@@ -1835,12 +1835,43 @@ static int decodehex(const char *hexsig)
1835
1835
static int decodesig(char *sig)
1836
1836
{
1837
1837
char *pt;
1838
- const char *tokens[7];
1839
- int tokens_count;
1838
+ const char *tokens[68];
1839
+ int tokens_count, subsigs, i;
1840
1840
1841
1841
if(strchr(sig, ';')) { /* lsig */
1842
- mprintf("decodesig: Not supported signature format (yet)\n");
1843
- return -1;
1842
+ tokens_count = cli_strtokenize(sig, ';', 67 + 1, (const char **) tokens);
1843
+ if(tokens_count < 4) {
1844
+ mprintf("!decodesig: Invalid or not supported signature format\n");
1845
+ return -1;
1846
+ }
1847
+ mprintf("VIRUS NAME: %s\n", tokens[0]);
1848
+ mprintf("TDB: %s\n", tokens[1]);
1849
+ mprintf("LOGICAL EXPRESSION: %s\n", tokens[2]);
1850
+ subsigs = cli_ac_chklsig(tokens[2], tokens[2] + strlen(tokens[2]), NULL, NULL, NULL, 1);
1851
+ if(subsigs == -1) {
1852
+ mprintf("!decodesig: Broken logical expression\n");
1853
+ return -1;
1854
+ }
1855
+ subsigs++;
1856
+ if(subsigs > 64) {
1857
+ mprintf("!decodesig: Too many subsignatures\n");
1858
+ return -1;
1859
+ }
1860
+ if(subsigs != tokens_count - 3) {
1861
+ mprintf("!decodesig: The number of subsignatures (==%u) doesn't match the IDs in the logical expression (==%u)\n", tokens_count - 3, subsigs);
1862
+ return -1;
1863
+ }
1864
+ for(i = 0; i < subsigs; i++) {
1865
+ mprintf(" * SUBSIG ID %d\n", i);
1866
+ if((pt = strchr(tokens[3 + i], ':'))) {
1867
+ *pt++ = 0;
1868
+ mprintf(" +-> OFFSET: %s\n", pt);
1869
+ } else {
1870
+ mprintf(" +-> OFFSET: ANY\n");
1871
+ }
1872
+ mprintf(" +-> DECODED SUBSIGNATURE:\n");
1873
+ decodehex(tokens[3 + i]);
1874
+ }
1844
1875
} else if(strchr(sig, ':')) { /* ndb */
1845
1876
tokens_count = cli_strtokenize(sig, ':', 6 + 1, tokens);
1846
1877
if(tokens_count < 4 || tokens_count > 6) {
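Review bot: The mismatch message at new line 1861 formats `tokens_count - 3` and `subsigs` with `%u`, but both are `int` (declared at new line 1839), so the conversion specifiers should be `%d`: `mprintf("!decodesig: The number of subsignatures (==%d) doesn't match the IDs in the logical expression (==%d)\n", tokens_count - 3, subsigs);`. In the loop at new line 1873 the `int` result of `decodehex()` is discarded, so a subsignature that `decodehex` rejects is still printed as decoded and the lsig branch carries on without signalling the error; if `decodehex` reports failure with `-1` like the rest of this function, `if(decodehex(tokens[3 + i]) < 0) return -1;` would close that gap. The limits 68, 67 + 1 and 64 are tied together (the token array must hold the 3 header fields plus up to 64 subsignatures) yet appear as unrelated literals, so one named constant, e.g. `MAX_LSIG_SUBSIGS`, with the array size and the `cli_strtokenize` bound derived from it would keep them from drifting apart. decodesig's body continues past the hunk, into the ndb branch.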