... | ... |
@@ -285,7 +285,7 @@ struct cl_engine { |
285 | 285 |
/* hash matcher for MD5 sigs for PE sections */ |
286 | 286 |
struct cli_matcher *hm_mdb; |
287 | 287 |
/* hash matcher for MD5 sigs for PE import tables */ |
288 |
- struct cli_matcher *hm_ith; |
|
288 |
+ struct cli_matcher *hm_imp; |
|
289 | 289 |
/* hash matcher for whitelist db */ |
290 | 290 |
struct cli_matcher *hm_fp; |
291 | 291 |
|
... | ... |
@@ -2340,7 +2340,7 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, uint32_t *itsz, s |
2340 | 2340 |
} |
2341 | 2341 |
|
2342 | 2342 |
static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus) { |
2343 |
- struct cli_matcher *ith = ctx->engine->hm_ith; |
|
2343 |
+ struct cli_matcher *imp = ctx->engine->hm_imp; |
|
2344 | 2344 |
struct pe_image_data_dir *datadir = &(dirs[1]); |
2345 | 2345 |
struct pe_image_import_descriptor *image; |
2346 | 2346 |
fmap_t *map = *ctx->fmap; |
... | ... |
@@ -2435,10 +2435,10 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c |
2435 | 2435 |
free(dstr); |
2436 | 2436 |
} |
2437 | 2437 |
|
2438 |
- if (ith) { |
|
2439 |
- if ((ret = cli_hm_scan(digest, itsz, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS) |
|
2438 |
+ if (imp) { |
|
2439 |
+ if ((ret = cli_hm_scan(digest, itsz, &virname, imp, CLI_HASH_MD5)) == CL_VIRUS) |
|
2440 | 2440 |
cli_append_virus(ctx, virname); |
2441 |
- else if ((ret = cli_hm_scan_wild(digest, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS) |
|
2441 |
+ else if ((ret = cli_hm_scan_wild(digest, &virname, imp, CLI_HASH_MD5)) == CL_VIRUS) |
|
2442 | 2442 |
cli_append_virus(ctx, virname); |
2443 | 2443 |
} |
2444 | 2444 |
|
... | ... |
@@ -3356,9 +3356,9 @@ int cli_scanpe(cli_ctx *ctx) |
3356 | 3356 |
/* Attempt to run scans on import table */ |
3357 | 3357 |
/* Run if there are existing signatures and/or preclassing */ |
3358 | 3358 |
#if HAVE_JSON |
3359 |
- if (DCONF & PE_CONF_IMPTBL && (ctx->engine->hm_ith || ctx->wrkproperty)) { |
|
3359 |
+ if (DCONF & PE_CONF_IMPTBL && (ctx->engine->hm_imp || ctx->wrkproperty)) { |
|
3360 | 3360 |
#else |
3361 |
- if (DCONF & PE_CONF_IMPTBL && ctx->engine->hm_ith) { |
|
3361 |
+ if (DCONF & PE_CONF_IMPTBL && ctx->engine->hm_imp) { |
|
3362 | 3362 |
#endif |
3363 | 3363 |
ret = scan_pe_imptbl(ctx, dirs, exe_sections, nsections, hdr_size, pe_plus); |
3364 | 3364 |
switch (ret) { |
... | ... |
@@ -2380,7 +2380,7 @@ static int cli_loadign(FILE *fs, struct cl_engine *engine, unsigned int options, |
2380 | 2380 |
#define MD5_HDB 0 |
2381 | 2381 |
#define MD5_MDB 1 |
2382 | 2382 |
#define MD5_FP 2 |
2383 |
-#define MD5_ITH 3 |
|
2383 |
+#define MD5_IMP 3 |
|
2384 | 2384 |
|
2385 | 2385 |
#define MD5_TOKENS 5 |
2386 | 2386 |
static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int mode, unsigned int options, struct cli_dbio *dbio, const char *dbname) |
... | ... |
@@ -2401,8 +2401,8 @@ static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo, |
2401 | 2401 |
db = engine->hm_mdb; |
2402 | 2402 |
} else if(mode == MD5_HDB) |
2403 | 2403 |
db = engine->hm_hdb; |
2404 |
- else if(mode == MD5_ITH) |
|
2405 |
- db = engine->hm_ith; |
|
2404 |
+ else if(mode == MD5_IMP) |
|
2405 |
+ db = engine->hm_imp; |
|
2406 | 2406 |
else |
2407 | 2407 |
db = engine->hm_fp; |
2408 | 2408 |
|
... | ... |
@@ -2416,8 +2416,8 @@ static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo, |
2416 | 2416 |
engine->hm_hdb = db; |
2417 | 2417 |
else if(mode == MD5_MDB) |
2418 | 2418 |
engine->hm_mdb = db; |
2419 |
- else if(mode == MD5_ITH) |
|
2420 |
- engine->hm_ith = db; |
|
2419 |
+ else if(mode == MD5_IMP) |
|
2420 |
+ engine->hm_imp = db; |
|
2421 | 2421 |
else |
2422 | 2422 |
engine->hm_fp = db; |
2423 | 2423 |
} |
... | ... |
@@ -4285,8 +4285,8 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo |
4285 | 4285 |
ret = cli_loadhash(fs, engine, signo, MD5_FP, options, dbio, dbname); |
4286 | 4286 |
} else if(cli_strbcasestr(dbname, ".mdb") || cli_strbcasestr(dbname, ".msb")) { |
4287 | 4287 |
ret = cli_loadhash(fs, engine, signo, MD5_MDB, options, dbio, dbname); |
4288 |
- } else if(cli_strbcasestr(dbname, ".ith")) { |
|
4289 |
- ret = cli_loadhash(fs, engine, signo, MD5_ITH, options, dbio, dbname); |
|
4288 |
+ } else if(cli_strbcasestr(dbname, ".imp")) { |
|
4289 |
+ ret = cli_loadhash(fs, engine, signo, MD5_IMP, options, dbio, dbname); |
|
4290 | 4290 |
|
4291 | 4291 |
} else if(cli_strbcasestr(dbname, ".mdu") || cli_strbcasestr(dbname, ".msu")) { |
4292 | 4292 |
if(options & CL_DB_PUA) |
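Review bot: Replacing `.ith` with `.imp` in the cli_load suffix dispatch means an existing `.ith` database file is no longer matched by this branch and falls through to whatever cli_load does for unknown names, which the hunk does not show; whether that matters depends on whether `.ith` files were ever distributed, which I cannot tell from the diff. If they were, accepting both suffixes during a transition, `} else if(cli_strbcasestr(dbname, ".imp") || cli_strbcasestr(dbname, ".ith")) {`, keeps them loading, since the rest of the path (`MD5_IMP`, `engine->hm_imp`) is unchanged. The same suffix-only recognition is repeated in the sigtool listdir and listdb hunks below. cli_load begins and ends outside the hunk.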
... | ... |
@@ -111,6 +111,7 @@ const struct clam_option __clam_options[] = { |
111 | 111 |
{ NULL, "sha1", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_SIGTOOL, "", "" }, |
112 | 112 |
{ NULL, "sha256", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_SIGTOOL, "", "" }, |
113 | 113 |
{ NULL, "mdb", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_SIGTOOL, "", "" }, |
114 |
+ { NULL, "imp", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_SIGTOOL, "", "" }, |
|
114 | 115 |
{ NULL, "print-certs", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_SIGTOOL, "", "" }, |
115 | 116 |
{ NULL, "html-normalise", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_SIGTOOL, "", "" }, |
116 | 117 |
{ NULL, "ascii-normalise", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_SIGTOOL, "", "" }, |
... | ... |
@@ -118,6 +118,7 @@ static const struct dblist_s { |
118 | 118 |
{ "wdb", 0 }, |
119 | 119 |
{ "crb", 1 }, |
120 | 120 |
{ "cdb", 1 }, |
121 |
+ { "imp", 1 }, |
|
121 | 122 |
|
122 | 123 |
{ NULL, 0 } |
123 | 124 |
}; |
... | ... |
@@ -1415,7 +1416,8 @@ static int listdir(const char *dirname, const regex_t *regex) |
1415 | 1415 |
cli_strbcasestr(dent->d_name, ".cbc") || |
1416 | 1416 |
cli_strbcasestr(dent->d_name, ".cld") || |
1417 | 1417 |
cli_strbcasestr(dent->d_name, ".cvd") || |
1418 |
- cli_strbcasestr(dent->d_name, ".crb"))) { |
|
1418 |
+ cli_strbcasestr(dent->d_name, ".crb") || |
|
1419 |
+ cli_strbcasestr(dent->d_name, ".imp"))) { |
|
1419 | 1420 |
|
1420 | 1421 |
dbfile = (char *) malloc(strlen(dent->d_name) + strlen(dirname) + 2); |
1421 | 1422 |
if(!dbfile) { |
... | ... |
@@ -1559,7 +1561,7 @@ static int listdb(const char *filename, const regex_t *regex) |
1559 | 1559 |
line++; |
1560 | 1560 |
mprintf("%s\n", buffer); |
1561 | 1561 |
} |
1562 |
- } else if(cli_strbcasestr(filename, ".hdb") || cli_strbcasestr(filename, ".hdu") || cli_strbcasestr(filename, ".mdb") || cli_strbcasestr(filename, ".mdu") || cli_strbcasestr(filename, ".hsb") || cli_strbcasestr(filename, ".hsu") || cli_strbcasestr(filename, ".msb") || cli_strbcasestr(filename, ".msu")) { /* hash database */ |
|
1562 |
+ } else if(cli_strbcasestr(filename, ".hdb") || cli_strbcasestr(filename, ".hdu") || cli_strbcasestr(filename, ".mdb") || cli_strbcasestr(filename, ".mdu") || cli_strbcasestr(filename, ".hsb") || cli_strbcasestr(filename, ".hsu") || cli_strbcasestr(filename, ".msb") || cli_strbcasestr(filename, ".msu") || cli_strbcasestr(filename, ".imp")) { /* hash database */ |
|
1563 | 1563 |
|
1564 | 1564 |
while(fgets(buffer, FILEBUFF, fh)) { |
1565 | 1565 |
cli_chomp(buffer); |
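Review bot: The rewritten `else if` in listdb now chains nine `cli_strbcasestr` calls on a single line, which is exactly where the next suffix will be appended and where a dropped `||` or mismatched parenthesis is hardest to see; the listdir hunk in the same file already writes the equivalent test one suffix per line, and this condition would read better in the same shape. A `static const char *` table of hash-database suffixes walked in a small loop would also let listdir, listdb and the `/* hash database */` branch share one list instead of three hand-maintained copies. listdb starts outside the hunk.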
... | ... |
@@ -3490,7 +3492,8 @@ static void help(void) |
3490 | 3490 |
mprintf(" or SHA1 sigs for FILES\n"); |
3491 | 3491 |
mprintf(" --sha256 [FILES] generate SHA256 checksum from stdin\n"); |
3492 | 3492 |
mprintf(" or SHA256 sigs for FILES\n"); |
3493 |
- mprintf(" --mdb [FILES] generate .mdb sigs\n"); |
|
3493 |
+ mprintf(" --mdb [FILES] generate .mdb (section hash) sigs\n"); |
|
3494 |
+ mprintf(" --imp [FILES] generate .imp (import table hash) sigs\n"); |
|
3494 | 3495 |
mprintf(" --html-normalise=FILE create normalised parts of HTML file\n"); |
3495 | 3496 |
mprintf(" --ascii-normalise=FILE create normalised text file from ascii source\n"); |
3496 | 3497 |
mprintf(" --utf16-decode=FILE decode UTF16 encoded files\n"); |
... | ... |
@@ -3585,6 +3588,8 @@ int main(int argc, char **argv) |
3585 | 3585 |
ret = hashsig(opts, 0, 3); |
3586 | 3586 |
else if(optget(opts, "mdb")->enabled) |
3587 | 3587 |
ret = hashsig(opts, 1, 1); |
3588 |
+ else if(optget(opts, "imp")->enabled) |
|
3589 |
+ ret = hashsig(opts, 2, 1); |
|
3588 | 3590 |
else if(optget(opts, "html-normalise")->enabled) |
3589 | 3591 |
ret = htmlnorm(opts); |
3590 | 3592 |
else if(optget(opts, "ascii-normalise")->enabled) |
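Review bot: `hashsig(opts, 2, 1)` passes a new value for hashsig's first argument and nothing in the diff shows hashsig accepting it; if its dispatch only knows the existing 0 and 1 cases, `--imp` would silently produce the wrong kind of signature. Confirm hashsig maps 2 to the import-table digest and that the `.imp` lines it emits are what cli_loadhash's `MD5_IMP` path parses. The two magic arguments are opaque at the call site; a short comment in the style of `ret = hashsig(opts, 2, 1); /* import-table hash, MD5 -- confirm against hashsig's parameter names */` would help, consistent with whatever the neighbouring `(0, 3)` and `(1, 1)` calls select. main continues outside the hunk.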