git-svn: trunk@2521
aCaB authored on 2006/11/27 07:31:16... | ... |
@@ -794,60 +794,60 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
794 | 794 |
cli_dbgmsg("in kriz\n"); |
795 | 795 |
lseek(desc, ep, SEEK_SET); |
796 | 796 |
if(cli_readn(desc, buff, 200) == 200) { |
797 |
- while (1) { |
|
798 |
- char *krizpos=buff+3; |
|
799 |
- char *krizmov, *krizxor; |
|
800 |
- int krizleft = 200-3; |
|
801 |
- int krizrega,krizregb; |
|
802 |
- |
|
803 |
- if (buff[1]!='\x9c' || buff[2]!='\x60') break; /* EP+1 */ |
|
804 |
- xckriz(&krizpos, &krizleft, 0, 8); |
|
805 |
- if (krizleft < 6 || *krizpos!='\xe8' || krizpos[2] || krizpos[3] || krizpos[4]) break; /* call DELTA */ |
|
806 |
- krizleft-=5+(unsigned char)krizpos[1]; |
|
807 |
- if (krizleft < 2) break; |
|
808 |
- krizpos+=5+(unsigned char)krizpos[1]; |
|
809 |
- if (*krizpos<'\x58' || *krizpos>'\x5f' || *krizpos=='\x5c') break; /* pop DELTA */ |
|
810 |
- krizrega=*krizpos-'\x58'; |
|
811 |
- cli_dbgmsg("kriz: pop delta using %d\n", krizrega); |
|
812 |
- krizpos+=1; |
|
813 |
- krizleft-=1; |
|
814 |
- xckriz(&krizpos, &krizleft, 1, 8); |
|
815 |
- if (krizleft <6 || *krizpos<'\xb8' || *krizpos>'\xbf' || *krizpos=='\xbc' || cli_readint32(krizpos+1)!=0x0fd2) break; |
|
816 |
- krizregb=*krizpos-'\xb8'; |
|
817 |
- if (krizrega==krizregb) break; |
|
818 |
- cli_dbgmsg("kriz: using %d for size\n", krizregb); |
|
819 |
- krizpos+=5; |
|
820 |
- krizleft-=5; |
|
821 |
- krizmov = krizpos; |
|
822 |
- xckriz(&krizpos, &krizleft, 0, 8); |
|
823 |
- krizxor=krizpos; |
|
824 |
- if (krizleft && *krizpos=='\x3e') { |
|
825 |
- /* strip ds: */ |
|
826 |
- krizpos++; |
|
827 |
- krizleft--; |
|
828 |
- } |
|
829 |
- if (krizleft<8 || *krizpos!='\x80' || (char)(krizpos[1]-krizrega)!='\xb0') { |
|
830 |
- cli_dbgmsg("kriz: bogus opcode or register\n"); |
|
831 |
- break; |
|
832 |
- } |
|
833 |
- krizpos+=7; |
|
834 |
- krizleft-=7; |
|
835 |
- xckriz(&krizpos, &krizleft, 0, krizrega); |
|
836 |
- if (! krizleft || (char)(*krizpos-krizrega)!='\x48') break; /* dec delta */ |
|
837 |
- krizpos++; |
|
838 |
- krizleft--; |
|
839 |
- cli_dbgmsg("kriz: dec delta found\n"); |
|
840 |
- xckriz(&krizpos, &krizleft, 0, krizregb); |
|
841 |
- if (krizleft <4 || (char)(*krizpos-krizregb)!='\x48' || krizpos[1]!='\x75') break; /* dec size + jne loop */ |
|
842 |
- if (krizpos+3+(int)krizpos[2]<krizmov || krizpos+3+(int)krizpos[2]>krizxor) { |
|
843 |
- cli_dbgmsg("kriz: jmp back out of range (%d>%d>%d)\n", krizmov-(krizpos+3), (int)krizpos[2], krizxor-(krizpos+3)); |
|
844 |
- break; |
|
845 |
- } |
|
846 |
- *ctx->virname = "Win32.Kriz"; |
|
847 |
- free(section_hdr); |
|
848 |
- free(exe_sections); |
|
849 |
- return CL_VIRUS; |
|
797 |
+ while (1) { |
|
798 |
+ char *krizpos=buff+3; |
|
799 |
+ char *krizmov, *krizxor; |
|
800 |
+ int krizleft = 200-3; |
|
801 |
+ int krizrega,krizregb; |
|
802 |
+ |
|
803 |
+ if (buff[1]!='\x9c' || buff[2]!='\x60') break; /* EP+1 */ |
|
804 |
+ xckriz(&krizpos, &krizleft, 0, 8); |
|
805 |
+ if (krizleft < 6 || *krizpos!='\xe8' || krizpos[2] || krizpos[3] || krizpos[4]) break; /* call DELTA */ |
|
806 |
+ krizleft-=5+(unsigned char)krizpos[1]; |
|
807 |
+ if (krizleft < 2) break; |
|
808 |
+ krizpos+=5+(unsigned char)krizpos[1]; |
|
809 |
+ if (*krizpos<'\x58' || *krizpos>'\x5f' || *krizpos=='\x5c') break; /* pop DELTA */ |
|
810 |
+ krizrega=*krizpos-'\x58'; |
|
811 |
+ cli_dbgmsg("kriz: pop delta using %d\n", krizrega); |
|
812 |
+ krizpos+=1; |
|
813 |
+ krizleft-=1; |
|
814 |
+ xckriz(&krizpos, &krizleft, 1, 8); |
|
815 |
+ if (krizleft <6 || *krizpos<'\xb8' || *krizpos>'\xbf' || *krizpos=='\xbc' || cli_readint32(krizpos+1)!=0x0fd2) break; |
|
816 |
+ krizregb=*krizpos-'\xb8'; |
|
817 |
+ if (krizrega==krizregb) break; |
|
818 |
+ cli_dbgmsg("kriz: using %d for size\n", krizregb); |
|
819 |
+ krizpos+=5; |
|
820 |
+ krizleft-=5; |
|
821 |
+ krizmov = krizpos; |
|
822 |
+ xckriz(&krizpos, &krizleft, 0, 8); |
|
823 |
+ krizxor=krizpos; |
|
824 |
+ if (krizleft && *krizpos=='\x3e') { |
|
825 |
+ /* strip ds: */ |
|
826 |
+ krizpos++; |
|
827 |
+ krizleft--; |
|
828 |
+ } |
|
829 |
+ if (krizleft<8 || *krizpos!='\x80' || (char)(krizpos[1]-krizrega)!='\xb0') { |
|
830 |
+ cli_dbgmsg("kriz: bogus opcode or register\n"); |
|
831 |
+ break; |
|
850 | 832 |
} |
833 |
+ krizpos+=7; |
|
834 |
+ krizleft-=7; |
|
835 |
+ xckriz(&krizpos, &krizleft, 0, krizrega); |
|
836 |
+ if (! krizleft || (char)(*krizpos-krizrega)!='\x48') break; /* dec delta */ |
|
837 |
+ krizpos++; |
|
838 |
+ krizleft--; |
|
839 |
+ cli_dbgmsg("kriz: dec delta found\n"); |
|
840 |
+ xckriz(&krizpos, &krizleft, 0, krizregb); |
|
841 |
+ if (krizleft <4 || (char)(*krizpos-krizregb)!='\x48' || krizpos[1]!='\x75') break; /* dec size + jne loop */ |
|
842 |
+ if (krizpos+3+(int)krizpos[2]<krizmov || krizpos+3+(int)krizpos[2]>krizxor) { |
|
843 |
+ cli_dbgmsg("kriz: jmp back out of range (%d>%d>%d)\n", krizmov-(krizpos+3), (int)krizpos[2], krizxor-(krizpos+3)); |
|
844 |
+ break; |
|
845 |
+ } |
|
846 |
+ *ctx->virname = "Win32.Kriz"; |
|
847 |
+ free(section_hdr); |
|
848 |
+ free(exe_sections); |
|
849 |
+ return CL_VIRUS; |
|
850 |
+ } |
|
851 | 851 |
} |
852 | 852 |
} |
853 | 853 |
|
... | ... |
@@ -855,13 +855,13 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
855 | 855 |
if(SCAN_ALGO && !dll && (EC32(section_hdr[nsections - 1].Characteristics) & 0x80000000)) { |
856 | 856 |
uint32_t rsize, vsize; |
857 | 857 |
|
858 |
- rsize = EC32(section_hdr[nsections - 1].SizeOfRawData); |
|
859 |
- vsize = EC32(section_hdr[nsections - 1].VirtualSize); |
|
858 |
+ rsize = exe_sections[nsections - 1].rsz; |
|
859 |
+ vsize = exe_sections[nsections - 1].vsz; |
|
860 | 860 |
|
861 | 861 |
if(rsize >= 0x612c && vsize >= 0x612c && ((vsize & 0xff) == 0xec)) { |
862 | 862 |
int bw = rsize < 0x7000 ? rsize : 0x7000; |
863 | 863 |
|
864 |
- lseek(desc, EC32(section_hdr[nsections - 1].PointerToRawData) + rsize - bw, SEEK_SET); |
|
864 |
+ lseek(desc, exe_sections[nsections - 1].raw + rsize - bw, SEEK_SET); |
|
865 | 865 |
if(cli_readn(desc, buff, 4096) == 4096) { |
866 | 866 |
if(cli_memstr(buff, 4091, "\xe8\x2c\x61\x00\x00", 5)) { |
867 | 867 |
*ctx->virname = "W32.Magistr.A"; |
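Review bot: The seek target on the new line 864, `exe_sections[nsections - 1].raw + rsize - bw`, is built from header-controlled fields and, assuming `.raw` and `rsize` are 32-bit unsigned, can wrap for a crafted PE, and the `lseek()` result is never checked before `cli_readn()` reads 4096 bytes from wherever the descriptor ended up. The same expression is repeated on the new line 877 in the next hunk. The damage is limited to a mis-positioned bounded read rather than memory corruption, but the detection silently becomes unreliable; widening the arithmetic and gating the read on the seek, e.g. `if(lseek(desc, (off_t)exe_sections[nsections - 1].raw + rsize - bw, SEEK_SET) != (off_t)-1 && cli_readn(desc, buff, 4096) == 4096) {`, would make the failure explicit in both places. The enclosing `if(SCAN_ALGO && !dll ...)` block and cli_scanpe itself continue outside this hunk.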
... | ... |
@@ -874,7 +874,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
874 | 874 |
} else if(rsize >= 0x7000 && vsize >= 0x7000 && ((vsize & 0xff) == 0xed)) { |
875 | 875 |
int bw = rsize < 0x8000 ? rsize : 0x8000; |
876 | 876 |
|
877 |
- lseek(desc, EC32(section_hdr[nsections - 1].PointerToRawData) + rsize - bw, SEEK_SET); |
|
877 |
+ lseek(desc, exe_sections[nsections - 1].raw + rsize - bw, SEEK_SET); |
|
878 | 878 |
if(cli_readn(desc, buff, 4096) == 4096) { |
879 | 879 |
if(cli_memstr(buff, 4091, "\xe8\x04\x72\x00\x00", 5)) { |
880 | 880 |
*ctx->virname = "W32.Magistr.B"; |