@@ -686,89 +686,93 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc |
686 | 686 |
return ret; |
687 | 687 |
} |
688 | 688 |
|
689 |
-int cli_lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash) |
|
689 |
+static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid) |
|
690 | 690 |
{ |
691 |
- unsigned int i, evalcnt; |
|
692 |
- uint64_t evalids; |
|
693 |
- fmap_t *map = *ctx->fmap; |
|
694 |
- unsigned int viruses_found = 0; |
|
691 |
+ unsigned evalcnt = 0; |
|
692 |
+ uint64_t evalids = 0; |
|
693 |
+ fmap_t *map = *ctx->fmap; |
|
694 |
+ struct cli_ac_lsig *ac_lsig = root->ac_lsigtable[lsid]; |
|
695 |
+ char * exp = ac_lsig->u.logic; |
|
696 |
+ char* exp_end = exp + strlen(exp); |
|
695 | 697 |
|
696 |
- for(i = 0; i < root->ac_lsigs; i++) { |
|
697 |
- evalcnt = 0; |
|
698 |
- evalids = 0; |
|
699 |
- cli_ac_chkmacro(root, acdata, i); |
|
700 |
- //TODO - handle CLI_NORMAL_YARA lsigs here |
|
701 |
- if(cli_ac_chklsig(root->ac_lsigtable[i]->u.logic, root->ac_lsigtable[i]->u.logic + strlen(root->ac_lsigtable[i]->u.logic), acdata->lsigcnt[i], &evalcnt, &evalids, 0) == 1) { |
|
702 |
- if(root->ac_lsigtable[i]->tdb.container && root->ac_lsigtable[i]->tdb.container[0] != ctx->container_type) |
|
703 |
- continue; |
|
704 |
- if(root->ac_lsigtable[i]->tdb.filesize && (root->ac_lsigtable[i]->tdb.filesize[0] > map->len || root->ac_lsigtable[i]->tdb.filesize[1] < map->len)) |
|
705 |
- continue; |
|
706 |
- |
|
707 |
- if(root->ac_lsigtable[i]->tdb.ep || root->ac_lsigtable[i]->tdb.nos) { |
|
708 |
- if(!target_info || target_info->status != 1) |
|
709 |
- continue; |
|
710 |
- if(root->ac_lsigtable[i]->tdb.ep && (root->ac_lsigtable[i]->tdb.ep[0] > target_info->exeinfo.ep || root->ac_lsigtable[i]->tdb.ep[1] < target_info->exeinfo.ep)) |
|
711 |
- continue; |
|
712 |
- if(root->ac_lsigtable[i]->tdb.nos && (root->ac_lsigtable[i]->tdb.nos[0] > target_info->exeinfo.nsections || root->ac_lsigtable[i]->tdb.nos[1] < target_info->exeinfo.nsections)) |
|
713 |
- continue; |
|
714 |
- } |
|
698 |
+ cli_ac_chkmacro(root, acdata, lsid); |
|
699 |
+ if (cli_ac_chklsig(exp, exp_end, acdata->lsigcnt[lsid], &evalcnt, &evalids, 0) == 1) { |
|
700 |
+ if(ac_lsig->tdb.container && ac_lsig->tdb.container[0] != ctx->container_type) |
|
701 |
+ return CL_CLEAN; |
|
702 |
+ if(ac_lsig->tdb.filesize && (ac_lsig->tdb.filesize[0] > map->len || ac_lsig->tdb.filesize[1] < map->len)) |
|
703 |
+ return CL_CLEAN; |
|
715 | 704 |
|
716 |
- if(hash && root->ac_lsigtable[i]->tdb.handlertype) { |
|
717 |
- if(memcmp(ctx->handlertype_hash, hash, 16)) { |
|
718 |
- ctx->recursion++; |
|
719 |
- memcpy(ctx->handlertype_hash, hash, 16); |
|
720 |
- if(cli_magic_scandesc_type(ctx, root->ac_lsigtable[i]->tdb.handlertype[0]) == CL_VIRUS) { |
|
721 |
- ctx->recursion--; |
|
722 |
- if (SCAN_ALL) { |
|
723 |
- viruses_found++; |
|
724 |
- continue; |
|
725 |
- } |
|
726 |
- return CL_VIRUS; |
|
727 |
- } |
|
728 |
- ctx->recursion--; |
|
729 |
- continue; |
|
730 |
- } |
|
731 |
- } |
|
705 |
+ if(ac_lsig->tdb.ep || ac_lsig->tdb.nos) { |
|
706 |
+ if(!target_info || target_info->status != 1) |
|
707 |
+ return CL_CLEAN; |
|
708 |
+ if(ac_lsig->tdb.ep && (ac_lsig->tdb.ep[0] > target_info->exeinfo.ep || ac_lsig->tdb.ep[1] < target_info->exeinfo.ep)) |
|
709 |
+ return CL_CLEAN; |
|
710 |
+ if(ac_lsig->tdb.nos && (ac_lsig->tdb.nos[0] > target_info->exeinfo.nsections || ac_lsig->tdb.nos[1] < target_info->exeinfo.nsections)) |
|
711 |
+ return CL_CLEAN; |
|
712 |
+ } |
|
732 | 713 |
|
733 |
- if(root->ac_lsigtable[i]->tdb.icongrp1 || root->ac_lsigtable[i]->tdb.icongrp2) { |
|
734 |
- if(!target_info || target_info->status != 1) |
|
735 |
- continue; |
|
736 |
- if(matchicon(ctx, &target_info->exeinfo, root->ac_lsigtable[i]->tdb.icongrp1, root->ac_lsigtable[i]->tdb.icongrp2) == CL_VIRUS) { |
|
737 |
- if(!root->ac_lsigtable[i]->bc_idx) { |
|
738 |
- cli_append_virus(ctx, root->ac_lsigtable[i]->virname); |
|
739 |
- if (SCAN_ALL) { |
|
740 |
- viruses_found++; |
|
741 |
- continue; |
|
742 |
- } |
|
743 |
- return CL_VIRUS; |
|
744 |
- } else if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, acdata->lsigcnt[i], acdata->lsigsuboff_first[i], map) == CL_VIRUS) { |
|
745 |
- if (SCAN_ALL) { |
|
746 |
- viruses_found++; |
|
747 |
- continue; |
|
748 |
- } |
|
749 |
- return CL_VIRUS; |
|
750 |
- } |
|
751 |
- } |
|
752 |
- continue; |
|
753 |
- } |
|
754 |
- if(!root->ac_lsigtable[i]->bc_idx) { |
|
755 |
- cli_append_virus(ctx, root->ac_lsigtable[i]->virname); |
|
756 |
- if (SCAN_ALL) { |
|
757 |
- viruses_found++; |
|
758 |
- continue; |
|
759 |
- } |
|
760 |
- return CL_VIRUS; |
|
761 |
- } |
|
762 |
- if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, acdata->lsigcnt[i], acdata->lsigsuboff_first[i], map) == CL_VIRUS) { |
|
763 |
- if (SCAN_ALL) { |
|
764 |
- viruses_found++; |
|
765 |
- continue; |
|
766 |
- } |
|
767 |
- return CL_VIRUS; |
|
768 |
- } |
|
769 |
- } |
|
714 |
+ if(hash && ac_lsig->tdb.handlertype) { |
|
715 |
+ if(memcmp(ctx->handlertype_hash, hash, 16)) { |
|
716 |
+ ctx->recursion++; |
|
717 |
+ memcpy(ctx->handlertype_hash, hash, 16); |
|
718 |
+ if(cli_magic_scandesc_type(ctx, ac_lsig->tdb.handlertype[0]) == CL_VIRUS) { |
|
719 |
+ ctx->recursion--; |
|
720 |
+ return CL_VIRUS; |
|
721 |
+ } |
|
722 |
+ ctx->recursion--; |
|
723 |
+ return CL_CLEAN; |
|
724 |
+ } |
|
725 |
+ } |
|
726 |
+ |
|
727 |
+ if(ac_lsig->tdb.icongrp1 || ac_lsig->tdb.icongrp2) { |
|
728 |
+ if(!target_info || target_info->status != 1) |
|
729 |
+ return CL_CLEAN; |
|
730 |
+ if(matchicon(ctx, &target_info->exeinfo, ac_lsig->tdb.icongrp1, ac_lsig->tdb.icongrp2) == CL_VIRUS) { |
|
731 |
+ if(!ac_lsig->bc_idx) { |
|
732 |
+ cli_append_virus(ctx, ac_lsig->virname); |
|
733 |
+ return CL_VIRUS; |
|
734 |
+ } else if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, ac_lsig->bc_idx, acdata->lsigcnt[lsid], acdata->lsigsuboff_first[lsid], map) == CL_VIRUS) { |
|
735 |
+ return CL_VIRUS; |
|
736 |
+ } |
|
737 |
+ } |
|
738 |
+ return CL_CLEAN; |
|
739 |
+ } |
|
740 |
+ if(!ac_lsig->bc_idx) { |
|
741 |
+ cli_append_virus(ctx, ac_lsig->virname); |
|
742 |
+ return CL_VIRUS; |
|
743 |
+ } |
|
744 |
+ if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, ac_lsig->bc_idx, acdata->lsigcnt[lsid], acdata->lsigsuboff_first[lsid], map) == CL_VIRUS) { |
|
745 |
+ return CL_VIRUS; |
|
746 |
+ } |
|
770 | 747 |
} |
771 |
- if (SCAN_ALL && viruses_found) |
|
748 |
+ |
|
749 |
+ return CL_CLEAN; |
|
750 |
+} |
|
751 |
+ |
|
752 |
+static int yara_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid) |
|
753 |
+{ |
|
754 |
+ return CL_CLEAN; |
|
755 |
+} |
|
756 |
+ |
|
757 |
+int cli_exp_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash) |
|
758 |
+{ |
|
759 |
+ uint8_t viruses_found = 0; |
|
760 |
+ uint32_t i; |
|
761 |
+ int32_t rc; |
|
762 |
+ |
|
763 |
+ for(i = 0; i < root->ac_lsigs; i++) { |
|
764 |
+ if (root->ac_lsigtable[i]->type == CLI_NORMAL_LSIG) |
|
765 |
+ rc = lsig_eval(ctx, root, acdata, target_info, hash, i); |
|
766 |
+ else if (root->ac_lsigtable[i]->type == CLI_NORMAL_YARA) |
|
767 |
+ rc = yara_eval(ctx, root, acdata, target_info, hash, i); |
|
768 |
+ if (rc == CL_VIRUS) { |
|
769 |
+ viruses_found = 1; |
|
770 |
+ if (SCAN_ALL) |
|
771 |
+ continue; |
|
772 |
+ break; |
|
773 |
+ } |
|
774 |
+ } |
|
775 |
+ if (viruses_found) |
|
772 | 776 |
return CL_VIRUS; |
773 | 777 |
return CL_CLEAN; |
774 | 778 |
} |
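Review bot: `rc` in cli_exp_eval is declared as `int32_t rc;` with no initializer and is assigned only in the CLI_NORMAL_LSIG and CLI_NORMAL_YARA branches, so if `root->ac_lsigtable[i]->type` ever holds any other value the `if (rc == CL_VIRUS)` check reads an uninitialized variable on the first iteration and a stale result from an earlier signature on later ones; under SCAN_ALL a single earlier detection would then be re-counted for every such entry. Resetting it at the top of each iteration, `rc = CL_CLEAN;` before the type dispatch (or an explicit `else rc = CL_CLEAN;` after the YARA branch), closes both cases. Separately, `yara_eval` ignores all of its parameters and unconditionally returns CL_CLEAN, so CLI_NORMAL_YARA signatures are dispatched but never evaluated; a comment on the stub such as `/* TODO: YARA rule evaluation not implemented yet; always reports clean */` would make that visible from the dispatcher, and the unused parameters will warn under -Wunused-parameter until it is filled in.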
@@ -1132,7 +1136,7 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli |
1132 | 1132 |
|
1133 | 1133 |
if(troot) { |
1134 | 1134 |
if(ret != CL_VIRUS || SCAN_ALL) |
1135 |
- ret = cli_lsig_eval(ctx, troot, &tdata, &info, (const char *)refhash); |
|
1135 |
+ ret = cli_exp_eval(ctx, troot, &tdata, &info, (const char *)refhash); |
|
1136 | 1136 |
if (ret == CL_VIRUS) |
1137 | 1137 |
viruses_found++; |
1138 | 1138 |
|
@@ -1144,7 +1148,7 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli |
1144 | 1144 |
|
1145 | 1145 |
if(groot) { |
1146 | 1146 |
if(ret != CL_VIRUS || SCAN_ALL) |
1147 |
- ret = cli_lsig_eval(ctx, groot, &gdata, &info, (const char *)refhash); |
|
1147 |
+ ret = cli_exp_eval(ctx, groot, &gdata, &info, (const char *)refhash); |
|
1148 | 1148 |
cli_ac_freedata(&gdata); |
1149 | 1149 |
cli_pcre_freeoff(&gpoff); |
1150 | 1150 |
} |
@@ -193,7 +193,7 @@ int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset, |
193 | 193 |
|
194 | 194 |
int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres); |
195 | 195 |
int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres, unsigned char *refhash); |
196 |
-int cli_lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash); |
|
196 |
+int cli_exp_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash); |
|
197 | 197 |
int cli_caloff(const char *offstr, const struct cli_target_info *info, unsigned int target, uint32_t *offdata, uint32_t *offset_min, uint32_t *offset_max); |
198 | 198 |
|
199 | 199 |
int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx); |
@@ -953,12 +953,12 @@ static int vba_scandata(const unsigned char *data, unsigned int len, cli_ctx *ct |
953 | 953 |
viruses_found++; |
954 | 954 |
|
955 | 955 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALL)) { |
956 |
- ret = cli_lsig_eval(ctx, troot, &tmdata, NULL, NULL); |
|
956 |
+ ret = cli_exp_eval(ctx, troot, &tmdata, NULL, NULL); |
|
957 | 957 |
if (ret == CL_VIRUS) |
958 | 958 |
viruses_found++; |
959 | 959 |
|
960 | 960 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALL)) |
961 |
- ret = cli_lsig_eval(ctx, groot, &gmdata, NULL, NULL); |
|
961 |
+ ret = cli_exp_eval(ctx, groot, &gmdata, NULL, NULL); |
|
962 | 962 |
} |
963 | 963 |
cli_ac_freedata(&tmdata); |
964 | 964 |
cli_ac_freedata(&gmdata); |
@@ -1417,10 +1417,10 @@ static int cli_scanscript(cli_ctx *ctx) |
1417 | 1417 |
} |
1418 | 1418 |
free(normalized); |
1419 | 1419 |
if(ret != CL_VIRUS || SCAN_ALL) { |
1420 |
- if ((ret = cli_lsig_eval(ctx, troot, &tmdata, NULL, NULL)) == CL_VIRUS) |
|
1420 |
+ if ((ret = cli_exp_eval(ctx, troot, &tmdata, NULL, NULL)) == CL_VIRUS) |
|
1421 | 1421 |
viruses_found++; |
1422 | 1422 |
if(ret != CL_VIRUS || SCAN_ALL) |
1423 |
- if ((ret = cli_lsig_eval(ctx, groot, &gmdata, NULL, NULL)) == CL_VIRUS) |
|
1423 |
+ if ((ret = cli_exp_eval(ctx, groot, &gmdata, NULL, NULL)) == CL_VIRUS) |
|
1424 | 1424 |
viruses_found++; |
1425 | 1425 |
} |
1426 | 1426 |
cli_ac_freedata(&tmdata); |