@@ -284,6 +284,8 @@ struct cl_engine { |
284 | 284 |
struct cli_matcher *hm_hdb; |
285 | 285 |
/* hash matcher for MD5 sigs for PE sections */ |
286 | 286 |
struct cli_matcher *hm_mdb; |
287 |
+ /* hash matcher for MD5 sigs for PE import tables */ |
|
288 |
+ struct cli_matcher *hm_ith; |
|
287 | 289 |
/* hash matcher for whitelist db */ |
288 | 290 |
struct cli_matcher *hm_fp; |
289 | 291 |
|
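Review bot: The new hm_ith field gets no lifecycle handling in any hunk shown here: nothing visible in this commit initializes it in the engine constructor or releases it in cl_engine_free, so unless that is done in a part of the change not shown, the matcher built by cli_loadhash is never freed at teardown, and the scan-side `if (ith && ...)` guard in scan_pe_imptbl relies on the engine struct being zero-allocated so that hm_ith is NULL when no .ith file is loaded. The sibling hm_hdb/hm_mdb/hm_fp fields presumably have that handling, and hm_ith needs the same. It would help to state the contract in the field comment, e.g. `/* hash matcher for MD5 sigs for PE import tables (.ith); NULL until a .ith db is loaded, to be released in cl_engine_free alongside the other hm_* matchers */`. The struct cl_engine definition starts and ends outside this hunk.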
@@ -2354,12 +2354,13 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i |
2354 | 2354 |
} |
2355 | 2355 |
|
2356 | 2356 |
static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus) { |
2357 |
+ struct cli_matcher *ith = ctx->engine->hm_ith; |
|
2357 | 2358 |
struct pe_image_data_dir *datadir = &(dirs[1]); |
2358 | 2359 |
struct pe_image_import_descriptor *image; |
2359 | 2360 |
fmap_t *map = *ctx->fmap; |
2360 | 2361 |
size_t left, fsize = map->len; |
2361 | 2362 |
uint32_t impoff, offset; |
2362 |
- const char *impdes, *buffer; |
|
2363 |
+ const char *impdes, *buffer, *virname; |
|
2363 | 2364 |
void *md5ctx; |
2364 | 2365 |
uint8_t digest[16] = {0}; |
2365 | 2366 |
char *dstr; |
@@ -2420,7 +2421,7 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
2420 | 2420 |
/* JSON TOMFOOLERY */ |
2421 | 2421 |
} |
2422 | 2422 |
|
2423 |
- /* DLL function handling - inline function */ |
|
2423 |
+ /* DLL function handling - inline function TODO - dconf this */ |
|
2424 | 2424 |
ret = scan_pe_impfuncs(ctx, md5ctx, image, dllname, exe_sections, nsections, hdr_size, pe_plus, &first); |
2425 | 2425 |
if (dllname) |
2426 | 2426 |
free(dllname); |
@@ -2437,12 +2438,16 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
2437 | 2437 |
/* send off for md5 comparison - use ret */ |
2438 | 2438 |
cl_finish_hash(md5ctx, digest); |
2439 | 2439 |
dstr = cli_str2hex(digest, sizeof(digest)); |
2440 |
- cli_errmsg("IMPHASH: %s\n", (char *)dstr); |
|
2440 |
+ cli_dbgmsg("IMPHASH: %s\n", (char *)dstr); |
|
2441 | 2441 |
#if HAVE_JSON |
2442 | 2442 |
if (ctx->wrkproperty) |
2443 | 2443 |
cli_jsonstr(ctx->wrkproperty, "Imphash", dstr); |
2444 | 2444 |
#endif |
2445 | 2445 |
free(dstr); |
2446 |
+ |
|
2447 |
+ if (ith && (ret = cli_hm_scan_wild(digest, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS) |
|
2448 |
+ cli_append_virus(ctx, virname); |
|
2449 |
+ |
|
2446 | 2450 |
return ret; |
2447 | 2451 |
} |
2448 | 2452 |
|
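Review bot: The added `if (ith && (ret = cli_hm_scan_wild(...)) == CL_VIRUS)` overwrites `ret`, which the comment at 2437 ("use ret") says still carries the status of the scan_pe_impfuncs call, so whenever a .ith database is loaded any non-clean status from that call is silently replaced and the function's return now depends on which databases happen to be loaded (unless the lines between 2426 and 2437, outside this hunk, already bail out on a non-success ret). The result of `cli_append_virus` is also discarded; if it follows the engine's allmatch convention of returning CL_CLEAN to keep scanning, the caller never sees that. Keeping the hash result in its own variable and folding it in only when it is not clean avoids both, e.g. declare `int hret;` with the locals at 2363 and write `if (ith && (hret = cli_hm_scan_wild(digest, &virname, ith, CLI_HASH_MD5)) != CL_CLEAN)` followed by `ret = (hret == CL_VIRUS) ? cli_append_virus(ctx, virname) : hret;` (assuming CL_CLEAN is the no-match value cli_hm_scan_wild returns). `virname` is declared uninitialized at 2363 and read only on the CL_VIRUS path, which is fine provided cli_hm_scan_wild always sets it before returning CL_VIRUS. scan_pe_imptbl's body begins outside this hunk.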
@@ -3367,7 +3372,6 @@ int cli_scanpe(cli_ctx *ctx) |
3367 | 3367 |
/* intentional fall-through */ |
3368 | 3368 |
case CL_BREAK: |
3369 | 3369 |
free(exe_sections); |
3370 |
- cli_bytecode_context_destroy(bc_ctx); |
|
3371 | 3370 |
return ret == CL_VIRUS ? CL_VIRUS : CL_CLEAN; |
3372 | 3371 |
} |
3373 | 3372 |
/* Attempt to detect some popular polymorphic viruses */ |
@@ -2380,6 +2380,7 @@ static int cli_loadign(FILE *fs, struct cl_engine *engine, unsigned int options, |
2380 | 2380 |
#define MD5_HDB 0 |
2381 | 2381 |
#define MD5_MDB 1 |
2382 | 2382 |
#define MD5_FP 2 |
2383 |
+#define MD5_ITH 3 |
|
2383 | 2384 |
|
2384 | 2385 |
#define MD5_TOKENS 5 |
2385 | 2386 |
static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int mode, unsigned int options, struct cli_dbio *dbio, const char *dbname) |
@@ -2400,6 +2401,8 @@ static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo, |
2400 | 2400 |
db = engine->hm_mdb; |
2401 | 2401 |
} else if(mode == MD5_HDB) |
2402 | 2402 |
db = engine->hm_hdb; |
2403 |
+ else if(mode == MD5_ITH) |
|
2404 |
+ db = engine->hm_ith; |
|
2403 | 2405 |
else |
2404 | 2406 |
db = engine->hm_fp; |
2405 | 2407 |
|
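Review bot: cli_loadhash is reused unchanged for MD5_ITH, so a .ith entry's size token is parsed exactly like an .hdb/.mdb one, yet the only consumer this commit adds queries the table through cli_hm_scan_wild; if that lookup, as its name suggests, consults only size-wildcard entries, a .ith line carrying a numeric size loads successfully but can never match, which is a silent signature failure rather than a load-time error. Either reject a non-`*` size when `mode == MD5_ITH` where the tokens are validated (that part of cli_loadhash lies outside this hunk), or at minimum document the format at the define, e.g. `#define MD5_ITH 3 /* PE import-table (imphash) MD5; size field must be '*' */`. The .ith dispatch in cli_load also only routes MD5, consistent with the 16-byte digest in scan_pe_imptbl, so the comment should say so to avoid someone adding an .isb spelling without the matching hash type.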
@@ -2413,6 +2416,8 @@ static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo, |
2413 | 2413 |
engine->hm_hdb = db; |
2414 | 2414 |
else if(mode == MD5_MDB) |
2415 | 2415 |
engine->hm_mdb = db; |
2416 |
+ else if(mode == MD5_ITH) |
|
2417 |
+ engine->hm_ith = db; |
|
2416 | 2418 |
else |
2417 | 2419 |
engine->hm_fp = db; |
2418 | 2420 |
} |
@@ -4280,6 +4285,8 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo |
4280 | 4280 |
ret = cli_loadhash(fs, engine, signo, MD5_FP, options, dbio, dbname); |
4281 | 4281 |
} else if(cli_strbcasestr(dbname, ".mdb") || cli_strbcasestr(dbname, ".msb")) { |
4282 | 4282 |
ret = cli_loadhash(fs, engine, signo, MD5_MDB, options, dbio, dbname); |
4283 |
+ } else if(cli_strbcasestr(dbname, ".ith")) { |
|
4284 |
+ ret = cli_loadhash(fs, engine, signo, MD5_ITH, options, dbio, dbname); |
|
4283 | 4285 |
|
4284 | 4286 |
} else if(cli_strbcasestr(dbname, ".mdu") || cli_strbcasestr(dbname, ".msu")) { |
4285 | 4287 |
if(options & CL_DB_PUA) |