912
|
|
- case 0xebc:
|
|
911
|
+ break;
|
|
912
|
+ case 0xebc:
|
913
|
913
|
archtype = "EFI Byte Code";
|
914
|
|
- break;
|
915
|
|
- case 0x9041:
|
|
914
|
+ break;
|
|
915
|
+ case 0x9041:
|
916
|
916
|
archtype = "M32R";
|
917
|
|
- break;
|
918
|
|
- case 0xc0ee:
|
|
917
|
+ break;
|
|
918
|
+ case 0xc0ee:
|
919
|
919
|
archtype = "CEEE";
|
920
|
|
- break;
|
921
|
|
- case 0x8664:
|
|
920
|
+ break;
|
|
921
|
+ case 0x8664:
|
922
|
922
|
archtype = "AMD64";
|
923
|
|
- break;
|
924
|
|
- default:
|
|
923
|
+ break;
|
|
924
|
+ default:
|
925
|
925
|
archtype = "Unknown";
|
926
|
926
|
}
|
927
|
927
|
|
...
|
...
|
@@ -937,18 +938,21 @@ int cli_scanpe(cli_ctx *ctx)
|
937
|
937
|
#if HAVE_JSON
|
938
|
938
|
pe_add_heuristic_property(ctx, "BadNumberOfSections");
|
939
|
939
|
#endif
|
940
|
|
- if(DETECT_BROKEN_PE) {
|
941
|
|
- cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
942
|
|
- return CL_VIRUS;
|
943
|
|
- }
|
944
|
|
- if(!ctx->corrupted_input) {
|
945
|
|
- if(nsections)
|
946
|
|
- cli_warnmsg("PE file contains %d sections\n", nsections);
|
947
|
|
- else
|
948
|
|
- cli_warnmsg("PE file contains no sections\n");
|
949
|
|
- }
|
950
|
|
- return CL_CLEAN;
|
|
940
|
+ if(DETECT_BROKEN_PE) {
|
|
941
|
+ cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
|
942
|
+ return CL_VIRUS;
|
|
943
|
+ }
|
|
944
|
+
|
|
945
|
+ if(!ctx->corrupted_input) {
|
|
946
|
+ if(nsections)
|
|
947
|
+ cli_warnmsg("PE file contains %d sections\n", nsections);
|
|
948
|
+ else
|
|
949
|
+ cli_warnmsg("PE file contains no sections\n");
|
|
950
|
+ }
|
|
951
|
+
|
|
952
|
+ return CL_CLEAN;
|
951
|
953
|
}
|
|
954
|
+
|
952
|
955
|
cli_dbgmsg("NumberOfSections: %d\n", nsections);
|
953
|
956
|
|
954
|
957
|
timestamp = (time_t) EC32(file_hdr.TimeDateStamp);
|
...
|
...
|
@@ -969,21 +973,23 @@ int cli_scanpe(cli_ctx *ctx)
|
969
|
969
|
pe_add_heuristic_property(ctx, "BadOptionalHeaderSize");
|
970
|
970
|
#endif
|
971
|
971
|
cli_dbgmsg("SizeOfOptionalHeader too small\n");
|
972
|
|
- if(DETECT_BROKEN_PE) {
|
973
|
|
- cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
974
|
|
- return CL_VIRUS;
|
975
|
|
- }
|
976
|
|
- return CL_CLEAN;
|
|
972
|
+ if(DETECT_BROKEN_PE) {
|
|
973
|
+ cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
|
974
|
+ return CL_VIRUS;
|
|
975
|
+ }
|
|
976
|
+
|
|
977
|
+ return CL_CLEAN;
|
977
|
978
|
}
|
978
|
979
|
|
979
|
980
|
at = e_lfanew + sizeof(struct pe_image_file_hdr);
|
980
|
981
|
if(fmap_readn(map, &optional_hdr32, at, sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr32)) {
|
981
|
982
|
cli_dbgmsg("Can't read optional file header\n");
|
982
|
|
- if(DETECT_BROKEN_PE) {
|
983
|
|
- cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
984
|
|
- return CL_VIRUS;
|
985
|
|
- }
|
986
|
|
- return CL_CLEAN;
|
|
983
|
+ if(DETECT_BROKEN_PE) {
|
|
984
|
+ cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
|
985
|
+ return CL_VIRUS;
|
|
986
|
+ }
|
|
987
|
+
|
|
988
|
+ return CL_CLEAN;
|
987
|
989
|
}
|
988
|
990
|
at += sizeof(struct pe_image_optional_hdr32);
|
989
|
991
|
|
...
|
...
|
@@ -993,125 +999,129 @@ int cli_scanpe(cli_ctx *ctx)
|
993
|
993
|
pe_add_heuristic_property(ctx, "BadOptionalHeaderSizePE32Plus");
|
994
|
994
|
#endif
|
995
|
995
|
if(EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr64)) {
|
996
|
|
- /* FIXME: need to play around a bit more with xp64 */
|
997
|
|
- cli_dbgmsg("Incorrect SizeOfOptionalHeader for PE32+\n");
|
998
|
|
- if(DETECT_BROKEN_PE) {
|
999
|
|
- cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
1000
|
|
- return CL_VIRUS;
|
1001
|
|
- }
|
1002
|
|
- return CL_CLEAN;
|
1003
|
|
- }
|
1004
|
|
- pe_plus = 1;
|
|
996
|
+ /* FIXME: need to play around a bit more with xp64 */
|
|
997
|
+ cli_dbgmsg("Incorrect SizeOfOptionalHeader for PE32+\n");
|
|
998
|
+
|
|
999
|
+ if(DETECT_BROKEN_PE) {
|
|
1000
|
+ cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
|
1001
|
+ return CL_VIRUS;
|
|
1002
|
+ }
|
|
1003
|
+
|
|
1004
|
+ return CL_CLEAN;
|
|
1005
|
+ }
|
|
1006
|
+ pe_plus = 1;
|
1005
|
1007
|
}
|
1006
|
1008
|
|
1007
|
1009
|
if(!pe_plus) { /* PE */
|
1008
|
|
- if (EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr32)) {
|
1009
|
|
- /* Seek to the end of the long header */
|
1010
|
|
- at += EC16(file_hdr.SizeOfOptionalHeader)-sizeof(struct pe_image_optional_hdr32);
|
1011
|
|
- }
|
|
1010
|
+ if (EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr32)) {
|
|
1011
|
+ /* Seek to the end of the long header */
|
|
1012
|
+ at += EC16(file_hdr.SizeOfOptionalHeader)-sizeof(struct pe_image_optional_hdr32);
|
|
1013
|
+ }
|
1012
|
1014
|
|
1013
|
|
- if(DCONF & PE_CONF_UPACK)
|
1014
|
|
- upack = (EC16(file_hdr.SizeOfOptionalHeader)==0x148);
|
|
1015
|
+ if(DCONF & PE_CONF_UPACK)
|
|
1016
|
+ upack = (EC16(file_hdr.SizeOfOptionalHeader)==0x148);
|
1015
|
1017
|
|
1016
|
|
- vep = EC32(optional_hdr32.AddressOfEntryPoint);
|
1017
|
|
- hdr_size = EC32(optional_hdr32.SizeOfHeaders);
|
1018
|
|
- cli_dbgmsg("File format: PE\n");
|
1019
|
|
-
|
1020
|
|
- cli_dbgmsg("MajorLinkerVersion: %d\n", optional_hdr32.MajorLinkerVersion);
|
1021
|
|
- cli_dbgmsg("MinorLinkerVersion: %d\n", optional_hdr32.MinorLinkerVersion);
|
1022
|
|
- cli_dbgmsg("SizeOfCode: 0x%x\n", EC32(optional_hdr32.SizeOfCode));
|
1023
|
|
- cli_dbgmsg("SizeOfInitializedData: 0x%x\n", EC32(optional_hdr32.SizeOfInitializedData));
|
1024
|
|
- cli_dbgmsg("SizeOfUninitializedData: 0x%x\n", EC32(optional_hdr32.SizeOfUninitializedData));
|
1025
|
|
- cli_dbgmsg("AddressOfEntryPoint: 0x%x\n", vep);
|
1026
|
|
- cli_dbgmsg("BaseOfCode: 0x%x\n", EC32(optional_hdr32.BaseOfCode));
|
1027
|
|
- cli_dbgmsg("SectionAlignment: 0x%x\n", EC32(optional_hdr32.SectionAlignment));
|
1028
|
|
- cli_dbgmsg("FileAlignment: 0x%x\n", EC32(optional_hdr32.FileAlignment));
|
1029
|
|
- cli_dbgmsg("MajorSubsystemVersion: %d\n", EC16(optional_hdr32.MajorSubsystemVersion));
|
1030
|
|
- cli_dbgmsg("MinorSubsystemVersion: %d\n", EC16(optional_hdr32.MinorSubsystemVersion));
|
1031
|
|
- cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr32.SizeOfImage));
|
1032
|
|
- cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);
|
1033
|
|
- cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr32.NumberOfRvaAndSizes));
|
1034
|
|
- dirs = optional_hdr32.DataDirectory;
|
|
1018
|
+ vep = EC32(optional_hdr32.AddressOfEntryPoint);
|
|
1019
|
+ hdr_size = EC32(optional_hdr32.SizeOfHeaders);
|
|
1020
|
+ cli_dbgmsg("File format: PE\n");
|
|
1021
|
+
|
|
1022
|
+ cli_dbgmsg("MajorLinkerVersion: %d\n", optional_hdr32.MajorLinkerVersion);
|
|
1023
|
+ cli_dbgmsg("MinorLinkerVersion: %d\n", optional_hdr32.MinorLinkerVersion);
|
|
1024
|
+ cli_dbgmsg("SizeOfCode: 0x%x\n", EC32(optional_hdr32.SizeOfCode));
|
|
1025
|
+ cli_dbgmsg("SizeOfInitializedData: 0x%x\n", EC32(optional_hdr32.SizeOfInitializedData));
|
|
1026
|
+ cli_dbgmsg("SizeOfUninitializedData: 0x%x\n", EC32(optional_hdr32.SizeOfUninitializedData));
|
|
1027
|
+ cli_dbgmsg("AddressOfEntryPoint: 0x%x\n", vep);
|
|
1028
|
+ cli_dbgmsg("BaseOfCode: 0x%x\n", EC32(optional_hdr32.BaseOfCode));
|
|
1029
|
+ cli_dbgmsg("SectionAlignment: 0x%x\n", EC32(optional_hdr32.SectionAlignment));
|
|
1030
|
+ cli_dbgmsg("FileAlignment: 0x%x\n", EC32(optional_hdr32.FileAlignment));
|
|
1031
|
+ cli_dbgmsg("MajorSubsystemVersion: %d\n", EC16(optional_hdr32.MajorSubsystemVersion));
|
|
1032
|
+ cli_dbgmsg("MinorSubsystemVersion: %d\n", EC16(optional_hdr32.MinorSubsystemVersion));
|
|
1033
|
+ cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr32.SizeOfImage));
|
|
1034
|
+ cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);
|
|
1035
|
+ cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr32.NumberOfRvaAndSizes));
|
|
1036
|
+ dirs = optional_hdr32.DataDirectory;
|
1035
|
1037
|
#if HAVE_JSON
|
1036
|
|
- cli_jsonint(pe_json, "MajorLinkerVersion", optional_hdr32.MajorLinkerVersion);
|
1037
|
|
- cli_jsonint(pe_json, "MinorLinkerVersion", optional_hdr32.MinorLinkerVersion);
|
1038
|
|
- cli_jsonint(pe_json, "SizeOfCode", EC32(optional_hdr32.SizeOfCode));
|
1039
|
|
- cli_jsonint(pe_json, "SizeOfInitializedData", EC32(optional_hdr32.SizeOfInitializedData));
|
1040
|
|
- cli_jsonint(pe_json, "SizeOfUninitializedData", EC32(optional_hdr32.SizeOfUninitializedData));
|
1041
|
|
- cli_jsonint(pe_json, "NumberOfRvaAndSizes", EC32(optional_hdr32.NumberOfRvaAndSizes));
|
1042
|
|
- cli_jsonint(pe_json, "MajorSubsystemVersion", EC16(optional_hdr32.MajorSubsystemVersion));
|
1043
|
|
- cli_jsonint(pe_json, "MinorSubsystemVersion", EC16(optional_hdr32.MinorSubsystemVersion));
|
|
1038
|
+ cli_jsonint(pe_json, "MajorLinkerVersion", optional_hdr32.MajorLinkerVersion);
|
|
1039
|
+ cli_jsonint(pe_json, "MinorLinkerVersion", optional_hdr32.MinorLinkerVersion);
|
|
1040
|
+ cli_jsonint(pe_json, "SizeOfCode", EC32(optional_hdr32.SizeOfCode));
|
|
1041
|
+ cli_jsonint(pe_json, "SizeOfInitializedData", EC32(optional_hdr32.SizeOfInitializedData));
|
|
1042
|
+ cli_jsonint(pe_json, "SizeOfUninitializedData", EC32(optional_hdr32.SizeOfUninitializedData));
|
|
1043
|
+ cli_jsonint(pe_json, "NumberOfRvaAndSizes", EC32(optional_hdr32.NumberOfRvaAndSizes));
|
|
1044
|
+ cli_jsonint(pe_json, "MajorSubsystemVersion", EC16(optional_hdr32.MajorSubsystemVersion));
|
|
1045
|
+ cli_jsonint(pe_json, "MinorSubsystemVersion", EC16(optional_hdr32.MinorSubsystemVersion));
|
1044
|
1046
|
|
1045
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.BaseOfCode));
|
1046
|
|
- cli_jsonstr(pe_json, "BaseOfCode", jsonbuf);
|
|
1047
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.BaseOfCode));
|
|
1048
|
+ cli_jsonstr(pe_json, "BaseOfCode", jsonbuf);
|
1047
|
1049
|
|
1048
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.SectionAlignment));
|
1049
|
|
- cli_jsonstr(pe_json, "SectionAlignment", jsonbuf);
|
|
1050
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.SectionAlignment));
|
|
1051
|
+ cli_jsonstr(pe_json, "SectionAlignment", jsonbuf);
|
1050
|
1052
|
|
1051
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.FileAlignment));
|
1052
|
|
- cli_jsonstr(pe_json, "FileAlignment", jsonbuf);
|
|
1053
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.FileAlignment));
|
|
1054
|
+ cli_jsonstr(pe_json, "FileAlignment", jsonbuf);
|
1053
|
1055
|
|
1054
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.SizeOfImage));
|
1055
|
|
- cli_jsonstr(pe_json, "SizeOfImage", jsonbuf);
|
|
1056
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.SizeOfImage));
|
|
1057
|
+ cli_jsonstr(pe_json, "SizeOfImage", jsonbuf);
|
1056
|
1058
|
|
1057
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", hdr_size);
|
1058
|
|
- cli_jsonstr(pe_json, "SizeOfHeaders", jsonbuf);
|
|
1059
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", hdr_size);
|
|
1060
|
+ cli_jsonstr(pe_json, "SizeOfHeaders", jsonbuf);
|
1059
|
1061
|
#endif
|
1060
|
1062
|
|
1061
|
1063
|
} else { /* PE+ */
|
1062
|
|
- /* read the remaining part of the header */
|
1063
|
|
- if(fmap_readn(map, &optional_hdr32 + 1, at, sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) {
|
1064
|
|
- cli_dbgmsg("Can't read optional file header\n");
|
1065
|
|
- if(DETECT_BROKEN_PE) {
|
1066
|
|
- cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
1067
|
|
- return CL_VIRUS;
|
1068
|
|
- }
|
1069
|
|
- return CL_CLEAN;
|
1070
|
|
- }
|
1071
|
|
- at += sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32);
|
1072
|
|
- vep = EC32(optional_hdr64.AddressOfEntryPoint);
|
1073
|
|
- hdr_size = EC32(optional_hdr64.SizeOfHeaders);
|
1074
|
|
- cli_dbgmsg("File format: PE32+\n");
|
1075
|
|
-
|
1076
|
|
- cli_dbgmsg("MajorLinkerVersion: %d\n", optional_hdr64.MajorLinkerVersion);
|
1077
|
|
- cli_dbgmsg("MinorLinkerVersion: %d\n", optional_hdr64.MinorLinkerVersion);
|
1078
|
|
- cli_dbgmsg("SizeOfCode: 0x%x\n", EC32(optional_hdr64.SizeOfCode));
|
1079
|
|
- cli_dbgmsg("SizeOfInitializedData: 0x%x\n", EC32(optional_hdr64.SizeOfInitializedData));
|
1080
|
|
- cli_dbgmsg("SizeOfUninitializedData: 0x%x\n", EC32(optional_hdr64.SizeOfUninitializedData));
|
1081
|
|
- cli_dbgmsg("AddressOfEntryPoint: 0x%x\n", vep);
|
1082
|
|
- cli_dbgmsg("BaseOfCode: 0x%x\n", EC32(optional_hdr64.BaseOfCode));
|
1083
|
|
- cli_dbgmsg("SectionAlignment: 0x%x\n", EC32(optional_hdr64.SectionAlignment));
|
1084
|
|
- cli_dbgmsg("FileAlignment: 0x%x\n", EC32(optional_hdr64.FileAlignment));
|
1085
|
|
- cli_dbgmsg("MajorSubsystemVersion: %d\n", EC16(optional_hdr64.MajorSubsystemVersion));
|
1086
|
|
- cli_dbgmsg("MinorSubsystemVersion: %d\n", EC16(optional_hdr64.MinorSubsystemVersion));
|
1087
|
|
- cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr64.SizeOfImage));
|
1088
|
|
- cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);
|
1089
|
|
- cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr64.NumberOfRvaAndSizes));
|
1090
|
|
- dirs = optional_hdr64.DataDirectory;
|
|
1064
|
+ /* read the remaining part of the header */
|
|
1065
|
+ if(fmap_readn(map, &optional_hdr32 + 1, at, sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) {
|
|
1066
|
+ cli_dbgmsg("Can't read optional file header\n");
|
|
1067
|
+ if(DETECT_BROKEN_PE) {
|
|
1068
|
+ cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
|
1069
|
+ return CL_VIRUS;
|
|
1070
|
+ }
|
|
1071
|
+
|
|
1072
|
+ return CL_CLEAN;
|
|
1073
|
+ }
|
|
1074
|
+
|
|
1075
|
+ at += sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32);
|
|
1076
|
+ vep = EC32(optional_hdr64.AddressOfEntryPoint);
|
|
1077
|
+ hdr_size = EC32(optional_hdr64.SizeOfHeaders);
|
|
1078
|
+ cli_dbgmsg("File format: PE32+\n");
|
|
1079
|
+
|
|
1080
|
+ cli_dbgmsg("MajorLinkerVersion: %d\n", optional_hdr64.MajorLinkerVersion);
|
|
1081
|
+ cli_dbgmsg("MinorLinkerVersion: %d\n", optional_hdr64.MinorLinkerVersion);
|
|
1082
|
+ cli_dbgmsg("SizeOfCode: 0x%x\n", EC32(optional_hdr64.SizeOfCode));
|
|
1083
|
+ cli_dbgmsg("SizeOfInitializedData: 0x%x\n", EC32(optional_hdr64.SizeOfInitializedData));
|
|
1084
|
+ cli_dbgmsg("SizeOfUninitializedData: 0x%x\n", EC32(optional_hdr64.SizeOfUninitializedData));
|
|
1085
|
+ cli_dbgmsg("AddressOfEntryPoint: 0x%x\n", vep);
|
|
1086
|
+ cli_dbgmsg("BaseOfCode: 0x%x\n", EC32(optional_hdr64.BaseOfCode));
|
|
1087
|
+ cli_dbgmsg("SectionAlignment: 0x%x\n", EC32(optional_hdr64.SectionAlignment));
|
|
1088
|
+ cli_dbgmsg("FileAlignment: 0x%x\n", EC32(optional_hdr64.FileAlignment));
|
|
1089
|
+ cli_dbgmsg("MajorSubsystemVersion: %d\n", EC16(optional_hdr64.MajorSubsystemVersion));
|
|
1090
|
+ cli_dbgmsg("MinorSubsystemVersion: %d\n", EC16(optional_hdr64.MinorSubsystemVersion));
|
|
1091
|
+ cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr64.SizeOfImage));
|
|
1092
|
+ cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);
|
|
1093
|
+ cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr64.NumberOfRvaAndSizes));
|
|
1094
|
+ dirs = optional_hdr64.DataDirectory;
|
1091
|
1095
|
#if HAVE_JSON
|
1092
|
|
- cli_jsonint(pe_json, "MajorLinkerVersion", optional_hdr64.MajorLinkerVersion);
|
1093
|
|
- cli_jsonint(pe_json, "MinorLinkerVersion", optional_hdr64.MinorLinkerVersion);
|
1094
|
|
- cli_jsonint(pe_json, "SizeOfCode", EC32(optional_hdr64.SizeOfCode));
|
1095
|
|
- cli_jsonint(pe_json, "SizeOfInitializedData", EC32(optional_hdr64.SizeOfInitializedData));
|
1096
|
|
- cli_jsonint(pe_json, "SizeOfUninitializedData", EC32(optional_hdr64.SizeOfUninitializedData));
|
1097
|
|
- cli_jsonint(pe_json, "NumberOfRvaAndSizes", EC32(optional_hdr64.NumberOfRvaAndSizes));
|
1098
|
|
- cli_jsonint(pe_json, "MajorSubsystemVersion", EC16(optional_hdr64.MajorSubsystemVersion));
|
1099
|
|
- cli_jsonint(pe_json, "MinorSubsystemVersion", EC16(optional_hdr64.MinorSubsystemVersion));
|
|
1096
|
+ cli_jsonint(pe_json, "MajorLinkerVersion", optional_hdr64.MajorLinkerVersion);
|
|
1097
|
+ cli_jsonint(pe_json, "MinorLinkerVersion", optional_hdr64.MinorLinkerVersion);
|
|
1098
|
+ cli_jsonint(pe_json, "SizeOfCode", EC32(optional_hdr64.SizeOfCode));
|
|
1099
|
+ cli_jsonint(pe_json, "SizeOfInitializedData", EC32(optional_hdr64.SizeOfInitializedData));
|
|
1100
|
+ cli_jsonint(pe_json, "SizeOfUninitializedData", EC32(optional_hdr64.SizeOfUninitializedData));
|
|
1101
|
+ cli_jsonint(pe_json, "NumberOfRvaAndSizes", EC32(optional_hdr64.NumberOfRvaAndSizes));
|
|
1102
|
+ cli_jsonint(pe_json, "MajorSubsystemVersion", EC16(optional_hdr64.MajorSubsystemVersion));
|
|
1103
|
+ cli_jsonint(pe_json, "MinorSubsystemVersion", EC16(optional_hdr64.MinorSubsystemVersion));
|
1100
|
1104
|
|
1101
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.BaseOfCode));
|
1102
|
|
- cli_jsonstr(pe_json, "BaseOfCode", jsonbuf);
|
|
1105
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.BaseOfCode));
|
|
1106
|
+ cli_jsonstr(pe_json, "BaseOfCode", jsonbuf);
|
1103
|
1107
|
|
1104
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.SectionAlignment));
|
1105
|
|
- cli_jsonstr(pe_json, "SectionAlignment", jsonbuf);
|
|
1108
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.SectionAlignment));
|
|
1109
|
+ cli_jsonstr(pe_json, "SectionAlignment", jsonbuf);
|
1106
|
1110
|
|
1107
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.FileAlignment));
|
1108
|
|
- cli_jsonstr(pe_json, "FileAlignment", jsonbuf);
|
|
1111
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.FileAlignment));
|
|
1112
|
+ cli_jsonstr(pe_json, "FileAlignment", jsonbuf);
|
1109
|
1113
|
|
1110
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.SizeOfImage));
|
1111
|
|
- cli_jsonstr(pe_json, "SizeOfImage", jsonbuf);
|
|
1114
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.SizeOfImage));
|
|
1115
|
+ cli_jsonstr(pe_json, "SizeOfImage", jsonbuf);
|
1112
|
1116
|
|
1113
|
|
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", hdr_size);
|
1114
|
|
- cli_jsonstr(pe_json, "SizeOfHeaders", jsonbuf);
|
|
1117
|
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", hdr_size);
|
|
1118
|
+ cli_jsonstr(pe_json, "SizeOfHeaders", jsonbuf);
|
1115
|
1119
|
#endif
|
1116
|
1120
|
}
|
1117
|
1121
|
|
...
|
...
|
@@ -1124,50 +1134,50 @@ int cli_scanpe(cli_ctx *ctx)
|
1124
|
1124
|
|
1125
|
1125
|
|
1126
|
1126
|
switch(pe_plus ? EC16(optional_hdr64.Subsystem) : EC16(optional_hdr32.Subsystem)) {
|
1127
|
|
- case 0:
|
|
1127
|
+ case 0:
|
1128
|
1128
|
subsystem = "Unknown";
|
1129
|
|
- break;
|
1130
|
|
- case 1:
|
|
1129
|
+ break;
|
|
1130
|
+ case 1:
|
1131
|
1131
|
subsystem = "Native (svc)";
|
1132
|
|
- native = 1;
|
1133
|
|
- break;
|
1134
|
|
- case 2:
|
|
1132
|
+ native = 1;
|
|
1133
|
+ break;
|
|
1134
|
+ case 2:
|
1135
|
1135
|
subsystem = "Win32 GUI";
|
1136
|
|
- break;
|
1137
|
|
- case 3:
|
|
1136
|
+ break;
|
|
1137
|
+ case 3:
|
1138
|
1138
|
subsystem = "Win32 console";
|
1139
|
|
- break;
|
1140
|
|
- case 5:
|
|
1139
|
+ break;
|
|
1140
|
+ case 5:
|
1141
|
1141
|
subsystem = "OS/2 console";
|
1142
|
|
- break;
|
1143
|
|
- case 7:
|
|
1142
|
+ break;
|
|
1143
|
+ case 7:
|
1144
|
1144
|
subsystem = "POSIX console";
|
1145
|
|
- break;
|
1146
|
|
- case 8:
|
|
1145
|
+ break;
|
|
1146
|
+ case 8:
|
1147
|
1147
|
subsystem = "Native Win9x driver";
|
1148
|
|
- break;
|
1149
|
|
- case 9:
|
|
1148
|
+ break;
|
|
1149
|
+ case 9:
|
1150
|
1150
|
subsystem = "WinCE GUI";
|
1151
|
|
- break;
|
1152
|
|
- case 10:
|
|
1151
|
+ break;
|
|
1152
|
+ case 10:
|
1153
|
1153
|
subsystem = "EFI application";
|
1154
|
|
- break;
|
1155
|
|
- case 11:
|
|
1154
|
+ break;
|
|
1155
|
+ case 11:
|
1156
|
1156
|
subsystem = "EFI driver";
|
1157
|
|
- break;
|
1158
|
|
- case 12:
|
|
1157
|
+ break;
|
|
1158
|
+ case 12:
|
1159
|
1159
|
subsystem = "EFI runtime driver";
|
1160
|
|
- break;
|
1161
|
|
- case 13:
|
|
1160
|
+ break;
|
|
1161
|
+ case 13:
|
1162
|
1162
|
subsystem = "EFI ROM image";
|
1163
|
|
- break;
|
1164
|
|
- case 14:
|
|
1163
|
+ break;
|
|
1164
|
+ case 14:
|
1165
|
1165
|
subsystem = "Xbox";
|
1166
|
|
- break;
|
1167
|
|
- case 16:
|
|
1166
|
+ break;
|
|
1167
|
+ case 16:
|
1168
|
1168
|
subsystem = "Boot application";
|
1169
|
|
- break;
|
1170
|
|
- default:
|
|
1169
|
+ break;
|
|
1170
|
+ default:
|
1171
|
1171
|
subsystem = "Unknown";
|
1172
|
1172
|
}
|
1173
|
1173
|
|
...
|
...
|
@@ -1181,14 +1191,14 @@ int cli_scanpe(cli_ctx *ctx)
|
1181
|
1181
|
|
1182
|
1182
|
if (DETECT_BROKEN_PE && !native && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) {
|
1183
|
1183
|
cli_dbgmsg("Bad virtual alignemnt\n");
|
1184
|
|
- cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
1185
|
|
- return CL_VIRUS;
|
|
1184
|
+ cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
|
1185
|
+ return CL_VIRUS;
|
1186
|
1186
|
}
|
1187
|
1187
|
|
1188
|
1188
|
if (DETECT_BROKEN_PE && !native && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
|
1189
|
1189
|
cli_dbgmsg("Bad file alignemnt\n");
|
1190
|
|
- cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
1191
|
|
- return CL_VIRUS;
|
|
1190
|
+ cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
|
1191
|
+ return CL_VIRUS;
|
1192
|
1192
|
}
|
1193
|
1193
|
|
1194
|
1194
|
fsize = map->len;
|
...
|
...
|
@@ -1196,16 +1206,16 @@ int cli_scanpe(cli_ctx *ctx)
|
1196
|
1196
|
section_hdr = (struct pe_image_section_hdr *) cli_calloc(nsections, sizeof(struct pe_image_section_hdr));
|
1197
|
1197
|
|
1198
|
1198
|
if(!section_hdr) {
|
1199
|
|
- cli_dbgmsg("Can't allocate memory for section headers\n");
|
1200
|
|
- return CL_EMEM;
|
|
1199
|
+ cli_dbgmsg("Can't allocate memory for section headers\n");
|
|
1200
|
+ return CL_EMEM;
|
1201
|
1201
|
}
|
1202
|
1202
|
|
1203
|
1203
|
exe_sections = (struct cli_exe_section *) cli_calloc(nsections, sizeof(struct cli_exe_section));
|
1204
|
1204
|
|
1205
|
1205
|
if(!exe_sections) {
|
1206
|
|
- cli_dbgmsg("Can't allocate memory for section headers\n");
|
1207
|
|
- free(section_hdr);
|
1208
|
|
- return CL_EMEM;
|
|
1206
|
+ cli_dbgmsg("Can't allocate memory for section headers\n");
|
|
1207
|
+ free(section_hdr);
|
|
1208
|
+ return CL_EMEM;
|
1209
|
1209
|
}
|
1210
|
1210
|
|
1211
|
1211
|
valign = (pe_plus)?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment);
|
...
|
...
|
@@ -1213,23 +1223,27 @@ int cli_scanpe(cli_ctx *ctx)
|
1213
|
1213
|
|
1214
|
1214
|
if(fmap_readn(map, section_hdr, at, sizeof(struct pe_image_section_hdr)*nsections) != (int)(nsections*sizeof(struct pe_image_section_hdr))) {
|
1215
|
1215
|
cli_dbgmsg("Can't read section header\n");
|
1216
|
|
- cli_dbgmsg("Possibly broken PE file\n");
|
1217
|
|
- free(section_hdr);
|
1218
|
|
- free(exe_sections);
|
1219
|
|
- if(DETECT_BROKEN_PE) {
|
1220
|
|
- cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
1221
|
|
- return CL_VIRUS;
|
1222
|
|
- }
|
1223
|
|
- return CL_CLEAN;
|
|
1216
|
+ cli_dbgmsg("Possibly broken PE file\n");
|
|
1217
|
+
|
|
1218
|
+ free(section_hdr);
|
|
1219
|
+ free(exe_sections);
|
|
1220
|
+
|
|
1221
|
+ if(DETECT_BROKEN_PE) {
|
|
1222
|
+ cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
|
1223
|
+ return CL_VIRUS;
|
|
1224
|
+ }
|
|
1225
|
+
|
|
1226
|
+ return CL_CLEAN;
|
1224
|
1227
|
}
|
|
1228
|
+
|
1225
|
1229
|
at += sizeof(struct pe_image_section_hdr)*nsections;
|
1226
|
1230
|
|
1227
|
1231
|
for(i = 0; falign!=0x200 && i<nsections; i++) {
|
1228
|
|
- /* file alignment fallback mode - blah */
|
1229
|
|
- if (falign && section_hdr[i].SizeOfRawData && EC32(section_hdr[i].PointerToRawData)%falign && !(EC32(section_hdr[i].PointerToRawData)%0x200)) {
|
1230
|
|
- cli_dbgmsg("Found misaligned section, using 0x200\n");
|
1231
|
|
- falign = 0x200;
|
1232
|
|
- }
|
|
1232
|
+ /* file alignment fallback mode - blah */
|
|
1233
|
+ if (falign && section_hdr[i].SizeOfRawData && EC32(section_hdr[i].PointerToRawData)%falign && !(EC32(section_hdr[i].PointerToRawData)%0x200)) {
|
|
1234
|
+ cli_dbgmsg("Found misaligned section, using 0x200\n");
|
|
1235
|
+ falign = 0x200;
|
|
1236
|
+ }
|
1233
|
1237
|
}
|
1234
|
1238
|
|
1235
|
1239
|
hdr_size = PESALIGN(hdr_size, valign); /* Aligned headers virtual size */
|
...
|
...
|
@@ -1281,7 +1295,7 @@ int cli_scanpe(cli_ctx *ctx)
|
1281
|
1281
|
}
|
1282
|
1282
|
}
|
1283
|
1283
|
|
1284
|
|
- for(i = 0; i < nsections; i++) {
|
|
1284
|
+ for(i = 0; i < nsections; i++) {
|
1285
|
1285
|
strncpy(sname, (char *) section_hdr[i].Name, 8);
|
1286
|
1286
|
sname[8] = 0;
|
1287
|
1287
|
|
...
|
...
|
@@ -1295,115 +1309,120 @@ int cli_scanpe(cli_ctx *ctx)
|
1295
|
1295
|
}
|
1296
|
1296
|
#endif
|
1297
|
1297
|
|
1298
|
|
- if (!exe_sections[i].vsz && exe_sections[i].rsz)
|
1299
|
|
- exe_sections[i].vsz=PESALIGN(exe_sections[i].ursz, valign);
|
1300
|
|
-
|
1301
|
|
- if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz))
|
1302
|
|
- exe_sections[i].rsz = fsize - exe_sections[i].raw;
|
1303
|
|
-
|
1304
|
|
- cli_dbgmsg("Section %d\n", i);
|
1305
|
|
- cli_dbgmsg("Section name: %s\n", sname);
|
1306
|
|
- cli_dbgmsg("Section data (from headers - in memory)\n");
|
1307
|
|
- cli_dbgmsg("VirtualSize: 0x%x 0x%x\n", exe_sections[i].uvsz, exe_sections[i].vsz);
|
1308
|
|
- cli_dbgmsg("VirtualAddress: 0x%x 0x%x\n", exe_sections[i].urva, exe_sections[i].rva);
|
1309
|
|
- cli_dbgmsg("SizeOfRawData: 0x%x 0x%x\n", exe_sections[i].ursz, exe_sections[i].rsz);
|
1310
|
|
- cli_dbgmsg("PointerToRawData: 0x%x 0x%x\n", exe_sections[i].uraw, exe_sections[i].raw);
|
1311
|
|
-
|
1312
|
|
- if(exe_sections[i].chr & 0x20) {
|
1313
|
|
- cli_dbgmsg("Section contains executable code\n");
|
1314
|
|
-
|
1315
|
|
- if(exe_sections[i].vsz < exe_sections[i].rsz) {
|
1316
|
|
- cli_dbgmsg("Section contains free space\n");
|
1317
|
|
- /*
|
1318
|
|
- cli_dbgmsg("Dumping %d bytes\n", section_hdr.SizeOfRawData - section_hdr.VirtualSize);
|
1319
|
|
- ddump(desc, section_hdr.PointerToRawData + section_hdr.VirtualSize, section_hdr.SizeOfRawData - section_hdr.VirtualSize, cli_gentemp(NULL));
|
1320
|
|
- */
|
|
1298
|
+ if (!exe_sections[i].vsz && exe_sections[i].rsz)
|
|
1299
|
+ exe_sections[i].vsz=PESALIGN(exe_sections[i].ursz, valign);
|
1321
|
1300
|
|
1322
|
|
- }
|
1323
|
|
- }
|
|
1301
|
+ if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz))
|
|
1302
|
+ exe_sections[i].rsz = fsize - exe_sections[i].raw;
|
|
1303
|
+
|
|
1304
|
+ cli_dbgmsg("Section %d\n", i);
|
|
1305
|
+ cli_dbgmsg("Section name: %s\n", sname);
|
|
1306
|
+ cli_dbgmsg("Section data (from headers - in memory)\n");
|
|
1307
|
+ cli_dbgmsg("VirtualSize: 0x%x 0x%x\n", exe_sections[i].uvsz, exe_sections[i].vsz);
|
|
1308
|
+ cli_dbgmsg("VirtualAddress: 0x%x 0x%x\n", exe_sections[i].urva, exe_sections[i].rva);
|
|
1309
|
+ cli_dbgmsg("SizeOfRawData: 0x%x 0x%x\n", exe_sections[i].ursz, exe_sections[i].rsz);
|
|
1310
|
+ cli_dbgmsg("PointerToRawData: 0x%x 0x%x\n", exe_sections[i].uraw, exe_sections[i].raw);
|
|
1311
|
+
|
|
1312
|
+ if(exe_sections[i].chr & 0x20) {
|
|
1313
|
+ cli_dbgmsg("Section contains executable code\n");
|
|
1314
|
+
|
|
1315
|
+ if(exe_sections[i].vsz < exe_sections[i].rsz) {
|
|
1316
|
+ cli_dbgmsg("Section contains free space\n");
|
|
1317
|
+ /*
|
|
1318
|
+ cli_dbgmsg("Dumping %d bytes\n", section_hdr.SizeOfRawData - section_hdr.VirtualSize);
|
|
1319
|
+ ddump(desc, section_hdr.PointerToRawData + section_hdr.VirtualSize, section_hdr.SizeOfRawData - section_hdr.VirtualSize, cli_gentemp(NULL));
|
|
1320
|
+ */
|
|
1321
|
+ }
|
|
1322
|
+ }
|
1324
|
1323
|
|
1325
|
|
- if(exe_sections[i].chr & 0x20000000)
|
1326
|
|
- cli_dbgmsg("Section's memory is executable\n");
|
|
1324
|
+ if(exe_sections[i].chr & 0x20000000)
|
|
1325
|
+ cli_dbgmsg("Section's memory is executable\n");
|
1327
|
1326
|
|
1328
|
|
- if(exe_sections[i].chr & 0x80000000)
|
1329
|
|
- cli_dbgmsg("Section's memory is writeable\n");
|
|
1327
|
+ if(exe_sections[i].chr & 0x80000000)
|
|
1328
|
+ cli_dbgmsg("Section's memory is writeable\n");
|
1330
|
1329
|
|
1331
|
|
- if (DETECT_BROKEN_PE && (!valign || (exe_sections[i].urva % valign))) { /* Bad virtual alignment */
|
1332
|
|
- cli_dbgmsg("VirtualAddress is misaligned\n");
|
1333
|
|
- cli_dbgmsg("------------------------------------\n");
|
1334
|
|
- cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
1335
|
|
- free(section_hdr);
|
1336
|
|
- free(exe_sections);
|
1337
|
|
- return CL_VIRUS;
|
1338
|
|
- }
|
|
1330
|
+ if (DETECT_BROKEN_PE && (!valign || (exe_sections[i].urva % valign))) { /* Bad virtual alignment */
|
|
1331
|
+ cli_dbgmsg("VirtualAddress is misaligned\n");
|
|
1332
|
+ cli_dbgmsg("------------------------------------\n");
|
|
1333
|
+ cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
|
1334
|
+ free(section_hdr);
|
|
1335
|
+ free(exe_sections);
|
|
1336
|
+ return CL_VIRUS;
|
|
1337
|
+ }
|
1339
|
1338
|
|
1340
|
|
- if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
|
1341
|
|
- if(SCAN_ALGO && (DCONF & PE_CONF_POLIPOS) && !*sname && exe_sections[i].vsz > 40000 && exe_sections[i].vsz < 70000 && exe_sections[i].chr == 0xe0000060) polipos = i;
|
1342
|
|
-
|
1343
|
|
- /* check hash section sigs */
|
1344
|
|
- if((DCONF & PE_CONF_MD5SECT) && ctx->engine->hm_mdb) {
|
1345
|
|
- ret = scan_pe_mdb(ctx, &exe_sections[i]);
|
1346
|
|
- if (ret != CL_CLEAN) {
|
1347
|
|
- if (ret != CL_VIRUS)
|
1348
|
|
- cli_errmsg("scan_pe: scan_pe_mdb failed: %s!\n", cl_strerror(ret));
|
1349
|
|
- cli_dbgmsg("------------------------------------\n");
|
1350
|
|
- free(section_hdr);
|
1351
|
|
- free(exe_sections);
|
1352
|
|
- return ret;
|
1353
|
|
- }
|
1354
|
|
- }
|
1355
|
|
- }
|
1356
|
|
- cli_dbgmsg("------------------------------------\n");
|
|
1339
|
+ if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
|
|
1340
|
+ if(SCAN_ALGO && (DCONF & PE_CONF_POLIPOS) && !*sname && exe_sections[i].vsz > 40000 && exe_sections[i].vsz < 70000 && exe_sections[i].chr == 0xe0000060) polipos = i;
|
1357
|
1341
|
|
1358
|
|
- if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {
|
1359
|
|
- cli_dbgmsg("Found PE values with sign bit set\n");
|
1360
|
|
- free(section_hdr);
|
1361
|
|
- free(exe_sections);
|
1362
|
|
- if(DETECT_BROKEN_PE) {
|
1363
|
|
- cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
1364
|
|
- return CL_VIRUS;
|
1365
|
|
- }
|
1366
|
|
- return CL_CLEAN;
|
1367
|
|
- }
|
|
1342
|
+ /* check hash section sigs */
|
|
1343
|
+ if((DCONF & PE_CONF_MD5SECT) && ctx->engine->hm_mdb) {
|
|
1344
|
+ ret = scan_pe_mdb(ctx, &exe_sections[i]);
|
|
1345
|
+ if (ret != CL_CLEAN) {
|
|
1346
|
+ if (ret != CL_VIRUS)
|
|
1347
|
+ cli_errmsg("scan_pe: scan_pe_mdb failed: %s!\n", cl_strerror(ret));
|
1368
|
1348
|
|
1369
|
|
- if(!i) {
|
1370
|
|
- if (DETECT_BROKEN_PE && exe_sections[i].urva!=hdr_size) { /* Bad first section RVA */
|
1371
|
|
- cli_dbgmsg("First section is in the wrong place\n");
|
1372
|
|
- cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
1373
|
|
- free(section_hdr);
|
1374
|
|
- free(exe_sections);
|
1375
|
|
- return CL_VIRUS;
|
1376
|
|
- }
|
1377
|
|
- min = exe_sections[i].rva;
|
1378
|
|
- max = exe_sections[i].rva + exe_sections[i].rsz;
|
1379
|
|
- } else {
|
1380
|
|
- if (DETECT_BROKEN_PE && exe_sections[i].urva - exe_sections[i-1].urva != exe_sections[i-1].vsz) { /* No holes, no overlapping, no virtual disorder */
|
1381
|
|
- cli_dbgmsg("Virtually misplaced section (wrong order, overlapping, non contiguous)\n");
|
1382
|
|
- cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
1383
|
|
- free(section_hdr);
|
1384
|
|
- free(exe_sections);
|
1385
|
|
- return CL_VIRUS;
|
1386
|
|
- }
|
1387
|
|
- if(exe_sections[i].rva < min)
|
1388
|
|
- min = exe_sections[i].rva;
|
|
1349
|
+ cli_dbgmsg("------------------------------------\n");
|
|
1350
|
+ free(section_hdr);
|
|
1351
|
+ free(exe_sections);
|
|
1352
|
+ return ret;
|
|
1353
|
+ }
|
|
1354
|
+ }
|
|
1355
|
+ }
|
|
1356
|
+ cli_dbgmsg("------------------------------------\n");
|
1389
|
1357
|
|
1390
|
|
- if(exe_sections[i].rva + exe_sections[i].rsz > max) {
|
1391
|
|
- max = exe_sections[i].rva + exe_sections[i].rsz;
|
1392
|
|
- overlays = exe_sections[i].raw + exe_sections[i].rsz;
|
1393
|
|
- }
|
1394
|
|
- }
|
|
1358
|
+ if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {
|
|
1359
|
+ cli_dbgmsg("Found PE values with sign bit set\n");
|
|
1360
|
+
|
|
1361
|
+ free(section_hdr);
|
|
1362
|
+ free(exe_sections);
|
|
1363
|
+ if(DETECT_BROKEN_PE) {
|
|
1364
|
+ cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
|
1365
|
+ return CL_VIRUS;
|
|
1366
|
+ }
|
|
1367
|
+
|
|
1368
|
+ return CL_CLEAN;
|
|
1369
|
+ }
|
|
1370
|
+
|
|
1371
|
+ if(!i) {
|
|
1372
|
+ if (DETECT_BROKEN_PE && exe_sections[i].urva!=hdr_size) { /* Bad first section RVA */
|
|
1373
|
+ cli_dbgmsg("First section is in the wrong place\n");
|
|
1374
|
+ cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
|
1375
|
+ free(section_hdr);
|
|
1376
|
+ free(exe_sections);
|
|
1377
|
+ return CL_VIRUS;
|
|
1378
|
+ }
|
|
1379
|
+
|
|
1380
|
+ min = exe_sections[i].rva;
|
|
1381
|
+ max = exe_sections[i].rva + exe_sections[i].rsz;
|
|
1382
|
+ } else {
|
|
1383
|
+ if (DETECT_BROKEN_PE && exe_sections[i].urva - exe_sections[i-1].urva != exe_sections[i-1].vsz) { /* No holes, no overlapping, no virtual disorder */
|
|
1384
|
+ cli_dbgmsg("Virtually misplaced section (wrong order, overlapping, non contiguous)\n");
|
|
1385
|
+ cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
|
1386
|
+ free(section_hdr);
|
|
1387
|
+ free(exe_sections);
|
|
1388
|
+ return CL_VIRUS;
|
|
1389
|
+ }
|
|
1390
|
+
|
|
1391
|
+ if(exe_sections[i].rva < min)
|
|
1392
|
+ min = exe_sections[i].rva;
|
|
1393
|
+
|
|
1394
|
+ if(exe_sections[i].rva + exe_sections[i].rsz > max) {
|
|
1395
|
+ max = exe_sections[i].rva + exe_sections[i].rsz;
|
|
1396
|
+ overlays = exe_sections[i].raw + exe_sections[i].rsz;
|
|
1397
|
+ }
|
|
1398
|
+ }
|
1395
|
1399
|
}
|
1396
|
1400
|
|
1397
|
1401
|
free(section_hdr);
|
1398
|
1402
|
|
1399
|
1403
|
if(!(ep = cli_rawaddr(vep, exe_sections, nsections, &err, fsize, hdr_size)) && err) {
|
1400
|
|
- cli_dbgmsg("EntryPoint out of file\n");
|
1401
|
|
- free(exe_sections);
|
1402
|
|
- if(DETECT_BROKEN_PE) {
|
1403
|
|
- cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
1404
|
|
- return CL_VIRUS;
|
1405
|
|
- }
|
1406
|
|
- return CL_CLEAN;
|
|
1404
|
+ cli_dbgmsg("EntryPoint out of file\n");
|
|
1405
|
+ free(exe_sections);
|
|
1406
|
+ if(DETECT_BROKEN_PE) {
|
|
1407
|
+ cli_append_virus(ctx,"Heuristics.Broken.Executable");
|
|
1408
|
+ return CL_VIRUS;
|
|
1409
|
+ }
|
|
1410
|
+
|
|
1411
|
+ return CL_CLEAN;
|
1407
|
1412
|
}
|
1408
|
1413
|
|
1409
|
1414
|
#if HAVE_JSON
|
...
|
...
|
@@ -1417,8 +1436,8 @@ int cli_scanpe(cli_ctx *ctx)
|
1417
|
1417
|
cli_dbgmsg("EntryPoint offset: 0x%x (%d)\n", ep, ep);
|
1418
|
1418
|
|
1419
|
1419
|
if(pe_plus) { /* Do not continue for PE32+ files */
|
1420
|
|
- free(exe_sections);
|
1421
|
|
- return CL_CLEAN;
|
|
1420
|
+ free(exe_sections);
|
|
1421
|
+ return CL_CLEAN;
|
1422
|
1422
|
}
|
1423
|
1423
|
|
1424
|
1424
|
epsize = fmap_readn(map, epbuff, ep, 4096);
|
...
|
...
|
@@ -1438,14 +1457,14 @@ int cli_scanpe(cli_ctx *ctx)
|
1438
|
1438
|
/* } */
|
1439
|
1439
|
|
1440
|
1440
|
if(overlays) {
|
1441
|
|
- int overlays_sz = fsize - overlays;
|
1442
|
|
- if(overlays_sz > 0) {
|
1443
|
|
- ret = cli_scanishield(ctx, overlays, overlays_sz);
|
1444
|
|
- if(ret != CL_CLEAN) {
|
1445
|
|
- free(exe_sections);
|
1446
|
|
- return ret;
|
1447
|
|
- }
|
1448
|
|
- }
|
|
1441
|
+ int overlays_sz = fsize - overlays;
|
|
1442
|
+ if(overlays_sz > 0) {
|
|
1443
|
+ ret = cli_scanishield(ctx, overlays, overlays_sz);
|
|
1444
|
+ if(ret != CL_CLEAN) {
|
|
1445
|
+ free(exe_sections);
|
|
1446
|
+ return ret;
|
|
1447
|
+ }
|
|
1448
|
+ }
|
1449
|
1449
|
}
|
1450
|
1450
|
|
1451
|
1451
|
pedata.nsections = nsections;
|
...
|
...
|
@@ -1463,10 +1482,11 @@ int cli_scanpe(cli_ctx *ctx)
|
1463
|
1463
|
/* Bytecode BC_PE_ALL hook */
|
1464
|
1464
|
bc_ctx = cli_bytecode_context_alloc();
|
1465
|
1465
|
if (!bc_ctx) {
|
1466
|
|
- cli_errmsg("cli_scanpe: can't allocate memory for bc_ctx\n");
|
1467
|
|
- free(exe_sections);
|
1468
|
|
- return CL_EMEM;
|
|
1466
|
+ cli_errmsg("cli_scanpe: can't allocate memory for bc_ctx\n");
|
|
1467
|
+ free(exe_sections);
|
|
1468
|
+ return CL_EMEM;
|
1469
|
1469
|
}
|
|
1470
|
+
|
1470
|
1471
|
cli_bytecode_context_setpe(bc_ctx, &pedata, exe_sections);
|
1471
|
1472
|
cli_bytecode_context_setctx(bc_ctx, ctx);
|
1472
|
1473
|
ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PE_ALL, map);
|
...
|
...
|
@@ -1486,228 +1506,284 @@ int cli_scanpe(cli_ctx *ctx)
|
1486
|
1486
|
/* W32.Parite.B */
|
1487
|
1487
|
if(SCAN_ALGO && (DCONF & PE_CONF_PARITE) && !dll && epsize == 4096 && ep == exe_sections[nsections - 1].raw) {
|
1488
|
1488
|
const char *pt = cli_memstr(epbuff, 4040, "\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00", 15);
|
1489
|
|
- if(pt) {
|
1490
|
|
- pt += 15;
|
1491
|
|
- if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
|
1492
|
|
- cli_append_virus(ctx,"Heuristics.W32.Parite.B");
|
1493
|
|
- if (!SCAN_ALL) {
|
1494
|
|
- free(exe_sections);
|
1495
|
|
- return CL_VIRUS;
|
1496
|
|
- }
|
1497
|
|
- viruses_found++;
|
1498
|
|
- }
|
1499
|
|
- }
|
|
1489
|
+ if(pt) {
|
|
1490
|
+ pt += 15;
|
|
1491
|
+ if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
|
|
1492
|
+ cli_append_virus(ctx,"Heuristics.W32.Parite.B");
|
|
1493
|
+ if (!SCAN_ALL) {
|
|
1494
|
+ free(exe_sections);
|
|
1495
|
+ return CL_VIRUS;
|
|
1496
|
+ }
|
|
1497
|
+
|
|
1498
|
+ viruses_found++;
|
|
1499
|
+ }
|
|
1500
|
+ }
|
1500
|
1501
|
}
|
1501
|
1502
|
|
1502
|
1503
|
/* Kriz */
|
1503
|
1504
|
if(SCAN_ALGO && (DCONF & PE_CONF_KRIZ) && epsize >= 200 && CLI_ISCONTAINED(exe_sections[nsections - 1].raw, exe_sections[nsections - 1].rsz, ep, 0x0fd2) && epbuff[1]=='\x9c' && epbuff[2]=='\x60') {
|
1504
|
|
- enum {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSXORPRFX,KZSXOR,KZSDDELTA,KZSLOOP,KZSTOP};
|
1505
|
|
- uint8_t kzs[] = {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSTRASH,KZSXORPRFX,KZSXOR,KZSTRASH,KZSDDELTA,KZSTRASH,KZSLOOP,KZSTOP};
|
1506
|
|
- uint8_t *kzstate = kzs;
|
1507
|
|
- uint8_t *kzcode = (uint8_t *)epbuff + 3;
|
1508
|
|
- uint8_t kzdptr=0xff, kzdsize=0xff;
|
1509
|
|
- int kzlen = 197, kzinitlen=0xffff, kzxorlen=-1;
|
1510
|
|
- cli_dbgmsg("in kriz\n");
|
1511
|
|
-
|
1512
|
|
- while(*kzstate!=KZSTOP) {
|
1513
|
|
- uint8_t op;
|
1514
|
|
- if(kzlen<=6) break;
|
1515
|
|
- op = *kzcode++;
|
1516
|
|
- kzlen--;
|
1517
|
|
- switch (*kzstate) {
|
1518
|
|
- case KZSTRASH: case KZSGETSIZE: {
|
1519
|
|
- int opsz=0;
|
1520
|
|
- switch(op) {
|
1521
|
|
- case 0x81:
|
1522
|
|
- kzcode+=5;
|
1523
|
|
- kzlen-=5;
|
1524
|
|
- break;
|
1525
|
|
- case 0xb8: case 0xb9: case 0xba: case 0xbb: case 0xbd: case 0xbe: case 0xbf:
|
1526
|
|
- if(*kzstate==KZSGETSIZE && cli_readint32(kzcode)==0x0fd2) {
|
1527
|
|
- kzinitlen = kzlen-5;
|
1528
|
|
- kzdsize=op-0xb8;
|
1529
|
|
- kzstate++;
|
1530
|
|
- op=4; /* fake the register to avoid breaking out */
|
1531
|
|
- cli_dbgmsg("kriz: using #%d as size counter\n", kzdsize);
|
1532
|
|
- }
|
1533
|
|
- opsz=4;
|
1534
|
|
- case 0x48: case 0x49: case 0x4a: case 0x4b: case 0x4d: case 0x4e: case 0x4f:
|
1535
|
|
- op&=7;
|
1536
|
|
- if(op!=kzdptr && op!=kzdsize) {
|
1537
|
|
- kzcode+=opsz;
|
1538
|
|
- kzlen-=opsz;
|
1539
|
|
- break;
|
1540
|
|
- }
|
1541
|
|
- default:
|
1542
|
|
- kzcode--;
|
1543
|
|
- kzlen++;
|
1544
|
|
- kzstate++;
|
1545
|
|
- }
|
1546
|
|
- break;
|
1547
|
|
- }
|
1548
|
|
- case KZSCDELTA:
|
1549
|
|
- if(op==0xe8 && (uint32_t)cli_readint32(kzcode) < 0xff) {
|
1550
|
|
- kzlen-=*kzcode+4;
|
1551
|
|
- kzcode+=*kzcode+4;
|
1552
|
|
- kzstate++;
|
1553
|
|
- } else *kzstate=KZSTOP;
|
1554
|
|
- break;
|
1555
|
|
- case KZSPDELTA:
|
1556
|
|
- if((op&0xf8)==0x58 && (kzdptr=op-0x58)!=4) {
|
1557
|
|
- kzstate++;
|
1558
|
|
- cli_dbgmsg("kriz: using #%d as pointer\n", kzdptr);
|
1559
|
|
- } else *kzstate=KZSTOP;
|
1560
|
|
- break;
|
1561
|
|
- case KZSXORPRFX:
|
1562
|
|
- kzstate++;
|
1563
|
|
- if(op==0x3e) break;
|
1564
|
|
- case KZSXOR:
|
1565
|
|
- if (op==0x80 && *kzcode==kzdptr+0xb0) {
|
1566
|
|
- kzxorlen=kzlen;
|
1567
|
|
- kzcode+=+6;
|
1568
|
|
- kzlen-=+6;
|
1569
|
|
- kzstate++;
|
1570
|
|
- } else *kzstate=KZSTOP;
|
1571
|
|
- break;
|
1572
|
|
- case KZSDDELTA:
|
1573
|
|
- if (op==kzdptr+0x48) kzstate++;
|
1574
|
|
- else *kzstate=KZSTOP;
|
1575
|
|
- break;
|
1576
|
|
- case KZSLOOP:
|
1577
|
|
- if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
|
1578
|
|
- cli_append_virus(ctx,"Heuristics.W32.Kriz");
|
1579
|
|
- if (!SCAN_ALL) {
|
1580
|
|
- free(exe_sections);
|
1581
|
|
- return CL_VIRUS;
|
1582
|
|
- }
|
1583
|
|
- viruses_found++;
|
1584
|
|
- }
|
1585
|
|
- cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");
|
1586
|
|
- kzstate++;
|
1587
|
|
- }
|
1588
|
|
- }
|
|
1505
|
+ enum {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSXORPRFX,KZSXOR,KZSDDELTA,KZSLOOP,KZSTOP};
|
|
1506
|
+ uint8_t kzs[] = {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSTRASH,KZSXORPRFX,KZSXOR,KZSTRASH,KZSDDELTA,KZSTRASH,KZSLOOP,KZSTOP};
|
|
1507
|
+ uint8_t *kzstate = kzs;
|
|
1508
|
+ uint8_t *kzcode = (uint8_t *)epbuff + 3;
|
|
1509
|
+ uint8_t kzdptr=0xff, kzdsize=0xff;
|
|
1510
|
+ int kzlen = 197, kzinitlen=0xffff, kzxorlen=-1;
|
|
1511
|
+ cli_dbgmsg("in kriz\n");
|
|
1512
|
+
|
|
1513
|
+ while(*kzstate!=KZSTOP) {
|
|
1514
|
+ uint8_t op;
|
|
1515
|
+ if(kzlen<=6)
|
|
1516
|
+ break;
|
|
1517
|
+
|
|
1518
|
+ op = *kzcode++;
|
|
1519
|
+ kzlen--;
|
|
1520
|
+
|
|
1521
|
+ switch (*kzstate) {
|
|
1522
|
+ case KZSTRASH:
|
|
1523
|
+ case KZSGETSIZE: {
|
|
1524
|
+ int opsz=0;
|
|
1525
|
+ switch(op) {
|
|
1526
|
+ case 0x81:
|
|
1527
|
+ kzcode+=5;
|
|
1528
|
+ kzlen-=5;
|
|
1529
|
+ break;
|
|
1530
|
+ case 0xb8:
|
|
1531
|
+ case 0xb9:
|
|
1532
|
+ case 0xba:
|
|
1533
|
+ case 0xbb:
|
|
1534
|
+ case 0xbd:
|
|
1535
|
+ case 0xbe:
|
|
1536
|
+ case 0xbf:
|
|
1537
|
+ if(*kzstate==KZSGETSIZE && cli_readint32(kzcode)==0x0fd2) {
|
|
1538
|
+ kzinitlen = kzlen-5;
|
|
1539
|
+ kzdsize=op-0xb8;
|
|
1540
|
+ kzstate++;
|
|
1541
|
+ op=4; /* fake the register to avoid breaking out */
|
|
1542
|
+
|
|
1543
|
+ cli_dbgmsg("kriz: using #%d as size counter\n", kzdsize);
|
|
1544
|
+ }
|
|
1545
|
+ opsz=4;
|
|
1546
|
+ case 0x48:
|
|
1547
|
+ case 0x49:
|
|
1548
|
+ case 0x4a:
|
|
1549
|
+ case 0x4b:
|
|
1550
|
+ case 0x4d:
|
|
1551
|
+ case 0x4e:
|
|
1552
|
+ case 0x4f:
|
|
1553
|
+ op&=7;
|
|
1554
|
+ if(op!=kzdptr && op!=kzdsize) {
|
|
1555
|
+ kzcode+=opsz;
|
|
1556
|
+ kzlen-=opsz;
|
|
1557
|
+ break;
|
|
1558
|
+ }
|
|
1559
|
+ default:
|
|
1560
|
+ kzcode--;
|
|
1561
|
+ kzlen++;
|
|
1562
|
+ kzstate++;
|
|
1563
|
+ }
|
|
1564
|
+
|
|
1565
|
+ break;
|
|
1566
|
+ }
|
|
1567
|
+ case KZSCDELTA:
|
|
1568
|
+ if(op==0xe8 && (uint32_t)cli_readint32(kzcode) < 0xff) {
|
|
1569
|
+ kzlen-=*kzcode+4;
|
|
1570
|
+ kzcode+=*kzcode+4;
|
|
1571
|
+ kzstate++;
|
|
1572
|
+ } else {
|
|
1573
|
+ *kzstate=KZSTOP;
|
|
1574
|
+ }
|
|
1575
|
+
|
|
1576
|
+ break;
|
|
1577
|
+ case KZSPDELTA:
|
|
1578
|
+ if((op&0xf8)==0x58 && (kzdptr=op-0x58)!=4) {
|
|
1579
|
+ kzstate++;
|
|
1580
|
+ cli_dbgmsg("kriz: using #%d as pointer\n", kzdptr);
|
|
1581
|
+ } else {
|
|
1582
|
+ *kzstate=KZSTOP;
|
|
1583
|
+ }
|
|
1584
|
+
|
|
1585
|
+ break;
|
|
1586
|
+ case KZSXORPRFX:
|
|
1587
|
+ kzstate++;
|
|
1588
|
+ if(op==0x3e)
|
|
1589
|
+ break;
|
|
1590
|
+ case KZSXOR:
|
|
1591
|
+ if (op==0x80 && *kzcode==kzdptr+0xb0) {
|
|
1592
|
+ kzxorlen=kzlen;
|
|
1593
|
+ kzcode+=+6;
|
|
1594
|
+ kzlen-=+6;
|
|
1595
|
+ kzstate++;
|
|
1596
|
+ } else {
|
|
1597
|
+ *kzstate=KZSTOP;
|
|
1598
|
+ }
|
|
1599
|
+
|
|
1600
|
+ break;
|
|
1601
|
+ case KZSDDELTA:
|
|
1602
|
+ if (op==kzdptr+0x48)
|
|
1603
|
+ kzstate++;
|
|
1604
|
+ else
|
|
1605
|
+ *kzstate=KZSTOP;
|
|
1606
|
+
|
|
1607
|
+ break;
|
|
1608
|
+ case KZSLOOP:
|
|
1609
|
+ if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
|
|
1610
|
+ cli_append_virus(ctx,"Heuristics.W32.Kriz");
|
|
1611
|
+ if (!SCAN_ALL) {
|
|
1612
|
+ free(exe_sections);
|
|
1613
|
+ return CL_VIRUS;
|
|
1614
|
+ }
|
|
1615
|
+
|
|
1616
|
+ viruses_found++;
|
|
1617
|
+ }
|
|
1618
|
+
|
|
1619
|
+ cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");
|
|
1620
|
+ kzstate++;
|
|
1621
|
+ }
|
|
1622
|
+ }
|
1589
|
1623
|
}
|
1590
|
1624
|
|
1591
|
1625
|
/* W32.Magistr.A/B */
|
1592
|
1626
|
if(SCAN_ALGO && (DCONF & PE_CONF_MAGISTR) && !dll && (nsections>1) && (exe_sections[nsections - 1].chr & 0x80000000)) {
|
1593
|
1627
|
uint32_t rsize, vsize, dam = 0;
|
1594
|
1628
|
|
1595
|
|
- vsize = exe_sections[nsections - 1].uvsz;
|
1596
|
|
- rsize = exe_sections[nsections - 1].rsz;
|
1597
|
|
- if(rsize < exe_sections[nsections - 1].ursz) {
|
1598
|
|
- rsize = exe_sections[nsections - 1].ursz;
|
1599
|
|
- dam = 1;
|
1600
|
|
- }
|
|
1629
|
+ vsize = exe_sections[nsections - 1].uvsz;
|
|
1630
|
+ rsize = exe_sections[nsections - 1].rsz;
|
|
1631
|
+ if(rsize < exe_sections[nsections - 1].ursz) {
|
|
1632
|
+ rsize = exe_sections[nsections - 1].ursz;
|
|
1633
|
+ dam = 1;
|
|
1634
|
+ }
|
1601
|
1635
|
|
1602
|
|
- if(vsize >= 0x612c && rsize >= 0x612c && ((vsize & 0xff) == 0xec)) {
|
1603
|
|
- int bw = rsize < 0x7000 ? rsize : 0x7000;
|
1604
|
|
- const char *tbuff;
|
|
1636
|
+ if(vsize >= 0x612c && rsize >= 0x612c && ((vsize & 0xff) == 0xec)) {
|
|
1637
|
+ int bw = rsize < 0x7000 ? rsize : 0x7000;
|
|
1638
|
+ const char *tbuff;
|
1605
|
1639
|
|
1606
|
|
- if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
1607
|
|
- if(cli_memstr(tbuff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
|
1608
|
|
- cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A");
|
1609
|
|
- if (!SCAN_ALL) {
|
1610
|
|
- free(exe_sections);
|
1611
|
|
- return CL_VIRUS;
|
1612
|
|
- }
|
1613
|
|
- viruses_found++;
|
1614
|
|
- }
|
1615
|
|
- }
|
|
1640
|
+ if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
|
1641
|
+ if(cli_memstr(tbuff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
|
|
1642
|
+ cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A");
|
|
1643
|
+ if (!SCAN_ALL) {
|
|
1644
|
+ free(exe_sections);
|
|
1645
|
+ return CL_VIRUS;
|
|
1646
|
+ }
|
1616
|
1647
|
|
1617
|
|
- } else if(rsize >= 0x7000 && vsize >= 0x7000 && ((vsize & 0xff) == 0xed)) {
|
1618
|
|
- int bw = rsize < 0x8000 ? rsize : 0x8000;
|
1619
|
|
- const char *tbuff;
|
|
1648
|
+ viruses_found++;
|
|
1649
|
+ }
|
|
1650
|
+ }
|
|
1651
|
+ } else if(rsize >= 0x7000 && vsize >= 0x7000 && ((vsize & 0xff) == 0xed)) {
|
|
1652
|
+ int bw = rsize < 0x8000 ? rsize : 0x8000;
|
|
1653
|
+ const char *tbuff;
|
|
1654
|
+
|
|
1655
|
+ if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
|
1656
|
+ if(cli_memstr(tbuff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
|
|
1657
|
+ cli_append_virus(ctx,dam ? "Heuristics.W32.Magistr.B.dam" : "Heuristics.W32.Magistr.B");
|
|
1658
|
+ if (!SCAN_ALL) {
|
|
1659
|
+ free(exe_sections);
|
|
1660
|
+ return CL_VIRUS;
|
|
1661
|
+ }
|
1620
|
1662
|
|
1621
|
|
- if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
1622
|
|
- if(cli_memstr(tbuff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
|
1623
|
|
- cli_append_virus(ctx,dam ? "Heuristics.W32.Magistr.B.dam" : "Heuristics.W32.Magistr.B");
|
1624
|
|
- if (!SCAN_ALL) {
|
1625
|
|
- free(exe_sections);
|
1626
|
|
- return CL_VIRUS;
|
1627
|
|
- }
|
1628
|
|
- viruses_found++;
|
1629
|
|
- }
|
1630
|
|
- }
|
1631
|
|
- }
|
|
1663
|
+ viruses_found++;
|
|
1664
|
+ }
|
|
1665
|
+ }
|
|
1666
|
+ }
|
1632
|
1667
|
}
|
1633
|
1668
|
|
1634
|
1669
|
/* W32.Polipos.A */
|
1635
|
1670
|
while(polipos && !dll && nsections > 2 && nsections < 13 && e_lfanew <= 0x800 && (EC16(optional_hdr32.Subsystem) == 2 || EC16(optional_hdr32.Subsystem) == 3) && EC16(file_hdr.Machine) == 0x14c && optional_hdr32.SizeOfStackReserve >= 0x80000) {
|
1636
|
|
- uint32_t jump, jold, *jumps = NULL;
|
1637
|
|
- const uint8_t *code;
|
1638
|
|
- unsigned int xsjs = 0;
|
1639
|
|
-
|
1640
|
|
- if(exe_sections[0].rsz > CLI_MAX_ALLOCATION) break;
|
1641
|
|
-
|
1642
|
|
- if(!exe_sections[0].rsz) break;
|
1643
|
|
- if(!(code=fmap_need_off_once(map, exe_sections[0].raw, exe_sections[0].rsz))) break;
|
1644
|
|
- for(i=0; i<exe_sections[0].rsz - 5; i++) {
|
1645
|
|
- if((uint8_t)(code[i]-0xe8) > 1) continue;
|
1646
|
|
- jump = cli_rawaddr(exe_sections[0].rva+i+5+cli_readint32(&code[i+1]), exe_sections, nsections, &err, fsize, hdr_size);
|
1647
|
|
- if(err || !CLI_ISCONTAINED(exe_sections[polipos].raw, exe_sections[polipos].rsz, jump, 9)) continue;
|
1648
|
|
- if(xsjs % 128 == 0) {
|
1649
|
|
- if(xsjs == 1280) break;
|
1650
|
|
- if(!(jumps=(uint32_t *)cli_realloc2(jumps, (xsjs+128)*sizeof(uint32_t)))) {
|
1651
|
|
- free(exe_sections);
|
1652
|
|
- return CL_EMEM;
|
1653
|
|
- }
|
1654
|
|
- }
|
1655
|
|
- j=0;
|
1656
|
|
- for(; j<xsjs; j++) {
|
1657
|
|
- if(jumps[j]<jump) continue;
|
1658
|
|
- if(jumps[j]==jump) {
|
1659
|
|
- xsjs--;
|
1660
|
|
- break;
|
1661
|
|
- }
|
1662
|
|
- jold=jumps[j];
|
1663
|
|
- jumps[j]=jump;
|
1664
|
|
- jump=jold;
|
1665
|
|
- }
|
1666
|
|
- jumps[j]=jump;
|
1667
|
|
- xsjs++;
|
1668
|
|
- }
|
1669
|
|
- if(!xsjs) break;
|
1670
|
|
- cli_dbgmsg("Polipos: Checking %d xsect jump(s)\n", xsjs);
|
1671
|
|
- for(i=0;i<xsjs;i++) {
|
1672
|
|
- if(!(code = fmap_need_off_once(map, jumps[i], 9))) continue;
|
1673
|
|
- if((jump=cli_readint32(code))==0x60ec8b55 || (code[4]==0x0ec && ((jump==0x83ec8b55 && code[6]==0x60) || (jump==0x81ec8b55 && !code[7] && !code[8])))) {
|
1674
|
|
- cli_append_virus(ctx,"Heuristics.W32.Polipos.A");
|
1675
|
|
- if (!SCAN_ALL) {
|
1676
|
|
- free(jumps);
|
1677
|
|
- free(exe_sections);
|
1678
|
|
- return CL_VIRUS;
|
1679
|
|
- }
|
1680
|
|
- viruses_found++;
|
1681
|
|
- }
|
1682
|
|
- }
|
1683
|
|
- free(jumps);
|
1684
|
|
- break;
|
|
1671
|
+ uint32_t jump, jold, *jumps = NULL;
|
|
1672
|
+ const uint8_t *code;
|
|
1673
|
+ unsigned int xsjs = 0;
|
|
1674
|
+
|
|
1675
|
+ if(exe_sections[0].rsz > CLI_MAX_ALLOCATION)
|
|
1676
|
+ break;
|
|
1677
|
+ if(!exe_sections[0].rsz)
|
|
1678
|
+ break;
|
|
1679
|
+ if(!(code=fmap_need_off_once(map, exe_sections[0].raw, exe_sections[0].rsz)))
|
|
1680
|
+ break;
|
|
1681
|
+
|
|
1682
|
+ for(i=0; i<exe_sections[0].rsz - 5; i++) {
|
|
1683
|
+ if((uint8_t)(code[i]-0xe8) > 1)
|
|
1684
|
+ continue;
|
|
1685
|
+
|
|
1686
|
+ jump = cli_rawaddr(exe_sections[0].rva+i+5+cli_readint32(&code[i+1]), exe_sections, nsections, &err, fsize, hdr_size);
|
|
1687
|
+ if(err || !CLI_ISCONTAINED(exe_sections[polipos].raw, exe_sections[polipos].rsz, jump, 9))
|
|
1688
|
+ continue;
|
|
1689
|
+
|
|
1690
|
+ if(xsjs % 128 == 0) {
|
|
1691
|
+ if(xsjs == 1280)
|
|
1692
|
+ break;
|
|
1693
|
+
|
|
1694
|
+ if(!(jumps=(uint32_t *)cli_realloc2(jumps, (xsjs+128)*sizeof(uint32_t)))) {
|
|
1695
|
+ free(exe_sections);
|
|
1696
|
+ return CL_EMEM;
|
|
1697
|
+ }
|
|
1698
|
+ }
|
|
1699
|
+
|
|
1700
|
+ j=0;
|
|
1701
|
+ for(; j<xsjs; j++) {
|
|
1702
|
+ if(jumps[j]<jump)
|
|
1703
|
+ continue;
|
|
1704
|
+ if(jumps[j]==jump) {
|
|
1705
|
+ xsjs--;
|
|
1706
|
+ break;
|
|
1707
|
+ }
|
|
1708
|
+
|
|
1709
|
+ jold=jumps[j];
|
|
1710
|
+ jumps[j]=jump;
|
|
1711
|
+ jump=jold;
|
|
1712
|
+ }
|
|
1713
|
+
|
|
1714
|
+ jumps[j]=jump;
|
|
1715
|
+ xsjs++;
|
|
1716
|
+ }
|
|
1717
|
+
|
|
1718
|
+ if(!xsjs)
|
|
1719
|
+ break;
|
|
1720
|
+
|
|
1721
|
+ cli_dbgmsg("Polipos: Checking %d xsect jump(s)\n", xsjs);
|
|
1722
|
+ for(i=0;i<xsjs;i++) {
|
|
1723
|
+ if(!(code = fmap_need_off_once(map, jumps[i], 9)))
|
|
1724
|
+ continue;
|
|
1725
|
+
|
|
1726
|
+ if((jump=cli_readint32(code))==0x60ec8b55 || (code[4]==0x0ec && ((jump==0x83ec8b55 && code[6]==0x60) || (jump==0x81ec8b55 && !code[7] && !code[8])))) {
|
|
1727
|
+ cli_append_virus(ctx,"Heuristics.W32.Polipos.A");
|
|
1728
|
+ if (!SCAN_ALL) {
|
|
1729
|
+ free(jumps);
|
|
1730
|
+ free(exe_sections);
|
|
1731
|
+ return CL_VIRUS;
|
|
1732
|
+ }
|
|
1733
|
+
|
|
1734
|
+ viruses_found++;
|
|
1735
|
+ }
|
|
1736
|
+ }
|
|
1737
|
+
|
|
1738
|
+ free(jumps);
|
|
1739
|
+ break;
|
1685
|
1740
|
}
|
1686
|
1741
|
|
1687
|
1742
|
/* Trojan.Swizzor.Gen */
|
1688
|
1743
|
if (SCAN_ALGO && (DCONF & PE_CONF_SWIZZOR) && nsections > 1 && fsize > 64*1024 && fsize < 4*1024*1024) {
|
1689
|
|
- if(dirs[2].Size) {
|
1690
|
|
- struct swizz_stats *stats = cli_calloc(1, sizeof(*stats));
|
1691
|
|
- unsigned int m = 1000;
|
1692
|
|
- ret = CL_CLEAN;
|
1693
|
|
-
|
1694
|
|
- if (!stats)
|
1695
|
|
- ret = CL_EMEM;
|
1696
|
|
- else {
|
1697
|
|
- cli_parseres_special(EC32(dirs[2].VirtualAddress), EC32(dirs[2].VirtualAddress), map, exe_sections, nsections, fsize, hdr_size, 0, 0, &m, stats);
|
1698
|
|
- if ((ret = cli_detect_swizz(stats)) == CL_VIRUS) {
|
1699
|
|
- cli_append_virus(ctx,"Heuristics.Trojan.Swizzor.Gen");
|
1700
|
|
- }
|
1701
|
|
- free(stats);
|
1702
|
|
- }
|
1703
|
|
- if (ret != CL_CLEAN) {
|
1704
|
|
- if (!(ret == CL_VIRUS && SCAN_ALL)) {
|
1705
|
|
- free(exe_sections);
|
1706
|
|
- return ret;
|
1707
|
|
- }
|
1708
|
|
- viruses_found++;
|
1709
|
|
- }
|
1710
|
|
- }
|
|
1744
|
+ if(dirs[2].Size) {
|
|
1745
|
+ struct swizz_stats *stats = cli_calloc(1, sizeof(*stats));
|
|
1746
|
+ unsigned int m = 1000;
|
|
1747
|
+ ret = CL_CLEAN;
|
|
1748
|
+
|
|
1749
|
+ if (!stats) {
|
|
1750
|
+ ret = CL_EMEM;
|
|
1751
|
+ } else {
|
|
1752
|
+ cli_parseres_special(EC32(dirs[2].VirtualAddress), EC32(dirs[2].VirtualAddress), map, exe_sections, nsections, fsize, hdr_size, 0, 0, &m, stats);
|
|
1753
|
+ if ((ret = cli_detect_swizz(stats)) == CL_VIRUS)
|
|
1754
|
+ cli_append_virus(ctx,"Heuristics.Trojan.Swizzor.Gen");
|
|
1755
|
+
|
|
1756
|
+ free(stats);
|
|
1757
|
+ }
|
|
1758
|
+ if (ret != CL_CLEAN) {
|
|
1759
|
+ if (!(ret == CL_VIRUS && SCAN_ALL)) {
|
|
1760
|
+ free(exe_sections);
|
|
1761
|
+ return ret;
|
|
1762
|
+ }
|
|
1763
|
+
|
|
1764
|
+ viruses_found++;
|
|
1765
|
+ }
|
|
1766
|
+ }
|
1711
|
1767
|
}
|
1712
|
1768
|
|
1713
|
1769
|
|
...
|
...
|
@@ -1721,722 +1797,733 @@ int cli_scanpe(cli_ctx *ctx)
|
1721
|
1721
|
/* try to find the first section with physical size == 0 */
|
1722
|
1722
|
found = 0;
|
1723
|
1723
|
if(DCONF & (PE_CONF_UPX | PE_CONF_FSG | PE_CONF_MEW)) {
|
1724
|
|
- for(i = 0; i < (unsigned int) nsections - 1; i++) {
|
1725
|
|
- if(!exe_sections[i].rsz && exe_sections[i].vsz && exe_sections[i + 1].rsz && exe_sections[i + 1].vsz) {
|
1726
|
|
- found = 1;
|
1727
|
|
- cli_dbgmsg("UPX/FSG/MEW: empty section found - assuming compression\n");
|
|
1724
|
+ for(i = 0; i < (unsigned int) nsections - 1; i++) {
|
|
1725
|
+ if(!exe_sections[i].rsz && exe_sections[i].vsz && exe_sections[i + 1].rsz && exe_sections[i + 1].vsz) {
|
|
1726
|
+ found = 1;
|
|
1727
|
+ cli_dbgmsg("UPX/FSG/MEW: empty section found - assuming compression\n");
|
1728
|
1728
|
#if HAVE_JSON
|
1729
|
|
- cli_jsonbool(pe_json, "HasEmptySection", 1);
|
|
1729
|
+ cli_jsonbool(pe_json, "HasEmptySection", 1);
|
1730
|
1730
|
#endif
|
1731
|
|
- break;
|
1732
|
|
- }
|
1733
|
|
- }
|
|
1731
|
+ break;
|
|
1732
|
+ }
|
|
1733
|
+ }
|
1734
|
1734
|
}
|
1735
|
1735
|
|
1736
|
1736
|
/* MEW support */
|
1737
|
1737
|
if (found && (DCONF & PE_CONF_MEW) && epsize>=16 && epbuff[0]=='\xe9') {
|
1738
|
|
- uint32_t fileoffset;
|
1739
|
|
- const char *tbuff;
|
|
1738
|
+ uint32_t fileoffset;
|
|
1739
|
+ const char *tbuff;
|
1740
|
1740
|
|
1741
|
|
- fileoffset = (vep + cli_readint32(epbuff + 1) + 5);
|
1742
|
|
- while (fileoffset == 0x154 || fileoffset == 0x158) {
|
1743
|
|
- char *src;
|
1744
|
|
- uint32_t offdiff, uselzma;
|
|
1741
|
+ fileoffset = (vep + cli_readint32(epbuff + 1) + 5);
|
|
1742
|
+ while (fileoffset == 0x154 || fileoffset == 0x158) {
|
|
1743
|
+ char *src;
|
|
1744
|
+ uint32_t offdiff, uselzma;
|
1745
|
1745
|
|
1746
|
|
- cli_dbgmsg ("MEW: found MEW characteristics %08X + %08X + 5 = %08X\n",
|
1747
|
|
- cli_readint32(epbuff + 1), vep, cli_readint32(epbuff + 1) + vep + 5);
|
|
1746
|
+ cli_dbgmsg ("MEW: found MEW characteristics %08X + %08X + 5 = %08X\n",
|
|
1747
|
+ cli_readint32(epbuff + 1), vep, cli_readint32(epbuff + 1) + vep + 5);
|
1748
|
1748
|
|
1749
|
|
- if(!(tbuff = fmap_need_off_once(map, fileoffset, 0xb0)))
|
1750
|
|
- break;
|
1751
|
|
- if (fileoffset == 0x154) cli_dbgmsg("MEW: Win9x compatibility was set!\n");
|
1752
|
|
- else cli_dbgmsg("MEW: Win9x compatibility was NOT set!\n");
|
|
1749
|
+ if(!(tbuff = fmap_need_off_once(map, fileoffset, 0xb0)))
|
|
1750
|
+ break;
|
1753
|
1751
|
|
1754
|
|
- if((offdiff = cli_readint32(tbuff+1) - EC32(optional_hdr32.ImageBase)) <= exe_sections[i + 1].rva || offdiff >= exe_sections[i + 1].rva + exe_sections[i + 1].raw - 4) {
|
1755
|
|
- cli_dbgmsg("MEW: ESI is not in proper section\n");
|
1756
|
|
- break;
|
1757
|
|
- }
|
1758
|
|
- offdiff -= exe_sections[i + 1].rva;
|
|
1752
|
+ if (fileoffset == 0x154)
|
|
1753
|
+ cli_dbgmsg("MEW: Win9x compatibility was set!\n");
|
|
1754
|
+ else
|
|
1755
|
+ cli_dbgmsg("MEW: Win9x compatibility was NOT set!\n");
|
1759
|
1756
|
|
1760
|
|
- if(!exe_sections[i + 1].rsz) {
|
1761
|
|
- cli_dbgmsg("MEW: mew section is empty\n");
|
1762
|
|
- break;
|
1763
|
|
- }
|
1764
|
|
- ssize = exe_sections[i + 1].vsz;
|
1765
|
|
- dsize = exe_sections[i].vsz;
|
|
1757
|
+ if((offdiff = cli_readint32(tbuff+1) - EC32(optional_hdr32.ImageBase)) <= exe_sections[i + 1].rva || offdiff >= exe_sections[i + 1].rva + exe_sections[i + 1].raw - 4) {
|
|
1758
|
+ cli_dbgmsg("MEW: ESI is not in proper section\n");
|
|
1759
|
+ break;
|
|
1760
|
+ }
|
1766
|
1761
|
|
1767
|
|
- cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x\n", ssize, dsize, offdiff);
|
|
1762
|
+ offdiff -= exe_sections[i + 1].rva;
|
1768
|
1763
|
|
1769
|
|
- CLI_UNPSIZELIMITS("MEW", MAX(ssize, dsize));
|
1770
|
|
- CLI_UNPSIZELIMITS("MEW", MAX(ssize + dsize, exe_sections[i + 1].rsz));
|
|
1764
|
+ if(!exe_sections[i + 1].rsz) {
|
|
1765
|
+ cli_dbgmsg("MEW: mew section is empty\n");
|
|
1766
|
+ break;
|
|
1767
|
+ }
|
1771
|
1768
|
|
1772
|
|
- if (exe_sections[i + 1].rsz < offdiff + 12 || exe_sections[i + 1].rsz > ssize) {
|
1773
|
|
- cli_dbgmsg("MEW: Size mismatch: %08x\n", exe_sections[i + 1].rsz);
|
1774
|
|
- break;
|
1775
|
|
- }
|
|
1769
|
+ ssize = exe_sections[i + 1].vsz;
|
|
1770
|
+ dsize = exe_sections[i].vsz;
|
1776
|
1771
|
|
1777
|
|
- /* allocate needed buffer */
|
1778
|
|
- if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) {
|
1779
|
|
- free(exe_sections);
|
1780
|
|
- return CL_EMEM;
|
1781
|
|
- }
|
|
1772
|
+ cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x\n", ssize, dsize, offdiff);
|
1782
|
1773
|
|
1783
|
|
- if((bytes = fmap_readn(map, src + dsize, exe_sections[i + 1].raw, exe_sections[i + 1].rsz)) != exe_sections[i + 1].rsz) {
|
1784
|
|
- cli_dbgmsg("MEW: Can't read %d bytes [read: %lu]\n", exe_sections[i + 1].rsz, (unsigned long)bytes);
|
1785
|
|
- free(exe_sections);
|
1786
|
|
- free(src);
|
1787
|
|
- return CL_EREAD;
|
1788
|
|
- }
|
1789
|
|
- cli_dbgmsg("MEW: %u (%08x) bytes read\n", (unsigned int)bytes, (unsigned int)bytes);
|
1790
|
|
-
|
1791
|
|
- /* count offset to lzma proc, if lzma used, 0xe8 -> call */
|
1792
|
|
- if (tbuff[0x7b] == '\xe8') {
|
1793
|
|
- if (!CLI_ISCONTAINED(exe_sections[1].rva, exe_sections[1].vsz, cli_readint32(tbuff + 0x7c) + fileoffset + 0x80, 4)) {
|
1794
|
|
- cli_dbgmsg("MEW: lzma proc out of bounds!\n");
|
1795
|
|
- free(src);
|
1796
|
|
- break; /* to next unpacker in chain */
|
1797
|
|
- }
|
1798
|
|
- uselzma = cli_readint32(tbuff + 0x7c) - (exe_sections[0].rva - fileoffset - 0x80);
|
1799
|
|
- } else {
|
1800
|
|
- uselzma = 0;
|
1801
|
|
- }
|
|
1774
|
+ CLI_UNPSIZELIMITS("MEW", MAX(ssize, dsize));
|
|
1775
|
+ CLI_UNPSIZELIMITS("MEW", MAX(ssize + dsize, exe_sections[i + 1].rsz));
|
|
1776
|
+
|
|
1777
|
+ if (exe_sections[i + 1].rsz < offdiff + 12 || exe_sections[i + 1].rsz > ssize) {
|
|
1778
|
+ cli_dbgmsg("MEW: Size mismatch: %08x\n", exe_sections[i + 1].rsz);
|
|
1779
|
+ break;
|
|
1780
|
+ }
|
|
1781
|
+
|
|
1782
|
+ /* allocate needed buffer */
|
|
1783
|
+ if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) {
|
|
1784
|
+ free(exe_sections);
|
|
1785
|
+ return CL_EMEM;
|
|
1786
|
+ }
|
|
1787
|
+
|
|
1788
|
+ if((bytes = fmap_readn(map, src + dsize, exe_sections[i + 1].raw, exe_sections[i + 1].rsz)) != exe_sections[i + 1].rsz) {
|
|
1789
|
+ cli_dbgmsg("MEW: Can't read %d bytes [read: %lu]\n", exe_sections[i + 1].rsz, (unsigned long)bytes);
|
|
1790
|
+ free(exe_sections);
|
|
1791
|
+ free(src);
|
|
1792
|
+ return CL_EREAD;
|
|
1793
|
+ }
|
|
1794
|
+
|
|
1795
|
+ cli_dbgmsg("MEW: %u (%08x) bytes read\n", (unsigned int)bytes, (unsigned int)bytes);
|
|
1796
|
+
|
|
1797
|
+ /* count offset to lzma proc, if lzma used, 0xe8 -> call */
|
|
1798
|
+ if (tbuff[0x7b] == '\xe8') {
|
|
1799
|
+ if (!CLI_ISCONTAINED(exe_sections[1].rva, exe_sections[1].vsz, cli_readint32(tbuff + 0x7c) + fileoffset + 0x80, 4)) {
|
|
1800
|
+ cli_dbgmsg("MEW: lzma proc out of bounds!\n");
|
|
1801
|
+ free(src);
|
|
1802
|
+ break; /* to next unpacker in chain */
|
|
1803
|
+ }
|
|
1804
|
+
|
|
1805
|
+ uselzma = cli_readint32(tbuff + 0x7c) - (exe_sections[0].rva - fileoffset - 0x80);
|
|
1806
|
+ } else {
|
|
1807
|
+ uselzma = 0;
|
|
1808
|
+ }
|
1802
|
1809
|
|
1803
|
1810
|
#if HAVE_JSON
|
1804
|
|
- cli_jsonstr(pe_json, "Packer", "MEW");
|
|
1811
|
+ cli_jsonstr(pe_json, "Packer", "MEW");
|
1805
|
1812
|
#endif
|
1806
|
1813
|
|
1807
|
|
- CLI_UNPTEMP("MEW",(src,exe_sections,0));
|
1808
|
|
- CLI_UNPRESULTS("MEW",(unmew11(src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, uselzma, ndesc)),1,(src,0));
|
1809
|
|
- break;
|
1810
|
|
- }
|
|
1814
|
+ CLI_UNPTEMP("MEW",(src,exe_sections,0));
|
|
1815
|
+ CLI_UNPRESULTS("MEW",(unmew11(src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, uselzma, ndesc)),1,(src,0));
|
|
1816
|
+ break;
|
|
1817
|
+ }
|
1811
|
1818
|
}
|
1812
|
1819
|
|
1813
|
1820
|
if(epsize<168) {
|
1814
|
|
- free(exe_sections);
|
1815
|
|
- return CL_CLEAN;
|
|
1821
|
+ free(exe_sections);
|
|
1822
|
+ return CL_CLEAN;
|
1816
|
1823
|
}
|
1817
|
1824
|
|
1818
|
1825
|
if (found || upack) {
|
1819
|
|
- /* Check EP for UPX vs. FSG vs. Upack */
|
1820
|
|
-
|
1821
|
|
- /* Upack 0.39 produces 2 types of executables
|
1822
|
|
- * 3 sections: | 2 sections (one empty, I don't chech found if !upack, since it's in OR above):
|
1823
|
|
- * mov esi, value | pusha
|
1824
|
|
- * lodsd | call $+0x9
|
1825
|
|
- * push eax |
|
1826
|
|
- *
|
1827
|
|
- * Upack 1.1/1.2 Beta produces [based on 2 samples (sUx) provided by aCaB]:
|
1828
|
|
- * 2 sections
|
1829
|
|
- * mov esi, value
|
1830
|
|
- * loads
|
1831
|
|
- * mov edi, eax
|
1832
|
|
- *
|
1833
|
|
- * Upack unknown [sample 0297729]
|
1834
|
|
- * 3 sections
|
1835
|
|
- * mov esi, value
|
1836
|
|
- * push [esi]
|
1837
|
|
- * jmp
|
1838
|
|
- *
|
1839
|
|
- */
|
1840
|
|
- /* upack 0.39-3s + sample 0151477*/
|
1841
|
|
- while(((upack && nsections == 3) && /* 3 sections */
|
1842
|
|
- ((
|
1843
|
|
- epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */
|
1844
|
|
- epbuff[5] == '\xad' && epbuff[6] == '\x50' /* lodsd; push eax */
|
1845
|
|
- )
|
1846
|
|
- ||
|
1847
|
|
- /* based on 0297729 sample from aCaB */
|
1848
|
|
- (epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */
|
1849
|
|
- epbuff[5] == '\xff' && epbuff[6] == '\x36' /* push [esi] */
|
1850
|
|
- )
|
1851
|
|
- ))
|
1852
|
|
- ||
|
1853
|
|
- ((!upack && nsections == 2) && /* 2 sections */
|
1854
|
|
- (( /* upack 0.39-2s */
|
1855
|
|
- epbuff[0] == '\x60' && epbuff[1] == '\xe8' && cli_readint32(epbuff+2) == 0x9 /* pusha; call+9 */
|
1856
|
|
- )
|
1857
|
|
- ||
|
1858
|
|
- ( /* upack 1.1/1.2, based on 2 samples */
|
1859
|
|
- epbuff[0] == '\xbe' && cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase) < min && /* mov esi */
|
1860
|
|
- cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > 0 &&
|
1861
|
|
- epbuff[5] == '\xad' && epbuff[6] == '\x8b' && epbuff[7] == '\xf8' /* loads; mov edi, eax */
|
1862
|
|
- )
|
1863
|
|
- ))
|
1864
|
|
- ) {
|
1865
|
|
- uint32_t vma, off;
|
1866
|
|
- int a,b,c;
|
1867
|
|
-
|
1868
|
|
- cli_dbgmsg("Upack characteristics found.\n");
|
1869
|
|
- a = exe_sections[0].vsz;
|
1870
|
|
- b = exe_sections[1].vsz;
|
1871
|
|
- if (upack) {
|
1872
|
|
- cli_dbgmsg("Upack: var set\n");
|
1873
|
|
- c = exe_sections[2].vsz;
|
1874
|
|
- ssize = exe_sections[0].ursz + exe_sections[0].uraw;
|
1875
|
|
- off = exe_sections[0].rva;
|
1876
|
|
- vma = EC32(optional_hdr32.ImageBase) + exe_sections[0].rva;
|
1877
|
|
- } else {
|
1878
|
|
- cli_dbgmsg("Upack: var NOT set\n");
|
1879
|
|
- c = exe_sections[1].rva;
|
1880
|
|
- ssize = exe_sections[1].uraw;
|
1881
|
|
- off = 0;
|
1882
|
|
- vma = exe_sections[1].rva - exe_sections[1].uraw;
|
1883
|
|
- }
|
|
1826
|
+ /* Check EP for UPX vs. FSG vs. Upack */
|
|
1827
|
+
|
|
1828
|
+ /* Upack 0.39 produces 2 types of executables
|
|
1829
|
+ * 3 sections: | 2 sections (one empty, I don't chech found if !upack, since it's in OR above):
|
|
1830
|
+ * mov esi, value | pusha
|
|
1831
|
+ * lodsd | call $+0x9
|
|
1832
|
+ * push eax |
|
|
1833
|
+ *
|
|
1834
|
+ * Upack 1.1/1.2 Beta produces [based on 2 samples (sUx) provided by aCaB]:
|
|
1835
|
+ * 2 sections
|
|
1836
|
+ * mov esi, value
|
|
1837
|
+ * loads
|
|
1838
|
+ * mov edi, eax
|
|
1839
|
+ *
|
|
1840
|
+ * Upack unknown [sample 0297729]
|
|
1841
|
+ * 3 sections
|
|
1842
|
+ * mov esi, value
|
|
1843
|
+ * push [esi]
|
|
1844
|
+ * jmp
|
|
1845
|
+ *
|
|
1846
|
+ */
|
|
1847
|
+ /* upack 0.39-3s + sample 0151477*/
|
|
1848
|
+ while(((upack && nsections == 3) && /* 3 sections */
|
|
1849
|
+ ((
|
|
1850
|
+ epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */
|
|
1851
|
+ epbuff[5] == '\xad' && epbuff[6] == '\x50' /* lodsd; push eax */
|
|
1852
|
+ )
|
|
1853
|
+ ||
|
|
1854
|
+ /* based on 0297729 sample from aCaB */
|
|
1855
|
+ (epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */
|
|
1856
|
+ epbuff[5] == '\xff' && epbuff[6] == '\x36' /* push [esi] */
|
|
1857
|
+ )
|
|
1858
|
+ ))
|
|
1859
|
+ ||
|
|
1860
|
+ ((!upack && nsections == 2) && /* 2 sections */
|
|
1861
|
+ (( /* upack 0.39-2s */
|
|
1862
|
+ epbuff[0] == '\x60' && epbuff[1] == '\xe8' && cli_readint32(epbuff+2) == 0x9 /* pusha; call+9 */
|
|
1863
|
+ )
|
|
1864
|
+ ||
|
|
1865
|
+ ( /* upack 1.1/1.2, based on 2 samples */
|
|
1866
|
+ epbuff[0] == '\xbe' && cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase) < min && /* mov esi */
|
|
1867
|
+ cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > 0 &&
|
|
1868
|
+ epbuff[5] == '\xad' && epbuff[6] == '\x8b' && epbuff[7] == '\xf8' /* loads; mov edi, eax */
|
|
1869
|
+ )
|
|
1870
|
+ ))
|
|
1871
|
+ ) {
|
|
1872
|
+ uint32_t vma, off;
|
|
1873
|
+ int a,b,c;
|
|
1874
|
+
|
|
1875
|
+ cli_dbgmsg("Upack characteristics found.\n");
|
|
1876
|
+ a = exe_sections[0].vsz;
|
|
1877
|
+ b = exe_sections[1].vsz;
|
|
1878
|
+ if (upack) {
|
|
1879
|
+ cli_dbgmsg("Upack: var set\n");
|
|
1880
|
+
|
|
1881
|
+ c = exe_sections[2].vsz;
|
|
1882
|
+ ssize = exe_sections[0].ursz + exe_sections[0].uraw;
|
|
1883
|
+ off = exe_sections[0].rva;
|
|
1884
|
+ vma = EC32(optional_hdr32.ImageBase) + exe_sections[0].rva;
|
|
1885
|
+ } else {
|
|
1886
|
+ cli_dbgmsg("Upack: var NOT set\n");
|
|
1887
|
+ c = exe_sections[1].rva;
|
|
1888
|
+ ssize = exe_sections[1].uraw;
|
|
1889
|
+ off = 0;
|
|
1890
|
+ vma = exe_sections[1].rva - exe_sections[1].uraw;
|
|
1891
|
+ }
|
1884
|
1892
|
|
1885
|
|
- dsize = a+b+c;
|
|
1893
|
+ dsize = a+b+c;
|
1886
|
1894
|
|
1887
|
|
- CLI_UNPSIZELIMITS("Upack", MAX(MAX(dsize, ssize), exe_sections[1].ursz));
|
|
1895
|
+ CLI_UNPSIZELIMITS("Upack", MAX(MAX(dsize, ssize), exe_sections[1].ursz));
|
1888
|
1896
|
|
1889
|
|
- if (!CLI_ISCONTAINED(0, dsize, exe_sections[1].rva - off, exe_sections[1].ursz) || (upack && !CLI_ISCONTAINED(0, dsize, exe_sections[2].rva - exe_sections[0].rva, ssize)) || ssize > dsize) {
|
1890
|
|
- cli_dbgmsg("Upack: probably malformed pe-header, skipping to next unpacker\n");
|
1891
|
|
- break;
|
1892
|
|
- }
|
1893
|
|
-
|
1894
|
|
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
1895
|
|
- free(exe_sections);
|
1896
|
|
- return CL_EMEM;
|
1897
|
|
- }
|
|
1897
|
+ if (!CLI_ISCONTAINED(0, dsize, exe_sections[1].rva - off, exe_sections[1].ursz) || (upack && !CLI_ISCONTAINED(0, dsize, exe_sections[2].rva - exe_sections[0].rva, ssize)) || ssize > dsize) {
|
|
1898
|
+ cli_dbgmsg("Upack: probably malformed pe-header, skipping to next unpacker\n");
|
|
1899
|
+ break;
|
|
1900
|
+ }
|
|
1901
|
+
|
|
1902
|
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
1903
|
+ free(exe_sections);
|
|
1904
|
+ return CL_EMEM;
|
|
1905
|
+ }
|
1898
|
1906
|
|
1899
|
|
- if((unsigned int)fmap_readn(map, dest, 0, ssize) != ssize) {
|
1900
|
|
- cli_dbgmsg("Upack: Can't read raw data of section 0\n");
|
1901
|
|
- free(dest);
|
1902
|
|
- break;
|
1903
|
|
- }
|
|
1907
|
+ if((unsigned int)fmap_readn(map, dest, 0, ssize) != ssize) {
|
|
1908
|
+ cli_dbgmsg("Upack: Can't read raw data of section 0\n");
|
|
1909
|
+ free(dest);
|
|
1910
|
+ break;
|
|
1911
|
+ }
|
1904
|
1912
|
|
1905
|
|
- if(upack) memmove(dest + exe_sections[2].rva - exe_sections[0].rva, dest, ssize);
|
|
1913
|
+ if(upack)
|
|
1914
|
+ memmove(dest + exe_sections[2].rva - exe_sections[0].rva, dest, ssize);
|
1906
|
1915
|
|
1907
|
|
- if((unsigned int)fmap_readn(map, dest + exe_sections[1].rva - off, exe_sections[1].uraw, exe_sections[1].ursz) != exe_sections[1].ursz) {
|
1908
|
|
- cli_dbgmsg("Upack: Can't read raw data of section 1\n");
|
1909
|
|
- free(dest);
|
1910
|
|
- break;
|
1911
|
|
- }
|
|
1916
|
+ if((unsigned int)fmap_readn(map, dest + exe_sections[1].rva - off, exe_sections[1].uraw, exe_sections[1].ursz) != exe_sections[1].ursz) {
|
|
1917
|
+ cli_dbgmsg("Upack: Can't read raw data of section 1\n");
|
|
1918
|
+ free(dest);
|
|
1919
|
+ break;
|
|
1920
|
+ }
|
1912
|
1921
|
|
1913
|
1922
|
#if HAVE_JSON
|
1914
|
|
- cli_jsonstr(pe_json, "Packer", "Upack");
|
|
1923
|
+ cli_jsonstr(pe_json, "Packer", "Upack");
|
1915
|
1924
|
#endif
|
1916
|
1925
|
|
1917
|
|
- CLI_UNPTEMP("Upack",(dest,exe_sections,0));
|
1918
|
|
- CLI_UNPRESULTS("Upack",(unupack(upack, dest, dsize, epbuff, vma, ep, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, ndesc)),1,(dest,0));
|
1919
|
|
- break;
|
1920
|
|
- }
|
1921
|
|
- }
|
|
1926
|
+ CLI_UNPTEMP("Upack",(dest,exe_sections,0));
|
|
1927
|
+ CLI_UNPRESULTS("Upack",(unupack(upack, dest, dsize, epbuff, vma, ep, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, ndesc)),1,(dest,0));
|
1922
|
1928
|
|
|
1929
|
+ break;
|
|
1930
|
+ }
|
|
1931
|
+ }
|
1923
|
1932
|
|
1924
|
1933
|
while(found && (DCONF & PE_CONF_FSG) && epbuff[0] == '\x87' && epbuff[1] == '\x25') {
|
1925
|
|
- const char *dst;
|
1926
|
|
-
|
1927
|
|
- /* FSG v2.0 support - thanks to aCaB ! */
|
|
1934
|
+ const char *dst;
|
|
1935
|
+ uint32_t newesi, newedi, newebx, newedx;
|
1928
|
1936
|
|
1929
|
|
- uint32_t newesi, newedi, newebx, newedx;
|
1930
|
|
-
|
1931
|
|
- ssize = exe_sections[i + 1].rsz;
|
1932
|
|
- dsize = exe_sections[i].vsz;
|
|
1937
|
+ /* FSG v2.0 support - thanks to aCaB ! */
|
|
1938
|
+
|
|
1939
|
+ ssize = exe_sections[i + 1].rsz;
|
|
1940
|
+ dsize = exe_sections[i].vsz;
|
1933
|
1941
|
|
1934
|
|
- CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
|
1942
|
+ CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
1935
|
1943
|
|
1936
|
|
- if(ssize <= 0x19 || dsize <= ssize) {
|
1937
|
|
- cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
1938
|
|
- free(exe_sections);
|
1939
|
|
- return CL_CLEAN;
|
1940
|
|
- }
|
1941
|
|
-
|
1942
|
|
- newedx = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase);
|
1943
|
|
- if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
|
1944
|
|
- cli_dbgmsg("FSG: xchg out of bounds (%x), giving up\n", newedx);
|
1945
|
|
- break;
|
1946
|
|
- }
|
1947
|
|
-
|
1948
|
|
- if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
1949
|
|
- cli_dbgmsg("Can't read raw data of section %d\n", i + 1);
|
1950
|
|
- free(exe_sections);
|
1951
|
|
- return CL_ESEEK;
|
1952
|
|
- }
|
|
1944
|
+ if(ssize <= 0x19 || dsize <= ssize) {
|
|
1945
|
+ cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
1946
|
+ free(exe_sections);
|
|
1947
|
+ return CL_CLEAN;
|
|
1948
|
+ }
|
|
1949
|
+
|
|
1950
|
+ newedx = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase);
|
|
1951
|
+ if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
|
|
1952
|
+ cli_dbgmsg("FSG: xchg out of bounds (%x), giving up\n", newedx);
|
|
1953
|
+ break;
|
|
1954
|
+ }
|
|
1955
|
+
|
|
1956
|
+ if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
1957
|
+ cli_dbgmsg("Can't read raw data of section %d\n", i + 1);
|
|
1958
|
+ free(exe_sections);
|
|
1959
|
+ return CL_ESEEK;
|
|
1960
|
+ }
|
1953
|
1961
|
|
1954
|
|
- dst = src + newedx - exe_sections[i + 1].rva;
|
1955
|
|
- if(newedx < exe_sections[i + 1].rva || !CLI_ISCONTAINED(src, ssize, dst, 4)) {
|
1956
|
|
- cli_dbgmsg("FSG: New ESP out of bounds\n");
|
1957
|
|
- break;
|
1958
|
|
- }
|
|
1962
|
+ dst = src + newedx - exe_sections[i + 1].rva;
|
|
1963
|
+ if(newedx < exe_sections[i + 1].rva || !CLI_ISCONTAINED(src, ssize, dst, 4)) {
|
|
1964
|
+ cli_dbgmsg("FSG: New ESP out of bounds\n");
|
|
1965
|
+ break;
|
|
1966
|
+ }
|
1959
|
1967
|
|
1960
|
|
- newedx = cli_readint32(dst) - EC32(optional_hdr32.ImageBase);
|
1961
|
|
- if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
|
1962
|
|
- cli_dbgmsg("FSG: New ESP (%x) is wrong\n", newedx);
|
1963
|
|
- break;
|
1964
|
|
- }
|
1965
|
|
-
|
1966
|
|
- dst = src + newedx - exe_sections[i + 1].rva;
|
1967
|
|
- if(!CLI_ISCONTAINED(src, ssize, dst, 32)) {
|
1968
|
|
- cli_dbgmsg("FSG: New stack out of bounds\n");
|
1969
|
|
- break;
|
1970
|
|
- }
|
|
1968
|
+ newedx = cli_readint32(dst) - EC32(optional_hdr32.ImageBase);
|
|
1969
|
+ if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
|
|
1970
|
+ cli_dbgmsg("FSG: New ESP (%x) is wrong\n", newedx);
|
|
1971
|
+ break;
|
|
1972
|
+ }
|
|
1973
|
+
|
|
1974
|
+ dst = src + newedx - exe_sections[i + 1].rva;
|
|
1975
|
+ if(!CLI_ISCONTAINED(src, ssize, dst, 32)) {
|
|
1976
|
+ cli_dbgmsg("FSG: New stack out of bounds\n");
|
|
1977
|
+ break;
|
|
1978
|
+ }
|
1971
|
1979
|
|
1972
|
|
- newedi = cli_readint32(dst) - EC32(optional_hdr32.ImageBase);
|
1973
|
|
- newesi = cli_readint32(dst + 4) - EC32(optional_hdr32.ImageBase);
|
1974
|
|
- newebx = cli_readint32(dst + 16) - EC32(optional_hdr32.ImageBase);
|
1975
|
|
- newedx = cli_readint32(dst + 20);
|
|
1980
|
+ newedi = cli_readint32(dst) - EC32(optional_hdr32.ImageBase);
|
|
1981
|
+ newesi = cli_readint32(dst + 4) - EC32(optional_hdr32.ImageBase);
|
|
1982
|
+ newebx = cli_readint32(dst + 16) - EC32(optional_hdr32.ImageBase);
|
|
1983
|
+ newedx = cli_readint32(dst + 20);
|
1976
|
1984
|
|
1977
|
|
- if(newedi != exe_sections[i].rva) {
|
1978
|
|
- cli_dbgmsg("FSG: Bad destination buffer (edi is %x should be %x)\n", newedi, exe_sections[i].rva);
|
1979
|
|
- break;
|
1980
|
|
- }
|
|
1985
|
+ if(newedi != exe_sections[i].rva) {
|
|
1986
|
+ cli_dbgmsg("FSG: Bad destination buffer (edi is %x should be %x)\n", newedi, exe_sections[i].rva);
|
|
1987
|
+ break;
|
|
1988
|
+ }
|
1981
|
1989
|
|
1982
|
|
- if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
|
1983
|
|
- cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
1984
|
|
- break;
|
1985
|
|
- }
|
|
1990
|
+ if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
|
|
1991
|
+ cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
|
1992
|
+ break;
|
|
1993
|
+ }
|
1986
|
1994
|
|
1987
|
|
- if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newebx, 16)) {
|
1988
|
|
- cli_dbgmsg("FSG: Array of functions out of bounds\n");
|
1989
|
|
- break;
|
1990
|
|
- }
|
|
1995
|
+ if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newebx, 16)) {
|
|
1996
|
+ cli_dbgmsg("FSG: Array of functions out of bounds\n");
|
|
1997
|
+ break;
|
|
1998
|
+ }
|
1991
|
1999
|
|
1992
|
|
- newedx=cli_readint32(newebx + 12 - exe_sections[i + 1].rva + src) - EC32(optional_hdr32.ImageBase);
|
1993
|
|
- cli_dbgmsg("FSG: found old EP @%x\n",newedx);
|
|
2000
|
+ newedx=cli_readint32(newebx + 12 - exe_sections[i + 1].rva + src) - EC32(optional_hdr32.ImageBase);
|
|
2001
|
+ cli_dbgmsg("FSG: found old EP @%x\n",newedx);
|
1994
|
2002
|
|
1995
|
|
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
1996
|
|
- free(exe_sections);
|
1997
|
|
- return CL_EMEM;
|
1998
|
|
- }
|
|
2003
|
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
2004
|
+ free(exe_sections);
|
|
2005
|
+ return CL_EMEM;
|
|
2006
|
+ }
|
1999
|
2007
|
|
2000
|
2008
|
#if HAVE_JSON
|
2001
|
|
- cli_jsonstr(pe_json, "Packer", "FSG");
|
|
2009
|
+ cli_jsonstr(pe_json, "Packer", "FSG");
|
2002
|
2010
|
#endif
|
2003
|
2011
|
|
2004
|
|
- CLI_UNPTEMP("FSG",(dest,exe_sections,0));
|
2005
|
|
- CLI_UNPRESULTSFSG2("FSG",(unfsg_200(newesi - exe_sections[i + 1].rva + src, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, newedi, EC32(optional_hdr32.ImageBase), newedx, ndesc)),1,(dest,0));
|
2006
|
|
- break;
|
|
2012
|
+ CLI_UNPTEMP("FSG",(dest,exe_sections,0));
|
|
2013
|
+ CLI_UNPRESULTSFSG2("FSG",(unfsg_200(newesi - exe_sections[i + 1].rva + src, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, newedi, EC32(optional_hdr32.ImageBase), newedx, ndesc)),1,(dest,0));
|
|
2014
|
+ break;
|
2007
|
2015
|
}
|
2008
|
2016
|
|
2009
|
2017
|
|
2010
|
2018
|
while(found && (DCONF & PE_CONF_FSG) && epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) < min) {
|
|
2019
|
+ int sectcnt = 0;
|
|
2020
|
+ const char *support;
|
|
2021
|
+ uint32_t newesi, newedi, oldep, gp, t;
|
|
2022
|
+ struct cli_exe_section *sections;
|
2011
|
2023
|
|
2012
|
|
- /* FSG support - v. 1.33 (thx trog for the many samples) */
|
2013
|
|
-
|
2014
|
|
- int sectcnt = 0;
|
2015
|
|
- const char *support;
|
2016
|
|
- uint32_t newesi, newedi, oldep, gp, t;
|
2017
|
|
- struct cli_exe_section *sections;
|
|
2024
|
+ /* FSG support - v. 1.33 (thx trog for the many samples) */
|
2018
|
2025
|
|
2019
|
|
- ssize = exe_sections[i + 1].rsz;
|
2020
|
|
- dsize = exe_sections[i].vsz;
|
|
2026
|
+ ssize = exe_sections[i + 1].rsz;
|
|
2027
|
+ dsize = exe_sections[i].vsz;
|
2021
|
2028
|
|
2022
|
|
- CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
|
2029
|
+ CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
2023
|
2030
|
|
2024
|
|
- if(ssize <= 0x19 || dsize <= ssize) {
|
2025
|
|
- cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
2026
|
|
- free(exe_sections);
|
2027
|
|
- return CL_CLEAN;
|
2028
|
|
- }
|
|
2031
|
+ if(ssize <= 0x19 || dsize <= ssize) {
|
|
2032
|
+ cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
2033
|
+ free(exe_sections);
|
|
2034
|
+ return CL_CLEAN;
|
|
2035
|
+ }
|
2029
|
2036
|
|
2030
|
|
- if(!(t = cli_rawaddr(cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size)) && err ) {
|
2031
|
|
- cli_dbgmsg("FSG: Support data out of padding area\n");
|
2032
|
|
- break;
|
2033
|
|
- }
|
|
2037
|
+ if(!(t = cli_rawaddr(cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size)) && err ) {
|
|
2038
|
+ cli_dbgmsg("FSG: Support data out of padding area\n");
|
|
2039
|
+ break;
|
|
2040
|
+ }
|
2034
|
2041
|
|
2035
|
|
- gp = exe_sections[i + 1].raw - t;
|
|
2042
|
+ gp = exe_sections[i + 1].raw - t;
|
2036
|
2043
|
|
2037
|
|
- CLI_UNPSIZELIMITS("FSG", gp);
|
|
2044
|
+ CLI_UNPSIZELIMITS("FSG", gp);
|
2038
|
2045
|
|
2039
|
|
- if(!(support = fmap_need_off_once(map, t, gp))) {
|
2040
|
|
- cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
|
2041
|
|
- free(exe_sections);
|
2042
|
|
- return CL_EREAD;
|
2043
|
|
- }
|
|
2046
|
+ if(!(support = fmap_need_off_once(map, t, gp))) {
|
|
2047
|
+ cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
|
|
2048
|
+ free(exe_sections);
|
|
2049
|
+ return CL_EREAD;
|
|
2050
|
+ }
|
2044
|
2051
|
|
2045
|
|
- /* newebx = cli_readint32(support) - EC32(optional_hdr32.ImageBase); Unused */
|
2046
|
|
- newedi = cli_readint32(support + 4) - EC32(optional_hdr32.ImageBase); /* 1st dest */
|
2047
|
|
- newesi = cli_readint32(support + 8) - EC32(optional_hdr32.ImageBase); /* Source */
|
|
2052
|
+ /* newebx = cli_readint32(support) - EC32(optional_hdr32.ImageBase); Unused */
|
|
2053
|
+ newedi = cli_readint32(support + 4) - EC32(optional_hdr32.ImageBase); /* 1st dest */
|
|
2054
|
+ newesi = cli_readint32(support + 8) - EC32(optional_hdr32.ImageBase); /* Source */
|
2048
|
2055
|
|
2049
|
|
- if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
|
2050
|
|
- cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
2051
|
|
- break;
|
2052
|
|
- }
|
|
2056
|
+ if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
|
|
2057
|
+ cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
|
2058
|
+ break;
|
|
2059
|
+ }
|
2053
|
2060
|
|
2054
|
|
- if(newedi != exe_sections[i].rva) {
|
2055
|
|
- cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, exe_sections[i].rva);
|
2056
|
|
- break;
|
2057
|
|
- }
|
|
2061
|
+ if(newedi != exe_sections[i].rva) {
|
|
2062
|
+ cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, exe_sections[i].rva);
|
|
2063
|
+ break;
|
|
2064
|
+ }
|
2058
|
2065
|
|
2059
|
|
- /* Counting original sections */
|
2060
|
|
- for(t = 12; t < gp - 4; t += 4) {
|
2061
|
|
- uint32_t rva = cli_readint32(support+t);
|
|
2066
|
+ /* Counting original sections */
|
|
2067
|
+ for(t = 12; t < gp - 4; t += 4) {
|
|
2068
|
+ uint32_t rva = cli_readint32(support+t);
|
2062
|
2069
|
|
2063
|
|
- if(!rva)
|
2064
|
|
- break;
|
|
2070
|
+ if(!rva)
|
|
2071
|
+ break;
|
2065
|
2072
|
|
2066
|
|
- rva -= EC32(optional_hdr32.ImageBase)+1;
|
2067
|
|
- sectcnt++;
|
|
2073
|
+ rva -= EC32(optional_hdr32.ImageBase)+1;
|
|
2074
|
+ sectcnt++;
|
2068
|
2075
|
|
2069
|
|
- if(rva % 0x1000) cli_dbgmsg("FSG: Original section %d is misaligned\n", sectcnt);
|
|
2076
|
+ if(rva % 0x1000)
|
|
2077
|
+ cli_dbgmsg("FSG: Original section %d is misaligned\n", sectcnt);
|
2070
|
2078
|
|
2071
|
|
- if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
|
2072
|
|
- cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
|
2073
|
|
- break;
|
2074
|
|
- }
|
2075
|
|
- }
|
|
2079
|
+ if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
|
|
2080
|
+ cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
|
|
2081
|
+ break;
|
|
2082
|
+ }
|
|
2083
|
+ }
|
2076
|
2084
|
|
2077
|
|
- if(t >= gp - 4 || cli_readint32(support + t)) {
|
2078
|
|
- break;
|
2079
|
|
- }
|
|
2085
|
+ if(t >= gp - 4 || cli_readint32(support + t)) {
|
|
2086
|
+ break;
|
|
2087
|
+ }
|
2080
|
2088
|
|
2081
|
|
- if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
|
2082
|
|
- cli_errmsg("FSG: Unable to allocate memory for sections %lu\n", (sectcnt + 1) * sizeof(struct cli_exe_section));
|
2083
|
|
- free(exe_sections);
|
2084
|
|
- return CL_EMEM;
|
2085
|
|
- }
|
|
2089
|
+ if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
|
|
2090
|
+ cli_errmsg("FSG: Unable to allocate memory for sections %lu\n", (sectcnt + 1) * sizeof(struct cli_exe_section));
|
|
2091
|
+ free(exe_sections);
|
|
2092
|
+ return CL_EMEM;
|
|
2093
|
+ }
|
2086
|
2094
|
|
2087
|
|
- sections[0].rva = newedi;
|
2088
|
|
- for(t = 1; t <= (uint32_t)sectcnt; t++)
|
2089
|
|
- sections[t].rva = cli_readint32(support + 8 + t * 4) - 1 - EC32(optional_hdr32.ImageBase);
|
|
2095
|
+ sections[0].rva = newedi;
|
|
2096
|
+ for(t = 1; t <= (uint32_t)sectcnt; t++)
|
|
2097
|
+ sections[t].rva = cli_readint32(support + 8 + t * 4) - 1 - EC32(optional_hdr32.ImageBase);
|
2090
|
2098
|
|
2091
|
|
- if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
2092
|
|
- cli_dbgmsg("Can't read raw data of section %d\n", i);
|
2093
|
|
- free(exe_sections);
|
2094
|
|
- free(sections);
|
2095
|
|
- return CL_EREAD;
|
2096
|
|
- }
|
|
2099
|
+ if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
2100
|
+ cli_dbgmsg("Can't read raw data of section %d\n", i);
|
|
2101
|
+ free(exe_sections);
|
|
2102
|
+ free(sections);
|
|
2103
|
+ return CL_EREAD;
|
|
2104
|
+ }
|
2097
|
2105
|
|
2098
|
|
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
2099
|
|
- free(exe_sections);
|
2100
|
|
- free(sections);
|
2101
|
|
- return CL_EMEM;
|
2102
|
|
- }
|
|
2106
|
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
2107
|
+ free(exe_sections);
|
|
2108
|
+ free(sections);
|
|
2109
|
+ return CL_EMEM;
|
|
2110
|
+ }
|
2103
|
2111
|
|
2104
|
|
- oldep = vep + 161 + 6 + cli_readint32(epbuff+163);
|
2105
|
|
- cli_dbgmsg("FSG: found old EP @%x\n", oldep);
|
|
2112
|
+ oldep = vep + 161 + 6 + cli_readint32(epbuff+163);
|
|
2113
|
+ cli_dbgmsg("FSG: found old EP @%x\n", oldep);
|
2106
|
2114
|
|
2107
|
2115
|
#if HAVE_JSON
|
2108
|
|
- cli_jsonstr(pe_json, "Packer", "FSG");
|
|
2116
|
+ cli_jsonstr(pe_json, "Packer", "FSG");
|
2109
|
2117
|
#endif
|
2110
|
2118
|
|
2111
|
|
- CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));
|
2112
|
|
- CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));
|
2113
|
|
- break; /* were done with 1.33 */
|
|
2119
|
+ CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));
|
|
2120
|
+ CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));
|
|
2121
|
+ break; /* were done with 1.33 */
|
2114
|
2122
|
}
|
2115
|
2123
|
|
2116
|
|
-
|
2117
|
2124
|
while(found && (DCONF & PE_CONF_FSG) && epbuff[0] == '\xbb' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) < min && epbuff[5] == '\xbf' && epbuff[10] == '\xbe' && vep >= exe_sections[i + 1].rva && vep - exe_sections[i + 1].rva > exe_sections[i + 1].rva - 0xe0 ) {
|
|
2125
|
+ int sectcnt = 0;
|
|
2126
|
+ uint32_t gp, t = cli_rawaddr(cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size);
|
|
2127
|
+ const char *support;
|
|
2128
|
+ uint32_t newesi = cli_readint32(epbuff+11) - EC32(optional_hdr32.ImageBase);
|
|
2129
|
+ uint32_t newedi = cli_readint32(epbuff+6) - EC32(optional_hdr32.ImageBase);
|
|
2130
|
+ uint32_t oldep = vep - exe_sections[i + 1].rva;
|
|
2131
|
+ struct cli_exe_section *sections;
|
2118
|
2132
|
|
2119
|
|
- /* FSG support - v. 1.31 */
|
2120
|
|
-
|
2121
|
|
- int sectcnt = 0;
|
2122
|
|
- uint32_t gp, t = cli_rawaddr(cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size);
|
2123
|
|
- const char *support;
|
2124
|
|
- uint32_t newesi = cli_readint32(epbuff+11) - EC32(optional_hdr32.ImageBase);
|
2125
|
|
- uint32_t newedi = cli_readint32(epbuff+6) - EC32(optional_hdr32.ImageBase);
|
2126
|
|
- uint32_t oldep = vep - exe_sections[i + 1].rva;
|
2127
|
|
- struct cli_exe_section *sections;
|
|
2133
|
+ /* FSG support - v. 1.31 */
|
2128
|
2134
|
|
2129
|
|
- ssize = exe_sections[i + 1].rsz;
|
2130
|
|
- dsize = exe_sections[i].vsz;
|
|
2135
|
+ ssize = exe_sections[i + 1].rsz;
|
|
2136
|
+ dsize = exe_sections[i].vsz;
|
2131
|
2137
|
|
2132
|
|
- if(err) {
|
2133
|
|
- cli_dbgmsg("FSG: Support data out of padding area\n");
|
2134
|
|
- break;
|
2135
|
|
- }
|
|
2138
|
+ if(err) {
|
|
2139
|
+ cli_dbgmsg("FSG: Support data out of padding area\n");
|
|
2140
|
+ break;
|
|
2141
|
+ }
|
2136
|
2142
|
|
2137
|
|
- if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].raw) {
|
2138
|
|
- cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
2139
|
|
- break;
|
2140
|
|
- }
|
|
2143
|
+ if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].raw) {
|
|
2144
|
+ cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
|
2145
|
+ break;
|
|
2146
|
+ }
|
2141
|
2147
|
|
2142
|
|
- if(newedi != exe_sections[i].rva) {
|
2143
|
|
- cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, exe_sections[i].rva);
|
2144
|
|
- break;
|
2145
|
|
- }
|
|
2148
|
+ if(newedi != exe_sections[i].rva) {
|
|
2149
|
+ cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, exe_sections[i].rva);
|
|
2150
|
+ break;
|
|
2151
|
+ }
|
2146
|
2152
|
|
2147
|
|
- CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
|
2153
|
+ CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
2148
|
2154
|
|
2149
|
|
- if(ssize <= 0x19 || dsize <= ssize) {
|
2150
|
|
- cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
2151
|
|
- free(exe_sections);
|
2152
|
|
- return CL_CLEAN;
|
2153
|
|
- }
|
|
2155
|
+ if(ssize <= 0x19 || dsize <= ssize) {
|
|
2156
|
+ cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
2157
|
+ free(exe_sections);
|
|
2158
|
+ return CL_CLEAN;
|
|
2159
|
+ }
|
2154
|
2160
|
|
2155
|
|
- gp = exe_sections[i + 1].raw - t;
|
|
2161
|
+ gp = exe_sections[i + 1].raw - t;
|
2156
|
2162
|
|
2157
|
|
- CLI_UNPSIZELIMITS("FSG", gp)
|
|
2163
|
+ CLI_UNPSIZELIMITS("FSG", gp)
|
2158
|
2164
|
|
2159
|
|
- if(!(support = fmap_need_off_once(map, t, gp))) {
|
2160
|
|
- cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
|
2161
|
|
- free(exe_sections);
|
2162
|
|
- return CL_EREAD;
|
2163
|
|
- }
|
|
2165
|
+ if(!(support = fmap_need_off_once(map, t, gp))) {
|
|
2166
|
+ cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
|
|
2167
|
+ free(exe_sections);
|
|
2168
|
+ return CL_EREAD;
|
|
2169
|
+ }
|
2164
|
2170
|
|
2165
|
|
- /* Counting original sections */
|
2166
|
|
- for(t = 0; t < gp - 2; t += 2) {
|
2167
|
|
- uint32_t rva = support[t]|(support[t+1]<<8);
|
|
2171
|
+ /* Counting original sections */
|
|
2172
|
+ for(t = 0; t < gp - 2; t += 2) {
|
|
2173
|
+ uint32_t rva = support[t]|(support[t+1]<<8);
|
2168
|
2174
|
|
2169
|
|
- if (rva == 2 || rva == 1)
|
2170
|
|
- break;
|
|
2175
|
+ if (rva == 2 || rva == 1)
|
|
2176
|
+ break;
|
2171
|
2177
|
|
2172
|
|
- rva = ((rva-2)<<12) - EC32(optional_hdr32.ImageBase);
|
2173
|
|
- sectcnt++;
|
|
2178
|
+ rva = ((rva-2)<<12) - EC32(optional_hdr32.ImageBase);
|
|
2179
|
+ sectcnt++;
|
2174
|
2180
|
|
2175
|
|
- if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
|
2176
|
|
- cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
|
2177
|
|
- break;
|
2178
|
|
- }
|
2179
|
|
- }
|
|
2181
|
+ if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
|
|
2182
|
+ cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
|
|
2183
|
+ break;
|
|
2184
|
+ }
|
|
2185
|
+ }
|
2180
|
2186
|
|
2181
|
|
- if(t >= gp-10 || cli_readint32(support + t + 6) != 2) {
|
2182
|
|
- break;
|
2183
|
|
- }
|
|
2187
|
+ if(t >= gp-10 || cli_readint32(support + t + 6) != 2)
|
|
2188
|
+ break;
|
2184
|
2189
|
|
2185
|
|
- if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
|
2186
|
|
- cli_errmsg("FSG: Unable to allocate memory for sections %lu\n", (sectcnt + 1) * sizeof(struct cli_exe_section));
|
2187
|
|
- free(exe_sections);
|
2188
|
|
- return CL_EMEM;
|
2189
|
|
- }
|
|
2190
|
+ if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
|
|
2191
|
+ cli_errmsg("FSG: Unable to allocate memory for sections %lu\n", (sectcnt + 1) * sizeof(struct cli_exe_section));
|
|
2192
|
+ free(exe_sections);
|
|
2193
|
+ return CL_EMEM;
|
|
2194
|
+ }
|
2190
|
2195
|
|
2191
|
|
- sections[0].rva = newedi;
|
2192
|
|
- for(t = 0; t <= (uint32_t)sectcnt - 1; t++) {
|
2193
|
|
- sections[t+1].rva = (((support[t*2]|(support[t*2+1]<<8))-2)<<12)-EC32(optional_hdr32.ImageBase);
|
2194
|
|
- }
|
|
2196
|
+ sections[0].rva = newedi;
|
|
2197
|
+ for(t = 0; t <= (uint32_t)sectcnt - 1; t++)
|
|
2198
|
+ sections[t+1].rva = (((support[t*2]|(support[t*2+1]<<8))-2)<<12)-EC32(optional_hdr32.ImageBase);
|
2195
|
2199
|
|
2196
|
|
- if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
2197
|
|
- cli_dbgmsg("FSG: Can't read raw data of section %d\n", i);
|
2198
|
|
- free(exe_sections);
|
2199
|
|
- free(sections);
|
2200
|
|
- return CL_EREAD;
|
2201
|
|
- }
|
|
2200
|
+ if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
2201
|
+ cli_dbgmsg("FSG: Can't read raw data of section %d\n", i);
|
|
2202
|
+ free(exe_sections);
|
|
2203
|
+ free(sections);
|
|
2204
|
+ return CL_EREAD;
|
|
2205
|
+ }
|
2202
|
2206
|
|
2203
|
|
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
2204
|
|
- free(exe_sections);
|
2205
|
|
- free(sections);
|
2206
|
|
- return CL_EMEM;
|
2207
|
|
- }
|
|
2207
|
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
2208
|
+ free(exe_sections);
|
|
2209
|
+ free(sections);
|
|
2210
|
+ return CL_EMEM;
|
|
2211
|
+ }
|
2208
|
2212
|
|
2209
|
|
- gp = 0xda + 6*(epbuff[16]=='\xe8');
|
2210
|
|
- oldep = vep + gp + 6 + cli_readint32(src+gp+2+oldep);
|
2211
|
|
- cli_dbgmsg("FSG: found old EP @%x\n", oldep);
|
|
2213
|
+ gp = 0xda + 6*(epbuff[16]=='\xe8');
|
|
2214
|
+ oldep = vep + gp + 6 + cli_readint32(src+gp+2+oldep);
|
|
2215
|
+ cli_dbgmsg("FSG: found old EP @%x\n", oldep);
|
2212
|
2216
|
|
2213
|
2217
|
#if HAVE_JSON
|
2214
|
|
- cli_jsonstr(pe_json, "Packer", "FSG");
|
|
2218
|
+ cli_jsonstr(pe_json, "Packer", "FSG");
|
2215
|
2219
|
#endif
|
2216
|
2220
|
|
2217
|
|
- CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));
|
2218
|
|
- CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));
|
2219
|
|
- break; /* were done with 1.31 */
|
|
2221
|
+ CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));
|
|
2222
|
+ CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));
|
|
2223
|
+
|
|
2224
|
+ break; /* were done with 1.31 */
|
2220
|
2225
|
}
|
2221
|
2226
|
|
2222
|
2227
|
|
2223
|
2228
|
if(found && (DCONF & PE_CONF_UPX)) {
|
|
2229
|
+ ssize = exe_sections[i + 1].rsz;
|
|
2230
|
+ dsize = exe_sections[i].vsz + exe_sections[i + 1].vsz;
|
2224
|
2231
|
|
2225
|
|
- /* UPX support */
|
|
2232
|
+ /*
|
|
2233
|
+ * UPX support
|
|
2234
|
+ * we assume (i + 1) is UPX1
|
|
2235
|
+ */
|
2226
|
2236
|
|
2227
|
|
- /* we assume (i + 1) is UPX1 */
|
2228
|
|
- ssize = exe_sections[i + 1].rsz;
|
2229
|
|
- dsize = exe_sections[i].vsz + exe_sections[i + 1].vsz;
|
|
2237
|
+ /* cli_dbgmsg("UPX: ssize %u dsize %u\n", ssize, dsize); */
|
2230
|
2238
|
|
2231
|
|
- /* cli_dbgmsg("UPX: ssize %u dsize %u\n", ssize, dsize); */
|
|
2239
|
+ CLI_UNPSIZELIMITS("UPX", MAX(dsize, ssize));
|
2232
|
2240
|
|
2233
|
|
- CLI_UNPSIZELIMITS("UPX", MAX(dsize, ssize));
|
|
2241
|
+ if(ssize <= 0x19 || dsize <= ssize || dsize > CLI_MAX_ALLOCATION ) {
|
|
2242
|
+ cli_dbgmsg("UPX: Size mismatch or dsize too big (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
2243
|
+ free(exe_sections);
|
|
2244
|
+ return CL_CLEAN;
|
|
2245
|
+ }
|
2234
|
2246
|
|
2235
|
|
- if(ssize <= 0x19 || dsize <= ssize || dsize > CLI_MAX_ALLOCATION ) {
|
2236
|
|
- cli_dbgmsg("UPX: Size mismatch or dsize too big (ssize: %d, dsize: %d)\n", ssize, dsize);
|
2237
|
|
- free(exe_sections);
|
2238
|
|
- return CL_CLEAN;
|
2239
|
|
- }
|
|
2247
|
+ if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
2248
|
+ cli_dbgmsg("UPX: Can't read raw data of section %d\n", i+1);
|
|
2249
|
+ free(exe_sections);
|
|
2250
|
+ return CL_EREAD;
|
|
2251
|
+ }
|
2240
|
2252
|
|
2241
|
|
- if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
2242
|
|
- cli_dbgmsg("UPX: Can't read raw data of section %d\n", i+1);
|
2243
|
|
- free(exe_sections);
|
2244
|
|
- return CL_EREAD;
|
2245
|
|
- }
|
|
2253
|
+ if((dest = (char *) cli_calloc(dsize + 8192, sizeof(char))) == NULL) {
|
|
2254
|
+ free(exe_sections);
|
|
2255
|
+ return CL_EMEM;
|
|
2256
|
+ }
|
2246
|
2257
|
|
2247
|
|
- if((dest = (char *) cli_calloc(dsize + 8192, sizeof(char))) == NULL) {
|
2248
|
|
- free(exe_sections);
|
2249
|
|
- return CL_EMEM;
|
2250
|
|
- }
|
|
2258
|
+ /* try to detect UPX code */
|
|
2259
|
+ if(cli_memstr(UPX_NRV2B, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2B, 24, epbuff + 0x69 + 8, 13)) {
|
|
2260
|
+ cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n");
|
|
2261
|
+ upxfn = upx_inflate2b;
|
|
2262
|
+ } else if(cli_memstr(UPX_NRV2D, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2D, 24, epbuff + 0x69 + 8, 13)) {
|
|
2263
|
+ cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n");
|
|
2264
|
+ upxfn = upx_inflate2d;
|
|
2265
|
+ } else if(cli_memstr(UPX_NRV2E, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2E, 24, epbuff + 0x69 + 8, 13)) {
|
|
2266
|
+ cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n");
|
|
2267
|
+ upxfn = upx_inflate2e;
|
|
2268
|
+ }
|
2251
|
2269
|
|
2252
|
|
- /* try to detect UPX code */
|
2253
|
|
- if(cli_memstr(UPX_NRV2B, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2B, 24, epbuff + 0x69 + 8, 13)) {
|
2254
|
|
- cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n");
|
2255
|
|
- upxfn = upx_inflate2b;
|
2256
|
|
- } else if(cli_memstr(UPX_NRV2D, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2D, 24, epbuff + 0x69 + 8, 13)) {
|
2257
|
|
- cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n");
|
2258
|
|
- upxfn = upx_inflate2d;
|
2259
|
|
- } else if(cli_memstr(UPX_NRV2E, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2E, 24, epbuff + 0x69 + 8, 13)) {
|
2260
|
|
- cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n");
|
2261
|
|
- upxfn = upx_inflate2e;
|
2262
|
|
- }
|
|
2270
|
+ if(upxfn) {
|
|
2271
|
+ int skew = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase) - exe_sections[i + 1].rva;
|
2263
|
2272
|
|
2264
|
|
- if(upxfn) {
|
2265
|
|
- int skew = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase) - exe_sections[i + 1].rva;
|
|
2273
|
+ if(epbuff[1] != '\xbe' || skew <= 0 || skew > 0xfff) {
|
|
2274
|
+ /* FIXME: legit skews?? */
|
|
2275
|
+ skew = 0;
|
|
2276
|
+ } else if ((unsigned int)skew > ssize) {
|
|
2277
|
+ /* Ignore suggested skew larger than section size */
|
|
2278
|
+ skew = 0;
|
|
2279
|
+ } else {
|
|
2280
|
+ cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew);
|
|
2281
|
+ }
|
2266
|
2282
|
|
2267
|
|
- if(epbuff[1] != '\xbe' || skew <= 0 || skew > 0xfff) { /* FIXME: legit skews?? */
|
2268
|
|
- skew = 0;
|
2269
|
|
- } else if ((unsigned int)skew > ssize) {
|
2270
|
|
- /* Ignore suggested skew larger than section size */
|
2271
|
|
- skew = 0;
|
2272
|
|
- } else {
|
2273
|
|
- cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew);
|
2274
|
|
- }
|
|
2283
|
+ /* Try skewed first (skew may be zero) */
|
|
2284
|
+ if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0) {
|
|
2285
|
+ upx_success = 1;
|
|
2286
|
+ }
|
|
2287
|
+ /* If skew not successful and non-zero, try no skew */
|
|
2288
|
+ else if(skew && (upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)) {
|
|
2289
|
+ upx_success = 1;
|
|
2290
|
+ }
|
2275
|
2291
|
|
2276
|
|
- /* Try skewed first (skew may be zero) */
|
2277
|
|
- if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0) {
|
2278
|
|
- upx_success = 1;
|
2279
|
|
- }
|
2280
|
|
- /* If skew not successful and non-zero, try no skew */
|
2281
|
|
- else if(skew && (upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)) {
|
2282
|
|
- upx_success = 1;
|
2283
|
|
- }
|
|
2292
|
+ if(upx_success)
|
|
2293
|
+ cli_dbgmsg("UPX: Successfully decompressed\n");
|
|
2294
|
+ else
|
|
2295
|
+ cli_dbgmsg("UPX: Preferred decompressor failed\n");
|
|
2296
|
+ }
|
2284
|
2297
|
|
2285
|
|
- if(upx_success)
|
2286
|
|
- cli_dbgmsg("UPX: Successfully decompressed\n");
|
2287
|
|
- else
|
2288
|
|
- cli_dbgmsg("UPX: Preferred decompressor failed\n");
|
2289
|
|
- }
|
|
2298
|
+ if(!upx_success && upxfn != upx_inflate2b) {
|
|
2299
|
+ if(upx_inflate2b(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2b(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
2290
|
2300
|
|
2291
|
|
- if(!upx_success && upxfn != upx_inflate2b) {
|
2292
|
|
- if(upx_inflate2b(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2b(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
|
2301
|
+ cli_dbgmsg("UPX: NRV2B decompressor failed\n");
|
|
2302
|
+ } else {
|
|
2303
|
+ upx_success = 1;
|
|
2304
|
+ cli_dbgmsg("UPX: Successfully decompressed with NRV2B\n");
|
|
2305
|
+ }
|
|
2306
|
+ }
|
2293
|
2307
|
|
2294
|
|
- cli_dbgmsg("UPX: NRV2B decompressor failed\n");
|
2295
|
|
- } else {
|
2296
|
|
- upx_success = 1;
|
2297
|
|
- cli_dbgmsg("UPX: Successfully decompressed with NRV2B\n");
|
2298
|
|
- }
|
2299
|
|
- }
|
|
2308
|
+ if(!upx_success && upxfn != upx_inflate2d) {
|
|
2309
|
+ if(upx_inflate2d(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2d(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
2300
|
2310
|
|
2301
|
|
- if(!upx_success && upxfn != upx_inflate2d) {
|
2302
|
|
- if(upx_inflate2d(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2d(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
|
2311
|
+ cli_dbgmsg("UPX: NRV2D decompressor failed\n");
|
|
2312
|
+ } else {
|
|
2313
|
+ upx_success = 1;
|
|
2314
|
+ cli_dbgmsg("UPX: Successfully decompressed with NRV2D\n");
|
|
2315
|
+ }
|
|
2316
|
+ }
|
2303
|
2317
|
|
2304
|
|
- cli_dbgmsg("UPX: NRV2D decompressor failed\n");
|
2305
|
|
- } else {
|
2306
|
|
- upx_success = 1;
|
2307
|
|
- cli_dbgmsg("UPX: Successfully decompressed with NRV2D\n");
|
2308
|
|
- }
|
2309
|
|
- }
|
|
2318
|
+ if(!upx_success && upxfn != upx_inflate2e) {
|
|
2319
|
+ if(upx_inflate2e(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2e(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
|
2320
|
+ cli_dbgmsg("UPX: NRV2E decompressor failed\n");
|
|
2321
|
+ } else {
|
|
2322
|
+ upx_success = 1;
|
|
2323
|
+ cli_dbgmsg("UPX: Successfully decompressed with NRV2E\n");
|
|
2324
|
+ }
|
|
2325
|
+ }
|
2310
|
2326
|
|
2311
|
|
- if(!upx_success && upxfn != upx_inflate2e) {
|
2312
|
|
- if(upx_inflate2e(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2e(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
2313
|
|
- cli_dbgmsg("UPX: NRV2E decompressor failed\n");
|
2314
|
|
- } else {
|
2315
|
|
- upx_success = 1;
|
2316
|
|
- cli_dbgmsg("UPX: Successfully decompressed with NRV2E\n");
|
2317
|
|
- }
|
2318
|
|
- }
|
|
2327
|
+ if(cli_memstr(UPX_LZMA2, 20, epbuff + 0x2f, 20)) {
|
|
2328
|
+ uint32_t strictdsize=cli_readint32(epbuff+0x21), skew = 0;
|
|
2329
|
+ if(ssize > 0x15 && epbuff[0] == '\x60' && epbuff[1] == '\xbe') {
|
|
2330
|
+ skew = cli_readint32(epbuff+2) - exe_sections[i + 1].rva - optional_hdr32.ImageBase;
|
|
2331
|
+ if(skew!=0x15)
|
|
2332
|
+ skew = 0;
|
|
2333
|
+ }
|
2319
|
2334
|
|
2320
|
|
- if(cli_memstr(UPX_LZMA2, 20, epbuff + 0x2f, 20)) {
|
2321
|
|
- uint32_t strictdsize=cli_readint32(epbuff+0x21), skew = 0;
|
2322
|
|
- if(ssize > 0x15 && epbuff[0] == '\x60' && epbuff[1] == '\xbe') {
|
2323
|
|
- skew = cli_readint32(epbuff+2) - exe_sections[i + 1].rva - optional_hdr32.ImageBase;
|
2324
|
|
- if(skew!=0x15) skew = 0;
|
2325
|
|
- }
|
2326
|
|
- if(strictdsize<=dsize)
|
2327
|
|
- upx_success = upx_inflatelzma(src+skew, ssize-skew, dest, &strictdsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >=0;
|
2328
|
|
- } else if (cli_memstr(UPX_LZMA1, 20, epbuff + 0x39, 20)) {
|
2329
|
|
- uint32_t strictdsize=cli_readint32(epbuff+0x2b), skew = 0;
|
2330
|
|
- if(ssize > 0x15 && epbuff[0] == '\x60' && epbuff[1] == '\xbe') {
|
2331
|
|
- skew = cli_readint32(epbuff+2) - exe_sections[i + 1].rva - optional_hdr32.ImageBase;
|
2332
|
|
- if(skew!=0x15) skew = 0;
|
2333
|
|
- }
|
2334
|
|
- if(strictdsize<=dsize)
|
2335
|
|
- upx_success = upx_inflatelzma(src+skew, ssize-skew, dest, &strictdsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >=0;
|
2336
|
|
- }
|
|
2335
|
+ if(strictdsize<=dsize)
|
|
2336
|
+ upx_success = upx_inflatelzma(src+skew, ssize-skew, dest, &strictdsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >=0;
|
|
2337
|
+ } else if (cli_memstr(UPX_LZMA1, 20, epbuff + 0x39, 20)) {
|
|
2338
|
+ uint32_t strictdsize=cli_readint32(epbuff+0x2b), skew = 0;
|
|
2339
|
+ if(ssize > 0x15 && epbuff[0] == '\x60' && epbuff[1] == '\xbe') {
|
|
2340
|
+ skew = cli_readint32(epbuff+2) - exe_sections[i + 1].rva - optional_hdr32.ImageBase;
|
|
2341
|
+ if(skew!=0x15)
|
|
2342
|
+ skew = 0;
|
|
2343
|
+ }
|
2337
|
2344
|
|
2338
|
|
- if(!upx_success) {
|
2339
|
|
- cli_dbgmsg("UPX: All decompressors failed\n");
|
2340
|
|
- free(dest);
|
2341
|
|
- }
|
|
2345
|
+ if(strictdsize<=dsize)
|
|
2346
|
+ upx_success = upx_inflatelzma(src+skew, ssize-skew, dest, &strictdsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >=0;
|
|
2347
|
+ }
|
|
2348
|
+
|
|
2349
|
+ if(!upx_success) {
|
|
2350
|
+ cli_dbgmsg("UPX: All decompressors failed\n");
|
|
2351
|
+ free(dest);
|
|
2352
|
+ }
|
2342
|
2353
|
}
|
2343
|
2354
|
|
2344
|
2355
|
if(upx_success) {
|
2345
|
|
- free(exe_sections);
|
|
2356
|
+ free(exe_sections);
|
2346
|
2357
|
|
2347
|
|
- CLI_UNPTEMP("UPX/FSG",(dest,0));
|
|
2358
|
+ CLI_UNPTEMP("UPX/FSG",(dest,0));
|
2348
|
2359
|
#if HAVE_JSON
|
2349
|
|
- cli_jsonstr(pe_json, "Packer", "UPX");
|
|
2360
|
+ cli_jsonstr(pe_json, "Packer", "UPX");
|
2350
|
2361
|
#endif
|
2351
|
2362
|
|
2352
|
|
- if((unsigned int) write(ndesc, dest, dsize) != dsize) {
|
2353
|
|
- cli_dbgmsg("UPX/FSG: Can't write %d bytes\n", dsize);
|
2354
|
|
- free(tempfile);
|
2355
|
|
- free(dest);
|
2356
|
|
- close(ndesc);
|
2357
|
|
- return CL_EWRITE;
|
2358
|
|
- }
|
|
2363
|
+ if((unsigned int) write(ndesc, dest, dsize) != dsize) {
|
|
2364
|
+ cli_dbgmsg("UPX/FSG: Can't write %d bytes\n", dsize);
|
|
2365
|
+ free(tempfile);
|
|
2366
|
+ free(dest);
|
|
2367
|
+ close(ndesc);
|
|
2368
|
+ return CL_EWRITE;
|
|
2369
|
+ }
|
2359
|
2370
|
|
2360
|
|
- free(dest);
|
2361
|
|
- if (lseek(ndesc, 0, SEEK_SET) == -1) {
|
2362
|
|
- cli_dbgmsg("UPX/FSG: lseek() failed\n");
|
2363
|
|
- close(ndesc);
|
2364
|
|
- CLI_TMPUNLK();
|
2365
|
|
- free(tempfile);
|
2366
|
|
- SHA_RESET;
|
2367
|
|
- return CL_ESEEK;
|
2368
|
|
- }
|
|
2371
|
+ free(dest);
|
|
2372
|
+ if (lseek(ndesc, 0, SEEK_SET) == -1) {
|
|
2373
|
+ cli_dbgmsg("UPX/FSG: lseek() failed\n");
|
|
2374
|
+ close(ndesc);
|
|
2375
|
+ CLI_TMPUNLK();
|
|
2376
|
+ free(tempfile);
|
|
2377
|
+ SHA_RESET;
|
|
2378
|
+ return CL_ESEEK;
|
|
2379
|
+ }
|
2369
|
2380
|
|
2370
|
|
- if(ctx->engine->keeptmp)
|
2371
|
|
- cli_dbgmsg("UPX/FSG: Decompressed data saved in %s\n", tempfile);
|
|
2381
|
+ if(ctx->engine->keeptmp)
|
|
2382
|
+ cli_dbgmsg("UPX/FSG: Decompressed data saved in %s\n", tempfile);
|
2372
|
2383
|
|
2373
|
|
- cli_dbgmsg("***** Scanning decompressed file *****\n");
|
2374
|
|
- SHA_OFF;
|
2375
|
|
- if((ret = cli_magic_scandesc(ndesc, ctx)) == CL_VIRUS) {
|
2376
|
|
- close(ndesc);
|
2377
|
|
- CLI_TMPUNLK();
|
2378
|
|
- free(tempfile);
|
2379
|
|
- SHA_RESET;
|
2380
|
|
- return CL_VIRUS;
|
2381
|
|
- }
|
|
2384
|
+ cli_dbgmsg("***** Scanning decompressed file *****\n");
|
|
2385
|
+ SHA_OFF;
|
|
2386
|
+ if((ret = cli_magic_scandesc(ndesc, ctx)) == CL_VIRUS) {
|
|
2387
|
+ close(ndesc);
|
|
2388
|
+ CLI_TMPUNLK();
|
|
2389
|
+ free(tempfile);
|
|
2390
|
+ SHA_RESET;
|
|
2391
|
+ return CL_VIRUS;
|
|
2392
|
+ }
|
2382
|
2393
|
|
2383
|
|
- SHA_RESET;
|
2384
|
|
- close(ndesc);
|
2385
|
|
- CLI_TMPUNLK();
|
2386
|
|
- free(tempfile);
|
2387
|
|
- return ret;
|
|
2394
|
+ SHA_RESET;
|
|
2395
|
+ close(ndesc);
|
|
2396
|
+ CLI_TMPUNLK();
|
|
2397
|
+ free(tempfile);
|
|
2398
|
+ return ret;
|
2388
|
2399
|
}
|
2389
|
2400
|
|
2390
|
2401
|
|
2391
|
2402
|
/* Petite */
|
2392
|
2403
|
|
2393
|
2404
|
if(epsize<200) {
|
2394
|
|
- free(exe_sections);
|
2395
|
|
- return CL_CLEAN;
|
|
2405
|
+ free(exe_sections);
|
|
2406
|
+ return CL_CLEAN;
|
2396
|
2407
|
}
|
2397
|
2408
|
|
2398
|
2409
|
found = 2;
|
2399
|
2410
|
|
2400
|
2411
|
if(epbuff[0] != '\xb8' || (uint32_t) cli_readint32(epbuff + 1) != exe_sections[nsections - 1].rva + EC32(optional_hdr32.ImageBase)) {
|
2401
|
|
- if(nsections < 2 || epbuff[0] != '\xb8' || (uint32_t) cli_readint32(epbuff + 1) != exe_sections[nsections - 2].rva + EC32(optional_hdr32.ImageBase))
|
2402
|
|
- found = 0;
|
2403
|
|
- else
|
2404
|
|
- found = 1;
|
|
2412
|
+ if(nsections < 2 || epbuff[0] != '\xb8' || (uint32_t) cli_readint32(epbuff + 1) != exe_sections[nsections - 2].rva + EC32(optional_hdr32.ImageBase))
|
|
2413
|
+ found = 0;
|
|
2414
|
+ else
|
|
2415
|
+ found = 1;
|
2405
|
2416
|
}
|
2406
|
2417
|
|
2407
|
2418
|
if(found && (DCONF & PE_CONF_PETITE)) {
|
2408
|
|
- cli_dbgmsg("Petite: v2.%d compression detected\n", found);
|
|
2419
|
+ cli_dbgmsg("Petite: v2.%d compression detected\n", found);
|
2409
|
2420
|
|
2410
|
|
- if(cli_readint32(epbuff + 0x80) == 0x163c988d) {
|
2411
|
|
- cli_dbgmsg("Petite: level zero compression is not supported yet\n");
|
2412
|
|
- } else {
|
2413
|
|
- dsize = max - min;
|
|
2421
|
+ if(cli_readint32(epbuff + 0x80) == 0x163c988d) {
|
|
2422
|
+ cli_dbgmsg("Petite: level zero compression is not supported yet\n");
|
|
2423
|
+ } else {
|
|
2424
|
+ dsize = max - min;
|
2414
|
2425
|
|
2415
|
|
- CLI_UNPSIZELIMITS("Petite", dsize);
|
|
2426
|
+ CLI_UNPSIZELIMITS("Petite", dsize);
|
2416
|
2427
|
|
2417
|
|
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
2418
|
|
- cli_dbgmsg("Petite: Can't allocate %d bytes\n", dsize);
|
2419
|
|
- free(exe_sections);
|
2420
|
|
- return CL_EMEM;
|
2421
|
|
- }
|
|
2428
|
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
2429
|
+ cli_dbgmsg("Petite: Can't allocate %d bytes\n", dsize);
|
|
2430
|
+ free(exe_sections);
|
|
2431
|
+ return CL_EMEM;
|
|
2432
|
+ }
|
2422
|
2433
|
|
2423
|
|
- for(i = 0 ; i < nsections; i++) {
|
2424
|
|
- if(exe_sections[i].raw) {
|
2425
|
|
- if(!exe_sections[i].rsz || (unsigned int)fmap_readn(map, dest + exe_sections[i].rva - min, exe_sections[i].raw, exe_sections[i].ursz) != exe_sections[i].ursz) {
|
2426
|
|
- free(exe_sections);
|
2427
|
|
- free(dest);
|
2428
|
|
- return CL_CLEAN;
|
2429
|
|
- }
|
2430
|
|
- }
|
2431
|
|
- }
|
|
2434
|
+ for(i = 0 ; i < nsections; i++) {
|
|
2435
|
+ if(exe_sections[i].raw) {
|
|
2436
|
+ if(!exe_sections[i].rsz || (unsigned int)fmap_readn(map, dest + exe_sections[i].rva - min, exe_sections[i].raw, exe_sections[i].ursz) != exe_sections[i].ursz) {
|
|
2437
|
+ free(exe_sections);
|
|
2438
|
+ free(dest);
|
|
2439
|
+ return CL_CLEAN;
|
|
2440
|
+ }
|
|
2441
|
+ }
|
|
2442
|
+ }
|
2432
|
2443
|
|
2433
|
2444
|
#if HAVE_JSON
|
2434
|
|
- cli_jsonstr(pe_json, "Packer", "Petite");
|
|
2445
|
+ cli_jsonstr(pe_json, "Packer", "Petite");
|
2435
|
2446
|
#endif
|
2436
|
2447
|
|
2437
|
|
- CLI_UNPTEMP("Petite",(dest,exe_sections,0));
|
2438
|
|
- CLI_UNPRESULTS("Petite",(petite_inflate2x_1to9(dest, min, max - min, exe_sections, nsections - (found == 1 ? 1 : 0), EC32(optional_hdr32.ImageBase),vep, ndesc, found, EC32(optional_hdr32.DataDirectory[2].VirtualAddress),EC32(optional_hdr32.DataDirectory[2].Size))),0,(dest,0));
|
2439
|
|
- }
|
|
2448
|
+ CLI_UNPTEMP("Petite",(dest,exe_sections,0));
|
|
2449
|
+ CLI_UNPRESULTS("Petite",(petite_inflate2x_1to9(dest, min, max - min, exe_sections, nsections - (found == 1 ? 1 : 0), EC32(optional_hdr32.ImageBase),vep, ndesc, found, EC32(optional_hdr32.DataDirectory[2].VirtualAddress),EC32(optional_hdr32.DataDirectory[2].Size))),0,(dest,0));
|
|
2450
|
+ }
|
2440
|
2451
|
}
|
2441
|
2452
|
|
2442
|
2453
|
/* PESpin 1.1 */
|
...
|
...
|
@@ -2446,29 +2533,29 @@ int cli_scanpe(cli_ctx *ctx)
|
2446
|
2446
|
vep < exe_sections[nsections - 1].rva + exe_sections[nsections - 1].rsz - 0x3217 - 4 &&
|
2447
|
2447
|
memcmp(epbuff+4, "\xe8\x00\x00\x00\x00\x8b\x1c\x24\x83\xc3", 10) == 0) {
|
2448
|
2448
|
|
2449
|
|
- char *spinned;
|
|
2449
|
+ char *spinned;
|
2450
|
2450
|
|
2451
|
|
- CLI_UNPSIZELIMITS("PEspin", fsize);
|
|
2451
|
+ CLI_UNPSIZELIMITS("PEspin", fsize);
|
2452
|
2452
|
|
2453
|
|
- if((spinned = (char *) cli_malloc(fsize)) == NULL) {
|
2454
|
|
- cli_errmsg("PESping: Unable to allocate memory for spinned %lu\n", (unsigned long)fsize);
|
2455
|
|
- free(exe_sections);
|
2456
|
|
- return CL_EMEM;
|
2457
|
|
- }
|
|
2453
|
+ if((spinned = (char *) cli_malloc(fsize)) == NULL) {
|
|
2454
|
+ cli_errmsg("PESping: Unable to allocate memory for spinned %lu\n", (unsigned long)fsize);
|
|
2455
|
+ free(exe_sections);
|
|
2456
|
+ return CL_EMEM;
|
|
2457
|
+ }
|
2458
|
2458
|
|
2459
|
|
- if((size_t) fmap_readn(map, spinned, 0, fsize) != fsize) {
|
2460
|
|
- cli_dbgmsg("PESpin: Can't read %lu bytes\n", (unsigned long)fsize);
|
2461
|
|
- free(spinned);
|
2462
|
|
- free(exe_sections);
|
2463
|
|
- return CL_EREAD;
|
2464
|
|
- }
|
|
2459
|
+ if((size_t) fmap_readn(map, spinned, 0, fsize) != fsize) {
|
|
2460
|
+ cli_dbgmsg("PESpin: Can't read %lu bytes\n", (unsigned long)fsize);
|
|
2461
|
+ free(spinned);
|
|
2462
|
+ free(exe_sections);
|
|
2463
|
+ return CL_EREAD;
|
|
2464
|
+ }
|
2465
|
2465
|
|
2466
|
2466
|
#if HAVE_JSON
|
2467
|
|
- cli_jsonstr(pe_json, "Packer", "PEspin");
|
|
2467
|
+ cli_jsonstr(pe_json, "Packer", "PEspin");
|
2468
|
2468
|
#endif
|
2469
|
2469
|
|
2470
|
|
- CLI_UNPTEMP("PESpin",(spinned,exe_sections,0));
|
2471
|
|
- CLI_UNPRESULTS_("PEspin",SPINCASE(),(unspin(spinned, fsize, exe_sections, nsections - 1, vep, ndesc, ctx)),0,(spinned,0));
|
|
2470
|
+ CLI_UNPTEMP("PESpin",(spinned,exe_sections,0));
|
|
2471
|
+ CLI_UNPRESULTS_("PEspin",SPINCASE(),(unspin(spinned, fsize, exe_sections, nsections - 1, vep, ndesc, ctx)),0,(spinned,0));
|
2472
|
2472
|
}
|
2473
|
2473
|
|
2474
|
2474
|
|
...
|
...
|
@@ -2476,69 +2563,69 @@ int cli_scanpe(cli_ctx *ctx)
|
2476
|
2476
|
if((DCONF & PE_CONF_YC) && nsections > 1 &&
|
2477
|
2477
|
(EC32(optional_hdr32.AddressOfEntryPoint) == exe_sections[nsections - 1].rva + 0x60)) {
|
2478
|
2478
|
|
2479
|
|
- uint32_t ecx = 0;
|
2480
|
|
- int16_t offset;
|
|
2479
|
+ uint32_t ecx = 0;
|
|
2480
|
+ int16_t offset;
|
2481
|
2481
|
|
2482
|
|
- /* yC 1.3 */
|
2483
|
|
- if (!memcmp(epbuff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED", 15) &&
|
2484
|
|
- !memcmp(epbuff+0x26, "\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 13) &&
|
2485
|
|
- ((uint8_t)epbuff[0x13] == 0xB9) &&
|
2486
|
|
- ((uint16_t)(cli_readint16(epbuff+0x18)) == 0xE981) &&
|
2487
|
|
- !memcmp(epbuff+0x1e,"\x8B\xD5\x81\xC2", 4)) {
|
|
2482
|
+ /* yC 1.3 */
|
|
2483
|
+ if (!memcmp(epbuff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED", 15) &&
|
|
2484
|
+ !memcmp(epbuff+0x26, "\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 13) &&
|
|
2485
|
+ ((uint8_t)epbuff[0x13] == 0xB9) &&
|
|
2486
|
+ ((uint16_t)(cli_readint16(epbuff+0x18)) == 0xE981) &&
|
|
2487
|
+ !memcmp(epbuff+0x1e,"\x8B\xD5\x81\xC2", 4)) {
|
2488
|
2488
|
|
2489
|
|
- offset = 0;
|
2490
|
|
- if (0x6c - cli_readint32(epbuff+0xf) + cli_readint32(epbuff+0x22) == 0xC6)
|
2491
|
|
- ecx = cli_readint32(epbuff+0x14) - cli_readint32(epbuff+0x1a);
|
2492
|
|
- }
|
|
2489
|
+ offset = 0;
|
|
2490
|
+ if (0x6c - cli_readint32(epbuff+0xf) + cli_readint32(epbuff+0x22) == 0xC6)
|
|
2491
|
+ ecx = cli_readint32(epbuff+0x14) - cli_readint32(epbuff+0x1a);
|
|
2492
|
+ }
|
2493
|
2493
|
|
2494
|
|
- /* yC 1.3 variant */
|
2495
|
|
- if (!ecx && !memcmp(epbuff, "\x55\x8B\xEC\x83\xEC\x40\x53\x56\x57", 9) &&
|
2496
|
|
- !memcmp(epbuff+0x17, "\xe8\x00\x00\x00\x00\x5d\x81\xed", 8) &&
|
2497
|
|
- ((uint8_t)epbuff[0x23] == 0xB9)) {
|
|
2494
|
+ /* yC 1.3 variant */
|
|
2495
|
+ if (!ecx && !memcmp(epbuff, "\x55\x8B\xEC\x83\xEC\x40\x53\x56\x57", 9) &&
|
|
2496
|
+ !memcmp(epbuff+0x17, "\xe8\x00\x00\x00\x00\x5d\x81\xed", 8) &&
|
|
2497
|
+ ((uint8_t)epbuff[0x23] == 0xB9)) {
|
2498
|
2498
|
|
2499
|
|
- offset = 0x10;
|
2500
|
|
- if (0x6c - cli_readint32(epbuff+0x1f) + cli_readint32(epbuff+0x32) == 0xC6)
|
2501
|
|
- ecx = cli_readint32(epbuff+0x24) - cli_readint32(epbuff+0x2a);
|
2502
|
|
- }
|
|
2499
|
+ offset = 0x10;
|
|
2500
|
+ if (0x6c - cli_readint32(epbuff+0x1f) + cli_readint32(epbuff+0x32) == 0xC6)
|
|
2501
|
+ ecx = cli_readint32(epbuff+0x24) - cli_readint32(epbuff+0x2a);
|
|
2502
|
+ }
|
2503
|
2503
|
|
2504
|
|
- /* yC 1.x/modified */
|
2505
|
|
- if (!ecx && !memcmp(epbuff, "\x60\xe8\x00\x00\x00\x00\x5d\x81\xed",9) &&
|
2506
|
|
- ((uint8_t)epbuff[0xd] == 0xb9) &&
|
2507
|
|
- ((uint16_t)cli_readint16(epbuff + 0x12)== 0xbd8d) &&
|
2508
|
|
- !memcmp(epbuff+0x18, "\x8b\xf7\xac", 3)) {
|
|
2504
|
+ /* yC 1.x/modified */
|
|
2505
|
+ if (!ecx && !memcmp(epbuff, "\x60\xe8\x00\x00\x00\x00\x5d\x81\xed",9) &&
|
|
2506
|
+ ((uint8_t)epbuff[0xd] == 0xb9) &&
|
|
2507
|
+ ((uint16_t)cli_readint16(epbuff + 0x12)== 0xbd8d) &&
|
|
2508
|
+ !memcmp(epbuff+0x18, "\x8b\xf7\xac", 3)) {
|
2509
|
2509
|
|
2510
|
|
- offset = -0x18;
|
2511
|
|
- if (0x66 - cli_readint32(epbuff+0x9) + cli_readint32(epbuff+0x14) == 0xae)
|
2512
|
|
- ecx = cli_readint32(epbuff+0xe);
|
2513
|
|
- }
|
|
2510
|
+ offset = -0x18;
|
|
2511
|
+ if (0x66 - cli_readint32(epbuff+0x9) + cli_readint32(epbuff+0x14) == 0xae)
|
|
2512
|
+ ecx = cli_readint32(epbuff+0xe);
|
|
2513
|
+ }
|
2514
|
2514
|
|
2515
|
|
- if (ecx > 0x800 && ecx < 0x2000 &&
|
2516
|
|
- !memcmp(epbuff+0x63+offset, "\xaa\xe2\xcc", 3) &&
|
2517
|
|
- (fsize >= exe_sections[nsections-1].raw + 0xC6 + ecx + offset)) {
|
|
2515
|
+ if (ecx > 0x800 && ecx < 0x2000 &&
|
|
2516
|
+ !memcmp(epbuff+0x63+offset, "\xaa\xe2\xcc", 3) &&
|
|
2517
|
+ (fsize >= exe_sections[nsections-1].raw + 0xC6 + ecx + offset)) {
|
2518
|
2518
|
|
2519
|
|
- char *spinned;
|
|
2519
|
+ char *spinned;
|
2520
|
2520
|
|
2521
|
|
- if((spinned = (char *) cli_malloc(fsize)) == NULL) {
|
2522
|
|
- cli_errmsg("yC: Unable to allocate memory for spinned %lu\n", (unsigned long)fsize);
|
2523
|
|
- free(exe_sections);
|
2524
|
|
- return CL_EMEM;
|
2525
|
|
- }
|
|
2521
|
+ if((spinned = (char *) cli_malloc(fsize)) == NULL) {
|
|
2522
|
+ cli_errmsg("yC: Unable to allocate memory for spinned %lu\n", (unsigned long)fsize);
|
|
2523
|
+ free(exe_sections);
|
|
2524
|
+ return CL_EMEM;
|
|
2525
|
+ }
|
2526
|
2526
|
|
2527
|
|
- if((size_t) fmap_readn(map, spinned, 0, fsize) != fsize) {
|
2528
|
|
- cli_dbgmsg("yC: Can't read %lu bytes\n", (unsigned long)fsize);
|
2529
|
|
- free(spinned);
|
2530
|
|
- free(exe_sections);
|
2531
|
|
- return CL_EREAD;
|
2532
|
|
- }
|
|
2527
|
+ if((size_t) fmap_readn(map, spinned, 0, fsize) != fsize) {
|
|
2528
|
+ cli_dbgmsg("yC: Can't read %lu bytes\n", (unsigned long)fsize);
|
|
2529
|
+ free(spinned);
|
|
2530
|
+ free(exe_sections);
|
|
2531
|
+ return CL_EREAD;
|
|
2532
|
+ }
|
2533
|
2533
|
|
2534
|
2534
|
#if HAVE_JSON
|
2535
|
|
- cli_jsonstr(pe_json, "Packer", "yC");
|
|
2535
|
+ cli_jsonstr(pe_json, "Packer", "yC");
|
2536
|
2536
|
#endif
|
2537
|
2537
|
|
2538
|
|
- cli_dbgmsg("%d,%d,%d,%d\n", nsections-1, e_lfanew, ecx, offset);
|
2539
|
|
- CLI_UNPTEMP("yC",(spinned,exe_sections,0));
|
2540
|
|
- CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc, ecx, offset)),0,(spinned,0));
|
2541
|
|
- }
|
|
2538
|
+ cli_dbgmsg("%d,%d,%d,%d\n", nsections-1, e_lfanew, ecx, offset);
|
|
2539
|
+ CLI_UNPTEMP("yC",(spinned,exe_sections,0));
|
|
2540
|
+ CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc, ecx, offset)),0,(spinned,0));
|
|
2541
|
+ }
|
2542
|
2542
|
}
|
2543
|
2543
|
|
2544
|
2544
|
/* WWPack */
|
...
|
...
|
@@ -2547,87 +2634,111 @@ int cli_scanpe(cli_ctx *ctx)
|
2547
|
2547
|
vep == exe_sections[nsections - 1].rva &&
|
2548
|
2548
|
memcmp(epbuff, "\x53\x55\x8b\xe8\x33\xdb\xeb", 7) == 0 &&
|
2549
|
2549
|
memcmp(epbuff+0x68, "\xe8\x00\x00\x00\x00\x58\x2d\x6d\x00\x00\x00\x50\x60\x33\xc9\x50\x58\x50\x50", 19) == 0) {
|
2550
|
|
- uint32_t head = exe_sections[nsections - 1].raw;
|
|
2550
|
+ uint32_t head = exe_sections[nsections - 1].raw;
|
2551
|
2551
|
uint8_t *packer;
|
2552
|
|
- char *src;
|
2553
|
|
-
|
2554
|
|
- ssize = 0;
|
2555
|
|
- for(i=0 ; ; i++) {
|
2556
|
|
- if(exe_sections[i].raw<head)
|
2557
|
|
- head=exe_sections[i].raw;
|
2558
|
|
- if(i+1==nsections) break;
|
2559
|
|
- if(ssize<exe_sections[i].rva+exe_sections[i].vsz)
|
2560
|
|
- ssize=exe_sections[i].rva+exe_sections[i].vsz;
|
2561
|
|
- }
|
2562
|
|
- if(!head || !ssize || head>ssize) break;
|
|
2552
|
+ char *src;
|
|
2553
|
+
|
|
2554
|
+ ssize = 0;
|
|
2555
|
+ for(i=0 ; ; i++) {
|
|
2556
|
+ if(exe_sections[i].raw<head)
|
|
2557
|
+ head=exe_sections[i].raw;
|
|
2558
|
+
|
|
2559
|
+ if(i+1==nsections)
|
|
2560
|
+ break;
|
|
2561
|
+
|
|
2562
|
+ if(ssize<exe_sections[i].rva+exe_sections[i].vsz)
|
|
2563
|
+ ssize=exe_sections[i].rva+exe_sections[i].vsz;
|
|
2564
|
+ }
|
2563
|
2565
|
|
2564
|
|
- CLI_UNPSIZELIMITS("WWPack", ssize);
|
|
2566
|
+ if(!head || !ssize || head>ssize)
|
|
2567
|
+ break;
|
|
2568
|
+
|
|
2569
|
+ CLI_UNPSIZELIMITS("WWPack", ssize);
|
2565
|
2570
|
|
2566
|
2571
|
if(!(src=(char *)cli_calloc(ssize, sizeof(char)))) {
|
2567
|
|
- free(exe_sections);
|
2568
|
|
- return CL_EMEM;
|
2569
|
|
- }
|
2570
|
|
- if((size_t) fmap_readn(map, src, 0, head) != head) {
|
2571
|
|
- cli_dbgmsg("WWPack: Can't read %d bytes from headers\n", head);
|
2572
|
|
- free(src);
|
2573
|
|
- free(exe_sections);
|
2574
|
|
- return CL_EREAD;
|
2575
|
|
- }
|
|
2572
|
+ free(exe_sections);
|
|
2573
|
+ return CL_EMEM;
|
|
2574
|
+ }
|
|
2575
|
+
|
|
2576
|
+ if((size_t) fmap_readn(map, src, 0, head) != head) {
|
|
2577
|
+ cli_dbgmsg("WWPack: Can't read %d bytes from headers\n", head);
|
|
2578
|
+ free(src);
|
|
2579
|
+ free(exe_sections);
|
|
2580
|
+ return CL_EREAD;
|
|
2581
|
+ }
|
|
2582
|
+
|
2576
|
2583
|
for(i = 0 ; i < (unsigned int)nsections-1; i++) {
|
2577
|
|
- if(!exe_sections[i].rsz) continue;
|
2578
|
|
- if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz)) break;
|
2579
|
|
- if((unsigned int)fmap_readn(map, src+exe_sections[i].rva, exe_sections[i].raw, exe_sections[i].rsz)!=exe_sections[i].rsz) break;
|
|
2584
|
+ if(!exe_sections[i].rsz)
|
|
2585
|
+ continue;
|
|
2586
|
+
|
|
2587
|
+ if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz))
|
|
2588
|
+ break;
|
|
2589
|
+
|
|
2590
|
+ if((unsigned int)fmap_readn(map, src+exe_sections[i].rva, exe_sections[i].raw, exe_sections[i].rsz)!=exe_sections[i].rsz)
|
|
2591
|
+ break;
|
2580
|
2592
|
}
|
|
2593
|
+
|
2581
|
2594
|
if(i+1!=nsections) {
|
2582
|
2595
|
cli_dbgmsg("WWpack: Probably hacked/damaged file.\n");
|
2583
|
2596
|
free(src);
|
2584
|
2597
|
break;
|
2585
|
2598
|
}
|
2586
|
|
- if((packer = (uint8_t *) cli_calloc(exe_sections[nsections - 1].rsz, sizeof(char))) == NULL) {
|
2587
|
|
- free(src);
|
2588
|
|
- free(exe_sections);
|
2589
|
|
- return CL_EMEM;
|
2590
|
|
- }
|
2591
|
|
- if(!exe_sections[nsections - 1].rsz || (size_t) fmap_readn(map, packer, exe_sections[nsections - 1].raw, exe_sections[nsections - 1].rsz) != exe_sections[nsections - 1].rsz) {
|
2592
|
|
- cli_dbgmsg("WWPack: Can't read %d bytes from wwpack sect\n", exe_sections[nsections - 1].rsz);
|
2593
|
|
- free(src);
|
2594
|
|
- free(packer);
|
2595
|
|
- free(exe_sections);
|
2596
|
|
- return CL_EREAD;
|
2597
|
|
- }
|
|
2599
|
+
|
|
2600
|
+ if((packer = (uint8_t *) cli_calloc(exe_sections[nsections - 1].rsz, sizeof(char))) == NULL) {
|
|
2601
|
+ free(src);
|
|
2602
|
+ free(exe_sections);
|
|
2603
|
+ return CL_EMEM;
|
|
2604
|
+ }
|
|
2605
|
+
|
|
2606
|
+ if(!exe_sections[nsections - 1].rsz || (size_t) fmap_readn(map, packer, exe_sections[nsections - 1].raw, exe_sections[nsections - 1].rsz) != exe_sections[nsections - 1].rsz) {
|
|
2607
|
+ cli_dbgmsg("WWPack: Can't read %d bytes from wwpack sect\n", exe_sections[nsections - 1].rsz);
|
|
2608
|
+ free(src);
|
|
2609
|
+ free(packer);
|
|
2610
|
+ free(exe_sections);
|
|
2611
|
+ return CL_EREAD;
|
|
2612
|
+ }
|
2598
|
2613
|
|
2599
|
2614
|
#if HAVE_JSON
|
2600
|
|
- cli_jsonstr(pe_json, "Packer", "WWPack");
|
|
2615
|
+ cli_jsonstr(pe_json, "Packer", "WWPack");
|
2601
|
2616
|
#endif
|
2602
|
2617
|
|
2603
|
|
- CLI_UNPTEMP("WWPack",(src,packer,exe_sections,0));
|
2604
|
|
- CLI_UNPRESULTS("WWPack",(wwunpack((uint8_t *)src, ssize, packer, exe_sections, nsections-1, e_lfanew, ndesc)),0,(src,packer,0));
|
2605
|
|
- break;
|
|
2618
|
+ CLI_UNPTEMP("WWPack",(src,packer,exe_sections,0));
|
|
2619
|
+ CLI_UNPRESULTS("WWPack",(wwunpack((uint8_t *)src, ssize, packer, exe_sections, nsections-1, e_lfanew, ndesc)),0,(src,packer,0));
|
|
2620
|
+ break;
|
2606
|
2621
|
}
|
2607
|
2622
|
|
2608
|
2623
|
|
2609
|
2624
|
/* ASPACK support */
|
2610
|
2625
|
while((DCONF & PE_CONF_ASPACK) && ep+58+0x70e < fsize && !memcmp(epbuff,"\x60\xe8\x03\x00\x00\x00\xe9\xeb",8)) {
|
2611
|
|
- char *src;
|
|
2626
|
+ char *src;
|
2612
|
2627
|
|
2613
|
|
- if(epsize<0x3bf || memcmp(epbuff+0x3b9, "\x68\x00\x00\x00\x00\xc3",6)) break;
|
2614
|
|
- ssize = 0;
|
2615
|
|
- for(i=0 ; i< nsections ; i++)
|
2616
|
|
- if(ssize<exe_sections[i].rva+exe_sections[i].vsz)
|
2617
|
|
- ssize=exe_sections[i].rva+exe_sections[i].vsz;
|
2618
|
|
- if(!ssize) break;
|
|
2628
|
+ if(epsize<0x3bf || memcmp(epbuff+0x3b9, "\x68\x00\x00\x00\x00\xc3",6))
|
|
2629
|
+ break;
|
|
2630
|
+ ssize = 0;
|
|
2631
|
+ for(i=0 ; i< nsections ; i++)
|
|
2632
|
+ if(ssize<exe_sections[i].rva+exe_sections[i].vsz)
|
|
2633
|
+ ssize=exe_sections[i].rva+exe_sections[i].vsz;
|
|
2634
|
+
|
|
2635
|
+ if(!ssize)
|
|
2636
|
+ break;
|
2619
|
2637
|
|
2620
|
|
- CLI_UNPSIZELIMITS("Aspack", ssize);
|
|
2638
|
+ CLI_UNPSIZELIMITS("Aspack", ssize);
|
2621
|
2639
|
|
2622
|
2640
|
if(!(src=(char *)cli_calloc(ssize, sizeof(char)))) {
|
2623
|
|
- free(exe_sections);
|
2624
|
|
- return CL_EMEM;
|
2625
|
|
- }
|
|
2641
|
+ free(exe_sections);
|
|
2642
|
+ return CL_EMEM;
|
|
2643
|
+ }
|
2626
|
2644
|
for(i = 0 ; i < (unsigned int)nsections; i++) {
|
2627
|
|
- if(!exe_sections[i].rsz) continue;
|
2628
|
|
- if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz)) break;
|
2629
|
|
- if((unsigned int)fmap_readn(map, src+exe_sections[i].rva, exe_sections[i].raw, exe_sections[i].rsz)!=exe_sections[i].rsz) break;
|
|
2645
|
+ if(!exe_sections[i].rsz)
|
|
2646
|
+ continue;
|
|
2647
|
+
|
|
2648
|
+ if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz))
|
|
2649
|
+ break;
|
|
2650
|
+
|
|
2651
|
+ if((unsigned int)fmap_readn(map, src+exe_sections[i].rva, exe_sections[i].raw, exe_sections[i].rsz)!=exe_sections[i].rsz)
|
|
2652
|
+ break;
|
2630
|
2653
|
}
|
|
2654
|
+
|
2631
|
2655
|
if(i!=nsections) {
|
2632
|
2656
|
cli_dbgmsg("Aspack: Probably hacked/damaged Aspack file.\n");
|
2633
|
2657
|
free(src);
|
...
|
...
|
@@ -2638,122 +2749,137 @@ int cli_scanpe(cli_ctx *ctx)
|
2638
|
2638
|
cli_jsonstr(pe_json, "Packer", "Aspack");
|
2639
|
2639
|
#endif
|
2640
|
2640
|
|
2641
|
|
- CLI_UNPTEMP("Aspack",(src,exe_sections,0));
|
2642
|
|
- CLI_UNPRESULTS("Aspack",(unaspack212((uint8_t *)src, ssize, exe_sections, nsections, vep-1, EC32(optional_hdr32.ImageBase), ndesc)),1,(src,0));
|
2643
|
|
- break;
|
|
2641
|
+ CLI_UNPTEMP("Aspack",(src,exe_sections,0));
|
|
2642
|
+ CLI_UNPRESULTS("Aspack",(unaspack212((uint8_t *)src, ssize, exe_sections, nsections, vep-1, EC32(optional_hdr32.ImageBase), ndesc)),1,(src,0));
|
|
2643
|
+ break;
|
2644
|
2644
|
}
|
2645
|
2645
|
|
2646
|
2646
|
/* NsPack */
|
2647
|
2647
|
|
2648
|
2648
|
while (DCONF & PE_CONF_NSPACK) {
|
2649
|
|
- uint32_t eprva = vep;
|
2650
|
|
- uint32_t start_of_stuff, rep = ep;
|
2651
|
|
- unsigned int nowinldr;
|
2652
|
|
- const char *nbuff;
|
2653
|
|
-
|
2654
|
|
- src=epbuff;
|
2655
|
|
- if (*epbuff=='\xe9') { /* bitched headers */
|
2656
|
|
- eprva = cli_readint32(epbuff+1)+vep+5;
|
2657
|
|
- if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err) break;
|
2658
|
|
- if (!(nbuff = fmap_need_off_once(map, rep, 24))) break;
|
2659
|
|
- src = nbuff;
|
2660
|
|
- }
|
|
2649
|
+ uint32_t eprva = vep;
|
|
2650
|
+ uint32_t start_of_stuff, rep = ep;
|
|
2651
|
+ unsigned int nowinldr;
|
|
2652
|
+ const char *nbuff;
|
|
2653
|
+
|
|
2654
|
+ src=epbuff;
|
|
2655
|
+ if (*epbuff=='\xe9') { /* bitched headers */
|
|
2656
|
+ eprva = cli_readint32(epbuff+1)+vep+5;
|
|
2657
|
+ if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err)
|
|
2658
|
+ break;
|
2661
|
2659
|
|
2662
|
|
- if (memcmp(src, "\x9c\x60\xe8\x00\x00\x00\x00\x5d\xb8\x07\x00\x00\x00", 13)) break;
|
|
2660
|
+ if (!(nbuff = fmap_need_off_once(map, rep, 24)))
|
|
2661
|
+ break;
|
2663
|
2662
|
|
2664
|
|
- nowinldr = 0x54-cli_readint32(src+17);
|
2665
|
|
- cli_dbgmsg("NsPack: Found *start_of_stuff @delta-%x\n", nowinldr);
|
|
2663
|
+ src = nbuff;
|
|
2664
|
+ }
|
2666
|
2665
|
|
2667
|
|
- if(!(nbuff = fmap_need_off_once(map, rep-nowinldr, 4))) break;
|
2668
|
|
- start_of_stuff=rep+cli_readint32(nbuff);
|
2669
|
|
- if(!(nbuff = fmap_need_off_once(map, start_of_stuff, 20))) break;
|
2670
|
|
- src = nbuff;
|
2671
|
|
- if (!cli_readint32(nbuff)) {
|
2672
|
|
- start_of_stuff+=4; /* FIXME: more to do */
|
2673
|
|
- src+=4;
|
2674
|
|
- }
|
|
2666
|
+ if (memcmp(src, "\x9c\x60\xe8\x00\x00\x00\x00\x5d\xb8\x07\x00\x00\x00", 13))
|
|
2667
|
+ break;
|
2675
|
2668
|
|
2676
|
|
- ssize = cli_readint32(src+5)|0xff;
|
2677
|
|
- dsize = cli_readint32(src+9);
|
|
2669
|
+ nowinldr = 0x54-cli_readint32(src+17);
|
|
2670
|
+ cli_dbgmsg("NsPack: Found *start_of_stuff @delta-%x\n", nowinldr);
|
2678
|
2671
|
|
2679
|
|
- CLI_UNPSIZELIMITS("NsPack", MAX(ssize,dsize));
|
|
2672
|
+ if(!(nbuff = fmap_need_off_once(map, rep-nowinldr, 4)))
|
|
2673
|
+ break;
|
2680
|
2674
|
|
2681
|
|
- if (!ssize || !dsize || dsize != exe_sections[0].vsz) break;
|
2682
|
|
- if (!(dest=cli_malloc(dsize))) {
|
2683
|
|
- cli_errmsg("NsPack: Unable to allocate memory for dest %u\n", dsize);
|
2684
|
|
- break;
|
2685
|
|
- }
|
2686
|
|
- /* memset(dest, 0xfc, dsize); */
|
|
2675
|
+ start_of_stuff=rep+cli_readint32(nbuff);
|
|
2676
|
+ if(!(nbuff = fmap_need_off_once(map, start_of_stuff, 20)))
|
|
2677
|
+ break;
|
2687
|
2678
|
|
2688
|
|
- if(!(src = fmap_need_off(map, start_of_stuff, ssize))) {
|
2689
|
|
- free(dest);
|
2690
|
|
- break;
|
2691
|
|
- }
|
2692
|
|
- /* memset(src, 0x00, ssize); */
|
|
2679
|
+ src = nbuff;
|
|
2680
|
+ if (!cli_readint32(nbuff)) {
|
|
2681
|
+ start_of_stuff+=4; /* FIXME: more to do */
|
|
2682
|
+ src+=4;
|
|
2683
|
+ }
|
2693
|
2684
|
|
2694
|
|
- eprva+=0x27a;
|
2695
|
|
- if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err) {
|
2696
|
|
- free(dest);
|
2697
|
|
- break;
|
2698
|
|
- }
|
2699
|
|
- if(!(nbuff = fmap_need_off_once(map, rep, 5))) {
|
2700
|
|
- free(dest);
|
2701
|
|
- break;
|
2702
|
|
- }
|
2703
|
|
- fmap_unneed_off(map, start_of_stuff, ssize);
|
2704
|
|
- eprva=eprva+5+cli_readint32(nbuff+1);
|
2705
|
|
- cli_dbgmsg("NsPack: OEP = %08x\n", eprva);
|
|
2685
|
+ ssize = cli_readint32(src+5)|0xff;
|
|
2686
|
+ dsize = cli_readint32(src+9);
|
|
2687
|
+
|
|
2688
|
+ CLI_UNPSIZELIMITS("NsPack", MAX(ssize,dsize));
|
|
2689
|
+
|
|
2690
|
+ if (!ssize || !dsize || dsize != exe_sections[0].vsz)
|
|
2691
|
+ break;
|
|
2692
|
+
|
|
2693
|
+ if (!(dest=cli_malloc(dsize))) {
|
|
2694
|
+ cli_errmsg("NsPack: Unable to allocate memory for dest %u\n", dsize);
|
|
2695
|
+ break;
|
|
2696
|
+ }
|
|
2697
|
+ /* memset(dest, 0xfc, dsize); */
|
|
2698
|
+
|
|
2699
|
+ if(!(src = fmap_need_off(map, start_of_stuff, ssize))) {
|
|
2700
|
+ free(dest);
|
|
2701
|
+ break;
|
|
2702
|
+ }
|
|
2703
|
+ /* memset(src, 0x00, ssize); */
|
|
2704
|
+
|
|
2705
|
+ eprva+=0x27a;
|
|
2706
|
+ if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err) {
|
|
2707
|
+ free(dest);
|
|
2708
|
+ break;
|
|
2709
|
+ }
|
|
2710
|
+
|
|
2711
|
+ if(!(nbuff = fmap_need_off_once(map, rep, 5))) {
|
|
2712
|
+ free(dest);
|
|
2713
|
+ break;
|
|
2714
|
+ }
|
|
2715
|
+
|
|
2716
|
+ fmap_unneed_off(map, start_of_stuff, ssize);
|
|
2717
|
+ eprva=eprva+5+cli_readint32(nbuff+1);
|
|
2718
|
+ cli_dbgmsg("NsPack: OEP = %08x\n", eprva);
|
2706
|
2719
|
|
2707
|
2720
|
#if HAVE_JSON
|
2708
|
|
- cli_jsonstr(pe_json, "Packer", "NsPack");
|
|
2721
|
+ cli_jsonstr(pe_json, "Packer", "NsPack");
|
2709
|
2722
|
#endif
|
2710
|
2723
|
|
2711
|
|
- CLI_UNPTEMP("NsPack",(dest,exe_sections,0));
|
2712
|
|
- CLI_UNPRESULTS("NsPack",(unspack(src, dest, ctx, exe_sections[0].rva, EC32(optional_hdr32.ImageBase), eprva, ndesc)),0,(dest,0));
|
2713
|
|
- break;
|
|
2724
|
+ CLI_UNPTEMP("NsPack",(dest,exe_sections,0));
|
|
2725
|
+ CLI_UNPRESULTS("NsPack",(unspack(src, dest, ctx, exe_sections[0].rva, EC32(optional_hdr32.ImageBase), eprva, ndesc)),0,(dest,0));
|
|
2726
|
+ break;
|
2714
|
2727
|
}
|
2715
|
2728
|
|
2716
|
2729
|
/* to be continued ... */
|
2717
|
2730
|
|
2718
|
|
-
|
2719
|
|
-
|
2720
|
|
-
|
2721
|
2731
|
/* !!!!!!!!!!!!!! PACKERS END HERE !!!!!!!!!!!!!! */
|
2722
|
2732
|
ctx->corrupted_input = corrupted_cur;
|
2723
|
2733
|
|
2724
|
2734
|
/* Bytecode BC_PE_UNPACKER hook */
|
2725
|
2735
|
bc_ctx = cli_bytecode_context_alloc();
|
2726
|
2736
|
if (!bc_ctx) {
|
2727
|
|
- cli_errmsg("cli_scanpe: can't allocate memory for bc_ctx\n");
|
2728
|
|
- return CL_EMEM;
|
|
2737
|
+ cli_errmsg("cli_scanpe: can't allocate memory for bc_ctx\n");
|
|
2738
|
+ return CL_EMEM;
|
2729
|
2739
|
}
|
|
2740
|
+
|
2730
|
2741
|
cli_bytecode_context_setpe(bc_ctx, &pedata, exe_sections);
|
2731
|
2742
|
cli_bytecode_context_setctx(bc_ctx, ctx);
|
|
2743
|
+
|
2732
|
2744
|
ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PE_UNPACKER, map);
|
2733
|
2745
|
switch (ret) {
|
2734
|
|
- case CL_VIRUS:
|
2735
|
|
- free(exe_sections);
|
2736
|
|
- cli_bytecode_context_destroy(bc_ctx);
|
2737
|
|
- return CL_VIRUS;
|
2738
|
|
- case CL_SUCCESS:
|
2739
|
|
- ndesc = cli_bytecode_context_getresult_file(bc_ctx, &tempfile);
|
2740
|
|
- cli_bytecode_context_destroy(bc_ctx);
|
2741
|
|
- if (ndesc != -1 && tempfile) {
|
2742
|
|
- CLI_UNPRESULTS("bytecode PE hook", 1, 1, (0));
|
2743
|
|
- }
|
2744
|
|
- break;
|
2745
|
|
- default:
|
2746
|
|
- cli_bytecode_context_destroy(bc_ctx);
|
|
2746
|
+ case CL_VIRUS:
|
|
2747
|
+ free(exe_sections);
|
|
2748
|
+ cli_bytecode_context_destroy(bc_ctx);
|
|
2749
|
+ return CL_VIRUS;
|
|
2750
|
+ case CL_SUCCESS:
|
|
2751
|
+ ndesc = cli_bytecode_context_getresult_file(bc_ctx, &tempfile);
|
|
2752
|
+ cli_bytecode_context_destroy(bc_ctx);
|
|
2753
|
+ if (ndesc != -1 && tempfile) {
|
|
2754
|
+ CLI_UNPRESULTS("bytecode PE hook", 1, 1, (0));
|
|
2755
|
+ }
|
|
2756
|
+
|
|
2757
|
+ break;
|
|
2758
|
+ default:
|
|
2759
|
+ cli_bytecode_context_destroy(bc_ctx);
|
2747
|
2760
|
}
|
2748
|
2761
|
|
2749
|
2762
|
free(exe_sections);
|
|
2763
|
+
|
2750
|
2764
|
#if HAVE_JSON
|
2751
|
|
- if (cli_json_timeout_cycle_check(ctx, &toval) != CL_SUCCESS) {
|
|
2765
|
+ if (cli_json_timeout_cycle_check(ctx, &toval) != CL_SUCCESS)
|
2752
|
2766
|
return CL_ETIMEOUT;
|
2753
|
|
- }
|
2754
|
2767
|
#endif
|
|
2768
|
+
|
2755
|
2769
|
if (SCAN_ALL && viruses_found)
|
2756
|
|
- return CL_VIRUS;
|
|
2770
|
+ return CL_VIRUS;
|
|
2771
|
+
|
2757
|
2772
|
return CL_CLEAN;
|
2758
|
2773
|
}
|
2759
|
2774
|
|