Browse code
Retab cli_scanpe()
Shawn Webb authored on 2014/11/08 00:15:30Showing 1 changed files
| ... | ... |
@@ -722,49 +722,49 @@ static void add_section_info(cli_ctx *ctx, struct cli_exe_section *s) |
| 722 | 722 |
|
| 723 | 723 |
int cli_scanpe(cli_ctx *ctx) |
| 724 | 724 |
{
|
| 725 |
- uint16_t e_magic; /* DOS signature ("MZ") */
|
|
| 726 |
- uint16_t nsections; |
|
| 727 |
- uint32_t e_lfanew; /* address of new exe header */ |
|
| 728 |
- uint32_t ep, vep; /* entry point (raw, virtual) */ |
|
| 729 |
- uint8_t polipos = 0; |
|
| 730 |
- time_t timestamp; |
|
| 731 |
- struct pe_image_file_hdr file_hdr; |
|
| 732 |
- union {
|
|
| 733 |
- struct pe_image_optional_hdr64 opt64; |
|
| 734 |
- struct pe_image_optional_hdr32 opt32; |
|
| 735 |
- } pe_opt; |
|
| 736 |
- struct pe_image_section_hdr *section_hdr; |
|
| 737 |
- char sname[9], epbuff[4096], *tempfile; |
|
| 738 |
- uint32_t epsize; |
|
| 739 |
- ssize_t bytes, at; |
|
| 740 |
- unsigned int i, j, found, upx_success = 0, min = 0, max = 0, err, overlays = 0, rescan = 1; |
|
| 741 |
- unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0, corrupted_cur; |
|
| 742 |
- int (*upxfn)(const char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL; |
|
| 743 |
- const char *src = NULL; |
|
| 744 |
- char *dest = NULL; |
|
| 745 |
- int ndesc, ret = CL_CLEAN, upack = 0, native=0; |
|
| 746 |
- size_t fsize; |
|
| 747 |
- uint32_t valign, falign, hdr_size; |
|
| 748 |
- struct cli_exe_section *exe_sections; |
|
| 749 |
- char timestr[32]; |
|
| 750 |
- struct pe_image_data_dir *dirs; |
|
| 751 |
- struct cli_bc_ctx *bc_ctx; |
|
| 752 |
- fmap_t *map; |
|
| 753 |
- struct cli_pe_hook_data pedata; |
|
| 725 |
+ uint16_t e_magic; /* DOS signature ("MZ") */
|
|
| 726 |
+ uint16_t nsections; |
|
| 727 |
+ uint32_t e_lfanew; /* address of new exe header */ |
|
| 728 |
+ uint32_t ep, vep; /* entry point (raw, virtual) */ |
|
| 729 |
+ uint8_t polipos = 0; |
|
| 730 |
+ time_t timestamp; |
|
| 731 |
+ struct pe_image_file_hdr file_hdr; |
|
| 732 |
+ union {
|
|
| 733 |
+ struct pe_image_optional_hdr64 opt64; |
|
| 734 |
+ struct pe_image_optional_hdr32 opt32; |
|
| 735 |
+ } pe_opt; |
|
| 736 |
+ struct pe_image_section_hdr *section_hdr; |
|
| 737 |
+ char sname[9], epbuff[4096], *tempfile; |
|
| 738 |
+ uint32_t epsize; |
|
| 739 |
+ ssize_t bytes, at; |
|
| 740 |
+ unsigned int i, j, found, upx_success = 0, min = 0, max = 0, err, overlays = 0, rescan = 1; |
|
| 741 |
+ unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0, corrupted_cur; |
|
| 742 |
+ int (*upxfn)(const char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL; |
|
| 743 |
+ const char *src = NULL; |
|
| 744 |
+ char *dest = NULL; |
|
| 745 |
+ int ndesc, ret = CL_CLEAN, upack = 0, native=0; |
|
| 746 |
+ size_t fsize; |
|
| 747 |
+ uint32_t valign, falign, hdr_size; |
|
| 748 |
+ struct cli_exe_section *exe_sections; |
|
| 749 |
+ char timestr[32]; |
|
| 750 |
+ struct pe_image_data_dir *dirs; |
|
| 751 |
+ struct cli_bc_ctx *bc_ctx; |
|
| 752 |
+ fmap_t *map; |
|
| 753 |
+ struct cli_pe_hook_data pedata; |
|
| 754 | 754 |
#ifdef HAVE__INTERNAL__SHA_COLLECT |
| 755 |
- int sha_collect = ctx->sha_collect; |
|
| 755 |
+ int sha_collect = ctx->sha_collect; |
|
| 756 | 756 |
#endif |
| 757 | 757 |
const char *archtype=NULL, *subsystem=NULL; |
| 758 |
- uint32_t viruses_found = 0; |
|
| 758 |
+ uint32_t viruses_found = 0; |
|
| 759 | 759 |
#if HAVE_JSON |
| 760 |
- int toval = 0; |
|
| 761 |
- struct json_object *pe_json=NULL; |
|
| 762 |
- char jsonbuf[128]; |
|
| 760 |
+ int toval = 0; |
|
| 761 |
+ struct json_object *pe_json=NULL; |
|
| 762 |
+ char jsonbuf[128]; |
|
| 763 | 763 |
#endif |
| 764 | 764 |
|
| 765 | 765 |
if(!ctx) {
|
| 766 |
- cli_errmsg("cli_scanpe: ctx == NULL\n");
|
|
| 767 |
- return CL_ENULLARG; |
|
| 766 |
+ cli_errmsg("cli_scanpe: ctx == NULL\n");
|
|
| 767 |
+ return CL_ENULLARG; |
|
| 768 | 768 |
} |
| 769 | 769 |
|
| 770 | 770 |
#if HAVE_JSON |
| ... | ... |
@@ -778,41 +778,42 @@ int cli_scanpe(cli_ctx *ctx) |
| 778 | 778 |
#endif |
| 779 | 779 |
map = *ctx->fmap; |
| 780 | 780 |
if(fmap_readn(map, &e_magic, 0, sizeof(e_magic)) != sizeof(e_magic)) {
|
| 781 |
- cli_dbgmsg("Can't read DOS signature\n");
|
|
| 782 |
- return CL_CLEAN; |
|
| 781 |
+ cli_dbgmsg("Can't read DOS signature\n");
|
|
| 782 |
+ return CL_CLEAN; |
|
| 783 | 783 |
} |
| 784 | 784 |
|
| 785 | 785 |
if(EC16(e_magic) != PE_IMAGE_DOS_SIGNATURE && EC16(e_magic) != PE_IMAGE_DOS_SIGNATURE_OLD) {
|
| 786 |
- cli_dbgmsg("Invalid DOS signature\n");
|
|
| 787 |
- return CL_CLEAN; |
|
| 786 |
+ cli_dbgmsg("Invalid DOS signature\n");
|
|
| 787 |
+ return CL_CLEAN; |
|
| 788 | 788 |
} |
| 789 | 789 |
|
| 790 | 790 |
if(fmap_readn(map, &e_lfanew, 58 + sizeof(e_magic), sizeof(e_lfanew)) != sizeof(e_lfanew)) {
|
| 791 |
- cli_dbgmsg("Can't read new header address\n");
|
|
| 792 |
- /* truncated header? */ |
|
| 793 |
- if(DETECT_BROKEN_PE) {
|
|
| 794 |
- cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 795 |
- return CL_VIRUS; |
|
| 796 |
- } |
|
| 797 |
- return CL_CLEAN; |
|
| 791 |
+ cli_dbgmsg("Can't read new header address\n");
|
|
| 792 |
+ /* truncated header? */ |
|
| 793 |
+ if(DETECT_BROKEN_PE) {
|
|
| 794 |
+ cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 795 |
+ return CL_VIRUS; |
|
| 796 |
+ } |
|
| 797 |
+ |
|
| 798 |
+ return CL_CLEAN; |
|
| 798 | 799 |
} |
| 799 | 800 |
|
| 800 | 801 |
e_lfanew = EC32(e_lfanew); |
| 801 | 802 |
cli_dbgmsg("e_lfanew == %d\n", e_lfanew);
|
| 802 | 803 |
if(!e_lfanew) {
|
| 803 |
- cli_dbgmsg("Not a PE file\n");
|
|
| 804 |
- return CL_CLEAN; |
|
| 804 |
+ cli_dbgmsg("Not a PE file\n");
|
|
| 805 |
+ return CL_CLEAN; |
|
| 805 | 806 |
} |
| 806 | 807 |
|
| 807 | 808 |
if(fmap_readn(map, &file_hdr, e_lfanew, sizeof(struct pe_image_file_hdr)) != sizeof(struct pe_image_file_hdr)) {
|
| 808 |
- /* bad information in e_lfanew - probably not a PE file */ |
|
| 809 |
- cli_dbgmsg("Can't read file header\n");
|
|
| 810 |
- return CL_CLEAN; |
|
| 809 |
+ /* bad information in e_lfanew - probably not a PE file */ |
|
| 810 |
+ cli_dbgmsg("Can't read file header\n");
|
|
| 811 |
+ return CL_CLEAN; |
|
| 811 | 812 |
} |
| 812 | 813 |
|
| 813 | 814 |
if(EC32(file_hdr.Magic) != PE_IMAGE_NT_SIGNATURE) {
|
| 814 |
- cli_dbgmsg("Invalid PE signature (probably NE file)\n");
|
|
| 815 |
- return CL_CLEAN; |
|
| 815 |
+ cli_dbgmsg("Invalid PE signature (probably NE file)\n");
|
|
| 816 |
+ return CL_CLEAN; |
|
| 816 | 817 |
} |
| 817 | 818 |
|
| 818 | 819 |
if(EC16(file_hdr.Characteristics) & 0x2000) {
|
| ... | ... |
@@ -820,108 +821,108 @@ int cli_scanpe(cli_ctx *ctx) |
| 820 | 820 |
if ((pe_json)) |
| 821 | 821 |
cli_jsonstr(pe_json, "Type", "DLL"); |
| 822 | 822 |
#endif |
| 823 |
- cli_dbgmsg("File type: DLL\n");
|
|
| 824 |
- dll = 1; |
|
| 823 |
+ cli_dbgmsg("File type: DLL\n");
|
|
| 824 |
+ dll = 1; |
|
| 825 | 825 |
} else if(EC16(file_hdr.Characteristics) & 0x01) {
|
| 826 | 826 |
#if HAVE_JSON |
| 827 | 827 |
if ((pe_json)) |
| 828 | 828 |
cli_jsonstr(pe_json, "Type", "EXE"); |
| 829 | 829 |
#endif |
| 830 |
- cli_dbgmsg("File type: Executable\n");
|
|
| 830 |
+ cli_dbgmsg("File type: Executable\n");
|
|
| 831 | 831 |
} |
| 832 | 832 |
|
| 833 | 833 |
switch(EC16(file_hdr.Machine)) {
|
| 834 |
- case 0x0: |
|
| 834 |
+ case 0x0: |
|
| 835 | 835 |
archtype = "Unknown"; |
| 836 |
- break; |
|
| 837 |
- case 0x14c: |
|
| 836 |
+ break; |
|
| 837 |
+ case 0x14c: |
|
| 838 | 838 |
archtype = "80386"; |
| 839 |
- break; |
|
| 840 |
- case 0x14d: |
|
| 839 |
+ break; |
|
| 840 |
+ case 0x14d: |
|
| 841 | 841 |
archtype = "80486"; |
| 842 |
- break; |
|
| 843 |
- case 0x14e: |
|
| 842 |
+ break; |
|
| 843 |
+ case 0x14e: |
|
| 844 | 844 |
archtype = "80586"; |
| 845 |
- break; |
|
| 846 |
- case 0x160: |
|
| 845 |
+ break; |
|
| 846 |
+ case 0x160: |
|
| 847 | 847 |
archtype = "R30000 (big-endian)"; |
| 848 |
- break; |
|
| 849 |
- case 0x162: |
|
| 848 |
+ break; |
|
| 849 |
+ case 0x162: |
|
| 850 | 850 |
archtype = "R3000"; |
| 851 |
- break; |
|
| 852 |
- case 0x166: |
|
| 851 |
+ break; |
|
| 852 |
+ case 0x166: |
|
| 853 | 853 |
archtype = "R4000"; |
| 854 |
- break; |
|
| 855 |
- case 0x168: |
|
| 854 |
+ break; |
|
| 855 |
+ case 0x168: |
|
| 856 | 856 |
archtype = "R10000"; |
| 857 |
- break; |
|
| 858 |
- case 0x184: |
|
| 857 |
+ break; |
|
| 858 |
+ case 0x184: |
|
| 859 | 859 |
archtype = "DEC Alpha AXP"; |
| 860 |
- break; |
|
| 861 |
- case 0x284: |
|
| 860 |
+ break; |
|
| 861 |
+ case 0x284: |
|
| 862 | 862 |
archtype = "DEC Alpha AXP 64bit"; |
| 863 |
- break; |
|
| 864 |
- case 0x1f0: |
|
| 863 |
+ break; |
|
| 864 |
+ case 0x1f0: |
|
| 865 | 865 |
archtype = "PowerPC"; |
| 866 |
- break; |
|
| 867 |
- case 0x200: |
|
| 866 |
+ break; |
|
| 867 |
+ case 0x200: |
|
| 868 | 868 |
archtype = "IA64"; |
| 869 |
- break; |
|
| 870 |
- case 0x268: |
|
| 869 |
+ break; |
|
| 870 |
+ case 0x268: |
|
| 871 | 871 |
archtype = "M68k"; |
| 872 |
- break; |
|
| 873 |
- case 0x266: |
|
| 872 |
+ break; |
|
| 873 |
+ case 0x266: |
|
| 874 | 874 |
archtype = "MIPS16"; |
| 875 |
- break; |
|
| 876 |
- case 0x366: |
|
| 875 |
+ break; |
|
| 876 |
+ case 0x366: |
|
| 877 | 877 |
archtype = "MIPS+FPU"; |
| 878 |
- break; |
|
| 879 |
- case 0x466: |
|
| 878 |
+ break; |
|
| 879 |
+ case 0x466: |
|
| 880 | 880 |
archtype = "MIPS16+FPU"; |
| 881 |
- break; |
|
| 882 |
- case 0x1a2: |
|
| 881 |
+ break; |
|
| 882 |
+ case 0x1a2: |
|
| 883 | 883 |
archtype = "Hitachi SH3"; |
| 884 |
- break; |
|
| 885 |
- case 0x1a3: |
|
| 884 |
+ break; |
|
| 885 |
+ case 0x1a3: |
|
| 886 | 886 |
archtype = "Hitachi SH3-DSP"; |
| 887 |
- break; |
|
| 888 |
- case 0x1a4: |
|
| 887 |
+ break; |
|
| 888 |
+ case 0x1a4: |
|
| 889 | 889 |
archtype = "Hitachi SH3-E"; |
| 890 |
- break; |
|
| 891 |
- case 0x1a6: |
|
| 890 |
+ break; |
|
| 891 |
+ case 0x1a6: |
|
| 892 | 892 |
archtype = "Hitachi SH4"; |
| 893 |
- break; |
|
| 894 |
- case 0x1a8: |
|
| 893 |
+ break; |
|
| 894 |
+ case 0x1a8: |
|
| 895 | 895 |
archtype = "Hitachi SH5"; |
| 896 |
- break; |
|
| 897 |
- case 0x1c0: |
|
| 896 |
+ break; |
|
| 897 |
+ case 0x1c0: |
|
| 898 | 898 |
archtype = "ARM"; |
| 899 |
- break; |
|
| 900 |
- case 0x1c2: |
|
| 899 |
+ break; |
|
| 900 |
+ case 0x1c2: |
|
| 901 | 901 |
archtype = "THUMB"; |
| 902 |
- break; |
|
| 903 |
- case 0x1d3: |
|
| 902 |
+ break; |
|
| 903 |
+ case 0x1d3: |
|
| 904 | 904 |
archtype = "AM33"; |
| 905 |
- break; |
|
| 906 |
- case 0x520: |
|
| 905 |
+ break; |
|
| 906 |
+ case 0x520: |
|
| 907 | 907 |
archtype = "Infineon TriCore"; |
| 908 |
- break; |
|
| 909 |
- case 0xcef: |
|
| 908 |
+ break; |
|
| 909 |
+ case 0xcef: |
|
| 910 | 910 |
archtype = "CEF"; |
| 911 |
- break; |
|
| 912 |
- case 0xebc: |
|
| 911 |
+ break; |
|
| 912 |
+ case 0xebc: |
|
| 913 | 913 |
archtype = "EFI Byte Code"; |
| 914 |
- break; |
|
| 915 |
- case 0x9041: |
|
| 914 |
+ break; |
|
| 915 |
+ case 0x9041: |
|
| 916 | 916 |
archtype = "M32R"; |
| 917 |
- break; |
|
| 918 |
- case 0xc0ee: |
|
| 917 |
+ break; |
|
| 918 |
+ case 0xc0ee: |
|
| 919 | 919 |
archtype = "CEEE"; |
| 920 |
- break; |
|
| 921 |
- case 0x8664: |
|
| 920 |
+ break; |
|
| 921 |
+ case 0x8664: |
|
| 922 | 922 |
archtype = "AMD64"; |
| 923 |
- break; |
|
| 924 |
- default: |
|
| 923 |
+ break; |
|
| 924 |
+ default: |
|
| 925 | 925 |
archtype = "Unknown"; |
| 926 | 926 |
} |
| 927 | 927 |
|
| ... | ... |
@@ -937,18 +938,21 @@ int cli_scanpe(cli_ctx *ctx) |
| 937 | 937 |
#if HAVE_JSON |
| 938 | 938 |
pe_add_heuristic_property(ctx, "BadNumberOfSections"); |
| 939 | 939 |
#endif |
| 940 |
- if(DETECT_BROKEN_PE) {
|
|
| 941 |
- cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 942 |
- return CL_VIRUS; |
|
| 943 |
- } |
|
| 944 |
- if(!ctx->corrupted_input) {
|
|
| 945 |
- if(nsections) |
|
| 946 |
- cli_warnmsg("PE file contains %d sections\n", nsections);
|
|
| 947 |
- else |
|
| 948 |
- cli_warnmsg("PE file contains no sections\n");
|
|
| 949 |
- } |
|
| 950 |
- return CL_CLEAN; |
|
| 940 |
+ if(DETECT_BROKEN_PE) {
|
|
| 941 |
+ cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 942 |
+ return CL_VIRUS; |
|
| 943 |
+ } |
|
| 944 |
+ |
|
| 945 |
+ if(!ctx->corrupted_input) {
|
|
| 946 |
+ if(nsections) |
|
| 947 |
+ cli_warnmsg("PE file contains %d sections\n", nsections);
|
|
| 948 |
+ else |
|
| 949 |
+ cli_warnmsg("PE file contains no sections\n");
|
|
| 950 |
+ } |
|
| 951 |
+ |
|
| 952 |
+ return CL_CLEAN; |
|
| 951 | 953 |
} |
| 954 |
+ |
|
| 952 | 955 |
cli_dbgmsg("NumberOfSections: %d\n", nsections);
|
| 953 | 956 |
|
| 954 | 957 |
timestamp = (time_t) EC32(file_hdr.TimeDateStamp); |
| ... | ... |
@@ -969,21 +973,23 @@ int cli_scanpe(cli_ctx *ctx) |
| 969 | 969 |
pe_add_heuristic_property(ctx, "BadOptionalHeaderSize"); |
| 970 | 970 |
#endif |
| 971 | 971 |
cli_dbgmsg("SizeOfOptionalHeader too small\n");
|
| 972 |
- if(DETECT_BROKEN_PE) {
|
|
| 973 |
- cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 974 |
- return CL_VIRUS; |
|
| 975 |
- } |
|
| 976 |
- return CL_CLEAN; |
|
| 972 |
+ if(DETECT_BROKEN_PE) {
|
|
| 973 |
+ cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 974 |
+ return CL_VIRUS; |
|
| 975 |
+ } |
|
| 976 |
+ |
|
| 977 |
+ return CL_CLEAN; |
|
| 977 | 978 |
} |
| 978 | 979 |
|
| 979 | 980 |
at = e_lfanew + sizeof(struct pe_image_file_hdr); |
| 980 | 981 |
if(fmap_readn(map, &optional_hdr32, at, sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr32)) {
|
| 981 | 982 |
cli_dbgmsg("Can't read optional file header\n");
|
| 982 |
- if(DETECT_BROKEN_PE) {
|
|
| 983 |
- cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 984 |
- return CL_VIRUS; |
|
| 985 |
- } |
|
| 986 |
- return CL_CLEAN; |
|
| 983 |
+ if(DETECT_BROKEN_PE) {
|
|
| 984 |
+ cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 985 |
+ return CL_VIRUS; |
|
| 986 |
+ } |
|
| 987 |
+ |
|
| 988 |
+ return CL_CLEAN; |
|
| 987 | 989 |
} |
| 988 | 990 |
at += sizeof(struct pe_image_optional_hdr32); |
| 989 | 991 |
|
| ... | ... |
@@ -993,125 +999,129 @@ int cli_scanpe(cli_ctx *ctx) |
| 993 | 993 |
pe_add_heuristic_property(ctx, "BadOptionalHeaderSizePE32Plus"); |
| 994 | 994 |
#endif |
| 995 | 995 |
if(EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr64)) {
|
| 996 |
- /* FIXME: need to play around a bit more with xp64 */ |
|
| 997 |
- cli_dbgmsg("Incorrect SizeOfOptionalHeader for PE32+\n");
|
|
| 998 |
- if(DETECT_BROKEN_PE) {
|
|
| 999 |
- cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1000 |
- return CL_VIRUS; |
|
| 1001 |
- } |
|
| 1002 |
- return CL_CLEAN; |
|
| 1003 |
- } |
|
| 1004 |
- pe_plus = 1; |
|
| 996 |
+ /* FIXME: need to play around a bit more with xp64 */ |
|
| 997 |
+ cli_dbgmsg("Incorrect SizeOfOptionalHeader for PE32+\n");
|
|
| 998 |
+ |
|
| 999 |
+ if(DETECT_BROKEN_PE) {
|
|
| 1000 |
+ cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1001 |
+ return CL_VIRUS; |
|
| 1002 |
+ } |
|
| 1003 |
+ |
|
| 1004 |
+ return CL_CLEAN; |
|
| 1005 |
+ } |
|
| 1006 |
+ pe_plus = 1; |
|
| 1005 | 1007 |
} |
| 1006 | 1008 |
|
| 1007 | 1009 |
if(!pe_plus) { /* PE */
|
| 1008 |
- if (EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr32)) {
|
|
| 1009 |
- /* Seek to the end of the long header */ |
|
| 1010 |
- at += EC16(file_hdr.SizeOfOptionalHeader)-sizeof(struct pe_image_optional_hdr32); |
|
| 1011 |
- } |
|
| 1010 |
+ if (EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr32)) {
|
|
| 1011 |
+ /* Seek to the end of the long header */ |
|
| 1012 |
+ at += EC16(file_hdr.SizeOfOptionalHeader)-sizeof(struct pe_image_optional_hdr32); |
|
| 1013 |
+ } |
|
| 1012 | 1014 |
|
| 1013 |
- if(DCONF & PE_CONF_UPACK) |
|
| 1014 |
- upack = (EC16(file_hdr.SizeOfOptionalHeader)==0x148); |
|
| 1015 |
+ if(DCONF & PE_CONF_UPACK) |
|
| 1016 |
+ upack = (EC16(file_hdr.SizeOfOptionalHeader)==0x148); |
|
| 1015 | 1017 |
|
| 1016 |
- vep = EC32(optional_hdr32.AddressOfEntryPoint); |
|
| 1017 |
- hdr_size = EC32(optional_hdr32.SizeOfHeaders); |
|
| 1018 |
- cli_dbgmsg("File format: PE\n");
|
|
| 1019 |
- |
|
| 1020 |
- cli_dbgmsg("MajorLinkerVersion: %d\n", optional_hdr32.MajorLinkerVersion);
|
|
| 1021 |
- cli_dbgmsg("MinorLinkerVersion: %d\n", optional_hdr32.MinorLinkerVersion);
|
|
| 1022 |
- cli_dbgmsg("SizeOfCode: 0x%x\n", EC32(optional_hdr32.SizeOfCode));
|
|
| 1023 |
- cli_dbgmsg("SizeOfInitializedData: 0x%x\n", EC32(optional_hdr32.SizeOfInitializedData));
|
|
| 1024 |
- cli_dbgmsg("SizeOfUninitializedData: 0x%x\n", EC32(optional_hdr32.SizeOfUninitializedData));
|
|
| 1025 |
- cli_dbgmsg("AddressOfEntryPoint: 0x%x\n", vep);
|
|
| 1026 |
- cli_dbgmsg("BaseOfCode: 0x%x\n", EC32(optional_hdr32.BaseOfCode));
|
|
| 1027 |
- cli_dbgmsg("SectionAlignment: 0x%x\n", EC32(optional_hdr32.SectionAlignment));
|
|
| 1028 |
- cli_dbgmsg("FileAlignment: 0x%x\n", EC32(optional_hdr32.FileAlignment));
|
|
| 1029 |
- cli_dbgmsg("MajorSubsystemVersion: %d\n", EC16(optional_hdr32.MajorSubsystemVersion));
|
|
| 1030 |
- cli_dbgmsg("MinorSubsystemVersion: %d\n", EC16(optional_hdr32.MinorSubsystemVersion));
|
|
| 1031 |
- cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr32.SizeOfImage));
|
|
| 1032 |
- cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);
|
|
| 1033 |
- cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr32.NumberOfRvaAndSizes));
|
|
| 1034 |
- dirs = optional_hdr32.DataDirectory; |
|
| 1018 |
+ vep = EC32(optional_hdr32.AddressOfEntryPoint); |
|
| 1019 |
+ hdr_size = EC32(optional_hdr32.SizeOfHeaders); |
|
| 1020 |
+ cli_dbgmsg("File format: PE\n");
|
|
| 1021 |
+ |
|
| 1022 |
+ cli_dbgmsg("MajorLinkerVersion: %d\n", optional_hdr32.MajorLinkerVersion);
|
|
| 1023 |
+ cli_dbgmsg("MinorLinkerVersion: %d\n", optional_hdr32.MinorLinkerVersion);
|
|
| 1024 |
+ cli_dbgmsg("SizeOfCode: 0x%x\n", EC32(optional_hdr32.SizeOfCode));
|
|
| 1025 |
+ cli_dbgmsg("SizeOfInitializedData: 0x%x\n", EC32(optional_hdr32.SizeOfInitializedData));
|
|
| 1026 |
+ cli_dbgmsg("SizeOfUninitializedData: 0x%x\n", EC32(optional_hdr32.SizeOfUninitializedData));
|
|
| 1027 |
+ cli_dbgmsg("AddressOfEntryPoint: 0x%x\n", vep);
|
|
| 1028 |
+ cli_dbgmsg("BaseOfCode: 0x%x\n", EC32(optional_hdr32.BaseOfCode));
|
|
| 1029 |
+ cli_dbgmsg("SectionAlignment: 0x%x\n", EC32(optional_hdr32.SectionAlignment));
|
|
| 1030 |
+ cli_dbgmsg("FileAlignment: 0x%x\n", EC32(optional_hdr32.FileAlignment));
|
|
| 1031 |
+ cli_dbgmsg("MajorSubsystemVersion: %d\n", EC16(optional_hdr32.MajorSubsystemVersion));
|
|
| 1032 |
+ cli_dbgmsg("MinorSubsystemVersion: %d\n", EC16(optional_hdr32.MinorSubsystemVersion));
|
|
| 1033 |
+ cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr32.SizeOfImage));
|
|
| 1034 |
+ cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);
|
|
| 1035 |
+ cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr32.NumberOfRvaAndSizes));
|
|
| 1036 |
+ dirs = optional_hdr32.DataDirectory; |
|
| 1035 | 1037 |
#if HAVE_JSON |
| 1036 |
- cli_jsonint(pe_json, "MajorLinkerVersion", optional_hdr32.MajorLinkerVersion); |
|
| 1037 |
- cli_jsonint(pe_json, "MinorLinkerVersion", optional_hdr32.MinorLinkerVersion); |
|
| 1038 |
- cli_jsonint(pe_json, "SizeOfCode", EC32(optional_hdr32.SizeOfCode)); |
|
| 1039 |
- cli_jsonint(pe_json, "SizeOfInitializedData", EC32(optional_hdr32.SizeOfInitializedData)); |
|
| 1040 |
- cli_jsonint(pe_json, "SizeOfUninitializedData", EC32(optional_hdr32.SizeOfUninitializedData)); |
|
| 1041 |
- cli_jsonint(pe_json, "NumberOfRvaAndSizes", EC32(optional_hdr32.NumberOfRvaAndSizes)); |
|
| 1042 |
- cli_jsonint(pe_json, "MajorSubsystemVersion", EC16(optional_hdr32.MajorSubsystemVersion)); |
|
| 1043 |
- cli_jsonint(pe_json, "MinorSubsystemVersion", EC16(optional_hdr32.MinorSubsystemVersion)); |
|
| 1038 |
+ cli_jsonint(pe_json, "MajorLinkerVersion", optional_hdr32.MajorLinkerVersion); |
|
| 1039 |
+ cli_jsonint(pe_json, "MinorLinkerVersion", optional_hdr32.MinorLinkerVersion); |
|
| 1040 |
+ cli_jsonint(pe_json, "SizeOfCode", EC32(optional_hdr32.SizeOfCode)); |
|
| 1041 |
+ cli_jsonint(pe_json, "SizeOfInitializedData", EC32(optional_hdr32.SizeOfInitializedData)); |
|
| 1042 |
+ cli_jsonint(pe_json, "SizeOfUninitializedData", EC32(optional_hdr32.SizeOfUninitializedData)); |
|
| 1043 |
+ cli_jsonint(pe_json, "NumberOfRvaAndSizes", EC32(optional_hdr32.NumberOfRvaAndSizes)); |
|
| 1044 |
+ cli_jsonint(pe_json, "MajorSubsystemVersion", EC16(optional_hdr32.MajorSubsystemVersion)); |
|
| 1045 |
+ cli_jsonint(pe_json, "MinorSubsystemVersion", EC16(optional_hdr32.MinorSubsystemVersion)); |
|
| 1044 | 1046 |
|
| 1045 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.BaseOfCode)); |
|
| 1046 |
- cli_jsonstr(pe_json, "BaseOfCode", jsonbuf); |
|
| 1047 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.BaseOfCode)); |
|
| 1048 |
+ cli_jsonstr(pe_json, "BaseOfCode", jsonbuf); |
|
| 1047 | 1049 |
|
| 1048 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.SectionAlignment)); |
|
| 1049 |
- cli_jsonstr(pe_json, "SectionAlignment", jsonbuf); |
|
| 1050 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.SectionAlignment)); |
|
| 1051 |
+ cli_jsonstr(pe_json, "SectionAlignment", jsonbuf); |
|
| 1050 | 1052 |
|
| 1051 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.FileAlignment)); |
|
| 1052 |
- cli_jsonstr(pe_json, "FileAlignment", jsonbuf); |
|
| 1053 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.FileAlignment)); |
|
| 1054 |
+ cli_jsonstr(pe_json, "FileAlignment", jsonbuf); |
|
| 1053 | 1055 |
|
| 1054 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.SizeOfImage)); |
|
| 1055 |
- cli_jsonstr(pe_json, "SizeOfImage", jsonbuf); |
|
| 1056 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr32.SizeOfImage)); |
|
| 1057 |
+ cli_jsonstr(pe_json, "SizeOfImage", jsonbuf); |
|
| 1056 | 1058 |
|
| 1057 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", hdr_size); |
|
| 1058 |
- cli_jsonstr(pe_json, "SizeOfHeaders", jsonbuf); |
|
| 1059 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", hdr_size); |
|
| 1060 |
+ cli_jsonstr(pe_json, "SizeOfHeaders", jsonbuf); |
|
| 1059 | 1061 |
#endif |
| 1060 | 1062 |
|
| 1061 | 1063 |
} else { /* PE+ */
|
| 1062 |
- /* read the remaining part of the header */ |
|
| 1063 |
- if(fmap_readn(map, &optional_hdr32 + 1, at, sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) {
|
|
| 1064 |
- cli_dbgmsg("Can't read optional file header\n");
|
|
| 1065 |
- if(DETECT_BROKEN_PE) {
|
|
| 1066 |
- cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1067 |
- return CL_VIRUS; |
|
| 1068 |
- } |
|
| 1069 |
- return CL_CLEAN; |
|
| 1070 |
- } |
|
| 1071 |
- at += sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32); |
|
| 1072 |
- vep = EC32(optional_hdr64.AddressOfEntryPoint); |
|
| 1073 |
- hdr_size = EC32(optional_hdr64.SizeOfHeaders); |
|
| 1074 |
- cli_dbgmsg("File format: PE32+\n");
|
|
| 1075 |
- |
|
| 1076 |
- cli_dbgmsg("MajorLinkerVersion: %d\n", optional_hdr64.MajorLinkerVersion);
|
|
| 1077 |
- cli_dbgmsg("MinorLinkerVersion: %d\n", optional_hdr64.MinorLinkerVersion);
|
|
| 1078 |
- cli_dbgmsg("SizeOfCode: 0x%x\n", EC32(optional_hdr64.SizeOfCode));
|
|
| 1079 |
- cli_dbgmsg("SizeOfInitializedData: 0x%x\n", EC32(optional_hdr64.SizeOfInitializedData));
|
|
| 1080 |
- cli_dbgmsg("SizeOfUninitializedData: 0x%x\n", EC32(optional_hdr64.SizeOfUninitializedData));
|
|
| 1081 |
- cli_dbgmsg("AddressOfEntryPoint: 0x%x\n", vep);
|
|
| 1082 |
- cli_dbgmsg("BaseOfCode: 0x%x\n", EC32(optional_hdr64.BaseOfCode));
|
|
| 1083 |
- cli_dbgmsg("SectionAlignment: 0x%x\n", EC32(optional_hdr64.SectionAlignment));
|
|
| 1084 |
- cli_dbgmsg("FileAlignment: 0x%x\n", EC32(optional_hdr64.FileAlignment));
|
|
| 1085 |
- cli_dbgmsg("MajorSubsystemVersion: %d\n", EC16(optional_hdr64.MajorSubsystemVersion));
|
|
| 1086 |
- cli_dbgmsg("MinorSubsystemVersion: %d\n", EC16(optional_hdr64.MinorSubsystemVersion));
|
|
| 1087 |
- cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr64.SizeOfImage));
|
|
| 1088 |
- cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);
|
|
| 1089 |
- cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr64.NumberOfRvaAndSizes));
|
|
| 1090 |
- dirs = optional_hdr64.DataDirectory; |
|
| 1064 |
+ /* read the remaining part of the header */ |
|
| 1065 |
+ if(fmap_readn(map, &optional_hdr32 + 1, at, sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) {
|
|
| 1066 |
+ cli_dbgmsg("Can't read optional file header\n");
|
|
| 1067 |
+ if(DETECT_BROKEN_PE) {
|
|
| 1068 |
+ cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1069 |
+ return CL_VIRUS; |
|
| 1070 |
+ } |
|
| 1071 |
+ |
|
| 1072 |
+ return CL_CLEAN; |
|
| 1073 |
+ } |
|
| 1074 |
+ |
|
| 1075 |
+ at += sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32); |
|
| 1076 |
+ vep = EC32(optional_hdr64.AddressOfEntryPoint); |
|
| 1077 |
+ hdr_size = EC32(optional_hdr64.SizeOfHeaders); |
|
| 1078 |
+ cli_dbgmsg("File format: PE32+\n");
|
|
| 1079 |
+ |
|
| 1080 |
+ cli_dbgmsg("MajorLinkerVersion: %d\n", optional_hdr64.MajorLinkerVersion);
|
|
| 1081 |
+ cli_dbgmsg("MinorLinkerVersion: %d\n", optional_hdr64.MinorLinkerVersion);
|
|
| 1082 |
+ cli_dbgmsg("SizeOfCode: 0x%x\n", EC32(optional_hdr64.SizeOfCode));
|
|
| 1083 |
+ cli_dbgmsg("SizeOfInitializedData: 0x%x\n", EC32(optional_hdr64.SizeOfInitializedData));
|
|
| 1084 |
+ cli_dbgmsg("SizeOfUninitializedData: 0x%x\n", EC32(optional_hdr64.SizeOfUninitializedData));
|
|
| 1085 |
+ cli_dbgmsg("AddressOfEntryPoint: 0x%x\n", vep);
|
|
| 1086 |
+ cli_dbgmsg("BaseOfCode: 0x%x\n", EC32(optional_hdr64.BaseOfCode));
|
|
| 1087 |
+ cli_dbgmsg("SectionAlignment: 0x%x\n", EC32(optional_hdr64.SectionAlignment));
|
|
| 1088 |
+ cli_dbgmsg("FileAlignment: 0x%x\n", EC32(optional_hdr64.FileAlignment));
|
|
| 1089 |
+ cli_dbgmsg("MajorSubsystemVersion: %d\n", EC16(optional_hdr64.MajorSubsystemVersion));
|
|
| 1090 |
+ cli_dbgmsg("MinorSubsystemVersion: %d\n", EC16(optional_hdr64.MinorSubsystemVersion));
|
|
| 1091 |
+ cli_dbgmsg("SizeOfImage: 0x%x\n", EC32(optional_hdr64.SizeOfImage));
|
|
| 1092 |
+ cli_dbgmsg("SizeOfHeaders: 0x%x\n", hdr_size);
|
|
| 1093 |
+ cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr64.NumberOfRvaAndSizes));
|
|
| 1094 |
+ dirs = optional_hdr64.DataDirectory; |
|
| 1091 | 1095 |
#if HAVE_JSON |
| 1092 |
- cli_jsonint(pe_json, "MajorLinkerVersion", optional_hdr64.MajorLinkerVersion); |
|
| 1093 |
- cli_jsonint(pe_json, "MinorLinkerVersion", optional_hdr64.MinorLinkerVersion); |
|
| 1094 |
- cli_jsonint(pe_json, "SizeOfCode", EC32(optional_hdr64.SizeOfCode)); |
|
| 1095 |
- cli_jsonint(pe_json, "SizeOfInitializedData", EC32(optional_hdr64.SizeOfInitializedData)); |
|
| 1096 |
- cli_jsonint(pe_json, "SizeOfUninitializedData", EC32(optional_hdr64.SizeOfUninitializedData)); |
|
| 1097 |
- cli_jsonint(pe_json, "NumberOfRvaAndSizes", EC32(optional_hdr64.NumberOfRvaAndSizes)); |
|
| 1098 |
- cli_jsonint(pe_json, "MajorSubsystemVersion", EC16(optional_hdr64.MajorSubsystemVersion)); |
|
| 1099 |
- cli_jsonint(pe_json, "MinorSubsystemVersion", EC16(optional_hdr64.MinorSubsystemVersion)); |
|
| 1096 |
+ cli_jsonint(pe_json, "MajorLinkerVersion", optional_hdr64.MajorLinkerVersion); |
|
| 1097 |
+ cli_jsonint(pe_json, "MinorLinkerVersion", optional_hdr64.MinorLinkerVersion); |
|
| 1098 |
+ cli_jsonint(pe_json, "SizeOfCode", EC32(optional_hdr64.SizeOfCode)); |
|
| 1099 |
+ cli_jsonint(pe_json, "SizeOfInitializedData", EC32(optional_hdr64.SizeOfInitializedData)); |
|
| 1100 |
+ cli_jsonint(pe_json, "SizeOfUninitializedData", EC32(optional_hdr64.SizeOfUninitializedData)); |
|
| 1101 |
+ cli_jsonint(pe_json, "NumberOfRvaAndSizes", EC32(optional_hdr64.NumberOfRvaAndSizes)); |
|
| 1102 |
+ cli_jsonint(pe_json, "MajorSubsystemVersion", EC16(optional_hdr64.MajorSubsystemVersion)); |
|
| 1103 |
+ cli_jsonint(pe_json, "MinorSubsystemVersion", EC16(optional_hdr64.MinorSubsystemVersion)); |
|
| 1100 | 1104 |
|
| 1101 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.BaseOfCode)); |
|
| 1102 |
- cli_jsonstr(pe_json, "BaseOfCode", jsonbuf); |
|
| 1105 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.BaseOfCode)); |
|
| 1106 |
+ cli_jsonstr(pe_json, "BaseOfCode", jsonbuf); |
|
| 1103 | 1107 |
|
| 1104 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.SectionAlignment)); |
|
| 1105 |
- cli_jsonstr(pe_json, "SectionAlignment", jsonbuf); |
|
| 1108 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.SectionAlignment)); |
|
| 1109 |
+ cli_jsonstr(pe_json, "SectionAlignment", jsonbuf); |
|
| 1106 | 1110 |
|
| 1107 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.FileAlignment)); |
|
| 1108 |
- cli_jsonstr(pe_json, "FileAlignment", jsonbuf); |
|
| 1111 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.FileAlignment)); |
|
| 1112 |
+ cli_jsonstr(pe_json, "FileAlignment", jsonbuf); |
|
| 1109 | 1113 |
|
| 1110 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.SizeOfImage)); |
|
| 1111 |
- cli_jsonstr(pe_json, "SizeOfImage", jsonbuf); |
|
| 1114 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", EC32(optional_hdr64.SizeOfImage)); |
|
| 1115 |
+ cli_jsonstr(pe_json, "SizeOfImage", jsonbuf); |
|
| 1112 | 1116 |
|
| 1113 |
- snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", hdr_size); |
|
| 1114 |
- cli_jsonstr(pe_json, "SizeOfHeaders", jsonbuf); |
|
| 1117 |
+ snprintf(jsonbuf, sizeof(jsonbuf), "0x%x", hdr_size); |
|
| 1118 |
+ cli_jsonstr(pe_json, "SizeOfHeaders", jsonbuf); |
|
| 1115 | 1119 |
#endif |
| 1116 | 1120 |
} |
| 1117 | 1121 |
|
| ... | ... |
@@ -1124,50 +1134,50 @@ int cli_scanpe(cli_ctx *ctx) |
| 1124 | 1124 |
|
| 1125 | 1125 |
|
| 1126 | 1126 |
switch(pe_plus ? EC16(optional_hdr64.Subsystem) : EC16(optional_hdr32.Subsystem)) {
|
| 1127 |
- case 0: |
|
| 1127 |
+ case 0: |
|
| 1128 | 1128 |
subsystem = "Unknown"; |
| 1129 |
- break; |
|
| 1130 |
- case 1: |
|
| 1129 |
+ break; |
|
| 1130 |
+ case 1: |
|
| 1131 | 1131 |
subsystem = "Native (svc)"; |
| 1132 |
- native = 1; |
|
| 1133 |
- break; |
|
| 1134 |
- case 2: |
|
| 1132 |
+ native = 1; |
|
| 1133 |
+ break; |
|
| 1134 |
+ case 2: |
|
| 1135 | 1135 |
subsystem = "Win32 GUI"; |
| 1136 |
- break; |
|
| 1137 |
- case 3: |
|
| 1136 |
+ break; |
|
| 1137 |
+ case 3: |
|
| 1138 | 1138 |
subsystem = "Win32 console"; |
| 1139 |
- break; |
|
| 1140 |
- case 5: |
|
| 1139 |
+ break; |
|
| 1140 |
+ case 5: |
|
| 1141 | 1141 |
subsystem = "OS/2 console"; |
| 1142 |
- break; |
|
| 1143 |
- case 7: |
|
| 1142 |
+ break; |
|
| 1143 |
+ case 7: |
|
| 1144 | 1144 |
subsystem = "POSIX console"; |
| 1145 |
- break; |
|
| 1146 |
- case 8: |
|
| 1145 |
+ break; |
|
| 1146 |
+ case 8: |
|
| 1147 | 1147 |
subsystem = "Native Win9x driver"; |
| 1148 |
- break; |
|
| 1149 |
- case 9: |
|
| 1148 |
+ break; |
|
| 1149 |
+ case 9: |
|
| 1150 | 1150 |
subsystem = "WinCE GUI"; |
| 1151 |
- break; |
|
| 1152 |
- case 10: |
|
| 1151 |
+ break; |
|
| 1152 |
+ case 10: |
|
| 1153 | 1153 |
subsystem = "EFI application"; |
| 1154 |
- break; |
|
| 1155 |
- case 11: |
|
| 1154 |
+ break; |
|
| 1155 |
+ case 11: |
|
| 1156 | 1156 |
subsystem = "EFI driver"; |
| 1157 |
- break; |
|
| 1158 |
- case 12: |
|
| 1157 |
+ break; |
|
| 1158 |
+ case 12: |
|
| 1159 | 1159 |
subsystem = "EFI runtime driver"; |
| 1160 |
- break; |
|
| 1161 |
- case 13: |
|
| 1160 |
+ break; |
|
| 1161 |
+ case 13: |
|
| 1162 | 1162 |
subsystem = "EFI ROM image"; |
| 1163 |
- break; |
|
| 1164 |
- case 14: |
|
| 1163 |
+ break; |
|
| 1164 |
+ case 14: |
|
| 1165 | 1165 |
subsystem = "Xbox"; |
| 1166 |
- break; |
|
| 1167 |
- case 16: |
|
| 1166 |
+ break; |
|
| 1167 |
+ case 16: |
|
| 1168 | 1168 |
subsystem = "Boot application"; |
| 1169 |
- break; |
|
| 1170 |
- default: |
|
| 1169 |
+ break; |
|
| 1170 |
+ default: |
|
| 1171 | 1171 |
subsystem = "Unknown"; |
| 1172 | 1172 |
} |
| 1173 | 1173 |
|
| ... | ... |
@@ -1181,14 +1191,14 @@ int cli_scanpe(cli_ctx *ctx) |
| 1181 | 1181 |
|
| 1182 | 1182 |
if (DETECT_BROKEN_PE && !native && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) {
|
| 1183 | 1183 |
cli_dbgmsg("Bad virtual alignemnt\n");
|
| 1184 |
- cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1185 |
- return CL_VIRUS; |
|
| 1184 |
+ cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1185 |
+ return CL_VIRUS; |
|
| 1186 | 1186 |
} |
| 1187 | 1187 |
|
| 1188 | 1188 |
if (DETECT_BROKEN_PE && !native && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
|
| 1189 | 1189 |
cli_dbgmsg("Bad file alignemnt\n");
|
| 1190 |
- cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1191 |
- return CL_VIRUS; |
|
| 1190 |
+ cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1191 |
+ return CL_VIRUS; |
|
| 1192 | 1192 |
} |
| 1193 | 1193 |
|
| 1194 | 1194 |
fsize = map->len; |
| ... | ... |
@@ -1196,16 +1206,16 @@ int cli_scanpe(cli_ctx *ctx) |
| 1196 | 1196 |
section_hdr = (struct pe_image_section_hdr *) cli_calloc(nsections, sizeof(struct pe_image_section_hdr)); |
| 1197 | 1197 |
|
| 1198 | 1198 |
if(!section_hdr) {
|
| 1199 |
- cli_dbgmsg("Can't allocate memory for section headers\n");
|
|
| 1200 |
- return CL_EMEM; |
|
| 1199 |
+ cli_dbgmsg("Can't allocate memory for section headers\n");
|
|
| 1200 |
+ return CL_EMEM; |
|
| 1201 | 1201 |
} |
| 1202 | 1202 |
|
| 1203 | 1203 |
exe_sections = (struct cli_exe_section *) cli_calloc(nsections, sizeof(struct cli_exe_section)); |
| 1204 | 1204 |
|
| 1205 | 1205 |
if(!exe_sections) {
|
| 1206 |
- cli_dbgmsg("Can't allocate memory for section headers\n");
|
|
| 1207 |
- free(section_hdr); |
|
| 1208 |
- return CL_EMEM; |
|
| 1206 |
+ cli_dbgmsg("Can't allocate memory for section headers\n");
|
|
| 1207 |
+ free(section_hdr); |
|
| 1208 |
+ return CL_EMEM; |
|
| 1209 | 1209 |
} |
| 1210 | 1210 |
|
| 1211 | 1211 |
valign = (pe_plus)?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment); |
| ... | ... |
@@ -1213,23 +1223,27 @@ int cli_scanpe(cli_ctx *ctx) |
| 1213 | 1213 |
|
| 1214 | 1214 |
if(fmap_readn(map, section_hdr, at, sizeof(struct pe_image_section_hdr)*nsections) != (int)(nsections*sizeof(struct pe_image_section_hdr))) {
|
| 1215 | 1215 |
cli_dbgmsg("Can't read section header\n");
|
| 1216 |
- cli_dbgmsg("Possibly broken PE file\n");
|
|
| 1217 |
- free(section_hdr); |
|
| 1218 |
- free(exe_sections); |
|
| 1219 |
- if(DETECT_BROKEN_PE) {
|
|
| 1220 |
- cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1221 |
- return CL_VIRUS; |
|
| 1222 |
- } |
|
| 1223 |
- return CL_CLEAN; |
|
| 1216 |
+ cli_dbgmsg("Possibly broken PE file\n");
|
|
| 1217 |
+ |
|
| 1218 |
+ free(section_hdr); |
|
| 1219 |
+ free(exe_sections); |
|
| 1220 |
+ |
|
| 1221 |
+ if(DETECT_BROKEN_PE) {
|
|
| 1222 |
+ cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1223 |
+ return CL_VIRUS; |
|
| 1224 |
+ } |
|
| 1225 |
+ |
|
| 1226 |
+ return CL_CLEAN; |
|
| 1224 | 1227 |
} |
| 1228 |
+ |
|
| 1225 | 1229 |
at += sizeof(struct pe_image_section_hdr)*nsections; |
| 1226 | 1230 |
|
| 1227 | 1231 |
for(i = 0; falign!=0x200 && i<nsections; i++) {
|
| 1228 |
- /* file alignment fallback mode - blah */ |
|
| 1229 |
- if (falign && section_hdr[i].SizeOfRawData && EC32(section_hdr[i].PointerToRawData)%falign && !(EC32(section_hdr[i].PointerToRawData)%0x200)) {
|
|
| 1230 |
- cli_dbgmsg("Found misaligned section, using 0x200\n");
|
|
| 1231 |
- falign = 0x200; |
|
| 1232 |
- } |
|
| 1232 |
+ /* file alignment fallback mode - blah */ |
|
| 1233 |
+ if (falign && section_hdr[i].SizeOfRawData && EC32(section_hdr[i].PointerToRawData)%falign && !(EC32(section_hdr[i].PointerToRawData)%0x200)) {
|
|
| 1234 |
+ cli_dbgmsg("Found misaligned section, using 0x200\n");
|
|
| 1235 |
+ falign = 0x200; |
|
| 1236 |
+ } |
|
| 1233 | 1237 |
} |
| 1234 | 1238 |
|
| 1235 | 1239 |
hdr_size = PESALIGN(hdr_size, valign); /* Aligned headers virtual size */ |
| ... | ... |
@@ -1281,7 +1295,7 @@ int cli_scanpe(cli_ctx *ctx) |
| 1281 | 1281 |
} |
| 1282 | 1282 |
} |
| 1283 | 1283 |
|
| 1284 |
- for(i = 0; i < nsections; i++) {
|
|
| 1284 |
+ for(i = 0; i < nsections; i++) {
|
|
| 1285 | 1285 |
strncpy(sname, (char *) section_hdr[i].Name, 8); |
| 1286 | 1286 |
sname[8] = 0; |
| 1287 | 1287 |
|
| ... | ... |
@@ -1295,115 +1309,120 @@ int cli_scanpe(cli_ctx *ctx) |
| 1295 | 1295 |
} |
| 1296 | 1296 |
#endif |
| 1297 | 1297 |
|
| 1298 |
- if (!exe_sections[i].vsz && exe_sections[i].rsz) |
|
| 1299 |
- exe_sections[i].vsz=PESALIGN(exe_sections[i].ursz, valign); |
|
| 1300 |
- |
|
| 1301 |
- if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz)) |
|
| 1302 |
- exe_sections[i].rsz = fsize - exe_sections[i].raw; |
|
| 1303 |
- |
|
| 1304 |
- cli_dbgmsg("Section %d\n", i);
|
|
| 1305 |
- cli_dbgmsg("Section name: %s\n", sname);
|
|
| 1306 |
- cli_dbgmsg("Section data (from headers - in memory)\n");
|
|
| 1307 |
- cli_dbgmsg("VirtualSize: 0x%x 0x%x\n", exe_sections[i].uvsz, exe_sections[i].vsz);
|
|
| 1308 |
- cli_dbgmsg("VirtualAddress: 0x%x 0x%x\n", exe_sections[i].urva, exe_sections[i].rva);
|
|
| 1309 |
- cli_dbgmsg("SizeOfRawData: 0x%x 0x%x\n", exe_sections[i].ursz, exe_sections[i].rsz);
|
|
| 1310 |
- cli_dbgmsg("PointerToRawData: 0x%x 0x%x\n", exe_sections[i].uraw, exe_sections[i].raw);
|
|
| 1311 |
- |
|
| 1312 |
- if(exe_sections[i].chr & 0x20) {
|
|
| 1313 |
- cli_dbgmsg("Section contains executable code\n");
|
|
| 1314 |
- |
|
| 1315 |
- if(exe_sections[i].vsz < exe_sections[i].rsz) {
|
|
| 1316 |
- cli_dbgmsg("Section contains free space\n");
|
|
| 1317 |
- /* |
|
| 1318 |
- cli_dbgmsg("Dumping %d bytes\n", section_hdr.SizeOfRawData - section_hdr.VirtualSize);
|
|
| 1319 |
- ddump(desc, section_hdr.PointerToRawData + section_hdr.VirtualSize, section_hdr.SizeOfRawData - section_hdr.VirtualSize, cli_gentemp(NULL)); |
|
| 1320 |
- */ |
|
| 1298 |
+ if (!exe_sections[i].vsz && exe_sections[i].rsz) |
|
| 1299 |
+ exe_sections[i].vsz=PESALIGN(exe_sections[i].ursz, valign); |
|
| 1321 | 1300 |
|
| 1322 |
- } |
|
| 1323 |
- } |
|
| 1301 |
+ if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz)) |
|
| 1302 |
+ exe_sections[i].rsz = fsize - exe_sections[i].raw; |
|
| 1303 |
+ |
|
| 1304 |
+ cli_dbgmsg("Section %d\n", i);
|
|
| 1305 |
+ cli_dbgmsg("Section name: %s\n", sname);
|
|
| 1306 |
+ cli_dbgmsg("Section data (from headers - in memory)\n");
|
|
| 1307 |
+ cli_dbgmsg("VirtualSize: 0x%x 0x%x\n", exe_sections[i].uvsz, exe_sections[i].vsz);
|
|
| 1308 |
+ cli_dbgmsg("VirtualAddress: 0x%x 0x%x\n", exe_sections[i].urva, exe_sections[i].rva);
|
|
| 1309 |
+ cli_dbgmsg("SizeOfRawData: 0x%x 0x%x\n", exe_sections[i].ursz, exe_sections[i].rsz);
|
|
| 1310 |
+ cli_dbgmsg("PointerToRawData: 0x%x 0x%x\n", exe_sections[i].uraw, exe_sections[i].raw);
|
|
| 1311 |
+ |
|
| 1312 |
+ if(exe_sections[i].chr & 0x20) {
|
|
| 1313 |
+ cli_dbgmsg("Section contains executable code\n");
|
|
| 1314 |
+ |
|
| 1315 |
+ if(exe_sections[i].vsz < exe_sections[i].rsz) {
|
|
| 1316 |
+ cli_dbgmsg("Section contains free space\n");
|
|
| 1317 |
+ /* |
|
| 1318 |
+ cli_dbgmsg("Dumping %d bytes\n", section_hdr.SizeOfRawData - section_hdr.VirtualSize);
|
|
| 1319 |
+ ddump(desc, section_hdr.PointerToRawData + section_hdr.VirtualSize, section_hdr.SizeOfRawData - section_hdr.VirtualSize, cli_gentemp(NULL)); |
|
| 1320 |
+ */ |
|
| 1321 |
+ } |
|
| 1322 |
+ } |
|
| 1324 | 1323 |
|
| 1325 |
- if(exe_sections[i].chr & 0x20000000) |
|
| 1326 |
- cli_dbgmsg("Section's memory is executable\n");
|
|
| 1324 |
+ if(exe_sections[i].chr & 0x20000000) |
|
| 1325 |
+ cli_dbgmsg("Section's memory is executable\n");
|
|
| 1327 | 1326 |
|
| 1328 |
- if(exe_sections[i].chr & 0x80000000) |
|
| 1329 |
- cli_dbgmsg("Section's memory is writeable\n");
|
|
| 1327 |
+ if(exe_sections[i].chr & 0x80000000) |
|
| 1328 |
+ cli_dbgmsg("Section's memory is writeable\n");
|
|
| 1330 | 1329 |
|
| 1331 |
- if (DETECT_BROKEN_PE && (!valign || (exe_sections[i].urva % valign))) { /* Bad virtual alignment */
|
|
| 1332 |
- cli_dbgmsg("VirtualAddress is misaligned\n");
|
|
| 1333 |
- cli_dbgmsg("------------------------------------\n");
|
|
| 1334 |
- cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1335 |
- free(section_hdr); |
|
| 1336 |
- free(exe_sections); |
|
| 1337 |
- return CL_VIRUS; |
|
| 1338 |
- } |
|
| 1330 |
+ if (DETECT_BROKEN_PE && (!valign || (exe_sections[i].urva % valign))) { /* Bad virtual alignment */
|
|
| 1331 |
+ cli_dbgmsg("VirtualAddress is misaligned\n");
|
|
| 1332 |
+ cli_dbgmsg("------------------------------------\n");
|
|
| 1333 |
+ cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1334 |
+ free(section_hdr); |
|
| 1335 |
+ free(exe_sections); |
|
| 1336 |
+ return CL_VIRUS; |
|
| 1337 |
+ } |
|
| 1339 | 1338 |
|
| 1340 |
- if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
|
|
| 1341 |
- if(SCAN_ALGO && (DCONF & PE_CONF_POLIPOS) && !*sname && exe_sections[i].vsz > 40000 && exe_sections[i].vsz < 70000 && exe_sections[i].chr == 0xe0000060) polipos = i; |
|
| 1342 |
- |
|
| 1343 |
- /* check hash section sigs */ |
|
| 1344 |
- if((DCONF & PE_CONF_MD5SECT) && ctx->engine->hm_mdb) {
|
|
| 1345 |
- ret = scan_pe_mdb(ctx, &exe_sections[i]); |
|
| 1346 |
- if (ret != CL_CLEAN) {
|
|
| 1347 |
- if (ret != CL_VIRUS) |
|
| 1348 |
- cli_errmsg("scan_pe: scan_pe_mdb failed: %s!\n", cl_strerror(ret));
|
|
| 1349 |
- cli_dbgmsg("------------------------------------\n");
|
|
| 1350 |
- free(section_hdr); |
|
| 1351 |
- free(exe_sections); |
|
| 1352 |
- return ret; |
|
| 1353 |
- } |
|
| 1354 |
- } |
|
| 1355 |
- } |
|
| 1356 |
- cli_dbgmsg("------------------------------------\n");
|
|
| 1339 |
+ if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
|
|
| 1340 |
+ if(SCAN_ALGO && (DCONF & PE_CONF_POLIPOS) && !*sname && exe_sections[i].vsz > 40000 && exe_sections[i].vsz < 70000 && exe_sections[i].chr == 0xe0000060) polipos = i; |
|
| 1357 | 1341 |
|
| 1358 |
- if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {
|
|
| 1359 |
- cli_dbgmsg("Found PE values with sign bit set\n");
|
|
| 1360 |
- free(section_hdr); |
|
| 1361 |
- free(exe_sections); |
|
| 1362 |
- if(DETECT_BROKEN_PE) {
|
|
| 1363 |
- cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1364 |
- return CL_VIRUS; |
|
| 1365 |
- } |
|
| 1366 |
- return CL_CLEAN; |
|
| 1367 |
- } |
|
| 1342 |
+ /* check hash section sigs */ |
|
| 1343 |
+ if((DCONF & PE_CONF_MD5SECT) && ctx->engine->hm_mdb) {
|
|
| 1344 |
+ ret = scan_pe_mdb(ctx, &exe_sections[i]); |
|
| 1345 |
+ if (ret != CL_CLEAN) {
|
|
| 1346 |
+ if (ret != CL_VIRUS) |
|
| 1347 |
+ cli_errmsg("scan_pe: scan_pe_mdb failed: %s!\n", cl_strerror(ret));
|
|
| 1368 | 1348 |
|
| 1369 |
- if(!i) {
|
|
| 1370 |
- if (DETECT_BROKEN_PE && exe_sections[i].urva!=hdr_size) { /* Bad first section RVA */
|
|
| 1371 |
- cli_dbgmsg("First section is in the wrong place\n");
|
|
| 1372 |
- cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1373 |
- free(section_hdr); |
|
| 1374 |
- free(exe_sections); |
|
| 1375 |
- return CL_VIRUS; |
|
| 1376 |
- } |
|
| 1377 |
- min = exe_sections[i].rva; |
|
| 1378 |
- max = exe_sections[i].rva + exe_sections[i].rsz; |
|
| 1379 |
- } else {
|
|
| 1380 |
- if (DETECT_BROKEN_PE && exe_sections[i].urva - exe_sections[i-1].urva != exe_sections[i-1].vsz) { /* No holes, no overlapping, no virtual disorder */
|
|
| 1381 |
- cli_dbgmsg("Virtually misplaced section (wrong order, overlapping, non contiguous)\n");
|
|
| 1382 |
- cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1383 |
- free(section_hdr); |
|
| 1384 |
- free(exe_sections); |
|
| 1385 |
- return CL_VIRUS; |
|
| 1386 |
- } |
|
| 1387 |
- if(exe_sections[i].rva < min) |
|
| 1388 |
- min = exe_sections[i].rva; |
|
| 1349 |
+ cli_dbgmsg("------------------------------------\n");
|
|
| 1350 |
+ free(section_hdr); |
|
| 1351 |
+ free(exe_sections); |
|
| 1352 |
+ return ret; |
|
| 1353 |
+ } |
|
| 1354 |
+ } |
|
| 1355 |
+ } |
|
| 1356 |
+ cli_dbgmsg("------------------------------------\n");
|
|
| 1389 | 1357 |
|
| 1390 |
- if(exe_sections[i].rva + exe_sections[i].rsz > max) {
|
|
| 1391 |
- max = exe_sections[i].rva + exe_sections[i].rsz; |
|
| 1392 |
- overlays = exe_sections[i].raw + exe_sections[i].rsz; |
|
| 1393 |
- } |
|
| 1394 |
- } |
|
| 1358 |
+ if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {
|
|
| 1359 |
+ cli_dbgmsg("Found PE values with sign bit set\n");
|
|
| 1360 |
+ |
|
| 1361 |
+ free(section_hdr); |
|
| 1362 |
+ free(exe_sections); |
|
| 1363 |
+ if(DETECT_BROKEN_PE) {
|
|
| 1364 |
+ cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1365 |
+ return CL_VIRUS; |
|
| 1366 |
+ } |
|
| 1367 |
+ |
|
| 1368 |
+ return CL_CLEAN; |
|
| 1369 |
+ } |
|
| 1370 |
+ |
|
| 1371 |
+ if(!i) {
|
|
| 1372 |
+ if (DETECT_BROKEN_PE && exe_sections[i].urva!=hdr_size) { /* Bad first section RVA */
|
|
| 1373 |
+ cli_dbgmsg("First section is in the wrong place\n");
|
|
| 1374 |
+ cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1375 |
+ free(section_hdr); |
|
| 1376 |
+ free(exe_sections); |
|
| 1377 |
+ return CL_VIRUS; |
|
| 1378 |
+ } |
|
| 1379 |
+ |
|
| 1380 |
+ min = exe_sections[i].rva; |
|
| 1381 |
+ max = exe_sections[i].rva + exe_sections[i].rsz; |
|
| 1382 |
+ } else {
|
|
| 1383 |
+ if (DETECT_BROKEN_PE && exe_sections[i].urva - exe_sections[i-1].urva != exe_sections[i-1].vsz) { /* No holes, no overlapping, no virtual disorder */
|
|
| 1384 |
+ cli_dbgmsg("Virtually misplaced section (wrong order, overlapping, non contiguous)\n");
|
|
| 1385 |
+ cli_append_virus(ctx, "Heuristics.Broken.Executable"); |
|
| 1386 |
+ free(section_hdr); |
|
| 1387 |
+ free(exe_sections); |
|
| 1388 |
+ return CL_VIRUS; |
|
| 1389 |
+ } |
|
| 1390 |
+ |
|
| 1391 |
+ if(exe_sections[i].rva < min) |
|
| 1392 |
+ min = exe_sections[i].rva; |
|
| 1393 |
+ |
|
| 1394 |
+ if(exe_sections[i].rva + exe_sections[i].rsz > max) {
|
|
| 1395 |
+ max = exe_sections[i].rva + exe_sections[i].rsz; |
|
| 1396 |
+ overlays = exe_sections[i].raw + exe_sections[i].rsz; |
|
| 1397 |
+ } |
|
| 1398 |
+ } |
|
| 1395 | 1399 |
} |
| 1396 | 1400 |
|
| 1397 | 1401 |
free(section_hdr); |
| 1398 | 1402 |
|
| 1399 | 1403 |
if(!(ep = cli_rawaddr(vep, exe_sections, nsections, &err, fsize, hdr_size)) && err) {
|
| 1400 |
- cli_dbgmsg("EntryPoint out of file\n");
|
|
| 1401 |
- free(exe_sections); |
|
| 1402 |
- if(DETECT_BROKEN_PE) {
|
|
| 1403 |
- cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1404 |
- return CL_VIRUS; |
|
| 1405 |
- } |
|
| 1406 |
- return CL_CLEAN; |
|
| 1404 |
+ cli_dbgmsg("EntryPoint out of file\n");
|
|
| 1405 |
+ free(exe_sections); |
|
| 1406 |
+ if(DETECT_BROKEN_PE) {
|
|
| 1407 |
+ cli_append_virus(ctx,"Heuristics.Broken.Executable"); |
|
| 1408 |
+ return CL_VIRUS; |
|
| 1409 |
+ } |
|
| 1410 |
+ |
|
| 1411 |
+ return CL_CLEAN; |
|
| 1407 | 1412 |
} |
| 1408 | 1413 |
|
| 1409 | 1414 |
#if HAVE_JSON |
| ... | ... |
@@ -1417,8 +1436,8 @@ int cli_scanpe(cli_ctx *ctx) |
| 1417 | 1417 |
cli_dbgmsg("EntryPoint offset: 0x%x (%d)\n", ep, ep);
|
| 1418 | 1418 |
|
| 1419 | 1419 |
if(pe_plus) { /* Do not continue for PE32+ files */
|
| 1420 |
- free(exe_sections); |
|
| 1421 |
- return CL_CLEAN; |
|
| 1420 |
+ free(exe_sections); |
|
| 1421 |
+ return CL_CLEAN; |
|
| 1422 | 1422 |
} |
| 1423 | 1423 |
|
| 1424 | 1424 |
epsize = fmap_readn(map, epbuff, ep, 4096); |
| ... | ... |
@@ -1438,14 +1457,14 @@ int cli_scanpe(cli_ctx *ctx) |
| 1438 | 1438 |
/* } */ |
| 1439 | 1439 |
|
| 1440 | 1440 |
if(overlays) {
|
| 1441 |
- int overlays_sz = fsize - overlays; |
|
| 1442 |
- if(overlays_sz > 0) {
|
|
| 1443 |
- ret = cli_scanishield(ctx, overlays, overlays_sz); |
|
| 1444 |
- if(ret != CL_CLEAN) {
|
|
| 1445 |
- free(exe_sections); |
|
| 1446 |
- return ret; |
|
| 1447 |
- } |
|
| 1448 |
- } |
|
| 1441 |
+ int overlays_sz = fsize - overlays; |
|
| 1442 |
+ if(overlays_sz > 0) {
|
|
| 1443 |
+ ret = cli_scanishield(ctx, overlays, overlays_sz); |
|
| 1444 |
+ if(ret != CL_CLEAN) {
|
|
| 1445 |
+ free(exe_sections); |
|
| 1446 |
+ return ret; |
|
| 1447 |
+ } |
|
| 1448 |
+ } |
|
| 1449 | 1449 |
} |
| 1450 | 1450 |
|
| 1451 | 1451 |
pedata.nsections = nsections; |
| ... | ... |
@@ -1463,10 +1482,11 @@ int cli_scanpe(cli_ctx *ctx) |
| 1463 | 1463 |
/* Bytecode BC_PE_ALL hook */ |
| 1464 | 1464 |
bc_ctx = cli_bytecode_context_alloc(); |
| 1465 | 1465 |
if (!bc_ctx) {
|
| 1466 |
- cli_errmsg("cli_scanpe: can't allocate memory for bc_ctx\n");
|
|
| 1467 |
- free(exe_sections); |
|
| 1468 |
- return CL_EMEM; |
|
| 1466 |
+ cli_errmsg("cli_scanpe: can't allocate memory for bc_ctx\n");
|
|
| 1467 |
+ free(exe_sections); |
|
| 1468 |
+ return CL_EMEM; |
|
| 1469 | 1469 |
} |
| 1470 |
+ |
|
| 1470 | 1471 |
cli_bytecode_context_setpe(bc_ctx, &pedata, exe_sections); |
| 1471 | 1472 |
cli_bytecode_context_setctx(bc_ctx, ctx); |
| 1472 | 1473 |
ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PE_ALL, map); |
| ... | ... |
@@ -1486,228 +1506,284 @@ int cli_scanpe(cli_ctx *ctx) |
| 1486 | 1486 |
/* W32.Parite.B */ |
| 1487 | 1487 |
if(SCAN_ALGO && (DCONF & PE_CONF_PARITE) && !dll && epsize == 4096 && ep == exe_sections[nsections - 1].raw) {
|
| 1488 | 1488 |
const char *pt = cli_memstr(epbuff, 4040, "\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00", 15); |
| 1489 |
- if(pt) {
|
|
| 1490 |
- pt += 15; |
|
| 1491 |
- if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
|
|
| 1492 |
- cli_append_virus(ctx,"Heuristics.W32.Parite.B"); |
|
| 1493 |
- if (!SCAN_ALL) {
|
|
| 1494 |
- free(exe_sections); |
|
| 1495 |
- return CL_VIRUS; |
|
| 1496 |
- } |
|
| 1497 |
- viruses_found++; |
|
| 1498 |
- } |
|
| 1499 |
- } |
|
| 1489 |
+ if(pt) {
|
|
| 1490 |
+ pt += 15; |
|
| 1491 |
+ if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
|
|
| 1492 |
+ cli_append_virus(ctx,"Heuristics.W32.Parite.B"); |
|
| 1493 |
+ if (!SCAN_ALL) {
|
|
| 1494 |
+ free(exe_sections); |
|
| 1495 |
+ return CL_VIRUS; |
|
| 1496 |
+ } |
|
| 1497 |
+ |
|
| 1498 |
+ viruses_found++; |
|
| 1499 |
+ } |
|
| 1500 |
+ } |
|
| 1500 | 1501 |
} |
| 1501 | 1502 |
|
| 1502 | 1503 |
/* Kriz */ |
| 1503 | 1504 |
if(SCAN_ALGO && (DCONF & PE_CONF_KRIZ) && epsize >= 200 && CLI_ISCONTAINED(exe_sections[nsections - 1].raw, exe_sections[nsections - 1].rsz, ep, 0x0fd2) && epbuff[1]=='\x9c' && epbuff[2]=='\x60') {
|
| 1504 |
- enum {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSXORPRFX,KZSXOR,KZSDDELTA,KZSLOOP,KZSTOP};
|
|
| 1505 |
- uint8_t kzs[] = {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSTRASH,KZSXORPRFX,KZSXOR,KZSTRASH,KZSDDELTA,KZSTRASH,KZSLOOP,KZSTOP};
|
|
| 1506 |
- uint8_t *kzstate = kzs; |
|
| 1507 |
- uint8_t *kzcode = (uint8_t *)epbuff + 3; |
|
| 1508 |
- uint8_t kzdptr=0xff, kzdsize=0xff; |
|
| 1509 |
- int kzlen = 197, kzinitlen=0xffff, kzxorlen=-1; |
|
| 1510 |
- cli_dbgmsg("in kriz\n");
|
|
| 1511 |
- |
|
| 1512 |
- while(*kzstate!=KZSTOP) {
|
|
| 1513 |
- uint8_t op; |
|
| 1514 |
- if(kzlen<=6) break; |
|
| 1515 |
- op = *kzcode++; |
|
| 1516 |
- kzlen--; |
|
| 1517 |
- switch (*kzstate) {
|
|
| 1518 |
- case KZSTRASH: case KZSGETSIZE: {
|
|
| 1519 |
- int opsz=0; |
|
| 1520 |
- switch(op) {
|
|
| 1521 |
- case 0x81: |
|
| 1522 |
- kzcode+=5; |
|
| 1523 |
- kzlen-=5; |
|
| 1524 |
- break; |
|
| 1525 |
- case 0xb8: case 0xb9: case 0xba: case 0xbb: case 0xbd: case 0xbe: case 0xbf: |
|
| 1526 |
- if(*kzstate==KZSGETSIZE && cli_readint32(kzcode)==0x0fd2) {
|
|
| 1527 |
- kzinitlen = kzlen-5; |
|
| 1528 |
- kzdsize=op-0xb8; |
|
| 1529 |
- kzstate++; |
|
| 1530 |
- op=4; /* fake the register to avoid breaking out */ |
|
| 1531 |
- cli_dbgmsg("kriz: using #%d as size counter\n", kzdsize);
|
|
| 1532 |
- } |
|
| 1533 |
- opsz=4; |
|
| 1534 |
- case 0x48: case 0x49: case 0x4a: case 0x4b: case 0x4d: case 0x4e: case 0x4f: |
|
| 1535 |
- op&=7; |
|
| 1536 |
- if(op!=kzdptr && op!=kzdsize) {
|
|
| 1537 |
- kzcode+=opsz; |
|
| 1538 |
- kzlen-=opsz; |
|
| 1539 |
- break; |
|
| 1540 |
- } |
|
| 1541 |
- default: |
|
| 1542 |
- kzcode--; |
|
| 1543 |
- kzlen++; |
|
| 1544 |
- kzstate++; |
|
| 1545 |
- } |
|
| 1546 |
- break; |
|
| 1547 |
- } |
|
| 1548 |
- case KZSCDELTA: |
|
| 1549 |
- if(op==0xe8 && (uint32_t)cli_readint32(kzcode) < 0xff) {
|
|
| 1550 |
- kzlen-=*kzcode+4; |
|
| 1551 |
- kzcode+=*kzcode+4; |
|
| 1552 |
- kzstate++; |
|
| 1553 |
- } else *kzstate=KZSTOP; |
|
| 1554 |
- break; |
|
| 1555 |
- case KZSPDELTA: |
|
| 1556 |
- if((op&0xf8)==0x58 && (kzdptr=op-0x58)!=4) {
|
|
| 1557 |
- kzstate++; |
|
| 1558 |
- cli_dbgmsg("kriz: using #%d as pointer\n", kzdptr);
|
|
| 1559 |
- } else *kzstate=KZSTOP; |
|
| 1560 |
- break; |
|
| 1561 |
- case KZSXORPRFX: |
|
| 1562 |
- kzstate++; |
|
| 1563 |
- if(op==0x3e) break; |
|
| 1564 |
- case KZSXOR: |
|
| 1565 |
- if (op==0x80 && *kzcode==kzdptr+0xb0) {
|
|
| 1566 |
- kzxorlen=kzlen; |
|
| 1567 |
- kzcode+=+6; |
|
| 1568 |
- kzlen-=+6; |
|
| 1569 |
- kzstate++; |
|
| 1570 |
- } else *kzstate=KZSTOP; |
|
| 1571 |
- break; |
|
| 1572 |
- case KZSDDELTA: |
|
| 1573 |
- if (op==kzdptr+0x48) kzstate++; |
|
| 1574 |
- else *kzstate=KZSTOP; |
|
| 1575 |
- break; |
|
| 1576 |
- case KZSLOOP: |
|
| 1577 |
- if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
|
|
| 1578 |
- cli_append_virus(ctx,"Heuristics.W32.Kriz"); |
|
| 1579 |
- if (!SCAN_ALL) {
|
|
| 1580 |
- free(exe_sections); |
|
| 1581 |
- return CL_VIRUS; |
|
| 1582 |
- } |
|
| 1583 |
- viruses_found++; |
|
| 1584 |
- } |
|
| 1585 |
- cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");
|
|
| 1586 |
- kzstate++; |
|
| 1587 |
- } |
|
| 1588 |
- } |
|
| 1505 |
+ enum {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSXORPRFX,KZSXOR,KZSDDELTA,KZSLOOP,KZSTOP};
|
|
| 1506 |
+ uint8_t kzs[] = {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSTRASH,KZSXORPRFX,KZSXOR,KZSTRASH,KZSDDELTA,KZSTRASH,KZSLOOP,KZSTOP};
|
|
| 1507 |
+ uint8_t *kzstate = kzs; |
|
| 1508 |
+ uint8_t *kzcode = (uint8_t *)epbuff + 3; |
|
| 1509 |
+ uint8_t kzdptr=0xff, kzdsize=0xff; |
|
| 1510 |
+ int kzlen = 197, kzinitlen=0xffff, kzxorlen=-1; |
|
| 1511 |
+ cli_dbgmsg("in kriz\n");
|
|
| 1512 |
+ |
|
| 1513 |
+ while(*kzstate!=KZSTOP) {
|
|
| 1514 |
+ uint8_t op; |
|
| 1515 |
+ if(kzlen<=6) |
|
| 1516 |
+ break; |
|
| 1517 |
+ |
|
| 1518 |
+ op = *kzcode++; |
|
| 1519 |
+ kzlen--; |
|
| 1520 |
+ |
|
| 1521 |
+ switch (*kzstate) {
|
|
| 1522 |
+ case KZSTRASH: |
|
| 1523 |
+ case KZSGETSIZE: {
|
|
| 1524 |
+ int opsz=0; |
|
| 1525 |
+ switch(op) {
|
|
| 1526 |
+ case 0x81: |
|
| 1527 |
+ kzcode+=5; |
|
| 1528 |
+ kzlen-=5; |
|
| 1529 |
+ break; |
|
| 1530 |
+ case 0xb8: |
|
| 1531 |
+ case 0xb9: |
|
| 1532 |
+ case 0xba: |
|
| 1533 |
+ case 0xbb: |
|
| 1534 |
+ case 0xbd: |
|
| 1535 |
+ case 0xbe: |
|
| 1536 |
+ case 0xbf: |
|
| 1537 |
+ if(*kzstate==KZSGETSIZE && cli_readint32(kzcode)==0x0fd2) {
|
|
| 1538 |
+ kzinitlen = kzlen-5; |
|
| 1539 |
+ kzdsize=op-0xb8; |
|
| 1540 |
+ kzstate++; |
|
| 1541 |
+ op=4; /* fake the register to avoid breaking out */ |
|
| 1542 |
+ |
|
| 1543 |
+ cli_dbgmsg("kriz: using #%d as size counter\n", kzdsize);
|
|
| 1544 |
+ } |
|
| 1545 |
+ opsz=4; |
|
| 1546 |
+ case 0x48: |
|
| 1547 |
+ case 0x49: |
|
| 1548 |
+ case 0x4a: |
|
| 1549 |
+ case 0x4b: |
|
| 1550 |
+ case 0x4d: |
|
| 1551 |
+ case 0x4e: |
|
| 1552 |
+ case 0x4f: |
|
| 1553 |
+ op&=7; |
|
| 1554 |
+ if(op!=kzdptr && op!=kzdsize) {
|
|
| 1555 |
+ kzcode+=opsz; |
|
| 1556 |
+ kzlen-=opsz; |
|
| 1557 |
+ break; |
|
| 1558 |
+ } |
|
| 1559 |
+ default: |
|
| 1560 |
+ kzcode--; |
|
| 1561 |
+ kzlen++; |
|
| 1562 |
+ kzstate++; |
|
| 1563 |
+ } |
|
| 1564 |
+ |
|
| 1565 |
+ break; |
|
| 1566 |
+ } |
|
| 1567 |
+ case KZSCDELTA: |
|
| 1568 |
+ if(op==0xe8 && (uint32_t)cli_readint32(kzcode) < 0xff) {
|
|
| 1569 |
+ kzlen-=*kzcode+4; |
|
| 1570 |
+ kzcode+=*kzcode+4; |
|
| 1571 |
+ kzstate++; |
|
| 1572 |
+ } else {
|
|
| 1573 |
+ *kzstate=KZSTOP; |
|
| 1574 |
+ } |
|
| 1575 |
+ |
|
| 1576 |
+ break; |
|
| 1577 |
+ case KZSPDELTA: |
|
| 1578 |
+ if((op&0xf8)==0x58 && (kzdptr=op-0x58)!=4) {
|
|
| 1579 |
+ kzstate++; |
|
| 1580 |
+ cli_dbgmsg("kriz: using #%d as pointer\n", kzdptr);
|
|
| 1581 |
+ } else {
|
|
| 1582 |
+ *kzstate=KZSTOP; |
|
| 1583 |
+ } |
|
| 1584 |
+ |
|
| 1585 |
+ break; |
|
| 1586 |
+ case KZSXORPRFX: |
|
| 1587 |
+ kzstate++; |
|
| 1588 |
+ if(op==0x3e) |
|
| 1589 |
+ break; |
|
| 1590 |
+ case KZSXOR: |
|
| 1591 |
+ if (op==0x80 && *kzcode==kzdptr+0xb0) {
|
|
| 1592 |
+ kzxorlen=kzlen; |
|
| 1593 |
+ kzcode+=+6; |
|
| 1594 |
+ kzlen-=+6; |
|
| 1595 |
+ kzstate++; |
|
| 1596 |
+ } else {
|
|
| 1597 |
+ *kzstate=KZSTOP; |
|
| 1598 |
+ } |
|
| 1599 |
+ |
|
| 1600 |
+ break; |
|
| 1601 |
+ case KZSDDELTA: |
|
| 1602 |
+ if (op==kzdptr+0x48) |
|
| 1603 |
+ kzstate++; |
|
| 1604 |
+ else |
|
| 1605 |
+ *kzstate=KZSTOP; |
|
| 1606 |
+ |
|
| 1607 |
+ break; |
|
| 1608 |
+ case KZSLOOP: |
|
| 1609 |
+ if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
|
|
| 1610 |
+ cli_append_virus(ctx,"Heuristics.W32.Kriz"); |
|
| 1611 |
+ if (!SCAN_ALL) {
|
|
| 1612 |
+ free(exe_sections); |
|
| 1613 |
+ return CL_VIRUS; |
|
| 1614 |
+ } |
|
| 1615 |
+ |
|
| 1616 |
+ viruses_found++; |
|
| 1617 |
+ } |
|
| 1618 |
+ |
|
| 1619 |
+ cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");
|
|
| 1620 |
+ kzstate++; |
|
| 1621 |
+ } |
|
| 1622 |
+ } |
|
| 1589 | 1623 |
} |
| 1590 | 1624 |
|
| 1591 | 1625 |
/* W32.Magistr.A/B */ |
| 1592 | 1626 |
if(SCAN_ALGO && (DCONF & PE_CONF_MAGISTR) && !dll && (nsections>1) && (exe_sections[nsections - 1].chr & 0x80000000)) {
|
| 1593 | 1627 |
uint32_t rsize, vsize, dam = 0; |
| 1594 | 1628 |
|
| 1595 |
- vsize = exe_sections[nsections - 1].uvsz; |
|
| 1596 |
- rsize = exe_sections[nsections - 1].rsz; |
|
| 1597 |
- if(rsize < exe_sections[nsections - 1].ursz) {
|
|
| 1598 |
- rsize = exe_sections[nsections - 1].ursz; |
|
| 1599 |
- dam = 1; |
|
| 1600 |
- } |
|
| 1629 |
+ vsize = exe_sections[nsections - 1].uvsz; |
|
| 1630 |
+ rsize = exe_sections[nsections - 1].rsz; |
|
| 1631 |
+ if(rsize < exe_sections[nsections - 1].ursz) {
|
|
| 1632 |
+ rsize = exe_sections[nsections - 1].ursz; |
|
| 1633 |
+ dam = 1; |
|
| 1634 |
+ } |
|
| 1601 | 1635 |
|
| 1602 |
- if(vsize >= 0x612c && rsize >= 0x612c && ((vsize & 0xff) == 0xec)) {
|
|
| 1603 |
- int bw = rsize < 0x7000 ? rsize : 0x7000; |
|
| 1604 |
- const char *tbuff; |
|
| 1636 |
+ if(vsize >= 0x612c && rsize >= 0x612c && ((vsize & 0xff) == 0xec)) {
|
|
| 1637 |
+ int bw = rsize < 0x7000 ? rsize : 0x7000; |
|
| 1638 |
+ const char *tbuff; |
|
| 1605 | 1639 |
|
| 1606 |
- if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
|
| 1607 |
- if(cli_memstr(tbuff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
|
|
| 1608 |
- cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A"); |
|
| 1609 |
- if (!SCAN_ALL) {
|
|
| 1610 |
- free(exe_sections); |
|
| 1611 |
- return CL_VIRUS; |
|
| 1612 |
- } |
|
| 1613 |
- viruses_found++; |
|
| 1614 |
- } |
|
| 1615 |
- } |
|
| 1640 |
+ if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
|
| 1641 |
+ if(cli_memstr(tbuff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
|
|
| 1642 |
+ cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A"); |
|
| 1643 |
+ if (!SCAN_ALL) {
|
|
| 1644 |
+ free(exe_sections); |
|
| 1645 |
+ return CL_VIRUS; |
|
| 1646 |
+ } |
|
| 1616 | 1647 |
|
| 1617 |
- } else if(rsize >= 0x7000 && vsize >= 0x7000 && ((vsize & 0xff) == 0xed)) {
|
|
| 1618 |
- int bw = rsize < 0x8000 ? rsize : 0x8000; |
|
| 1619 |
- const char *tbuff; |
|
| 1648 |
+ viruses_found++; |
|
| 1649 |
+ } |
|
| 1650 |
+ } |
|
| 1651 |
+ } else if(rsize >= 0x7000 && vsize >= 0x7000 && ((vsize & 0xff) == 0xed)) {
|
|
| 1652 |
+ int bw = rsize < 0x8000 ? rsize : 0x8000; |
|
| 1653 |
+ const char *tbuff; |
|
| 1654 |
+ |
|
| 1655 |
+ if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
|
| 1656 |
+ if(cli_memstr(tbuff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
|
|
| 1657 |
+ cli_append_virus(ctx,dam ? "Heuristics.W32.Magistr.B.dam" : "Heuristics.W32.Magistr.B"); |
|
| 1658 |
+ if (!SCAN_ALL) {
|
|
| 1659 |
+ free(exe_sections); |
|
| 1660 |
+ return CL_VIRUS; |
|
| 1661 |
+ } |
|
| 1620 | 1662 |
|
| 1621 |
- if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
|
| 1622 |
- if(cli_memstr(tbuff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
|
|
| 1623 |
- cli_append_virus(ctx,dam ? "Heuristics.W32.Magistr.B.dam" : "Heuristics.W32.Magistr.B"); |
|
| 1624 |
- if (!SCAN_ALL) {
|
|
| 1625 |
- free(exe_sections); |
|
| 1626 |
- return CL_VIRUS; |
|
| 1627 |
- } |
|
| 1628 |
- viruses_found++; |
|
| 1629 |
- } |
|
| 1630 |
- } |
|
| 1631 |
- } |
|
| 1663 |
+ viruses_found++; |
|
| 1664 |
+ } |
|
| 1665 |
+ } |
|
| 1666 |
+ } |
|
| 1632 | 1667 |
} |
| 1633 | 1668 |
|
| 1634 | 1669 |
/* W32.Polipos.A */ |
| 1635 | 1670 |
while(polipos && !dll && nsections > 2 && nsections < 13 && e_lfanew <= 0x800 && (EC16(optional_hdr32.Subsystem) == 2 || EC16(optional_hdr32.Subsystem) == 3) && EC16(file_hdr.Machine) == 0x14c && optional_hdr32.SizeOfStackReserve >= 0x80000) {
|
| 1636 |
- uint32_t jump, jold, *jumps = NULL; |
|
| 1637 |
- const uint8_t *code; |
|
| 1638 |
- unsigned int xsjs = 0; |
|
| 1639 |
- |
|
| 1640 |
- if(exe_sections[0].rsz > CLI_MAX_ALLOCATION) break; |
|
| 1641 |
- |
|
| 1642 |
- if(!exe_sections[0].rsz) break; |
|
| 1643 |
- if(!(code=fmap_need_off_once(map, exe_sections[0].raw, exe_sections[0].rsz))) break; |
|
| 1644 |
- for(i=0; i<exe_sections[0].rsz - 5; i++) {
|
|
| 1645 |
- if((uint8_t)(code[i]-0xe8) > 1) continue; |
|
| 1646 |
- jump = cli_rawaddr(exe_sections[0].rva+i+5+cli_readint32(&code[i+1]), exe_sections, nsections, &err, fsize, hdr_size); |
|
| 1647 |
- if(err || !CLI_ISCONTAINED(exe_sections[polipos].raw, exe_sections[polipos].rsz, jump, 9)) continue; |
|
| 1648 |
- if(xsjs % 128 == 0) {
|
|
| 1649 |
- if(xsjs == 1280) break; |
|
| 1650 |
- if(!(jumps=(uint32_t *)cli_realloc2(jumps, (xsjs+128)*sizeof(uint32_t)))) {
|
|
| 1651 |
- free(exe_sections); |
|
| 1652 |
- return CL_EMEM; |
|
| 1653 |
- } |
|
| 1654 |
- } |
|
| 1655 |
- j=0; |
|
| 1656 |
- for(; j<xsjs; j++) {
|
|
| 1657 |
- if(jumps[j]<jump) continue; |
|
| 1658 |
- if(jumps[j]==jump) {
|
|
| 1659 |
- xsjs--; |
|
| 1660 |
- break; |
|
| 1661 |
- } |
|
| 1662 |
- jold=jumps[j]; |
|
| 1663 |
- jumps[j]=jump; |
|
| 1664 |
- jump=jold; |
|
| 1665 |
- } |
|
| 1666 |
- jumps[j]=jump; |
|
| 1667 |
- xsjs++; |
|
| 1668 |
- } |
|
| 1669 |
- if(!xsjs) break; |
|
| 1670 |
- cli_dbgmsg("Polipos: Checking %d xsect jump(s)\n", xsjs);
|
|
| 1671 |
- for(i=0;i<xsjs;i++) {
|
|
| 1672 |
- if(!(code = fmap_need_off_once(map, jumps[i], 9))) continue; |
|
| 1673 |
- if((jump=cli_readint32(code))==0x60ec8b55 || (code[4]==0x0ec && ((jump==0x83ec8b55 && code[6]==0x60) || (jump==0x81ec8b55 && !code[7] && !code[8])))) {
|
|
| 1674 |
- cli_append_virus(ctx,"Heuristics.W32.Polipos.A"); |
|
| 1675 |
- if (!SCAN_ALL) {
|
|
| 1676 |
- free(jumps); |
|
| 1677 |
- free(exe_sections); |
|
| 1678 |
- return CL_VIRUS; |
|
| 1679 |
- } |
|
| 1680 |
- viruses_found++; |
|
| 1681 |
- } |
|
| 1682 |
- } |
|
| 1683 |
- free(jumps); |
|
| 1684 |
- break; |
|
| 1671 |
+ uint32_t jump, jold, *jumps = NULL; |
|
| 1672 |
+ const uint8_t *code; |
|
| 1673 |
+ unsigned int xsjs = 0; |
|
| 1674 |
+ |
|
| 1675 |
+ if(exe_sections[0].rsz > CLI_MAX_ALLOCATION) |
|
| 1676 |
+ break; |
|
| 1677 |
+ if(!exe_sections[0].rsz) |
|
| 1678 |
+ break; |
|
| 1679 |
+ if(!(code=fmap_need_off_once(map, exe_sections[0].raw, exe_sections[0].rsz))) |
|
| 1680 |
+ break; |
|
| 1681 |
+ |
|
| 1682 |
+ for(i=0; i<exe_sections[0].rsz - 5; i++) {
|
|
| 1683 |
+ if((uint8_t)(code[i]-0xe8) > 1) |
|
| 1684 |
+ continue; |
|
| 1685 |
+ |
|
| 1686 |
+ jump = cli_rawaddr(exe_sections[0].rva+i+5+cli_readint32(&code[i+1]), exe_sections, nsections, &err, fsize, hdr_size); |
|
| 1687 |
+ if(err || !CLI_ISCONTAINED(exe_sections[polipos].raw, exe_sections[polipos].rsz, jump, 9)) |
|
| 1688 |
+ continue; |
|
| 1689 |
+ |
|
| 1690 |
+ if(xsjs % 128 == 0) {
|
|
| 1691 |
+ if(xsjs == 1280) |
|
| 1692 |
+ break; |
|
| 1693 |
+ |
|
| 1694 |
+ if(!(jumps=(uint32_t *)cli_realloc2(jumps, (xsjs+128)*sizeof(uint32_t)))) {
|
|
| 1695 |
+ free(exe_sections); |
|
| 1696 |
+ return CL_EMEM; |
|
| 1697 |
+ } |
|
| 1698 |
+ } |
|
| 1699 |
+ |
|
| 1700 |
+ j=0; |
|
| 1701 |
+ for(; j<xsjs; j++) {
|
|
| 1702 |
+ if(jumps[j]<jump) |
|
| 1703 |
+ continue; |
|
| 1704 |
+ if(jumps[j]==jump) {
|
|
| 1705 |
+ xsjs--; |
|
| 1706 |
+ break; |
|
| 1707 |
+ } |
|
| 1708 |
+ |
|
| 1709 |
+ jold=jumps[j]; |
|
| 1710 |
+ jumps[j]=jump; |
|
| 1711 |
+ jump=jold; |
|
| 1712 |
+ } |
|
| 1713 |
+ |
|
| 1714 |
+ jumps[j]=jump; |
|
| 1715 |
+ xsjs++; |
|
| 1716 |
+ } |
|
| 1717 |
+ |
|
| 1718 |
+ if(!xsjs) |
|
| 1719 |
+ break; |
|
| 1720 |
+ |
|
| 1721 |
+ cli_dbgmsg("Polipos: Checking %d xsect jump(s)\n", xsjs);
|
|
| 1722 |
+ for(i=0;i<xsjs;i++) {
|
|
| 1723 |
+ if(!(code = fmap_need_off_once(map, jumps[i], 9))) |
|
| 1724 |
+ continue; |
|
| 1725 |
+ |
|
| 1726 |
+ if((jump=cli_readint32(code))==0x60ec8b55 || (code[4]==0x0ec && ((jump==0x83ec8b55 && code[6]==0x60) || (jump==0x81ec8b55 && !code[7] && !code[8])))) {
|
|
| 1727 |
+ cli_append_virus(ctx,"Heuristics.W32.Polipos.A"); |
|
| 1728 |
+ if (!SCAN_ALL) {
|
|
| 1729 |
+ free(jumps); |
|
| 1730 |
+ free(exe_sections); |
|
| 1731 |
+ return CL_VIRUS; |
|
| 1732 |
+ } |
|
| 1733 |
+ |
|
| 1734 |
+ viruses_found++; |
|
| 1735 |
+ } |
|
| 1736 |
+ } |
|
| 1737 |
+ |
|
| 1738 |
+ free(jumps); |
|
| 1739 |
+ break; |
|
| 1685 | 1740 |
} |
| 1686 | 1741 |
|
| 1687 | 1742 |
/* Trojan.Swizzor.Gen */ |
| 1688 | 1743 |
if (SCAN_ALGO && (DCONF & PE_CONF_SWIZZOR) && nsections > 1 && fsize > 64*1024 && fsize < 4*1024*1024) {
|
| 1689 |
- if(dirs[2].Size) {
|
|
| 1690 |
- struct swizz_stats *stats = cli_calloc(1, sizeof(*stats)); |
|
| 1691 |
- unsigned int m = 1000; |
|
| 1692 |
- ret = CL_CLEAN; |
|
| 1693 |
- |
|
| 1694 |
- if (!stats) |
|
| 1695 |
- ret = CL_EMEM; |
|
| 1696 |
- else {
|
|
| 1697 |
- cli_parseres_special(EC32(dirs[2].VirtualAddress), EC32(dirs[2].VirtualAddress), map, exe_sections, nsections, fsize, hdr_size, 0, 0, &m, stats); |
|
| 1698 |
- if ((ret = cli_detect_swizz(stats)) == CL_VIRUS) {
|
|
| 1699 |
- cli_append_virus(ctx,"Heuristics.Trojan.Swizzor.Gen"); |
|
| 1700 |
- } |
|
| 1701 |
- free(stats); |
|
| 1702 |
- } |
|
| 1703 |
- if (ret != CL_CLEAN) {
|
|
| 1704 |
- if (!(ret == CL_VIRUS && SCAN_ALL)) {
|
|
| 1705 |
- free(exe_sections); |
|
| 1706 |
- return ret; |
|
| 1707 |
- } |
|
| 1708 |
- viruses_found++; |
|
| 1709 |
- } |
|
| 1710 |
- } |
|
| 1744 |
+ if(dirs[2].Size) {
|
|
| 1745 |
+ struct swizz_stats *stats = cli_calloc(1, sizeof(*stats)); |
|
| 1746 |
+ unsigned int m = 1000; |
|
| 1747 |
+ ret = CL_CLEAN; |
|
| 1748 |
+ |
|
| 1749 |
+ if (!stats) {
|
|
| 1750 |
+ ret = CL_EMEM; |
|
| 1751 |
+ } else {
|
|
| 1752 |
+ cli_parseres_special(EC32(dirs[2].VirtualAddress), EC32(dirs[2].VirtualAddress), map, exe_sections, nsections, fsize, hdr_size, 0, 0, &m, stats); |
|
| 1753 |
+ if ((ret = cli_detect_swizz(stats)) == CL_VIRUS) |
|
| 1754 |
+ cli_append_virus(ctx,"Heuristics.Trojan.Swizzor.Gen"); |
|
| 1755 |
+ |
|
| 1756 |
+ free(stats); |
|
| 1757 |
+ } |
|
| 1758 |
+ if (ret != CL_CLEAN) {
|
|
| 1759 |
+ if (!(ret == CL_VIRUS && SCAN_ALL)) {
|
|
| 1760 |
+ free(exe_sections); |
|
| 1761 |
+ return ret; |
|
| 1762 |
+ } |
|
| 1763 |
+ |
|
| 1764 |
+ viruses_found++; |
|
| 1765 |
+ } |
|
| 1766 |
+ } |
|
| 1711 | 1767 |
} |
| 1712 | 1768 |
|
| 1713 | 1769 |
|
| ... | ... |
@@ -1721,722 +1797,733 @@ int cli_scanpe(cli_ctx *ctx) |
| 1721 | 1721 |
/* try to find the first section with physical size == 0 */ |
| 1722 | 1722 |
found = 0; |
| 1723 | 1723 |
if(DCONF & (PE_CONF_UPX | PE_CONF_FSG | PE_CONF_MEW)) {
|
| 1724 |
- for(i = 0; i < (unsigned int) nsections - 1; i++) {
|
|
| 1725 |
- if(!exe_sections[i].rsz && exe_sections[i].vsz && exe_sections[i + 1].rsz && exe_sections[i + 1].vsz) {
|
|
| 1726 |
- found = 1; |
|
| 1727 |
- cli_dbgmsg("UPX/FSG/MEW: empty section found - assuming compression\n");
|
|
| 1724 |
+ for(i = 0; i < (unsigned int) nsections - 1; i++) {
|
|
| 1725 |
+ if(!exe_sections[i].rsz && exe_sections[i].vsz && exe_sections[i + 1].rsz && exe_sections[i + 1].vsz) {
|
|
| 1726 |
+ found = 1; |
|
| 1727 |
+ cli_dbgmsg("UPX/FSG/MEW: empty section found - assuming compression\n");
|
|
| 1728 | 1728 |
#if HAVE_JSON |
| 1729 |
- cli_jsonbool(pe_json, "HasEmptySection", 1); |
|
| 1729 |
+ cli_jsonbool(pe_json, "HasEmptySection", 1); |
|
| 1730 | 1730 |
#endif |
| 1731 |
- break; |
|
| 1732 |
- } |
|
| 1733 |
- } |
|
| 1731 |
+ break; |
|
| 1732 |
+ } |
|
| 1733 |
+ } |
|
| 1734 | 1734 |
} |
| 1735 | 1735 |
|
| 1736 | 1736 |
/* MEW support */ |
| 1737 | 1737 |
if (found && (DCONF & PE_CONF_MEW) && epsize>=16 && epbuff[0]=='\xe9') {
|
| 1738 |
- uint32_t fileoffset; |
|
| 1739 |
- const char *tbuff; |
|
| 1738 |
+ uint32_t fileoffset; |
|
| 1739 |
+ const char *tbuff; |
|
| 1740 | 1740 |
|
| 1741 |
- fileoffset = (vep + cli_readint32(epbuff + 1) + 5); |
|
| 1742 |
- while (fileoffset == 0x154 || fileoffset == 0x158) {
|
|
| 1743 |
- char *src; |
|
| 1744 |
- uint32_t offdiff, uselzma; |
|
| 1741 |
+ fileoffset = (vep + cli_readint32(epbuff + 1) + 5); |
|
| 1742 |
+ while (fileoffset == 0x154 || fileoffset == 0x158) {
|
|
| 1743 |
+ char *src; |
|
| 1744 |
+ uint32_t offdiff, uselzma; |
|
| 1745 | 1745 |
|
| 1746 |
- cli_dbgmsg ("MEW: found MEW characteristics %08X + %08X + 5 = %08X\n",
|
|
| 1747 |
- cli_readint32(epbuff + 1), vep, cli_readint32(epbuff + 1) + vep + 5); |
|
| 1746 |
+ cli_dbgmsg ("MEW: found MEW characteristics %08X + %08X + 5 = %08X\n",
|
|
| 1747 |
+ cli_readint32(epbuff + 1), vep, cli_readint32(epbuff + 1) + vep + 5); |
|
| 1748 | 1748 |
|
| 1749 |
- if(!(tbuff = fmap_need_off_once(map, fileoffset, 0xb0))) |
|
| 1750 |
- break; |
|
| 1751 |
- if (fileoffset == 0x154) cli_dbgmsg("MEW: Win9x compatibility was set!\n");
|
|
| 1752 |
- else cli_dbgmsg("MEW: Win9x compatibility was NOT set!\n");
|
|
| 1749 |
+ if(!(tbuff = fmap_need_off_once(map, fileoffset, 0xb0))) |
|
| 1750 |
+ break; |
|
| 1753 | 1751 |
|
| 1754 |
- if((offdiff = cli_readint32(tbuff+1) - EC32(optional_hdr32.ImageBase)) <= exe_sections[i + 1].rva || offdiff >= exe_sections[i + 1].rva + exe_sections[i + 1].raw - 4) {
|
|
| 1755 |
- cli_dbgmsg("MEW: ESI is not in proper section\n");
|
|
| 1756 |
- break; |
|
| 1757 |
- } |
|
| 1758 |
- offdiff -= exe_sections[i + 1].rva; |
|
| 1752 |
+ if (fileoffset == 0x154) |
|
| 1753 |
+ cli_dbgmsg("MEW: Win9x compatibility was set!\n");
|
|
| 1754 |
+ else |
|
| 1755 |
+ cli_dbgmsg("MEW: Win9x compatibility was NOT set!\n");
|
|
| 1759 | 1756 |
|
| 1760 |
- if(!exe_sections[i + 1].rsz) {
|
|
| 1761 |
- cli_dbgmsg("MEW: mew section is empty\n");
|
|
| 1762 |
- break; |
|
| 1763 |
- } |
|
| 1764 |
- ssize = exe_sections[i + 1].vsz; |
|
| 1765 |
- dsize = exe_sections[i].vsz; |
|
| 1757 |
+ if((offdiff = cli_readint32(tbuff+1) - EC32(optional_hdr32.ImageBase)) <= exe_sections[i + 1].rva || offdiff >= exe_sections[i + 1].rva + exe_sections[i + 1].raw - 4) {
|
|
| 1758 |
+ cli_dbgmsg("MEW: ESI is not in proper section\n");
|
|
| 1759 |
+ break; |
|
| 1760 |
+ } |
|
| 1766 | 1761 |
|
| 1767 |
- cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x\n", ssize, dsize, offdiff);
|
|
| 1762 |
+ offdiff -= exe_sections[i + 1].rva; |
|
| 1768 | 1763 |
|
| 1769 |
- CLI_UNPSIZELIMITS("MEW", MAX(ssize, dsize));
|
|
| 1770 |
- CLI_UNPSIZELIMITS("MEW", MAX(ssize + dsize, exe_sections[i + 1].rsz));
|
|
| 1764 |
+ if(!exe_sections[i + 1].rsz) {
|
|
| 1765 |
+ cli_dbgmsg("MEW: mew section is empty\n");
|
|
| 1766 |
+ break; |
|
| 1767 |
+ } |
|
| 1771 | 1768 |
|
| 1772 |
- if (exe_sections[i + 1].rsz < offdiff + 12 || exe_sections[i + 1].rsz > ssize) {
|
|
| 1773 |
- cli_dbgmsg("MEW: Size mismatch: %08x\n", exe_sections[i + 1].rsz);
|
|
| 1774 |
- break; |
|
| 1775 |
- } |
|
| 1769 |
+ ssize = exe_sections[i + 1].vsz; |
|
| 1770 |
+ dsize = exe_sections[i].vsz; |
|
| 1776 | 1771 |
|
| 1777 |
- /* allocate needed buffer */ |
|
| 1778 |
- if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) {
|
|
| 1779 |
- free(exe_sections); |
|
| 1780 |
- return CL_EMEM; |
|
| 1781 |
- } |
|
| 1772 |
+ cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x\n", ssize, dsize, offdiff);
|
|
| 1782 | 1773 |
|
| 1783 |
- if((bytes = fmap_readn(map, src + dsize, exe_sections[i + 1].raw, exe_sections[i + 1].rsz)) != exe_sections[i + 1].rsz) {
|
|
| 1784 |
- cli_dbgmsg("MEW: Can't read %d bytes [read: %lu]\n", exe_sections[i + 1].rsz, (unsigned long)bytes);
|
|
| 1785 |
- free(exe_sections); |
|
| 1786 |
- free(src); |
|
| 1787 |
- return CL_EREAD; |
|
| 1788 |
- } |
|
| 1789 |
- cli_dbgmsg("MEW: %u (%08x) bytes read\n", (unsigned int)bytes, (unsigned int)bytes);
|
|
| 1790 |
- |
|
| 1791 |
- /* count offset to lzma proc, if lzma used, 0xe8 -> call */ |
|
| 1792 |
- if (tbuff[0x7b] == '\xe8') {
|
|
| 1793 |
- if (!CLI_ISCONTAINED(exe_sections[1].rva, exe_sections[1].vsz, cli_readint32(tbuff + 0x7c) + fileoffset + 0x80, 4)) {
|
|
| 1794 |
- cli_dbgmsg("MEW: lzma proc out of bounds!\n");
|
|
| 1795 |
- free(src); |
|
| 1796 |
- break; /* to next unpacker in chain */ |
|
| 1797 |
- } |
|
| 1798 |
- uselzma = cli_readint32(tbuff + 0x7c) - (exe_sections[0].rva - fileoffset - 0x80); |
|
| 1799 |
- } else {
|
|
| 1800 |
- uselzma = 0; |
|
| 1801 |
- } |
|
| 1774 |
+ CLI_UNPSIZELIMITS("MEW", MAX(ssize, dsize));
|
|
| 1775 |
+ CLI_UNPSIZELIMITS("MEW", MAX(ssize + dsize, exe_sections[i + 1].rsz));
|
|
| 1776 |
+ |
|
| 1777 |
+ if (exe_sections[i + 1].rsz < offdiff + 12 || exe_sections[i + 1].rsz > ssize) {
|
|
| 1778 |
+ cli_dbgmsg("MEW: Size mismatch: %08x\n", exe_sections[i + 1].rsz);
|
|
| 1779 |
+ break; |
|
| 1780 |
+ } |
|
| 1781 |
+ |
|
| 1782 |
+ /* allocate needed buffer */ |
|
| 1783 |
+ if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) {
|
|
| 1784 |
+ free(exe_sections); |
|
| 1785 |
+ return CL_EMEM; |
|
| 1786 |
+ } |
|
| 1787 |
+ |
|
| 1788 |
+ if((bytes = fmap_readn(map, src + dsize, exe_sections[i + 1].raw, exe_sections[i + 1].rsz)) != exe_sections[i + 1].rsz) {
|
|
| 1789 |
+ cli_dbgmsg("MEW: Can't read %d bytes [read: %lu]\n", exe_sections[i + 1].rsz, (unsigned long)bytes);
|
|
| 1790 |
+ free(exe_sections); |
|
| 1791 |
+ free(src); |
|
| 1792 |
+ return CL_EREAD; |
|
| 1793 |
+ } |
|
| 1794 |
+ |
|
| 1795 |
+ cli_dbgmsg("MEW: %u (%08x) bytes read\n", (unsigned int)bytes, (unsigned int)bytes);
|
|
| 1796 |
+ |
|
| 1797 |
+ /* count offset to lzma proc, if lzma used, 0xe8 -> call */ |
|
| 1798 |
+ if (tbuff[0x7b] == '\xe8') {
|
|
| 1799 |
+ if (!CLI_ISCONTAINED(exe_sections[1].rva, exe_sections[1].vsz, cli_readint32(tbuff + 0x7c) + fileoffset + 0x80, 4)) {
|
|
| 1800 |
+ cli_dbgmsg("MEW: lzma proc out of bounds!\n");
|
|
| 1801 |
+ free(src); |
|
| 1802 |
+ break; /* to next unpacker in chain */ |
|
| 1803 |
+ } |
|
| 1804 |
+ |
|
| 1805 |
+ uselzma = cli_readint32(tbuff + 0x7c) - (exe_sections[0].rva - fileoffset - 0x80); |
|
| 1806 |
+ } else {
|
|
| 1807 |
+ uselzma = 0; |
|
| 1808 |
+ } |
|
| 1802 | 1809 |
|
| 1803 | 1810 |
#if HAVE_JSON |
| 1804 |
- cli_jsonstr(pe_json, "Packer", "MEW"); |
|
| 1811 |
+ cli_jsonstr(pe_json, "Packer", "MEW"); |
|
| 1805 | 1812 |
#endif |
| 1806 | 1813 |
|
| 1807 |
- CLI_UNPTEMP("MEW",(src,exe_sections,0));
|
|
| 1808 |
- CLI_UNPRESULTS("MEW",(unmew11(src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, uselzma, ndesc)),1,(src,0));
|
|
| 1809 |
- break; |
|
| 1810 |
- } |
|
| 1814 |
+ CLI_UNPTEMP("MEW",(src,exe_sections,0));
|
|
| 1815 |
+ CLI_UNPRESULTS("MEW",(unmew11(src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, uselzma, ndesc)),1,(src,0));
|
|
| 1816 |
+ break; |
|
| 1817 |
+ } |
|
| 1811 | 1818 |
} |
| 1812 | 1819 |
|
| 1813 | 1820 |
if(epsize<168) {
|
| 1814 |
- free(exe_sections); |
|
| 1815 |
- return CL_CLEAN; |
|
| 1821 |
+ free(exe_sections); |
|
| 1822 |
+ return CL_CLEAN; |
|
| 1816 | 1823 |
} |
| 1817 | 1824 |
|
| 1818 | 1825 |
if (found || upack) {
|
| 1819 |
- /* Check EP for UPX vs. FSG vs. Upack */ |
|
| 1820 |
- |
|
| 1821 |
- /* Upack 0.39 produces 2 types of executables |
|
| 1822 |
- * 3 sections: | 2 sections (one empty, I don't chech found if !upack, since it's in OR above): |
|
| 1823 |
- * mov esi, value | pusha |
|
| 1824 |
- * lodsd | call $+0x9 |
|
| 1825 |
- * push eax | |
|
| 1826 |
- * |
|
| 1827 |
- * Upack 1.1/1.2 Beta produces [based on 2 samples (sUx) provided by aCaB]: |
|
| 1828 |
- * 2 sections |
|
| 1829 |
- * mov esi, value |
|
| 1830 |
- * loads |
|
| 1831 |
- * mov edi, eax |
|
| 1832 |
- * |
|
| 1833 |
- * Upack unknown [sample 0297729] |
|
| 1834 |
- * 3 sections |
|
| 1835 |
- * mov esi, value |
|
| 1836 |
- * push [esi] |
|
| 1837 |
- * jmp |
|
| 1838 |
- * |
|
| 1839 |
- */ |
|
| 1840 |
- /* upack 0.39-3s + sample 0151477*/ |
|
| 1841 |
- while(((upack && nsections == 3) && /* 3 sections */ |
|
| 1842 |
- (( |
|
| 1843 |
- epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */ |
|
| 1844 |
- epbuff[5] == '\xad' && epbuff[6] == '\x50' /* lodsd; push eax */ |
|
| 1845 |
- ) |
|
| 1846 |
- || |
|
| 1847 |
- /* based on 0297729 sample from aCaB */ |
|
| 1848 |
- (epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */ |
|
| 1849 |
- epbuff[5] == '\xff' && epbuff[6] == '\x36' /* push [esi] */ |
|
| 1850 |
- ) |
|
| 1851 |
- )) |
|
| 1852 |
- || |
|
| 1853 |
- ((!upack && nsections == 2) && /* 2 sections */ |
|
| 1854 |
- (( /* upack 0.39-2s */ |
|
| 1855 |
- epbuff[0] == '\x60' && epbuff[1] == '\xe8' && cli_readint32(epbuff+2) == 0x9 /* pusha; call+9 */ |
|
| 1856 |
- ) |
|
| 1857 |
- || |
|
| 1858 |
- ( /* upack 1.1/1.2, based on 2 samples */ |
|
| 1859 |
- epbuff[0] == '\xbe' && cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase) < min && /* mov esi */ |
|
| 1860 |
- cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > 0 && |
|
| 1861 |
- epbuff[5] == '\xad' && epbuff[6] == '\x8b' && epbuff[7] == '\xf8' /* loads; mov edi, eax */ |
|
| 1862 |
- ) |
|
| 1863 |
- )) |
|
| 1864 |
- ) {
|
|
| 1865 |
- uint32_t vma, off; |
|
| 1866 |
- int a,b,c; |
|
| 1867 |
- |
|
| 1868 |
- cli_dbgmsg("Upack characteristics found.\n");
|
|
| 1869 |
- a = exe_sections[0].vsz; |
|
| 1870 |
- b = exe_sections[1].vsz; |
|
| 1871 |
- if (upack) {
|
|
| 1872 |
- cli_dbgmsg("Upack: var set\n");
|
|
| 1873 |
- c = exe_sections[2].vsz; |
|
| 1874 |
- ssize = exe_sections[0].ursz + exe_sections[0].uraw; |
|
| 1875 |
- off = exe_sections[0].rva; |
|
| 1876 |
- vma = EC32(optional_hdr32.ImageBase) + exe_sections[0].rva; |
|
| 1877 |
- } else {
|
|
| 1878 |
- cli_dbgmsg("Upack: var NOT set\n");
|
|
| 1879 |
- c = exe_sections[1].rva; |
|
| 1880 |
- ssize = exe_sections[1].uraw; |
|
| 1881 |
- off = 0; |
|
| 1882 |
- vma = exe_sections[1].rva - exe_sections[1].uraw; |
|
| 1883 |
- } |
|
| 1826 |
+ /* Check EP for UPX vs. FSG vs. Upack */ |
|
| 1827 |
+ |
|
| 1828 |
+ /* Upack 0.39 produces 2 types of executables |
|
| 1829 |
+ * 3 sections: | 2 sections (one empty, I don't chech found if !upack, since it's in OR above): |
|
| 1830 |
+ * mov esi, value | pusha |
|
| 1831 |
+ * lodsd | call $+0x9 |
|
| 1832 |
+ * push eax | |
|
| 1833 |
+ * |
|
| 1834 |
+ * Upack 1.1/1.2 Beta produces [based on 2 samples (sUx) provided by aCaB]: |
|
| 1835 |
+ * 2 sections |
|
| 1836 |
+ * mov esi, value |
|
| 1837 |
+ * loads |
|
| 1838 |
+ * mov edi, eax |
|
| 1839 |
+ * |
|
| 1840 |
+ * Upack unknown [sample 0297729] |
|
| 1841 |
+ * 3 sections |
|
| 1842 |
+ * mov esi, value |
|
| 1843 |
+ * push [esi] |
|
| 1844 |
+ * jmp |
|
| 1845 |
+ * |
|
| 1846 |
+ */ |
|
| 1847 |
+ /* upack 0.39-3s + sample 0151477*/ |
|
| 1848 |
+ while(((upack && nsections == 3) && /* 3 sections */ |
|
| 1849 |
+ (( |
|
| 1850 |
+ epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */ |
|
| 1851 |
+ epbuff[5] == '\xad' && epbuff[6] == '\x50' /* lodsd; push eax */ |
|
| 1852 |
+ ) |
|
| 1853 |
+ || |
|
| 1854 |
+ /* based on 0297729 sample from aCaB */ |
|
| 1855 |
+ (epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */ |
|
| 1856 |
+ epbuff[5] == '\xff' && epbuff[6] == '\x36' /* push [esi] */ |
|
| 1857 |
+ ) |
|
| 1858 |
+ )) |
|
| 1859 |
+ || |
|
| 1860 |
+ ((!upack && nsections == 2) && /* 2 sections */ |
|
| 1861 |
+ (( /* upack 0.39-2s */ |
|
| 1862 |
+ epbuff[0] == '\x60' && epbuff[1] == '\xe8' && cli_readint32(epbuff+2) == 0x9 /* pusha; call+9 */ |
|
| 1863 |
+ ) |
|
| 1864 |
+ || |
|
| 1865 |
+ ( /* upack 1.1/1.2, based on 2 samples */ |
|
| 1866 |
+ epbuff[0] == '\xbe' && cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase) < min && /* mov esi */ |
|
| 1867 |
+ cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > 0 && |
|
| 1868 |
+ epbuff[5] == '\xad' && epbuff[6] == '\x8b' && epbuff[7] == '\xf8' /* loads; mov edi, eax */ |
|
| 1869 |
+ ) |
|
| 1870 |
+ )) |
|
| 1871 |
+ ) {
|
|
| 1872 |
+ uint32_t vma, off; |
|
| 1873 |
+ int a,b,c; |
|
| 1874 |
+ |
|
| 1875 |
+ cli_dbgmsg("Upack characteristics found.\n");
|
|
| 1876 |
+ a = exe_sections[0].vsz; |
|
| 1877 |
+ b = exe_sections[1].vsz; |
|
| 1878 |
+ if (upack) {
|
|
| 1879 |
+ cli_dbgmsg("Upack: var set\n");
|
|
| 1880 |
+ |
|
| 1881 |
+ c = exe_sections[2].vsz; |
|
| 1882 |
+ ssize = exe_sections[0].ursz + exe_sections[0].uraw; |
|
| 1883 |
+ off = exe_sections[0].rva; |
|
| 1884 |
+ vma = EC32(optional_hdr32.ImageBase) + exe_sections[0].rva; |
|
| 1885 |
+ } else {
|
|
| 1886 |
+ cli_dbgmsg("Upack: var NOT set\n");
|
|
| 1887 |
+ c = exe_sections[1].rva; |
|
| 1888 |
+ ssize = exe_sections[1].uraw; |
|
| 1889 |
+ off = 0; |
|
| 1890 |
+ vma = exe_sections[1].rva - exe_sections[1].uraw; |
|
| 1891 |
+ } |
|
| 1884 | 1892 |
|
| 1885 |
- dsize = a+b+c; |
|
| 1893 |
+ dsize = a+b+c; |
|
| 1886 | 1894 |
|
| 1887 |
- CLI_UNPSIZELIMITS("Upack", MAX(MAX(dsize, ssize), exe_sections[1].ursz));
|
|
| 1895 |
+ CLI_UNPSIZELIMITS("Upack", MAX(MAX(dsize, ssize), exe_sections[1].ursz));
|
|
| 1888 | 1896 |
|
| 1889 |
- if (!CLI_ISCONTAINED(0, dsize, exe_sections[1].rva - off, exe_sections[1].ursz) || (upack && !CLI_ISCONTAINED(0, dsize, exe_sections[2].rva - exe_sections[0].rva, ssize)) || ssize > dsize) {
|
|
| 1890 |
- cli_dbgmsg("Upack: probably malformed pe-header, skipping to next unpacker\n");
|
|
| 1891 |
- break; |
|
| 1892 |
- } |
|
| 1893 |
- |
|
| 1894 |
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 1895 |
- free(exe_sections); |
|
| 1896 |
- return CL_EMEM; |
|
| 1897 |
- } |
|
| 1897 |
+ if (!CLI_ISCONTAINED(0, dsize, exe_sections[1].rva - off, exe_sections[1].ursz) || (upack && !CLI_ISCONTAINED(0, dsize, exe_sections[2].rva - exe_sections[0].rva, ssize)) || ssize > dsize) {
|
|
| 1898 |
+ cli_dbgmsg("Upack: probably malformed pe-header, skipping to next unpacker\n");
|
|
| 1899 |
+ break; |
|
| 1900 |
+ } |
|
| 1901 |
+ |
|
| 1902 |
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 1903 |
+ free(exe_sections); |
|
| 1904 |
+ return CL_EMEM; |
|
| 1905 |
+ } |
|
| 1898 | 1906 |
|
| 1899 |
- if((unsigned int)fmap_readn(map, dest, 0, ssize) != ssize) {
|
|
| 1900 |
- cli_dbgmsg("Upack: Can't read raw data of section 0\n");
|
|
| 1901 |
- free(dest); |
|
| 1902 |
- break; |
|
| 1903 |
- } |
|
| 1907 |
+ if((unsigned int)fmap_readn(map, dest, 0, ssize) != ssize) {
|
|
| 1908 |
+ cli_dbgmsg("Upack: Can't read raw data of section 0\n");
|
|
| 1909 |
+ free(dest); |
|
| 1910 |
+ break; |
|
| 1911 |
+ } |
|
| 1904 | 1912 |
|
| 1905 |
- if(upack) memmove(dest + exe_sections[2].rva - exe_sections[0].rva, dest, ssize); |
|
| 1913 |
+ if(upack) |
|
| 1914 |
+ memmove(dest + exe_sections[2].rva - exe_sections[0].rva, dest, ssize); |
|
| 1906 | 1915 |
|
| 1907 |
- if((unsigned int)fmap_readn(map, dest + exe_sections[1].rva - off, exe_sections[1].uraw, exe_sections[1].ursz) != exe_sections[1].ursz) {
|
|
| 1908 |
- cli_dbgmsg("Upack: Can't read raw data of section 1\n");
|
|
| 1909 |
- free(dest); |
|
| 1910 |
- break; |
|
| 1911 |
- } |
|
| 1916 |
+ if((unsigned int)fmap_readn(map, dest + exe_sections[1].rva - off, exe_sections[1].uraw, exe_sections[1].ursz) != exe_sections[1].ursz) {
|
|
| 1917 |
+ cli_dbgmsg("Upack: Can't read raw data of section 1\n");
|
|
| 1918 |
+ free(dest); |
|
| 1919 |
+ break; |
|
| 1920 |
+ } |
|
| 1912 | 1921 |
|
| 1913 | 1922 |
#if HAVE_JSON |
| 1914 |
- cli_jsonstr(pe_json, "Packer", "Upack"); |
|
| 1923 |
+ cli_jsonstr(pe_json, "Packer", "Upack"); |
|
| 1915 | 1924 |
#endif |
| 1916 | 1925 |
|
| 1917 |
- CLI_UNPTEMP("Upack",(dest,exe_sections,0));
|
|
| 1918 |
- CLI_UNPRESULTS("Upack",(unupack(upack, dest, dsize, epbuff, vma, ep, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, ndesc)),1,(dest,0));
|
|
| 1919 |
- break; |
|
| 1920 |
- } |
|
| 1921 |
- } |
|
| 1926 |
+ CLI_UNPTEMP("Upack",(dest,exe_sections,0));
|
|
| 1927 |
+ CLI_UNPRESULTS("Upack",(unupack(upack, dest, dsize, epbuff, vma, ep, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, ndesc)),1,(dest,0));
|
|
| 1922 | 1928 |
|
| 1929 |
+ break; |
|
| 1930 |
+ } |
|
| 1931 |
+ } |
|
| 1923 | 1932 |
|
| 1924 | 1933 |
while(found && (DCONF & PE_CONF_FSG) && epbuff[0] == '\x87' && epbuff[1] == '\x25') {
|
| 1925 |
- const char *dst; |
|
| 1926 |
- |
|
| 1927 |
- /* FSG v2.0 support - thanks to aCaB ! */ |
|
| 1934 |
+ const char *dst; |
|
| 1935 |
+ uint32_t newesi, newedi, newebx, newedx; |
|
| 1928 | 1936 |
|
| 1929 |
- uint32_t newesi, newedi, newebx, newedx; |
|
| 1930 |
- |
|
| 1931 |
- ssize = exe_sections[i + 1].rsz; |
|
| 1932 |
- dsize = exe_sections[i].vsz; |
|
| 1937 |
+ /* FSG v2.0 support - thanks to aCaB ! */ |
|
| 1938 |
+ |
|
| 1939 |
+ ssize = exe_sections[i + 1].rsz; |
|
| 1940 |
+ dsize = exe_sections[i].vsz; |
|
| 1933 | 1941 |
|
| 1934 |
- CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
|
| 1942 |
+ CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
|
| 1935 | 1943 |
|
| 1936 |
- if(ssize <= 0x19 || dsize <= ssize) {
|
|
| 1937 |
- cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
| 1938 |
- free(exe_sections); |
|
| 1939 |
- return CL_CLEAN; |
|
| 1940 |
- } |
|
| 1941 |
- |
|
| 1942 |
- newedx = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase); |
|
| 1943 |
- if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
|
|
| 1944 |
- cli_dbgmsg("FSG: xchg out of bounds (%x), giving up\n", newedx);
|
|
| 1945 |
- break; |
|
| 1946 |
- } |
|
| 1947 |
- |
|
| 1948 |
- if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
| 1949 |
- cli_dbgmsg("Can't read raw data of section %d\n", i + 1);
|
|
| 1950 |
- free(exe_sections); |
|
| 1951 |
- return CL_ESEEK; |
|
| 1952 |
- } |
|
| 1944 |
+ if(ssize <= 0x19 || dsize <= ssize) {
|
|
| 1945 |
+ cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
| 1946 |
+ free(exe_sections); |
|
| 1947 |
+ return CL_CLEAN; |
|
| 1948 |
+ } |
|
| 1949 |
+ |
|
| 1950 |
+ newedx = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase); |
|
| 1951 |
+ if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
|
|
| 1952 |
+ cli_dbgmsg("FSG: xchg out of bounds (%x), giving up\n", newedx);
|
|
| 1953 |
+ break; |
|
| 1954 |
+ } |
|
| 1955 |
+ |
|
| 1956 |
+ if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
| 1957 |
+ cli_dbgmsg("Can't read raw data of section %d\n", i + 1);
|
|
| 1958 |
+ free(exe_sections); |
|
| 1959 |
+ return CL_ESEEK; |
|
| 1960 |
+ } |
|
| 1953 | 1961 |
|
| 1954 |
- dst = src + newedx - exe_sections[i + 1].rva; |
|
| 1955 |
- if(newedx < exe_sections[i + 1].rva || !CLI_ISCONTAINED(src, ssize, dst, 4)) {
|
|
| 1956 |
- cli_dbgmsg("FSG: New ESP out of bounds\n");
|
|
| 1957 |
- break; |
|
| 1958 |
- } |
|
| 1962 |
+ dst = src + newedx - exe_sections[i + 1].rva; |
|
| 1963 |
+ if(newedx < exe_sections[i + 1].rva || !CLI_ISCONTAINED(src, ssize, dst, 4)) {
|
|
| 1964 |
+ cli_dbgmsg("FSG: New ESP out of bounds\n");
|
|
| 1965 |
+ break; |
|
| 1966 |
+ } |
|
| 1959 | 1967 |
|
| 1960 |
- newedx = cli_readint32(dst) - EC32(optional_hdr32.ImageBase); |
|
| 1961 |
- if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
|
|
| 1962 |
- cli_dbgmsg("FSG: New ESP (%x) is wrong\n", newedx);
|
|
| 1963 |
- break; |
|
| 1964 |
- } |
|
| 1965 |
- |
|
| 1966 |
- dst = src + newedx - exe_sections[i + 1].rva; |
|
| 1967 |
- if(!CLI_ISCONTAINED(src, ssize, dst, 32)) {
|
|
| 1968 |
- cli_dbgmsg("FSG: New stack out of bounds\n");
|
|
| 1969 |
- break; |
|
| 1970 |
- } |
|
| 1968 |
+ newedx = cli_readint32(dst) - EC32(optional_hdr32.ImageBase); |
|
| 1969 |
+ if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
|
|
| 1970 |
+ cli_dbgmsg("FSG: New ESP (%x) is wrong\n", newedx);
|
|
| 1971 |
+ break; |
|
| 1972 |
+ } |
|
| 1973 |
+ |
|
| 1974 |
+ dst = src + newedx - exe_sections[i + 1].rva; |
|
| 1975 |
+ if(!CLI_ISCONTAINED(src, ssize, dst, 32)) {
|
|
| 1976 |
+ cli_dbgmsg("FSG: New stack out of bounds\n");
|
|
| 1977 |
+ break; |
|
| 1978 |
+ } |
|
| 1971 | 1979 |
|
| 1972 |
- newedi = cli_readint32(dst) - EC32(optional_hdr32.ImageBase); |
|
| 1973 |
- newesi = cli_readint32(dst + 4) - EC32(optional_hdr32.ImageBase); |
|
| 1974 |
- newebx = cli_readint32(dst + 16) - EC32(optional_hdr32.ImageBase); |
|
| 1975 |
- newedx = cli_readint32(dst + 20); |
|
| 1980 |
+ newedi = cli_readint32(dst) - EC32(optional_hdr32.ImageBase); |
|
| 1981 |
+ newesi = cli_readint32(dst + 4) - EC32(optional_hdr32.ImageBase); |
|
| 1982 |
+ newebx = cli_readint32(dst + 16) - EC32(optional_hdr32.ImageBase); |
|
| 1983 |
+ newedx = cli_readint32(dst + 20); |
|
| 1976 | 1984 |
|
| 1977 |
- if(newedi != exe_sections[i].rva) {
|
|
| 1978 |
- cli_dbgmsg("FSG: Bad destination buffer (edi is %x should be %x)\n", newedi, exe_sections[i].rva);
|
|
| 1979 |
- break; |
|
| 1980 |
- } |
|
| 1985 |
+ if(newedi != exe_sections[i].rva) {
|
|
| 1986 |
+ cli_dbgmsg("FSG: Bad destination buffer (edi is %x should be %x)\n", newedi, exe_sections[i].rva);
|
|
| 1987 |
+ break; |
|
| 1988 |
+ } |
|
| 1981 | 1989 |
|
| 1982 |
- if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
|
|
| 1983 |
- cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
|
| 1984 |
- break; |
|
| 1985 |
- } |
|
| 1990 |
+ if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
|
|
| 1991 |
+ cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
|
| 1992 |
+ break; |
|
| 1993 |
+ } |
|
| 1986 | 1994 |
|
| 1987 |
- if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newebx, 16)) {
|
|
| 1988 |
- cli_dbgmsg("FSG: Array of functions out of bounds\n");
|
|
| 1989 |
- break; |
|
| 1990 |
- } |
|
| 1995 |
+ if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newebx, 16)) {
|
|
| 1996 |
+ cli_dbgmsg("FSG: Array of functions out of bounds\n");
|
|
| 1997 |
+ break; |
|
| 1998 |
+ } |
|
| 1991 | 1999 |
|
| 1992 |
- newedx=cli_readint32(newebx + 12 - exe_sections[i + 1].rva + src) - EC32(optional_hdr32.ImageBase); |
|
| 1993 |
- cli_dbgmsg("FSG: found old EP @%x\n",newedx);
|
|
| 2000 |
+ newedx=cli_readint32(newebx + 12 - exe_sections[i + 1].rva + src) - EC32(optional_hdr32.ImageBase); |
|
| 2001 |
+ cli_dbgmsg("FSG: found old EP @%x\n",newedx);
|
|
| 1994 | 2002 |
|
| 1995 |
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 1996 |
- free(exe_sections); |
|
| 1997 |
- return CL_EMEM; |
|
| 1998 |
- } |
|
| 2003 |
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 2004 |
+ free(exe_sections); |
|
| 2005 |
+ return CL_EMEM; |
|
| 2006 |
+ } |
|
| 1999 | 2007 |
|
| 2000 | 2008 |
#if HAVE_JSON |
| 2001 |
- cli_jsonstr(pe_json, "Packer", "FSG"); |
|
| 2009 |
+ cli_jsonstr(pe_json, "Packer", "FSG"); |
|
| 2002 | 2010 |
#endif |
| 2003 | 2011 |
|
| 2004 |
- CLI_UNPTEMP("FSG",(dest,exe_sections,0));
|
|
| 2005 |
- CLI_UNPRESULTSFSG2("FSG",(unfsg_200(newesi - exe_sections[i + 1].rva + src, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, newedi, EC32(optional_hdr32.ImageBase), newedx, ndesc)),1,(dest,0));
|
|
| 2006 |
- break; |
|
| 2012 |
+ CLI_UNPTEMP("FSG",(dest,exe_sections,0));
|
|
| 2013 |
+ CLI_UNPRESULTSFSG2("FSG",(unfsg_200(newesi - exe_sections[i + 1].rva + src, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, newedi, EC32(optional_hdr32.ImageBase), newedx, ndesc)),1,(dest,0));
|
|
| 2014 |
+ break; |
|
| 2007 | 2015 |
} |
| 2008 | 2016 |
|
| 2009 | 2017 |
|
| 2010 | 2018 |
while(found && (DCONF & PE_CONF_FSG) && epbuff[0] == '\xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) < min) {
|
| 2019 |
+ int sectcnt = 0; |
|
| 2020 |
+ const char *support; |
|
| 2021 |
+ uint32_t newesi, newedi, oldep, gp, t; |
|
| 2022 |
+ struct cli_exe_section *sections; |
|
| 2011 | 2023 |
|
| 2012 |
- /* FSG support - v. 1.33 (thx trog for the many samples) */ |
|
| 2013 |
- |
|
| 2014 |
- int sectcnt = 0; |
|
| 2015 |
- const char *support; |
|
| 2016 |
- uint32_t newesi, newedi, oldep, gp, t; |
|
| 2017 |
- struct cli_exe_section *sections; |
|
| 2024 |
+ /* FSG support - v. 1.33 (thx trog for the many samples) */ |
|
| 2018 | 2025 |
|
| 2019 |
- ssize = exe_sections[i + 1].rsz; |
|
| 2020 |
- dsize = exe_sections[i].vsz; |
|
| 2026 |
+ ssize = exe_sections[i + 1].rsz; |
|
| 2027 |
+ dsize = exe_sections[i].vsz; |
|
| 2021 | 2028 |
|
| 2022 |
- CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
|
| 2029 |
+ CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
|
| 2023 | 2030 |
|
| 2024 |
- if(ssize <= 0x19 || dsize <= ssize) {
|
|
| 2025 |
- cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
| 2026 |
- free(exe_sections); |
|
| 2027 |
- return CL_CLEAN; |
|
| 2028 |
- } |
|
| 2031 |
+ if(ssize <= 0x19 || dsize <= ssize) {
|
|
| 2032 |
+ cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
| 2033 |
+ free(exe_sections); |
|
| 2034 |
+ return CL_CLEAN; |
|
| 2035 |
+ } |
|
| 2029 | 2036 |
|
| 2030 |
- if(!(t = cli_rawaddr(cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size)) && err ) {
|
|
| 2031 |
- cli_dbgmsg("FSG: Support data out of padding area\n");
|
|
| 2032 |
- break; |
|
| 2033 |
- } |
|
| 2037 |
+ if(!(t = cli_rawaddr(cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size)) && err ) {
|
|
| 2038 |
+ cli_dbgmsg("FSG: Support data out of padding area\n");
|
|
| 2039 |
+ break; |
|
| 2040 |
+ } |
|
| 2034 | 2041 |
|
| 2035 |
- gp = exe_sections[i + 1].raw - t; |
|
| 2042 |
+ gp = exe_sections[i + 1].raw - t; |
|
| 2036 | 2043 |
|
| 2037 |
- CLI_UNPSIZELIMITS("FSG", gp);
|
|
| 2044 |
+ CLI_UNPSIZELIMITS("FSG", gp);
|
|
| 2038 | 2045 |
|
| 2039 |
- if(!(support = fmap_need_off_once(map, t, gp))) {
|
|
| 2040 |
- cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
|
|
| 2041 |
- free(exe_sections); |
|
| 2042 |
- return CL_EREAD; |
|
| 2043 |
- } |
|
| 2046 |
+ if(!(support = fmap_need_off_once(map, t, gp))) {
|
|
| 2047 |
+ cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
|
|
| 2048 |
+ free(exe_sections); |
|
| 2049 |
+ return CL_EREAD; |
|
| 2050 |
+ } |
|
| 2044 | 2051 |
|
| 2045 |
- /* newebx = cli_readint32(support) - EC32(optional_hdr32.ImageBase); Unused */ |
|
| 2046 |
- newedi = cli_readint32(support + 4) - EC32(optional_hdr32.ImageBase); /* 1st dest */ |
|
| 2047 |
- newesi = cli_readint32(support + 8) - EC32(optional_hdr32.ImageBase); /* Source */ |
|
| 2052 |
+ /* newebx = cli_readint32(support) - EC32(optional_hdr32.ImageBase); Unused */ |
|
| 2053 |
+ newedi = cli_readint32(support + 4) - EC32(optional_hdr32.ImageBase); /* 1st dest */ |
|
| 2054 |
+ newesi = cli_readint32(support + 8) - EC32(optional_hdr32.ImageBase); /* Source */ |
|
| 2048 | 2055 |
|
| 2049 |
- if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
|
|
| 2050 |
- cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
|
| 2051 |
- break; |
|
| 2052 |
- } |
|
| 2056 |
+ if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
|
|
| 2057 |
+ cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
|
| 2058 |
+ break; |
|
| 2059 |
+ } |
|
| 2053 | 2060 |
|
| 2054 |
- if(newedi != exe_sections[i].rva) {
|
|
| 2055 |
- cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, exe_sections[i].rva);
|
|
| 2056 |
- break; |
|
| 2057 |
- } |
|
| 2061 |
+ if(newedi != exe_sections[i].rva) {
|
|
| 2062 |
+ cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, exe_sections[i].rva);
|
|
| 2063 |
+ break; |
|
| 2064 |
+ } |
|
| 2058 | 2065 |
|
| 2059 |
- /* Counting original sections */ |
|
| 2060 |
- for(t = 12; t < gp - 4; t += 4) {
|
|
| 2061 |
- uint32_t rva = cli_readint32(support+t); |
|
| 2066 |
+ /* Counting original sections */ |
|
| 2067 |
+ for(t = 12; t < gp - 4; t += 4) {
|
|
| 2068 |
+ uint32_t rva = cli_readint32(support+t); |
|
| 2062 | 2069 |
|
| 2063 |
- if(!rva) |
|
| 2064 |
- break; |
|
| 2070 |
+ if(!rva) |
|
| 2071 |
+ break; |
|
| 2065 | 2072 |
|
| 2066 |
- rva -= EC32(optional_hdr32.ImageBase)+1; |
|
| 2067 |
- sectcnt++; |
|
| 2073 |
+ rva -= EC32(optional_hdr32.ImageBase)+1; |
|
| 2074 |
+ sectcnt++; |
|
| 2068 | 2075 |
|
| 2069 |
- if(rva % 0x1000) cli_dbgmsg("FSG: Original section %d is misaligned\n", sectcnt);
|
|
| 2076 |
+ if(rva % 0x1000) |
|
| 2077 |
+ cli_dbgmsg("FSG: Original section %d is misaligned\n", sectcnt);
|
|
| 2070 | 2078 |
|
| 2071 |
- if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
|
|
| 2072 |
- cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
|
|
| 2073 |
- break; |
|
| 2074 |
- } |
|
| 2075 |
- } |
|
| 2079 |
+ if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
|
|
| 2080 |
+ cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
|
|
| 2081 |
+ break; |
|
| 2082 |
+ } |
|
| 2083 |
+ } |
|
| 2076 | 2084 |
|
| 2077 |
- if(t >= gp - 4 || cli_readint32(support + t)) {
|
|
| 2078 |
- break; |
|
| 2079 |
- } |
|
| 2085 |
+ if(t >= gp - 4 || cli_readint32(support + t)) {
|
|
| 2086 |
+ break; |
|
| 2087 |
+ } |
|
| 2080 | 2088 |
|
| 2081 |
- if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
|
|
| 2082 |
- cli_errmsg("FSG: Unable to allocate memory for sections %lu\n", (sectcnt + 1) * sizeof(struct cli_exe_section));
|
|
| 2083 |
- free(exe_sections); |
|
| 2084 |
- return CL_EMEM; |
|
| 2085 |
- } |
|
| 2089 |
+ if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
|
|
| 2090 |
+ cli_errmsg("FSG: Unable to allocate memory for sections %lu\n", (sectcnt + 1) * sizeof(struct cli_exe_section));
|
|
| 2091 |
+ free(exe_sections); |
|
| 2092 |
+ return CL_EMEM; |
|
| 2093 |
+ } |
|
| 2086 | 2094 |
|
| 2087 |
- sections[0].rva = newedi; |
|
| 2088 |
- for(t = 1; t <= (uint32_t)sectcnt; t++) |
|
| 2089 |
- sections[t].rva = cli_readint32(support + 8 + t * 4) - 1 - EC32(optional_hdr32.ImageBase); |
|
| 2095 |
+ sections[0].rva = newedi; |
|
| 2096 |
+ for(t = 1; t <= (uint32_t)sectcnt; t++) |
|
| 2097 |
+ sections[t].rva = cli_readint32(support + 8 + t * 4) - 1 - EC32(optional_hdr32.ImageBase); |
|
| 2090 | 2098 |
|
| 2091 |
- if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
| 2092 |
- cli_dbgmsg("Can't read raw data of section %d\n", i);
|
|
| 2093 |
- free(exe_sections); |
|
| 2094 |
- free(sections); |
|
| 2095 |
- return CL_EREAD; |
|
| 2096 |
- } |
|
| 2099 |
+ if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
| 2100 |
+ cli_dbgmsg("Can't read raw data of section %d\n", i);
|
|
| 2101 |
+ free(exe_sections); |
|
| 2102 |
+ free(sections); |
|
| 2103 |
+ return CL_EREAD; |
|
| 2104 |
+ } |
|
| 2097 | 2105 |
|
| 2098 |
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 2099 |
- free(exe_sections); |
|
| 2100 |
- free(sections); |
|
| 2101 |
- return CL_EMEM; |
|
| 2102 |
- } |
|
| 2106 |
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 2107 |
+ free(exe_sections); |
|
| 2108 |
+ free(sections); |
|
| 2109 |
+ return CL_EMEM; |
|
| 2110 |
+ } |
|
| 2103 | 2111 |
|
| 2104 |
- oldep = vep + 161 + 6 + cli_readint32(epbuff+163); |
|
| 2105 |
- cli_dbgmsg("FSG: found old EP @%x\n", oldep);
|
|
| 2112 |
+ oldep = vep + 161 + 6 + cli_readint32(epbuff+163); |
|
| 2113 |
+ cli_dbgmsg("FSG: found old EP @%x\n", oldep);
|
|
| 2106 | 2114 |
|
| 2107 | 2115 |
#if HAVE_JSON |
| 2108 |
- cli_jsonstr(pe_json, "Packer", "FSG"); |
|
| 2116 |
+ cli_jsonstr(pe_json, "Packer", "FSG"); |
|
| 2109 | 2117 |
#endif |
| 2110 | 2118 |
|
| 2111 |
- CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));
|
|
| 2112 |
- CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));
|
|
| 2113 |
- break; /* were done with 1.33 */ |
|
| 2119 |
+ CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));
|
|
| 2120 |
+ CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));
|
|
| 2121 |
+ break; /* were done with 1.33 */ |
|
| 2114 | 2122 |
} |
| 2115 | 2123 |
|
| 2116 |
- |
|
| 2117 | 2124 |
while(found && (DCONF & PE_CONF_FSG) && epbuff[0] == '\xbb' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) < min && epbuff[5] == '\xbf' && epbuff[10] == '\xbe' && vep >= exe_sections[i + 1].rva && vep - exe_sections[i + 1].rva > exe_sections[i + 1].rva - 0xe0 ) {
|
| 2125 |
+ int sectcnt = 0; |
|
| 2126 |
+ uint32_t gp, t = cli_rawaddr(cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size); |
|
| 2127 |
+ const char *support; |
|
| 2128 |
+ uint32_t newesi = cli_readint32(epbuff+11) - EC32(optional_hdr32.ImageBase); |
|
| 2129 |
+ uint32_t newedi = cli_readint32(epbuff+6) - EC32(optional_hdr32.ImageBase); |
|
| 2130 |
+ uint32_t oldep = vep - exe_sections[i + 1].rva; |
|
| 2131 |
+ struct cli_exe_section *sections; |
|
| 2118 | 2132 |
|
| 2119 |
- /* FSG support - v. 1.31 */ |
|
| 2120 |
- |
|
| 2121 |
- int sectcnt = 0; |
|
| 2122 |
- uint32_t gp, t = cli_rawaddr(cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size); |
|
| 2123 |
- const char *support; |
|
| 2124 |
- uint32_t newesi = cli_readint32(epbuff+11) - EC32(optional_hdr32.ImageBase); |
|
| 2125 |
- uint32_t newedi = cli_readint32(epbuff+6) - EC32(optional_hdr32.ImageBase); |
|
| 2126 |
- uint32_t oldep = vep - exe_sections[i + 1].rva; |
|
| 2127 |
- struct cli_exe_section *sections; |
|
| 2133 |
+ /* FSG support - v. 1.31 */ |
|
| 2128 | 2134 |
|
| 2129 |
- ssize = exe_sections[i + 1].rsz; |
|
| 2130 |
- dsize = exe_sections[i].vsz; |
|
| 2135 |
+ ssize = exe_sections[i + 1].rsz; |
|
| 2136 |
+ dsize = exe_sections[i].vsz; |
|
| 2131 | 2137 |
|
| 2132 |
- if(err) {
|
|
| 2133 |
- cli_dbgmsg("FSG: Support data out of padding area\n");
|
|
| 2134 |
- break; |
|
| 2135 |
- } |
|
| 2138 |
+ if(err) {
|
|
| 2139 |
+ cli_dbgmsg("FSG: Support data out of padding area\n");
|
|
| 2140 |
+ break; |
|
| 2141 |
+ } |
|
| 2136 | 2142 |
|
| 2137 |
- if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].raw) {
|
|
| 2138 |
- cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
|
| 2139 |
- break; |
|
| 2140 |
- } |
|
| 2143 |
+ if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].raw) {
|
|
| 2144 |
+ cli_dbgmsg("FSG: Source buffer out of section bounds\n");
|
|
| 2145 |
+ break; |
|
| 2146 |
+ } |
|
| 2141 | 2147 |
|
| 2142 |
- if(newedi != exe_sections[i].rva) {
|
|
| 2143 |
- cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, exe_sections[i].rva);
|
|
| 2144 |
- break; |
|
| 2145 |
- } |
|
| 2148 |
+ if(newedi != exe_sections[i].rva) {
|
|
| 2149 |
+ cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, exe_sections[i].rva);
|
|
| 2150 |
+ break; |
|
| 2151 |
+ } |
|
| 2146 | 2152 |
|
| 2147 |
- CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
|
| 2153 |
+ CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
|
|
| 2148 | 2154 |
|
| 2149 |
- if(ssize <= 0x19 || dsize <= ssize) {
|
|
| 2150 |
- cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
| 2151 |
- free(exe_sections); |
|
| 2152 |
- return CL_CLEAN; |
|
| 2153 |
- } |
|
| 2155 |
+ if(ssize <= 0x19 || dsize <= ssize) {
|
|
| 2156 |
+ cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
| 2157 |
+ free(exe_sections); |
|
| 2158 |
+ return CL_CLEAN; |
|
| 2159 |
+ } |
|
| 2154 | 2160 |
|
| 2155 |
- gp = exe_sections[i + 1].raw - t; |
|
| 2161 |
+ gp = exe_sections[i + 1].raw - t; |
|
| 2156 | 2162 |
|
| 2157 |
- CLI_UNPSIZELIMITS("FSG", gp)
|
|
| 2163 |
+ CLI_UNPSIZELIMITS("FSG", gp)
|
|
| 2158 | 2164 |
|
| 2159 |
- if(!(support = fmap_need_off_once(map, t, gp))) {
|
|
| 2160 |
- cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
|
|
| 2161 |
- free(exe_sections); |
|
| 2162 |
- return CL_EREAD; |
|
| 2163 |
- } |
|
| 2165 |
+ if(!(support = fmap_need_off_once(map, t, gp))) {
|
|
| 2166 |
+ cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
|
|
| 2167 |
+ free(exe_sections); |
|
| 2168 |
+ return CL_EREAD; |
|
| 2169 |
+ } |
|
| 2164 | 2170 |
|
| 2165 |
- /* Counting original sections */ |
|
| 2166 |
- for(t = 0; t < gp - 2; t += 2) {
|
|
| 2167 |
- uint32_t rva = support[t]|(support[t+1]<<8); |
|
| 2171 |
+ /* Counting original sections */ |
|
| 2172 |
+ for(t = 0; t < gp - 2; t += 2) {
|
|
| 2173 |
+ uint32_t rva = support[t]|(support[t+1]<<8); |
|
| 2168 | 2174 |
|
| 2169 |
- if (rva == 2 || rva == 1) |
|
| 2170 |
- break; |
|
| 2175 |
+ if (rva == 2 || rva == 1) |
|
| 2176 |
+ break; |
|
| 2171 | 2177 |
|
| 2172 |
- rva = ((rva-2)<<12) - EC32(optional_hdr32.ImageBase); |
|
| 2173 |
- sectcnt++; |
|
| 2178 |
+ rva = ((rva-2)<<12) - EC32(optional_hdr32.ImageBase); |
|
| 2179 |
+ sectcnt++; |
|
| 2174 | 2180 |
|
| 2175 |
- if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
|
|
| 2176 |
- cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
|
|
| 2177 |
- break; |
|
| 2178 |
- } |
|
| 2179 |
- } |
|
| 2181 |
+ if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
|
|
| 2182 |
+ cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
|
|
| 2183 |
+ break; |
|
| 2184 |
+ } |
|
| 2185 |
+ } |
|
| 2180 | 2186 |
|
| 2181 |
- if(t >= gp-10 || cli_readint32(support + t + 6) != 2) {
|
|
| 2182 |
- break; |
|
| 2183 |
- } |
|
| 2187 |
+ if(t >= gp-10 || cli_readint32(support + t + 6) != 2) |
|
| 2188 |
+ break; |
|
| 2184 | 2189 |
|
| 2185 |
- if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
|
|
| 2186 |
- cli_errmsg("FSG: Unable to allocate memory for sections %lu\n", (sectcnt + 1) * sizeof(struct cli_exe_section));
|
|
| 2187 |
- free(exe_sections); |
|
| 2188 |
- return CL_EMEM; |
|
| 2189 |
- } |
|
| 2190 |
+ if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
|
|
| 2191 |
+ cli_errmsg("FSG: Unable to allocate memory for sections %lu\n", (sectcnt + 1) * sizeof(struct cli_exe_section));
|
|
| 2192 |
+ free(exe_sections); |
|
| 2193 |
+ return CL_EMEM; |
|
| 2194 |
+ } |
|
| 2190 | 2195 |
|
| 2191 |
- sections[0].rva = newedi; |
|
| 2192 |
- for(t = 0; t <= (uint32_t)sectcnt - 1; t++) {
|
|
| 2193 |
- sections[t+1].rva = (((support[t*2]|(support[t*2+1]<<8))-2)<<12)-EC32(optional_hdr32.ImageBase); |
|
| 2194 |
- } |
|
| 2196 |
+ sections[0].rva = newedi; |
|
| 2197 |
+ for(t = 0; t <= (uint32_t)sectcnt - 1; t++) |
|
| 2198 |
+ sections[t+1].rva = (((support[t*2]|(support[t*2+1]<<8))-2)<<12)-EC32(optional_hdr32.ImageBase); |
|
| 2195 | 2199 |
|
| 2196 |
- if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
| 2197 |
- cli_dbgmsg("FSG: Can't read raw data of section %d\n", i);
|
|
| 2198 |
- free(exe_sections); |
|
| 2199 |
- free(sections); |
|
| 2200 |
- return CL_EREAD; |
|
| 2201 |
- } |
|
| 2200 |
+ if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
| 2201 |
+ cli_dbgmsg("FSG: Can't read raw data of section %d\n", i);
|
|
| 2202 |
+ free(exe_sections); |
|
| 2203 |
+ free(sections); |
|
| 2204 |
+ return CL_EREAD; |
|
| 2205 |
+ } |
|
| 2202 | 2206 |
|
| 2203 |
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 2204 |
- free(exe_sections); |
|
| 2205 |
- free(sections); |
|
| 2206 |
- return CL_EMEM; |
|
| 2207 |
- } |
|
| 2207 |
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 2208 |
+ free(exe_sections); |
|
| 2209 |
+ free(sections); |
|
| 2210 |
+ return CL_EMEM; |
|
| 2211 |
+ } |
|
| 2208 | 2212 |
|
| 2209 |
- gp = 0xda + 6*(epbuff[16]=='\xe8'); |
|
| 2210 |
- oldep = vep + gp + 6 + cli_readint32(src+gp+2+oldep); |
|
| 2211 |
- cli_dbgmsg("FSG: found old EP @%x\n", oldep);
|
|
| 2213 |
+ gp = 0xda + 6*(epbuff[16]=='\xe8'); |
|
| 2214 |
+ oldep = vep + gp + 6 + cli_readint32(src+gp+2+oldep); |
|
| 2215 |
+ cli_dbgmsg("FSG: found old EP @%x\n", oldep);
|
|
| 2212 | 2216 |
|
| 2213 | 2217 |
#if HAVE_JSON |
| 2214 |
- cli_jsonstr(pe_json, "Packer", "FSG"); |
|
| 2218 |
+ cli_jsonstr(pe_json, "Packer", "FSG"); |
|
| 2215 | 2219 |
#endif |
| 2216 | 2220 |
|
| 2217 |
- CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));
|
|
| 2218 |
- CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));
|
|
| 2219 |
- break; /* were done with 1.31 */ |
|
| 2221 |
+ CLI_UNPTEMP("FSG",(dest,sections,exe_sections,0));
|
|
| 2222 |
+ CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(dest,sections,0));
|
|
| 2223 |
+ |
|
| 2224 |
+ break; /* were done with 1.31 */ |
|
| 2220 | 2225 |
} |
| 2221 | 2226 |
|
| 2222 | 2227 |
|
| 2223 | 2228 |
if(found && (DCONF & PE_CONF_UPX)) {
|
| 2229 |
+ ssize = exe_sections[i + 1].rsz; |
|
| 2230 |
+ dsize = exe_sections[i].vsz + exe_sections[i + 1].vsz; |
|
| 2224 | 2231 |
|
| 2225 |
- /* UPX support */ |
|
| 2232 |
+ /* |
|
| 2233 |
+ * UPX support |
|
| 2234 |
+ * we assume (i + 1) is UPX1 |
|
| 2235 |
+ */ |
|
| 2226 | 2236 |
|
| 2227 |
- /* we assume (i + 1) is UPX1 */ |
|
| 2228 |
- ssize = exe_sections[i + 1].rsz; |
|
| 2229 |
- dsize = exe_sections[i].vsz + exe_sections[i + 1].vsz; |
|
| 2237 |
+ /* cli_dbgmsg("UPX: ssize %u dsize %u\n", ssize, dsize); */
|
|
| 2230 | 2238 |
|
| 2231 |
- /* cli_dbgmsg("UPX: ssize %u dsize %u\n", ssize, dsize); */
|
|
| 2239 |
+ CLI_UNPSIZELIMITS("UPX", MAX(dsize, ssize));
|
|
| 2232 | 2240 |
|
| 2233 |
- CLI_UNPSIZELIMITS("UPX", MAX(dsize, ssize));
|
|
| 2241 |
+ if(ssize <= 0x19 || dsize <= ssize || dsize > CLI_MAX_ALLOCATION ) {
|
|
| 2242 |
+ cli_dbgmsg("UPX: Size mismatch or dsize too big (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
| 2243 |
+ free(exe_sections); |
|
| 2244 |
+ return CL_CLEAN; |
|
| 2245 |
+ } |
|
| 2234 | 2246 |
|
| 2235 |
- if(ssize <= 0x19 || dsize <= ssize || dsize > CLI_MAX_ALLOCATION ) {
|
|
| 2236 |
- cli_dbgmsg("UPX: Size mismatch or dsize too big (ssize: %d, dsize: %d)\n", ssize, dsize);
|
|
| 2237 |
- free(exe_sections); |
|
| 2238 |
- return CL_CLEAN; |
|
| 2239 |
- } |
|
| 2247 |
+ if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
| 2248 |
+ cli_dbgmsg("UPX: Can't read raw data of section %d\n", i+1);
|
|
| 2249 |
+ free(exe_sections); |
|
| 2250 |
+ return CL_EREAD; |
|
| 2251 |
+ } |
|
| 2240 | 2252 |
|
| 2241 |
- if(!exe_sections[i + 1].rsz || !(src = fmap_need_off_once(map, exe_sections[i + 1].raw, ssize))) {
|
|
| 2242 |
- cli_dbgmsg("UPX: Can't read raw data of section %d\n", i+1);
|
|
| 2243 |
- free(exe_sections); |
|
| 2244 |
- return CL_EREAD; |
|
| 2245 |
- } |
|
| 2253 |
+ if((dest = (char *) cli_calloc(dsize + 8192, sizeof(char))) == NULL) {
|
|
| 2254 |
+ free(exe_sections); |
|
| 2255 |
+ return CL_EMEM; |
|
| 2256 |
+ } |
|
| 2246 | 2257 |
|
| 2247 |
- if((dest = (char *) cli_calloc(dsize + 8192, sizeof(char))) == NULL) {
|
|
| 2248 |
- free(exe_sections); |
|
| 2249 |
- return CL_EMEM; |
|
| 2250 |
- } |
|
| 2258 |
+ /* try to detect UPX code */ |
|
| 2259 |
+ if(cli_memstr(UPX_NRV2B, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2B, 24, epbuff + 0x69 + 8, 13)) {
|
|
| 2260 |
+ cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n");
|
|
| 2261 |
+ upxfn = upx_inflate2b; |
|
| 2262 |
+ } else if(cli_memstr(UPX_NRV2D, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2D, 24, epbuff + 0x69 + 8, 13)) {
|
|
| 2263 |
+ cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n");
|
|
| 2264 |
+ upxfn = upx_inflate2d; |
|
| 2265 |
+ } else if(cli_memstr(UPX_NRV2E, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2E, 24, epbuff + 0x69 + 8, 13)) {
|
|
| 2266 |
+ cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n");
|
|
| 2267 |
+ upxfn = upx_inflate2e; |
|
| 2268 |
+ } |
|
| 2251 | 2269 |
|
| 2252 |
- /* try to detect UPX code */ |
|
| 2253 |
- if(cli_memstr(UPX_NRV2B, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2B, 24, epbuff + 0x69 + 8, 13)) {
|
|
| 2254 |
- cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n");
|
|
| 2255 |
- upxfn = upx_inflate2b; |
|
| 2256 |
- } else if(cli_memstr(UPX_NRV2D, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2D, 24, epbuff + 0x69 + 8, 13)) {
|
|
| 2257 |
- cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n");
|
|
| 2258 |
- upxfn = upx_inflate2d; |
|
| 2259 |
- } else if(cli_memstr(UPX_NRV2E, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2E, 24, epbuff + 0x69 + 8, 13)) {
|
|
| 2260 |
- cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n");
|
|
| 2261 |
- upxfn = upx_inflate2e; |
|
| 2262 |
- } |
|
| 2270 |
+ if(upxfn) {
|
|
| 2271 |
+ int skew = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase) - exe_sections[i + 1].rva; |
|
| 2263 | 2272 |
|
| 2264 |
- if(upxfn) {
|
|
| 2265 |
- int skew = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase) - exe_sections[i + 1].rva; |
|
| 2273 |
+ if(epbuff[1] != '\xbe' || skew <= 0 || skew > 0xfff) {
|
|
| 2274 |
+ /* FIXME: legit skews?? */ |
|
| 2275 |
+ skew = 0; |
|
| 2276 |
+ } else if ((unsigned int)skew > ssize) {
|
|
| 2277 |
+ /* Ignore suggested skew larger than section size */ |
|
| 2278 |
+ skew = 0; |
|
| 2279 |
+ } else {
|
|
| 2280 |
+ cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew);
|
|
| 2281 |
+ } |
|
| 2266 | 2282 |
|
| 2267 |
- if(epbuff[1] != '\xbe' || skew <= 0 || skew > 0xfff) { /* FIXME: legit skews?? */
|
|
| 2268 |
- skew = 0; |
|
| 2269 |
- } else if ((unsigned int)skew > ssize) {
|
|
| 2270 |
- /* Ignore suggested skew larger than section size */ |
|
| 2271 |
- skew = 0; |
|
| 2272 |
- } else {
|
|
| 2273 |
- cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew);
|
|
| 2274 |
- } |
|
| 2283 |
+ /* Try skewed first (skew may be zero) */ |
|
| 2284 |
+ if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0) {
|
|
| 2285 |
+ upx_success = 1; |
|
| 2286 |
+ } |
|
| 2287 |
+ /* If skew not successful and non-zero, try no skew */ |
|
| 2288 |
+ else if(skew && (upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)) {
|
|
| 2289 |
+ upx_success = 1; |
|
| 2290 |
+ } |
|
| 2275 | 2291 |
|
| 2276 |
- /* Try skewed first (skew may be zero) */ |
|
| 2277 |
- if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0) {
|
|
| 2278 |
- upx_success = 1; |
|
| 2279 |
- } |
|
| 2280 |
- /* If skew not successful and non-zero, try no skew */ |
|
| 2281 |
- else if(skew && (upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)) {
|
|
| 2282 |
- upx_success = 1; |
|
| 2283 |
- } |
|
| 2292 |
+ if(upx_success) |
|
| 2293 |
+ cli_dbgmsg("UPX: Successfully decompressed\n");
|
|
| 2294 |
+ else |
|
| 2295 |
+ cli_dbgmsg("UPX: Preferred decompressor failed\n");
|
|
| 2296 |
+ } |
|
| 2284 | 2297 |
|
| 2285 |
- if(upx_success) |
|
| 2286 |
- cli_dbgmsg("UPX: Successfully decompressed\n");
|
|
| 2287 |
- else |
|
| 2288 |
- cli_dbgmsg("UPX: Preferred decompressor failed\n");
|
|
| 2289 |
- } |
|
| 2298 |
+ if(!upx_success && upxfn != upx_inflate2b) {
|
|
| 2299 |
+ if(upx_inflate2b(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2b(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
|
| 2290 | 2300 |
|
| 2291 |
- if(!upx_success && upxfn != upx_inflate2b) {
|
|
| 2292 |
- if(upx_inflate2b(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2b(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
|
| 2301 |
+ cli_dbgmsg("UPX: NRV2B decompressor failed\n");
|
|
| 2302 |
+ } else {
|
|
| 2303 |
+ upx_success = 1; |
|
| 2304 |
+ cli_dbgmsg("UPX: Successfully decompressed with NRV2B\n");
|
|
| 2305 |
+ } |
|
| 2306 |
+ } |
|
| 2293 | 2307 |
|
| 2294 |
- cli_dbgmsg("UPX: NRV2B decompressor failed\n");
|
|
| 2295 |
- } else {
|
|
| 2296 |
- upx_success = 1; |
|
| 2297 |
- cli_dbgmsg("UPX: Successfully decompressed with NRV2B\n");
|
|
| 2298 |
- } |
|
| 2299 |
- } |
|
| 2308 |
+ if(!upx_success && upxfn != upx_inflate2d) {
|
|
| 2309 |
+ if(upx_inflate2d(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2d(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
|
| 2300 | 2310 |
|
| 2301 |
- if(!upx_success && upxfn != upx_inflate2d) {
|
|
| 2302 |
- if(upx_inflate2d(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2d(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
|
| 2311 |
+ cli_dbgmsg("UPX: NRV2D decompressor failed\n");
|
|
| 2312 |
+ } else {
|
|
| 2313 |
+ upx_success = 1; |
|
| 2314 |
+ cli_dbgmsg("UPX: Successfully decompressed with NRV2D\n");
|
|
| 2315 |
+ } |
|
| 2316 |
+ } |
|
| 2303 | 2317 |
|
| 2304 |
- cli_dbgmsg("UPX: NRV2D decompressor failed\n");
|
|
| 2305 |
- } else {
|
|
| 2306 |
- upx_success = 1; |
|
| 2307 |
- cli_dbgmsg("UPX: Successfully decompressed with NRV2D\n");
|
|
| 2308 |
- } |
|
| 2309 |
- } |
|
| 2318 |
+ if(!upx_success && upxfn != upx_inflate2e) {
|
|
| 2319 |
+ if(upx_inflate2e(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2e(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
|
| 2320 |
+ cli_dbgmsg("UPX: NRV2E decompressor failed\n");
|
|
| 2321 |
+ } else {
|
|
| 2322 |
+ upx_success = 1; |
|
| 2323 |
+ cli_dbgmsg("UPX: Successfully decompressed with NRV2E\n");
|
|
| 2324 |
+ } |
|
| 2325 |
+ } |
|
| 2310 | 2326 |
|
| 2311 |
- if(!upx_success && upxfn != upx_inflate2e) {
|
|
| 2312 |
- if(upx_inflate2e(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2e(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
|
|
| 2313 |
- cli_dbgmsg("UPX: NRV2E decompressor failed\n");
|
|
| 2314 |
- } else {
|
|
| 2315 |
- upx_success = 1; |
|
| 2316 |
- cli_dbgmsg("UPX: Successfully decompressed with NRV2E\n");
|
|
| 2317 |
- } |
|
| 2318 |
- } |
|
| 2327 |
+ if(cli_memstr(UPX_LZMA2, 20, epbuff + 0x2f, 20)) {
|
|
| 2328 |
+ uint32_t strictdsize=cli_readint32(epbuff+0x21), skew = 0; |
|
| 2329 |
+ if(ssize > 0x15 && epbuff[0] == '\x60' && epbuff[1] == '\xbe') {
|
|
| 2330 |
+ skew = cli_readint32(epbuff+2) - exe_sections[i + 1].rva - optional_hdr32.ImageBase; |
|
| 2331 |
+ if(skew!=0x15) |
|
| 2332 |
+ skew = 0; |
|
| 2333 |
+ } |
|
| 2319 | 2334 |
|
| 2320 |
- if(cli_memstr(UPX_LZMA2, 20, epbuff + 0x2f, 20)) {
|
|
| 2321 |
- uint32_t strictdsize=cli_readint32(epbuff+0x21), skew = 0; |
|
| 2322 |
- if(ssize > 0x15 && epbuff[0] == '\x60' && epbuff[1] == '\xbe') {
|
|
| 2323 |
- skew = cli_readint32(epbuff+2) - exe_sections[i + 1].rva - optional_hdr32.ImageBase; |
|
| 2324 |
- if(skew!=0x15) skew = 0; |
|
| 2325 |
- } |
|
| 2326 |
- if(strictdsize<=dsize) |
|
| 2327 |
- upx_success = upx_inflatelzma(src+skew, ssize-skew, dest, &strictdsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >=0; |
|
| 2328 |
- } else if (cli_memstr(UPX_LZMA1, 20, epbuff + 0x39, 20)) {
|
|
| 2329 |
- uint32_t strictdsize=cli_readint32(epbuff+0x2b), skew = 0; |
|
| 2330 |
- if(ssize > 0x15 && epbuff[0] == '\x60' && epbuff[1] == '\xbe') {
|
|
| 2331 |
- skew = cli_readint32(epbuff+2) - exe_sections[i + 1].rva - optional_hdr32.ImageBase; |
|
| 2332 |
- if(skew!=0x15) skew = 0; |
|
| 2333 |
- } |
|
| 2334 |
- if(strictdsize<=dsize) |
|
| 2335 |
- upx_success = upx_inflatelzma(src+skew, ssize-skew, dest, &strictdsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >=0; |
|
| 2336 |
- } |
|
| 2335 |
+ if(strictdsize<=dsize) |
|
| 2336 |
+ upx_success = upx_inflatelzma(src+skew, ssize-skew, dest, &strictdsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >=0; |
|
| 2337 |
+ } else if (cli_memstr(UPX_LZMA1, 20, epbuff + 0x39, 20)) {
|
|
| 2338 |
+ uint32_t strictdsize=cli_readint32(epbuff+0x2b), skew = 0; |
|
| 2339 |
+ if(ssize > 0x15 && epbuff[0] == '\x60' && epbuff[1] == '\xbe') {
|
|
| 2340 |
+ skew = cli_readint32(epbuff+2) - exe_sections[i + 1].rva - optional_hdr32.ImageBase; |
|
| 2341 |
+ if(skew!=0x15) |
|
| 2342 |
+ skew = 0; |
|
| 2343 |
+ } |
|
| 2337 | 2344 |
|
| 2338 |
- if(!upx_success) {
|
|
| 2339 |
- cli_dbgmsg("UPX: All decompressors failed\n");
|
|
| 2340 |
- free(dest); |
|
| 2341 |
- } |
|
| 2345 |
+ if(strictdsize<=dsize) |
|
| 2346 |
+ upx_success = upx_inflatelzma(src+skew, ssize-skew, dest, &strictdsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >=0; |
|
| 2347 |
+ } |
|
| 2348 |
+ |
|
| 2349 |
+ if(!upx_success) {
|
|
| 2350 |
+ cli_dbgmsg("UPX: All decompressors failed\n");
|
|
| 2351 |
+ free(dest); |
|
| 2352 |
+ } |
|
| 2342 | 2353 |
} |
| 2343 | 2354 |
|
| 2344 | 2355 |
if(upx_success) {
|
| 2345 |
- free(exe_sections); |
|
| 2356 |
+ free(exe_sections); |
|
| 2346 | 2357 |
|
| 2347 |
- CLI_UNPTEMP("UPX/FSG",(dest,0));
|
|
| 2358 |
+ CLI_UNPTEMP("UPX/FSG",(dest,0));
|
|
| 2348 | 2359 |
#if HAVE_JSON |
| 2349 |
- cli_jsonstr(pe_json, "Packer", "UPX"); |
|
| 2360 |
+ cli_jsonstr(pe_json, "Packer", "UPX"); |
|
| 2350 | 2361 |
#endif |
| 2351 | 2362 |
|
| 2352 |
- if((unsigned int) write(ndesc, dest, dsize) != dsize) {
|
|
| 2353 |
- cli_dbgmsg("UPX/FSG: Can't write %d bytes\n", dsize);
|
|
| 2354 |
- free(tempfile); |
|
| 2355 |
- free(dest); |
|
| 2356 |
- close(ndesc); |
|
| 2357 |
- return CL_EWRITE; |
|
| 2358 |
- } |
|
| 2363 |
+ if((unsigned int) write(ndesc, dest, dsize) != dsize) {
|
|
| 2364 |
+ cli_dbgmsg("UPX/FSG: Can't write %d bytes\n", dsize);
|
|
| 2365 |
+ free(tempfile); |
|
| 2366 |
+ free(dest); |
|
| 2367 |
+ close(ndesc); |
|
| 2368 |
+ return CL_EWRITE; |
|
| 2369 |
+ } |
|
| 2359 | 2370 |
|
| 2360 |
- free(dest); |
|
| 2361 |
- if (lseek(ndesc, 0, SEEK_SET) == -1) {
|
|
| 2362 |
- cli_dbgmsg("UPX/FSG: lseek() failed\n");
|
|
| 2363 |
- close(ndesc); |
|
| 2364 |
- CLI_TMPUNLK(); |
|
| 2365 |
- free(tempfile); |
|
| 2366 |
- SHA_RESET; |
|
| 2367 |
- return CL_ESEEK; |
|
| 2368 |
- } |
|
| 2371 |
+ free(dest); |
|
| 2372 |
+ if (lseek(ndesc, 0, SEEK_SET) == -1) {
|
|
| 2373 |
+ cli_dbgmsg("UPX/FSG: lseek() failed\n");
|
|
| 2374 |
+ close(ndesc); |
|
| 2375 |
+ CLI_TMPUNLK(); |
|
| 2376 |
+ free(tempfile); |
|
| 2377 |
+ SHA_RESET; |
|
| 2378 |
+ return CL_ESEEK; |
|
| 2379 |
+ } |
|
| 2369 | 2380 |
|
| 2370 |
- if(ctx->engine->keeptmp) |
|
| 2371 |
- cli_dbgmsg("UPX/FSG: Decompressed data saved in %s\n", tempfile);
|
|
| 2381 |
+ if(ctx->engine->keeptmp) |
|
| 2382 |
+ cli_dbgmsg("UPX/FSG: Decompressed data saved in %s\n", tempfile);
|
|
| 2372 | 2383 |
|
| 2373 |
- cli_dbgmsg("***** Scanning decompressed file *****\n");
|
|
| 2374 |
- SHA_OFF; |
|
| 2375 |
- if((ret = cli_magic_scandesc(ndesc, ctx)) == CL_VIRUS) {
|
|
| 2376 |
- close(ndesc); |
|
| 2377 |
- CLI_TMPUNLK(); |
|
| 2378 |
- free(tempfile); |
|
| 2379 |
- SHA_RESET; |
|
| 2380 |
- return CL_VIRUS; |
|
| 2381 |
- } |
|
| 2384 |
+ cli_dbgmsg("***** Scanning decompressed file *****\n");
|
|
| 2385 |
+ SHA_OFF; |
|
| 2386 |
+ if((ret = cli_magic_scandesc(ndesc, ctx)) == CL_VIRUS) {
|
|
| 2387 |
+ close(ndesc); |
|
| 2388 |
+ CLI_TMPUNLK(); |
|
| 2389 |
+ free(tempfile); |
|
| 2390 |
+ SHA_RESET; |
|
| 2391 |
+ return CL_VIRUS; |
|
| 2392 |
+ } |
|
| 2382 | 2393 |
|
| 2383 |
- SHA_RESET; |
|
| 2384 |
- close(ndesc); |
|
| 2385 |
- CLI_TMPUNLK(); |
|
| 2386 |
- free(tempfile); |
|
| 2387 |
- return ret; |
|
| 2394 |
+ SHA_RESET; |
|
| 2395 |
+ close(ndesc); |
|
| 2396 |
+ CLI_TMPUNLK(); |
|
| 2397 |
+ free(tempfile); |
|
| 2398 |
+ return ret; |
|
| 2388 | 2399 |
} |
| 2389 | 2400 |
|
| 2390 | 2401 |
|
| 2391 | 2402 |
/* Petite */ |
| 2392 | 2403 |
|
| 2393 | 2404 |
if(epsize<200) {
|
| 2394 |
- free(exe_sections); |
|
| 2395 |
- return CL_CLEAN; |
|
| 2405 |
+ free(exe_sections); |
|
| 2406 |
+ return CL_CLEAN; |
|
| 2396 | 2407 |
} |
| 2397 | 2408 |
|
| 2398 | 2409 |
found = 2; |
| 2399 | 2410 |
|
| 2400 | 2411 |
if(epbuff[0] != '\xb8' || (uint32_t) cli_readint32(epbuff + 1) != exe_sections[nsections - 1].rva + EC32(optional_hdr32.ImageBase)) {
|
| 2401 |
- if(nsections < 2 || epbuff[0] != '\xb8' || (uint32_t) cli_readint32(epbuff + 1) != exe_sections[nsections - 2].rva + EC32(optional_hdr32.ImageBase)) |
|
| 2402 |
- found = 0; |
|
| 2403 |
- else |
|
| 2404 |
- found = 1; |
|
| 2412 |
+ if(nsections < 2 || epbuff[0] != '\xb8' || (uint32_t) cli_readint32(epbuff + 1) != exe_sections[nsections - 2].rva + EC32(optional_hdr32.ImageBase)) |
|
| 2413 |
+ found = 0; |
|
| 2414 |
+ else |
|
| 2415 |
+ found = 1; |
|
| 2405 | 2416 |
} |
| 2406 | 2417 |
|
| 2407 | 2418 |
if(found && (DCONF & PE_CONF_PETITE)) {
|
| 2408 |
- cli_dbgmsg("Petite: v2.%d compression detected\n", found);
|
|
| 2419 |
+ cli_dbgmsg("Petite: v2.%d compression detected\n", found);
|
|
| 2409 | 2420 |
|
| 2410 |
- if(cli_readint32(epbuff + 0x80) == 0x163c988d) {
|
|
| 2411 |
- cli_dbgmsg("Petite: level zero compression is not supported yet\n");
|
|
| 2412 |
- } else {
|
|
| 2413 |
- dsize = max - min; |
|
| 2421 |
+ if(cli_readint32(epbuff + 0x80) == 0x163c988d) {
|
|
| 2422 |
+ cli_dbgmsg("Petite: level zero compression is not supported yet\n");
|
|
| 2423 |
+ } else {
|
|
| 2424 |
+ dsize = max - min; |
|
| 2414 | 2425 |
|
| 2415 |
- CLI_UNPSIZELIMITS("Petite", dsize);
|
|
| 2426 |
+ CLI_UNPSIZELIMITS("Petite", dsize);
|
|
| 2416 | 2427 |
|
| 2417 |
- if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 2418 |
- cli_dbgmsg("Petite: Can't allocate %d bytes\n", dsize);
|
|
| 2419 |
- free(exe_sections); |
|
| 2420 |
- return CL_EMEM; |
|
| 2421 |
- } |
|
| 2428 |
+ if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
|
|
| 2429 |
+ cli_dbgmsg("Petite: Can't allocate %d bytes\n", dsize);
|
|
| 2430 |
+ free(exe_sections); |
|
| 2431 |
+ return CL_EMEM; |
|
| 2432 |
+ } |
|
| 2422 | 2433 |
|
| 2423 |
- for(i = 0 ; i < nsections; i++) {
|
|
| 2424 |
- if(exe_sections[i].raw) {
|
|
| 2425 |
- if(!exe_sections[i].rsz || (unsigned int)fmap_readn(map, dest + exe_sections[i].rva - min, exe_sections[i].raw, exe_sections[i].ursz) != exe_sections[i].ursz) {
|
|
| 2426 |
- free(exe_sections); |
|
| 2427 |
- free(dest); |
|
| 2428 |
- return CL_CLEAN; |
|
| 2429 |
- } |
|
| 2430 |
- } |
|
| 2431 |
- } |
|
| 2434 |
+ for(i = 0 ; i < nsections; i++) {
|
|
| 2435 |
+ if(exe_sections[i].raw) {
|
|
| 2436 |
+ if(!exe_sections[i].rsz || (unsigned int)fmap_readn(map, dest + exe_sections[i].rva - min, exe_sections[i].raw, exe_sections[i].ursz) != exe_sections[i].ursz) {
|
|
| 2437 |
+ free(exe_sections); |
|
| 2438 |
+ free(dest); |
|
| 2439 |
+ return CL_CLEAN; |
|
| 2440 |
+ } |
|
| 2441 |
+ } |
|
| 2442 |
+ } |
|
| 2432 | 2443 |
|
| 2433 | 2444 |
#if HAVE_JSON |
| 2434 |
- cli_jsonstr(pe_json, "Packer", "Petite"); |
|
| 2445 |
+ cli_jsonstr(pe_json, "Packer", "Petite"); |
|
| 2435 | 2446 |
#endif |
| 2436 | 2447 |
|
| 2437 |
- CLI_UNPTEMP("Petite",(dest,exe_sections,0));
|
|
| 2438 |
- CLI_UNPRESULTS("Petite",(petite_inflate2x_1to9(dest, min, max - min, exe_sections, nsections - (found == 1 ? 1 : 0), EC32(optional_hdr32.ImageBase),vep, ndesc, found, EC32(optional_hdr32.DataDirectory[2].VirtualAddress),EC32(optional_hdr32.DataDirectory[2].Size))),0,(dest,0));
|
|
| 2439 |
- } |
|
| 2448 |
+ CLI_UNPTEMP("Petite",(dest,exe_sections,0));
|
|
| 2449 |
+ CLI_UNPRESULTS("Petite",(petite_inflate2x_1to9(dest, min, max - min, exe_sections, nsections - (found == 1 ? 1 : 0), EC32(optional_hdr32.ImageBase),vep, ndesc, found, EC32(optional_hdr32.DataDirectory[2].VirtualAddress),EC32(optional_hdr32.DataDirectory[2].Size))),0,(dest,0));
|
|
| 2450 |
+ } |
|
| 2440 | 2451 |
} |
| 2441 | 2452 |
|
| 2442 | 2453 |
/* PESpin 1.1 */ |
| ... | ... |
@@ -2446,29 +2533,29 @@ int cli_scanpe(cli_ctx *ctx) |
| 2446 | 2446 |
vep < exe_sections[nsections - 1].rva + exe_sections[nsections - 1].rsz - 0x3217 - 4 && |
| 2447 | 2447 |
memcmp(epbuff+4, "\xe8\x00\x00\x00\x00\x8b\x1c\x24\x83\xc3", 10) == 0) {
|
| 2448 | 2448 |
|
| 2449 |
- char *spinned; |
|
| 2449 |
+ char *spinned; |
|
| 2450 | 2450 |
|
| 2451 |
- CLI_UNPSIZELIMITS("PEspin", fsize);
|
|
| 2451 |
+ CLI_UNPSIZELIMITS("PEspin", fsize);
|
|
| 2452 | 2452 |
|
| 2453 |
- if((spinned = (char *) cli_malloc(fsize)) == NULL) {
|
|
| 2454 |
- cli_errmsg("PESping: Unable to allocate memory for spinned %lu\n", (unsigned long)fsize);
|
|
| 2455 |
- free(exe_sections); |
|
| 2456 |
- return CL_EMEM; |
|
| 2457 |
- } |
|
| 2453 |
+ if((spinned = (char *) cli_malloc(fsize)) == NULL) {
|
|
| 2454 |
+ cli_errmsg("PESping: Unable to allocate memory for spinned %lu\n", (unsigned long)fsize);
|
|
| 2455 |
+ free(exe_sections); |
|
| 2456 |
+ return CL_EMEM; |
|
| 2457 |
+ } |
|
| 2458 | 2458 |
|
| 2459 |
- if((size_t) fmap_readn(map, spinned, 0, fsize) != fsize) {
|
|
| 2460 |
- cli_dbgmsg("PESpin: Can't read %lu bytes\n", (unsigned long)fsize);
|
|
| 2461 |
- free(spinned); |
|
| 2462 |
- free(exe_sections); |
|
| 2463 |
- return CL_EREAD; |
|
| 2464 |
- } |
|
| 2459 |
+ if((size_t) fmap_readn(map, spinned, 0, fsize) != fsize) {
|
|
| 2460 |
+ cli_dbgmsg("PESpin: Can't read %lu bytes\n", (unsigned long)fsize);
|
|
| 2461 |
+ free(spinned); |
|
| 2462 |
+ free(exe_sections); |
|
| 2463 |
+ return CL_EREAD; |
|
| 2464 |
+ } |
|
| 2465 | 2465 |
|
| 2466 | 2466 |
#if HAVE_JSON |
| 2467 |
- cli_jsonstr(pe_json, "Packer", "PEspin"); |
|
| 2467 |
+ cli_jsonstr(pe_json, "Packer", "PEspin"); |
|
| 2468 | 2468 |
#endif |
| 2469 | 2469 |
|
| 2470 |
- CLI_UNPTEMP("PESpin",(spinned,exe_sections,0));
|
|
| 2471 |
- CLI_UNPRESULTS_("PEspin",SPINCASE(),(unspin(spinned, fsize, exe_sections, nsections - 1, vep, ndesc, ctx)),0,(spinned,0));
|
|
| 2470 |
+ CLI_UNPTEMP("PESpin",(spinned,exe_sections,0));
|
|
| 2471 |
+ CLI_UNPRESULTS_("PEspin",SPINCASE(),(unspin(spinned, fsize, exe_sections, nsections - 1, vep, ndesc, ctx)),0,(spinned,0));
|
|
| 2472 | 2472 |
} |
| 2473 | 2473 |
|
| 2474 | 2474 |
|
| ... | ... |
@@ -2476,69 +2563,69 @@ int cli_scanpe(cli_ctx *ctx) |
| 2476 | 2476 |
if((DCONF & PE_CONF_YC) && nsections > 1 && |
| 2477 | 2477 |
(EC32(optional_hdr32.AddressOfEntryPoint) == exe_sections[nsections - 1].rva + 0x60)) {
|
| 2478 | 2478 |
|
| 2479 |
- uint32_t ecx = 0; |
|
| 2480 |
- int16_t offset; |
|
| 2479 |
+ uint32_t ecx = 0; |
|
| 2480 |
+ int16_t offset; |
|
| 2481 | 2481 |
|
| 2482 |
- /* yC 1.3 */ |
|
| 2483 |
- if (!memcmp(epbuff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED", 15) && |
|
| 2484 |
- !memcmp(epbuff+0x26, "\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 13) && |
|
| 2485 |
- ((uint8_t)epbuff[0x13] == 0xB9) && |
|
| 2486 |
- ((uint16_t)(cli_readint16(epbuff+0x18)) == 0xE981) && |
|
| 2487 |
- !memcmp(epbuff+0x1e,"\x8B\xD5\x81\xC2", 4)) {
|
|
| 2482 |
+ /* yC 1.3 */ |
|
| 2483 |
+ if (!memcmp(epbuff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED", 15) && |
|
| 2484 |
+ !memcmp(epbuff+0x26, "\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 13) && |
|
| 2485 |
+ ((uint8_t)epbuff[0x13] == 0xB9) && |
|
| 2486 |
+ ((uint16_t)(cli_readint16(epbuff+0x18)) == 0xE981) && |
|
| 2487 |
+ !memcmp(epbuff+0x1e,"\x8B\xD5\x81\xC2", 4)) {
|
|
| 2488 | 2488 |
|
| 2489 |
- offset = 0; |
|
| 2490 |
- if (0x6c - cli_readint32(epbuff+0xf) + cli_readint32(epbuff+0x22) == 0xC6) |
|
| 2491 |
- ecx = cli_readint32(epbuff+0x14) - cli_readint32(epbuff+0x1a); |
|
| 2492 |
- } |
|
| 2489 |
+ offset = 0; |
|
| 2490 |
+ if (0x6c - cli_readint32(epbuff+0xf) + cli_readint32(epbuff+0x22) == 0xC6) |
|
| 2491 |
+ ecx = cli_readint32(epbuff+0x14) - cli_readint32(epbuff+0x1a); |
|
| 2492 |
+ } |
|
| 2493 | 2493 |
|
| 2494 |
- /* yC 1.3 variant */ |
|
| 2495 |
- if (!ecx && !memcmp(epbuff, "\x55\x8B\xEC\x83\xEC\x40\x53\x56\x57", 9) && |
|
| 2496 |
- !memcmp(epbuff+0x17, "\xe8\x00\x00\x00\x00\x5d\x81\xed", 8) && |
|
| 2497 |
- ((uint8_t)epbuff[0x23] == 0xB9)) {
|
|
| 2494 |
+ /* yC 1.3 variant */ |
|
| 2495 |
+ if (!ecx && !memcmp(epbuff, "\x55\x8B\xEC\x83\xEC\x40\x53\x56\x57", 9) && |
|
| 2496 |
+ !memcmp(epbuff+0x17, "\xe8\x00\x00\x00\x00\x5d\x81\xed", 8) && |
|
| 2497 |
+ ((uint8_t)epbuff[0x23] == 0xB9)) {
|
|
| 2498 | 2498 |
|
| 2499 |
- offset = 0x10; |
|
| 2500 |
- if (0x6c - cli_readint32(epbuff+0x1f) + cli_readint32(epbuff+0x32) == 0xC6) |
|
| 2501 |
- ecx = cli_readint32(epbuff+0x24) - cli_readint32(epbuff+0x2a); |
|
| 2502 |
- } |
|
| 2499 |
+ offset = 0x10; |
|
| 2500 |
+ if (0x6c - cli_readint32(epbuff+0x1f) + cli_readint32(epbuff+0x32) == 0xC6) |
|
| 2501 |
+ ecx = cli_readint32(epbuff+0x24) - cli_readint32(epbuff+0x2a); |
|
| 2502 |
+ } |
|
| 2503 | 2503 |
|
| 2504 |
- /* yC 1.x/modified */ |
|
| 2505 |
- if (!ecx && !memcmp(epbuff, "\x60\xe8\x00\x00\x00\x00\x5d\x81\xed",9) && |
|
| 2506 |
- ((uint8_t)epbuff[0xd] == 0xb9) && |
|
| 2507 |
- ((uint16_t)cli_readint16(epbuff + 0x12)== 0xbd8d) && |
|
| 2508 |
- !memcmp(epbuff+0x18, "\x8b\xf7\xac", 3)) {
|
|
| 2504 |
+ /* yC 1.x/modified */ |
|
| 2505 |
+ if (!ecx && !memcmp(epbuff, "\x60\xe8\x00\x00\x00\x00\x5d\x81\xed",9) && |
|
| 2506 |
+ ((uint8_t)epbuff[0xd] == 0xb9) && |
|
| 2507 |
+ ((uint16_t)cli_readint16(epbuff + 0x12)== 0xbd8d) && |
|
| 2508 |
+ !memcmp(epbuff+0x18, "\x8b\xf7\xac", 3)) {
|
|
| 2509 | 2509 |
|
| 2510 |
- offset = -0x18; |
|
| 2511 |
- if (0x66 - cli_readint32(epbuff+0x9) + cli_readint32(epbuff+0x14) == 0xae) |
|
| 2512 |
- ecx = cli_readint32(epbuff+0xe); |
|
| 2513 |
- } |
|
| 2510 |
+ offset = -0x18; |
|
| 2511 |
+ if (0x66 - cli_readint32(epbuff+0x9) + cli_readint32(epbuff+0x14) == 0xae) |
|
| 2512 |
+ ecx = cli_readint32(epbuff+0xe); |
|
| 2513 |
+ } |
|
| 2514 | 2514 |
|
| 2515 |
- if (ecx > 0x800 && ecx < 0x2000 && |
|
| 2516 |
- !memcmp(epbuff+0x63+offset, "\xaa\xe2\xcc", 3) && |
|
| 2517 |
- (fsize >= exe_sections[nsections-1].raw + 0xC6 + ecx + offset)) {
|
|
| 2515 |
+ if (ecx > 0x800 && ecx < 0x2000 && |
|
| 2516 |
+ !memcmp(epbuff+0x63+offset, "\xaa\xe2\xcc", 3) && |
|
| 2517 |
+ (fsize >= exe_sections[nsections-1].raw + 0xC6 + ecx + offset)) {
|
|
| 2518 | 2518 |
|
| 2519 |
- char *spinned; |
|
| 2519 |
+ char *spinned; |
|
| 2520 | 2520 |
|
| 2521 |
- if((spinned = (char *) cli_malloc(fsize)) == NULL) {
|
|
| 2522 |
- cli_errmsg("yC: Unable to allocate memory for spinned %lu\n", (unsigned long)fsize);
|
|
| 2523 |
- free(exe_sections); |
|
| 2524 |
- return CL_EMEM; |
|
| 2525 |
- } |
|
| 2521 |
+ if((spinned = (char *) cli_malloc(fsize)) == NULL) {
|
|
| 2522 |
+ cli_errmsg("yC: Unable to allocate memory for spinned %lu\n", (unsigned long)fsize);
|
|
| 2523 |
+ free(exe_sections); |
|
| 2524 |
+ return CL_EMEM; |
|
| 2525 |
+ } |
|
| 2526 | 2526 |
|
| 2527 |
- if((size_t) fmap_readn(map, spinned, 0, fsize) != fsize) {
|
|
| 2528 |
- cli_dbgmsg("yC: Can't read %lu bytes\n", (unsigned long)fsize);
|
|
| 2529 |
- free(spinned); |
|
| 2530 |
- free(exe_sections); |
|
| 2531 |
- return CL_EREAD; |
|
| 2532 |
- } |
|
| 2527 |
+ if((size_t) fmap_readn(map, spinned, 0, fsize) != fsize) {
|
|
| 2528 |
+ cli_dbgmsg("yC: Can't read %lu bytes\n", (unsigned long)fsize);
|
|
| 2529 |
+ free(spinned); |
|
| 2530 |
+ free(exe_sections); |
|
| 2531 |
+ return CL_EREAD; |
|
| 2532 |
+ } |
|
| 2533 | 2533 |
|
| 2534 | 2534 |
#if HAVE_JSON |
| 2535 |
- cli_jsonstr(pe_json, "Packer", "yC"); |
|
| 2535 |
+ cli_jsonstr(pe_json, "Packer", "yC"); |
|
| 2536 | 2536 |
#endif |
| 2537 | 2537 |
|
| 2538 |
- cli_dbgmsg("%d,%d,%d,%d\n", nsections-1, e_lfanew, ecx, offset);
|
|
| 2539 |
- CLI_UNPTEMP("yC",(spinned,exe_sections,0));
|
|
| 2540 |
- CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc, ecx, offset)),0,(spinned,0));
|
|
| 2541 |
- } |
|
| 2538 |
+ cli_dbgmsg("%d,%d,%d,%d\n", nsections-1, e_lfanew, ecx, offset);
|
|
| 2539 |
+ CLI_UNPTEMP("yC",(spinned,exe_sections,0));
|
|
| 2540 |
+ CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc, ecx, offset)),0,(spinned,0));
|
|
| 2541 |
+ } |
|
| 2542 | 2542 |
} |
| 2543 | 2543 |
|
| 2544 | 2544 |
/* WWPack */ |
| ... | ... |
@@ -2547,87 +2634,111 @@ int cli_scanpe(cli_ctx *ctx) |
| 2547 | 2547 |
vep == exe_sections[nsections - 1].rva && |
| 2548 | 2548 |
memcmp(epbuff, "\x53\x55\x8b\xe8\x33\xdb\xeb", 7) == 0 && |
| 2549 | 2549 |
memcmp(epbuff+0x68, "\xe8\x00\x00\x00\x00\x58\x2d\x6d\x00\x00\x00\x50\x60\x33\xc9\x50\x58\x50\x50", 19) == 0) {
|
| 2550 |
- uint32_t head = exe_sections[nsections - 1].raw; |
|
| 2550 |
+ uint32_t head = exe_sections[nsections - 1].raw; |
|
| 2551 | 2551 |
uint8_t *packer; |
| 2552 |
- char *src; |
|
| 2553 |
- |
|
| 2554 |
- ssize = 0; |
|
| 2555 |
- for(i=0 ; ; i++) {
|
|
| 2556 |
- if(exe_sections[i].raw<head) |
|
| 2557 |
- head=exe_sections[i].raw; |
|
| 2558 |
- if(i+1==nsections) break; |
|
| 2559 |
- if(ssize<exe_sections[i].rva+exe_sections[i].vsz) |
|
| 2560 |
- ssize=exe_sections[i].rva+exe_sections[i].vsz; |
|
| 2561 |
- } |
|
| 2562 |
- if(!head || !ssize || head>ssize) break; |
|
| 2552 |
+ char *src; |
|
| 2553 |
+ |
|
| 2554 |
+ ssize = 0; |
|
| 2555 |
+ for(i=0 ; ; i++) {
|
|
| 2556 |
+ if(exe_sections[i].raw<head) |
|
| 2557 |
+ head=exe_sections[i].raw; |
|
| 2558 |
+ |
|
| 2559 |
+ if(i+1==nsections) |
|
| 2560 |
+ break; |
|
| 2561 |
+ |
|
| 2562 |
+ if(ssize<exe_sections[i].rva+exe_sections[i].vsz) |
|
| 2563 |
+ ssize=exe_sections[i].rva+exe_sections[i].vsz; |
|
| 2564 |
+ } |
|
| 2563 | 2565 |
|
| 2564 |
- CLI_UNPSIZELIMITS("WWPack", ssize);
|
|
| 2566 |
+ if(!head || !ssize || head>ssize) |
|
| 2567 |
+ break; |
|
| 2568 |
+ |
|
| 2569 |
+ CLI_UNPSIZELIMITS("WWPack", ssize);
|
|
| 2565 | 2570 |
|
| 2566 | 2571 |
if(!(src=(char *)cli_calloc(ssize, sizeof(char)))) {
|
| 2567 |
- free(exe_sections); |
|
| 2568 |
- return CL_EMEM; |
|
| 2569 |
- } |
|
| 2570 |
- if((size_t) fmap_readn(map, src, 0, head) != head) {
|
|
| 2571 |
- cli_dbgmsg("WWPack: Can't read %d bytes from headers\n", head);
|
|
| 2572 |
- free(src); |
|
| 2573 |
- free(exe_sections); |
|
| 2574 |
- return CL_EREAD; |
|
| 2575 |
- } |
|
| 2572 |
+ free(exe_sections); |
|
| 2573 |
+ return CL_EMEM; |
|
| 2574 |
+ } |
|
| 2575 |
+ |
|
| 2576 |
+ if((size_t) fmap_readn(map, src, 0, head) != head) {
|
|
| 2577 |
+ cli_dbgmsg("WWPack: Can't read %d bytes from headers\n", head);
|
|
| 2578 |
+ free(src); |
|
| 2579 |
+ free(exe_sections); |
|
| 2580 |
+ return CL_EREAD; |
|
| 2581 |
+ } |
|
| 2582 |
+ |
|
| 2576 | 2583 |
for(i = 0 ; i < (unsigned int)nsections-1; i++) {
|
| 2577 |
- if(!exe_sections[i].rsz) continue; |
|
| 2578 |
- if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz)) break; |
|
| 2579 |
- if((unsigned int)fmap_readn(map, src+exe_sections[i].rva, exe_sections[i].raw, exe_sections[i].rsz)!=exe_sections[i].rsz) break; |
|
| 2584 |
+ if(!exe_sections[i].rsz) |
|
| 2585 |
+ continue; |
|
| 2586 |
+ |
|
| 2587 |
+ if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz)) |
|
| 2588 |
+ break; |
|
| 2589 |
+ |
|
| 2590 |
+ if((unsigned int)fmap_readn(map, src+exe_sections[i].rva, exe_sections[i].raw, exe_sections[i].rsz)!=exe_sections[i].rsz) |
|
| 2591 |
+ break; |
|
| 2580 | 2592 |
} |
| 2593 |
+ |
|
| 2581 | 2594 |
if(i+1!=nsections) {
|
| 2582 | 2595 |
cli_dbgmsg("WWpack: Probably hacked/damaged file.\n");
|
| 2583 | 2596 |
free(src); |
| 2584 | 2597 |
break; |
| 2585 | 2598 |
} |
| 2586 |
- if((packer = (uint8_t *) cli_calloc(exe_sections[nsections - 1].rsz, sizeof(char))) == NULL) {
|
|
| 2587 |
- free(src); |
|
| 2588 |
- free(exe_sections); |
|
| 2589 |
- return CL_EMEM; |
|
| 2590 |
- } |
|
| 2591 |
- if(!exe_sections[nsections - 1].rsz || (size_t) fmap_readn(map, packer, exe_sections[nsections - 1].raw, exe_sections[nsections - 1].rsz) != exe_sections[nsections - 1].rsz) {
|
|
| 2592 |
- cli_dbgmsg("WWPack: Can't read %d bytes from wwpack sect\n", exe_sections[nsections - 1].rsz);
|
|
| 2593 |
- free(src); |
|
| 2594 |
- free(packer); |
|
| 2595 |
- free(exe_sections); |
|
| 2596 |
- return CL_EREAD; |
|
| 2597 |
- } |
|
| 2599 |
+ |
|
| 2600 |
+ if((packer = (uint8_t *) cli_calloc(exe_sections[nsections - 1].rsz, sizeof(char))) == NULL) {
|
|
| 2601 |
+ free(src); |
|
| 2602 |
+ free(exe_sections); |
|
| 2603 |
+ return CL_EMEM; |
|
| 2604 |
+ } |
|
| 2605 |
+ |
|
| 2606 |
+ if(!exe_sections[nsections - 1].rsz || (size_t) fmap_readn(map, packer, exe_sections[nsections - 1].raw, exe_sections[nsections - 1].rsz) != exe_sections[nsections - 1].rsz) {
|
|
| 2607 |
+ cli_dbgmsg("WWPack: Can't read %d bytes from wwpack sect\n", exe_sections[nsections - 1].rsz);
|
|
| 2608 |
+ free(src); |
|
| 2609 |
+ free(packer); |
|
| 2610 |
+ free(exe_sections); |
|
| 2611 |
+ return CL_EREAD; |
|
| 2612 |
+ } |
|
| 2598 | 2613 |
|
| 2599 | 2614 |
#if HAVE_JSON |
| 2600 |
- cli_jsonstr(pe_json, "Packer", "WWPack"); |
|
| 2615 |
+ cli_jsonstr(pe_json, "Packer", "WWPack"); |
|
| 2601 | 2616 |
#endif |
| 2602 | 2617 |
|
| 2603 |
- CLI_UNPTEMP("WWPack",(src,packer,exe_sections,0));
|
|
| 2604 |
- CLI_UNPRESULTS("WWPack",(wwunpack((uint8_t *)src, ssize, packer, exe_sections, nsections-1, e_lfanew, ndesc)),0,(src,packer,0));
|
|
| 2605 |
- break; |
|
| 2618 |
+ CLI_UNPTEMP("WWPack",(src,packer,exe_sections,0));
|
|
| 2619 |
+ CLI_UNPRESULTS("WWPack",(wwunpack((uint8_t *)src, ssize, packer, exe_sections, nsections-1, e_lfanew, ndesc)),0,(src,packer,0));
|
|
| 2620 |
+ break; |
|
| 2606 | 2621 |
} |
| 2607 | 2622 |
|
| 2608 | 2623 |
|
| 2609 | 2624 |
/* ASPACK support */ |
| 2610 | 2625 |
while((DCONF & PE_CONF_ASPACK) && ep+58+0x70e < fsize && !memcmp(epbuff,"\x60\xe8\x03\x00\x00\x00\xe9\xeb",8)) {
|
| 2611 |
- char *src; |
|
| 2626 |
+ char *src; |
|
| 2612 | 2627 |
|
| 2613 |
- if(epsize<0x3bf || memcmp(epbuff+0x3b9, "\x68\x00\x00\x00\x00\xc3",6)) break; |
|
| 2614 |
- ssize = 0; |
|
| 2615 |
- for(i=0 ; i< nsections ; i++) |
|
| 2616 |
- if(ssize<exe_sections[i].rva+exe_sections[i].vsz) |
|
| 2617 |
- ssize=exe_sections[i].rva+exe_sections[i].vsz; |
|
| 2618 |
- if(!ssize) break; |
|
| 2628 |
+ if(epsize<0x3bf || memcmp(epbuff+0x3b9, "\x68\x00\x00\x00\x00\xc3",6)) |
|
| 2629 |
+ break; |
|
| 2630 |
+ ssize = 0; |
|
| 2631 |
+ for(i=0 ; i< nsections ; i++) |
|
| 2632 |
+ if(ssize<exe_sections[i].rva+exe_sections[i].vsz) |
|
| 2633 |
+ ssize=exe_sections[i].rva+exe_sections[i].vsz; |
|
| 2634 |
+ |
|
| 2635 |
+ if(!ssize) |
|
| 2636 |
+ break; |
|
| 2619 | 2637 |
|
| 2620 |
- CLI_UNPSIZELIMITS("Aspack", ssize);
|
|
| 2638 |
+ CLI_UNPSIZELIMITS("Aspack", ssize);
|
|
| 2621 | 2639 |
|
| 2622 | 2640 |
if(!(src=(char *)cli_calloc(ssize, sizeof(char)))) {
|
| 2623 |
- free(exe_sections); |
|
| 2624 |
- return CL_EMEM; |
|
| 2625 |
- } |
|
| 2641 |
+ free(exe_sections); |
|
| 2642 |
+ return CL_EMEM; |
|
| 2643 |
+ } |
|
| 2626 | 2644 |
for(i = 0 ; i < (unsigned int)nsections; i++) {
|
| 2627 |
- if(!exe_sections[i].rsz) continue; |
|
| 2628 |
- if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz)) break; |
|
| 2629 |
- if((unsigned int)fmap_readn(map, src+exe_sections[i].rva, exe_sections[i].raw, exe_sections[i].rsz)!=exe_sections[i].rsz) break; |
|
| 2645 |
+ if(!exe_sections[i].rsz) |
|
| 2646 |
+ continue; |
|
| 2647 |
+ |
|
| 2648 |
+ if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz)) |
|
| 2649 |
+ break; |
|
| 2650 |
+ |
|
| 2651 |
+ if((unsigned int)fmap_readn(map, src+exe_sections[i].rva, exe_sections[i].raw, exe_sections[i].rsz)!=exe_sections[i].rsz) |
|
| 2652 |
+ break; |
|
| 2630 | 2653 |
} |
| 2654 |
+ |
|
| 2631 | 2655 |
if(i!=nsections) {
|
| 2632 | 2656 |
cli_dbgmsg("Aspack: Probably hacked/damaged Aspack file.\n");
|
| 2633 | 2657 |
free(src); |
| ... | ... |
@@ -2638,122 +2749,137 @@ int cli_scanpe(cli_ctx *ctx) |
| 2638 | 2638 |
cli_jsonstr(pe_json, "Packer", "Aspack"); |
| 2639 | 2639 |
#endif |
| 2640 | 2640 |
|
| 2641 |
- CLI_UNPTEMP("Aspack",(src,exe_sections,0));
|
|
| 2642 |
- CLI_UNPRESULTS("Aspack",(unaspack212((uint8_t *)src, ssize, exe_sections, nsections, vep-1, EC32(optional_hdr32.ImageBase), ndesc)),1,(src,0));
|
|
| 2643 |
- break; |
|
| 2641 |
+ CLI_UNPTEMP("Aspack",(src,exe_sections,0));
|
|
| 2642 |
+ CLI_UNPRESULTS("Aspack",(unaspack212((uint8_t *)src, ssize, exe_sections, nsections, vep-1, EC32(optional_hdr32.ImageBase), ndesc)),1,(src,0));
|
|
| 2643 |
+ break; |
|
| 2644 | 2644 |
} |
| 2645 | 2645 |
|
| 2646 | 2646 |
/* NsPack */ |
| 2647 | 2647 |
|
| 2648 | 2648 |
while (DCONF & PE_CONF_NSPACK) {
|
| 2649 |
- uint32_t eprva = vep; |
|
| 2650 |
- uint32_t start_of_stuff, rep = ep; |
|
| 2651 |
- unsigned int nowinldr; |
|
| 2652 |
- const char *nbuff; |
|
| 2653 |
- |
|
| 2654 |
- src=epbuff; |
|
| 2655 |
- if (*epbuff=='\xe9') { /* bitched headers */
|
|
| 2656 |
- eprva = cli_readint32(epbuff+1)+vep+5; |
|
| 2657 |
- if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err) break; |
|
| 2658 |
- if (!(nbuff = fmap_need_off_once(map, rep, 24))) break; |
|
| 2659 |
- src = nbuff; |
|
| 2660 |
- } |
|
| 2649 |
+ uint32_t eprva = vep; |
|
| 2650 |
+ uint32_t start_of_stuff, rep = ep; |
|
| 2651 |
+ unsigned int nowinldr; |
|
| 2652 |
+ const char *nbuff; |
|
| 2653 |
+ |
|
| 2654 |
+ src=epbuff; |
|
| 2655 |
+ if (*epbuff=='\xe9') { /* bitched headers */
|
|
| 2656 |
+ eprva = cli_readint32(epbuff+1)+vep+5; |
|
| 2657 |
+ if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err) |
|
| 2658 |
+ break; |
|
| 2661 | 2659 |
|
| 2662 |
- if (memcmp(src, "\x9c\x60\xe8\x00\x00\x00\x00\x5d\xb8\x07\x00\x00\x00", 13)) break; |
|
| 2660 |
+ if (!(nbuff = fmap_need_off_once(map, rep, 24))) |
|
| 2661 |
+ break; |
|
| 2663 | 2662 |
|
| 2664 |
- nowinldr = 0x54-cli_readint32(src+17); |
|
| 2665 |
- cli_dbgmsg("NsPack: Found *start_of_stuff @delta-%x\n", nowinldr);
|
|
| 2663 |
+ src = nbuff; |
|
| 2664 |
+ } |
|
| 2666 | 2665 |
|
| 2667 |
- if(!(nbuff = fmap_need_off_once(map, rep-nowinldr, 4))) break; |
|
| 2668 |
- start_of_stuff=rep+cli_readint32(nbuff); |
|
| 2669 |
- if(!(nbuff = fmap_need_off_once(map, start_of_stuff, 20))) break; |
|
| 2670 |
- src = nbuff; |
|
| 2671 |
- if (!cli_readint32(nbuff)) {
|
|
| 2672 |
- start_of_stuff+=4; /* FIXME: more to do */ |
|
| 2673 |
- src+=4; |
|
| 2674 |
- } |
|
| 2666 |
+ if (memcmp(src, "\x9c\x60\xe8\x00\x00\x00\x00\x5d\xb8\x07\x00\x00\x00", 13)) |
|
| 2667 |
+ break; |
|
| 2675 | 2668 |
|
| 2676 |
- ssize = cli_readint32(src+5)|0xff; |
|
| 2677 |
- dsize = cli_readint32(src+9); |
|
| 2669 |
+ nowinldr = 0x54-cli_readint32(src+17); |
|
| 2670 |
+ cli_dbgmsg("NsPack: Found *start_of_stuff @delta-%x\n", nowinldr);
|
|
| 2678 | 2671 |
|
| 2679 |
- CLI_UNPSIZELIMITS("NsPack", MAX(ssize,dsize));
|
|
| 2672 |
+ if(!(nbuff = fmap_need_off_once(map, rep-nowinldr, 4))) |
|
| 2673 |
+ break; |
|
| 2680 | 2674 |
|
| 2681 |
- if (!ssize || !dsize || dsize != exe_sections[0].vsz) break; |
|
| 2682 |
- if (!(dest=cli_malloc(dsize))) {
|
|
| 2683 |
- cli_errmsg("NsPack: Unable to allocate memory for dest %u\n", dsize);
|
|
| 2684 |
- break; |
|
| 2685 |
- } |
|
| 2686 |
- /* memset(dest, 0xfc, dsize); */ |
|
| 2675 |
+ start_of_stuff=rep+cli_readint32(nbuff); |
|
| 2676 |
+ if(!(nbuff = fmap_need_off_once(map, start_of_stuff, 20))) |
|
| 2677 |
+ break; |
|
| 2687 | 2678 |
|
| 2688 |
- if(!(src = fmap_need_off(map, start_of_stuff, ssize))) {
|
|
| 2689 |
- free(dest); |
|
| 2690 |
- break; |
|
| 2691 |
- } |
|
| 2692 |
- /* memset(src, 0x00, ssize); */ |
|
| 2679 |
+ src = nbuff; |
|
| 2680 |
+ if (!cli_readint32(nbuff)) {
|
|
| 2681 |
+ start_of_stuff+=4; /* FIXME: more to do */ |
|
| 2682 |
+ src+=4; |
|
| 2683 |
+ } |
|
| 2693 | 2684 |
|
| 2694 |
- eprva+=0x27a; |
|
| 2695 |
- if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err) {
|
|
| 2696 |
- free(dest); |
|
| 2697 |
- break; |
|
| 2698 |
- } |
|
| 2699 |
- if(!(nbuff = fmap_need_off_once(map, rep, 5))) {
|
|
| 2700 |
- free(dest); |
|
| 2701 |
- break; |
|
| 2702 |
- } |
|
| 2703 |
- fmap_unneed_off(map, start_of_stuff, ssize); |
|
| 2704 |
- eprva=eprva+5+cli_readint32(nbuff+1); |
|
| 2705 |
- cli_dbgmsg("NsPack: OEP = %08x\n", eprva);
|
|
| 2685 |
+ ssize = cli_readint32(src+5)|0xff; |
|
| 2686 |
+ dsize = cli_readint32(src+9); |
|
| 2687 |
+ |
|
| 2688 |
+ CLI_UNPSIZELIMITS("NsPack", MAX(ssize,dsize));
|
|
| 2689 |
+ |
|
| 2690 |
+ if (!ssize || !dsize || dsize != exe_sections[0].vsz) |
|
| 2691 |
+ break; |
|
| 2692 |
+ |
|
| 2693 |
+ if (!(dest=cli_malloc(dsize))) {
|
|
| 2694 |
+ cli_errmsg("NsPack: Unable to allocate memory for dest %u\n", dsize);
|
|
| 2695 |
+ break; |
|
| 2696 |
+ } |
|
| 2697 |
+ /* memset(dest, 0xfc, dsize); */ |
|
| 2698 |
+ |
|
| 2699 |
+ if(!(src = fmap_need_off(map, start_of_stuff, ssize))) {
|
|
| 2700 |
+ free(dest); |
|
| 2701 |
+ break; |
|
| 2702 |
+ } |
|
| 2703 |
+ /* memset(src, 0x00, ssize); */ |
|
| 2704 |
+ |
|
| 2705 |
+ eprva+=0x27a; |
|
| 2706 |
+ if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err) {
|
|
| 2707 |
+ free(dest); |
|
| 2708 |
+ break; |
|
| 2709 |
+ } |
|
| 2710 |
+ |
|
| 2711 |
+ if(!(nbuff = fmap_need_off_once(map, rep, 5))) {
|
|
| 2712 |
+ free(dest); |
|
| 2713 |
+ break; |
|
| 2714 |
+ } |
|
| 2715 |
+ |
|
| 2716 |
+ fmap_unneed_off(map, start_of_stuff, ssize); |
|
| 2717 |
+ eprva=eprva+5+cli_readint32(nbuff+1); |
|
| 2718 |
+ cli_dbgmsg("NsPack: OEP = %08x\n", eprva);
|
|
| 2706 | 2719 |
|
| 2707 | 2720 |
#if HAVE_JSON |
| 2708 |
- cli_jsonstr(pe_json, "Packer", "NsPack"); |
|
| 2721 |
+ cli_jsonstr(pe_json, "Packer", "NsPack"); |
|
| 2709 | 2722 |
#endif |
| 2710 | 2723 |
|
| 2711 |
- CLI_UNPTEMP("NsPack",(dest,exe_sections,0));
|
|
| 2712 |
- CLI_UNPRESULTS("NsPack",(unspack(src, dest, ctx, exe_sections[0].rva, EC32(optional_hdr32.ImageBase), eprva, ndesc)),0,(dest,0));
|
|
| 2713 |
- break; |
|
| 2724 |
+ CLI_UNPTEMP("NsPack",(dest,exe_sections,0));
|
|
| 2725 |
+ CLI_UNPRESULTS("NsPack",(unspack(src, dest, ctx, exe_sections[0].rva, EC32(optional_hdr32.ImageBase), eprva, ndesc)),0,(dest,0));
|
|
| 2726 |
+ break; |
|
| 2714 | 2727 |
} |
| 2715 | 2728 |
|
| 2716 | 2729 |
/* to be continued ... */ |
| 2717 | 2730 |
|
| 2718 |
- |
|
| 2719 |
- |
|
| 2720 |
- |
|
| 2721 | 2731 |
/* !!!!!!!!!!!!!! PACKERS END HERE !!!!!!!!!!!!!! */ |
| 2722 | 2732 |
ctx->corrupted_input = corrupted_cur; |
| 2723 | 2733 |
|
| 2724 | 2734 |
/* Bytecode BC_PE_UNPACKER hook */ |
| 2725 | 2735 |
bc_ctx = cli_bytecode_context_alloc(); |
| 2726 | 2736 |
if (!bc_ctx) {
|
| 2727 |
- cli_errmsg("cli_scanpe: can't allocate memory for bc_ctx\n");
|
|
| 2728 |
- return CL_EMEM; |
|
| 2737 |
+ cli_errmsg("cli_scanpe: can't allocate memory for bc_ctx\n");
|
|
| 2738 |
+ return CL_EMEM; |
|
| 2729 | 2739 |
} |
| 2740 |
+ |
|
| 2730 | 2741 |
cli_bytecode_context_setpe(bc_ctx, &pedata, exe_sections); |
| 2731 | 2742 |
cli_bytecode_context_setctx(bc_ctx, ctx); |
| 2743 |
+ |
|
| 2732 | 2744 |
ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PE_UNPACKER, map); |
| 2733 | 2745 |
switch (ret) {
|
| 2734 |
- case CL_VIRUS: |
|
| 2735 |
- free(exe_sections); |
|
| 2736 |
- cli_bytecode_context_destroy(bc_ctx); |
|
| 2737 |
- return CL_VIRUS; |
|
| 2738 |
- case CL_SUCCESS: |
|
| 2739 |
- ndesc = cli_bytecode_context_getresult_file(bc_ctx, &tempfile); |
|
| 2740 |
- cli_bytecode_context_destroy(bc_ctx); |
|
| 2741 |
- if (ndesc != -1 && tempfile) {
|
|
| 2742 |
- CLI_UNPRESULTS("bytecode PE hook", 1, 1, (0));
|
|
| 2743 |
- } |
|
| 2744 |
- break; |
|
| 2745 |
- default: |
|
| 2746 |
- cli_bytecode_context_destroy(bc_ctx); |
|
| 2746 |
+ case CL_VIRUS: |
|
| 2747 |
+ free(exe_sections); |
|
| 2748 |
+ cli_bytecode_context_destroy(bc_ctx); |
|
| 2749 |
+ return CL_VIRUS; |
|
| 2750 |
+ case CL_SUCCESS: |
|
| 2751 |
+ ndesc = cli_bytecode_context_getresult_file(bc_ctx, &tempfile); |
|
| 2752 |
+ cli_bytecode_context_destroy(bc_ctx); |
|
| 2753 |
+ if (ndesc != -1 && tempfile) {
|
|
| 2754 |
+ CLI_UNPRESULTS("bytecode PE hook", 1, 1, (0));
|
|
| 2755 |
+ } |
|
| 2756 |
+ |
|
| 2757 |
+ break; |
|
| 2758 |
+ default: |
|
| 2759 |
+ cli_bytecode_context_destroy(bc_ctx); |
|
| 2747 | 2760 |
} |
| 2748 | 2761 |
|
| 2749 | 2762 |
free(exe_sections); |
| 2763 |
+ |
|
| 2750 | 2764 |
#if HAVE_JSON |
| 2751 |
- if (cli_json_timeout_cycle_check(ctx, &toval) != CL_SUCCESS) {
|
|
| 2765 |
+ if (cli_json_timeout_cycle_check(ctx, &toval) != CL_SUCCESS) |
|
| 2752 | 2766 |
return CL_ETIMEOUT; |
| 2753 |
- } |
|
| 2754 | 2767 |
#endif |
| 2768 |
+ |
|
| 2755 | 2769 |
if (SCAN_ALL && viruses_found) |
| 2756 |
- return CL_VIRUS; |
|
| 2770 |
+ return CL_VIRUS; |
|
| 2771 |
+ |
|
| 2757 | 2772 |
return CL_CLEAN; |
| 2758 | 2773 |
} |
| 2759 | 2774 |
|