GitList

Browse code

MEW code cleanup, now using sanitized values, removed unused variables, removed swear. MEW merge complete!

git-svn: trunk@2613

aCaB authored on 2007/01/13 06:06:08
Showing 4 changed files

clamav-devel/ChangeLog index 342d805..5af7a37 100644
clamav-devel/libclamav/mew.c index 2871677..e03ab43 100644
clamav-devel/libclamav/mew.h index 9c2994e..5d5f403 100644
clamav-devel/libclamav/pe.c index e727c45..2eb6e45 100644

@@ -1,3 +1,7 @@
                     +Fri Jan 12 22:03:53 CET 2007 (acab)
                     +-----------------------------------
                     +  * libclamav/mew: Cleanup. Now fully merged.
+                    +
                      Fri Jan 12 21:20:00 CET 2007 (acab)
                      -----------------------------------
                        * libclamav: Fix for cli_rebuildpe call in mew unpacker.

clamav-devel/libclamav/mew.c

History View file @ 91ad933

@@ -335,7 +335,8 @@ uint32_t lzma_48631a (struct lzmastate *p, char **old_ecx, uint32_t *old_edx, ui
                      	return 0;
+                     }
                     -int mew_lzma(struct pe_image_section_hdr *section_hdr, char *orgsource, char *buf, uint32_t size_sum, uint32_t vma, uint32_t special)
                     +//int mew_lzma(struct pe_image_section_hdr *section_hdr, char *orgsource, char *buf, uint32_t size_sum, uint32_t vma, uint32_t special)
                     +int mew_lzma(char *orgsource, char *buf, uint32_t size_sum, uint32_t vma, uint32_t special)
+                     {
                      	uint32_t var08, var0C, var10, var14, var18, var20, var24, var28, var34;
                      	struct lzmastate var40;
@@ -761,7 +762,8 @@ uint32_t lzma_upack_esi_54(struct lzmastate *p, uint32_t old_eax, uint32_t *old_
+                     }
                     -int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc)
                     +//int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc)
                     +int unmew11(int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc)
+                     {
                      	uint32_t entry_point, newedi, loc_ds=dsize, loc_ss=ssize;
                      	char *source = src + dsize + off; /*EC32(section_hdr[sectnum].VirtualSize) + off;*/
@@ -771,10 +773,7 @@ int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, in
                      	struct cli_exe_section *section = NULL;
                      	uint32_t vma = base + vadd, size_sum = ssize + dsize;
                     -	entry_point  = cli_readint32(source + 4); /* 2vGiM: ate these safe enough?
                     -						   * yup, if (EC32(section_hdr[i + 1].SizeOfRawData) < ...
                     -						   * ~line #879 in pe.c
                     -						   */
                     +	entry_point  = cli_readint32(source + 4);
                      	newedi = cli_readint32(source + 8);
                      	ledi = src + (newedi - vma);
@@ -846,13 +845,14 @@ int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, in
                      			free(section);
                      			return -1;
+                     		}
                     -		if(mew_lzma(&(section_hdr[sectnum]), src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50'))
                     +		//		if(mew_lzma(&(section_hdr[sectnum]), src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50'))
                     +		if(mew_lzma(src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50'))
+                     		{
                      			free(section);
                      			return -1;
+                     		}
                      		loc_ds >>= 12; loc_ds <<= 12; loc_ds += 0x1000;
                     -		/* I have EP but no section's information, so I weren't sure what to do with that */ /* 2vGiM: sounds fair */
+                    +
                      		section = cli_calloc(1, sizeof(struct cli_exe_section));
                      		section[0].raw = 0; section[0].rva = vadd;
                      		section[0].rsz = section[0].vsz = dsize;

clamav-devel/libclamav/mew.h

History View file @ 91ad933

@@ -30,12 +30,14 @@ struct lzmastate {
                      	uint32_t p1, p2;
                      };
                     -int mew_lzma(struct pe_image_section_hdr *, char *, char *, uint32_t, uint32_t, uint32_t);
                     +//int mew_lzma(struct pe_image_section_hdr *, char *, char *, uint32_t, uint32_t, uint32_t);
                     +int mew_lzma(char *, char *, uint32_t, uint32_t, uint32_t);
                      uint32_t lzma_upack_esi_00(struct lzmastate *, char *, char *, uint32_t);
                      uint32_t lzma_upack_esi_50(struct lzmastate *, uint32_t, uint32_t, char **, char *, uint32_t *, char *, uint32_t);
                      uint32_t lzma_upack_esi_54(struct lzmastate *, uint32_t, uint32_t *, char **, uint32_t *, char *, uint32_t);
                     -int unmew11(struct pe_image_section_hdr *, int, char *, int, int, int, uint32_t, uint32_t, int, char **, char **, int);
                     +//int unmew11(struct pe_image_section_hdr *, int, char *, int, int, int, uint32_t, uint32_t, int, char **, char **, int);
                     +int unmew11(int, char *, int, int, int, uint32_t, uint32_t, int, char **, char **, int);
                      #endif
                      #endif

clamav-devel/libclamav/pe.c

History View file @ 91ad933

@@ -1097,6 +1097,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
                      	if(lseek(desc, ep, SEEK_SET) == -1) {
                      	    cli_dbgmsg("MEW: lseek() failed\n");
                      	    free(section_hdr);
                     +	    free(exe_sections);
                      	    return CL_EIO;
+                     	}
@@ -1104,6 +1105,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
                      	    cli_dbgmsg("MEW: Can't read at least 16 bytes at 0x%x (%d) %d\n", ep, ep, bytes);
                      	    cli_dbgmsg("MEW: Broken or not compressed file\n");
                                  free(section_hdr);
                     +	    free(exe_sections);
                      	    return CL_CLEAN;
+                     	}
@@ -1119,6 +1121,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
                      		if(lseek(desc, fileoffset, SEEK_SET) == -1) {
                      		    cli_dbgmsg("MEW: lseek() failed\n");
                      		    free(section_hdr);
                     +		    free(exe_sections);
                      		    return CL_EIO;
+                     		}
@@ -1133,25 +1136,27 @@ int cli_scanpe(int desc, cli_ctx *ctx)
                      		    cli_dbgmsg("MEW: Win9x compatibility was NOT set!\n");
                      		/* is it always 0x1C and 0x21C or not */
                     -		if((offdiff = cli_readint32(buff+1) - EC32(optional_hdr32.ImageBase)) <= EC32(section_hdr[i + 1].VirtualAddress) || offdiff >= EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData) - 4)
                     +		if((offdiff = cli_readint32(buff+1) - EC32(optional_hdr32.ImageBase)) <= exe_sections[i + 1].rva || offdiff >= exe_sections[i + 1].rva + exe_sections[i + 1].raw - 4)
+                     		{
                      		    cli_dbgmsg("MEW: ESI is not in proper section\n");
                      		    break;
+                     		}
                     -		offdiff -= EC32(section_hdr[i + 1].VirtualAddress);
                     +		offdiff -= exe_sections[i + 1].rva;
                     -		if(lseek(desc, EC32(section_hdr[i + 1].PointerToRawData), SEEK_SET) == -1) {
                     +		if(lseek(desc, exe_sections[i + 1].raw, SEEK_SET) == -1) {
                      		    cli_dbgmsg("MEW: lseek() failed\n"); /* ACAB: lseek won't fail here but checking doesn't hurt even */
                      		    free(section_hdr);
                     +		    free(exe_sections);
                      		    return CL_EIO;
+                     		}
                     -		ssize = EC32(section_hdr[i + 1].VirtualSize);
                     -		dsize = EC32(section_hdr[i].VirtualSize);
                     +		ssize = exe_sections[i + 1].vsz;
                     +		dsize = exe_sections[i].vsz;
                      		cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x\n", ssize, dsize, offdiff);
                     -		if(ctx->limits && ctx->limits->maxfilesize && (ssize + dsize > ctx->limits->maxfilesize || EC32(section_hdr[i + 1].SizeOfRawData) > ctx->limits->maxfilesize)) {
                     +		if(ctx->limits && ctx->limits->maxfilesize && (ssize + dsize > ctx->limits->maxfilesize || exe_sections[i + 1].rsz > ctx->limits->maxfilesize)) {
                      		    cli_dbgmsg("MEW: Sizes exceeded (ssize: %u, dsize: %u, max: %lu)\n", ssize, dsize , ctx->limits->maxfilesize);
                      		    free(section_hdr);
                     +		    free(exe_sections);
                      		    if(BLOCKMAX) {
                      			*ctx->virname = "PE.MEW.ExceededFileSize";
                      			return CL_VIRUS;
@@ -1163,20 +1168,21 @@ int cli_scanpe(int desc, cli_ctx *ctx)
                      		/* allocate needed buffer */
                      		if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) {
                      		    free(section_hdr);
                     +		    free(exe_sections);
                      		    return CL_EMEM;
+                     		}
                     -		cli_dbgmsg ("MY FUCKING src IS AT %x\n", src);
                     -		if (EC32(section_hdr[i + 1].SizeOfRawData) < offdiff + 12 || EC32(section_hdr[i + 1].SizeOfRawData) > ssize)
                     +		if (exe_sections[i + 1].rsz < offdiff + 12 || exe_sections[i + 1].rsz > ssize)
+                     		{
                     -		    cli_dbgmsg("MEW: Size mismatch: %08x\n", EC32(section_hdr[i + 1].SizeOfRawData));
                     +		    cli_dbgmsg("MEW: Size mismatch: %08x\n", exe_sections[i + 1].rsz);
                      		    free(src);
                      		    break;
+                     		}
                     -		if((bytes = read(desc, src + dsize, EC32(section_hdr[i + 1].SizeOfRawData))) != EC32(section_hdr[i + 1].SizeOfRawData)) {
                     -		    cli_dbgmsg("MEW: Can't read %d bytes [readed: %d]\n", EC32(section_hdr[i + 1].SizeOfRawData), bytes);
                     +		if((bytes = read(desc, src + dsize, exe_sections[i + 1].rsz)) != exe_sections[i + 1].rsz) {
                     +		    cli_dbgmsg("MEW: Can't read %d bytes [readed: %d]\n", exe_sections[i + 1].rsz, bytes);
                      		    free(section_hdr);
                     +		    free(exe_sections);
                      		    free(src);
                      		    return CL_EIO;
+                     		}
@@ -1184,18 +1190,19 @@ int cli_scanpe(int desc, cli_ctx *ctx)
                      		/* count offset to lzma proc, if lzma used, 0xe8 -> call */
                      		if (buff[0x7b] == '\xe8')
+                     		{
                     -		    if (!CLI_ISCONTAINED(EC32(section_hdr[1].VirtualAddress), EC32(section_hdr[1].VirtualSize), cli_readint32(buff + 0x7c) + fileoffset + 0x80, 4))
                     +		    if (!CLI_ISCONTAINED(exe_sections[1].rva, exe_sections[1].vsz, cli_readint32(buff + 0x7c) + fileoffset + 0x80, 4))
+                     		    {
                      			cli_dbgmsg("MEW: lzma proc out of bounds!\n");
                      			free(src);
                      			break; /* to next unpacker in chain */
+                     		    }
                     -		    uselzma = cli_readint32(buff + 0x7c) - (EC32(section_hdr[0].VirtualAddress) - fileoffset - 0x80);
                     +		    uselzma = cli_readint32(buff + 0x7c) - (exe_sections[0].rva - fileoffset - 0x80);
                      		} else
                      		    uselzma = 0;
                      		if(!(tempfile = cli_gentemp(NULL))) {
                      		    free(section_hdr);
                     +		    free(exe_sections);
                      		    free(src);
                      		    return CL_EMEM;
+                     		}
@@ -1203,11 +1210,12 @@ int cli_scanpe(int desc, cli_ctx *ctx)
                      		    cli_dbgmsg("MEW: Can't create file %s\n", tempfile);
                      		    free(tempfile);
                      		    free(section_hdr);
                     +		    free(exe_sections);
                      		    free(src);
                      		    return CL_EIO;
+                     		}
                      		dest = src;
                     -		switch(unmew11(section_hdr, i, src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), EC32(section_hdr[0].VirtualAddress), uselzma, NULL, NULL, ndesc)) {
                     +		switch(unmew11(i, src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, uselzma, NULL, NULL, ndesc)) {
                      		    case 1: /* Everything OK */
                      			cli_dbgmsg("MEW: Unpacked and rebuilt executable saved in %s\n", tempfile);
                      			free(src);
@@ -1217,6 +1225,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
                      			cli_dbgmsg("***** Scanning rebuilt PE file *****\n");
                      			if(cli_magic_scandesc(ndesc, ctx) == CL_VIRUS) {
                      			    free(section_hdr);
                     +			    free(exe_sections);
                      			    close(ndesc);
                      			    if(!cli_leavetemps_flag)
                      				unlink(tempfile);
@@ -1228,6 +1237,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
                      			    unlink(tempfile);
                      			free(tempfile);
                      			free(section_hdr);
                     +			free(exe_sections);
                      			return CL_CLEAN;
                      		    default: /* Everything gone wrong */
                      			cli_dbgmsg("MEW: Unpacking failed\n");