Browse code
refactor and simplify cli_lsig_eval, add new function cli_exp_eval to loop thru the lsig table and call either lsig_eval or yara_eval.
Steven Morgan authored on 2015/03/04 09:25:13Showing 3 changed files
| ... | ... |
@@ -686,89 +686,93 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc |
| 686 | 686 |
return ret; |
| 687 | 687 |
} |
| 688 | 688 |
|
| 689 |
-int cli_lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash) |
|
| 689 |
+static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid) |
|
| 690 | 690 |
{
|
| 691 |
- unsigned int i, evalcnt; |
|
| 692 |
- uint64_t evalids; |
|
| 693 |
- fmap_t *map = *ctx->fmap; |
|
| 694 |
- unsigned int viruses_found = 0; |
|
| 691 |
+ unsigned evalcnt = 0; |
|
| 692 |
+ uint64_t evalids = 0; |
|
| 693 |
+ fmap_t *map = *ctx->fmap; |
|
| 694 |
+ struct cli_ac_lsig *ac_lsig = root->ac_lsigtable[lsid]; |
|
| 695 |
+ char * exp = ac_lsig->u.logic; |
|
| 696 |
+ char* exp_end = exp + strlen(exp); |
|
| 695 | 697 |
|
| 696 |
- for(i = 0; i < root->ac_lsigs; i++) {
|
|
| 697 |
- evalcnt = 0; |
|
| 698 |
- evalids = 0; |
|
| 699 |
- cli_ac_chkmacro(root, acdata, i); |
|
| 700 |
- //TODO - handle CLI_NORMAL_YARA lsigs here |
|
| 701 |
- if(cli_ac_chklsig(root->ac_lsigtable[i]->u.logic, root->ac_lsigtable[i]->u.logic + strlen(root->ac_lsigtable[i]->u.logic), acdata->lsigcnt[i], &evalcnt, &evalids, 0) == 1) {
|
|
| 702 |
- if(root->ac_lsigtable[i]->tdb.container && root->ac_lsigtable[i]->tdb.container[0] != ctx->container_type) |
|
| 703 |
- continue; |
|
| 704 |
- if(root->ac_lsigtable[i]->tdb.filesize && (root->ac_lsigtable[i]->tdb.filesize[0] > map->len || root->ac_lsigtable[i]->tdb.filesize[1] < map->len)) |
|
| 705 |
- continue; |
|
| 706 |
- |
|
| 707 |
- if(root->ac_lsigtable[i]->tdb.ep || root->ac_lsigtable[i]->tdb.nos) {
|
|
| 708 |
- if(!target_info || target_info->status != 1) |
|
| 709 |
- continue; |
|
| 710 |
- if(root->ac_lsigtable[i]->tdb.ep && (root->ac_lsigtable[i]->tdb.ep[0] > target_info->exeinfo.ep || root->ac_lsigtable[i]->tdb.ep[1] < target_info->exeinfo.ep)) |
|
| 711 |
- continue; |
|
| 712 |
- if(root->ac_lsigtable[i]->tdb.nos && (root->ac_lsigtable[i]->tdb.nos[0] > target_info->exeinfo.nsections || root->ac_lsigtable[i]->tdb.nos[1] < target_info->exeinfo.nsections)) |
|
| 713 |
- continue; |
|
| 714 |
- } |
|
| 698 |
+ cli_ac_chkmacro(root, acdata, lsid); |
|
| 699 |
+ if (cli_ac_chklsig(exp, exp_end, acdata->lsigcnt[lsid], &evalcnt, &evalids, 0) == 1) {
|
|
| 700 |
+ if(ac_lsig->tdb.container && ac_lsig->tdb.container[0] != ctx->container_type) |
|
| 701 |
+ return CL_CLEAN; |
|
| 702 |
+ if(ac_lsig->tdb.filesize && (ac_lsig->tdb.filesize[0] > map->len || ac_lsig->tdb.filesize[1] < map->len)) |
|
| 703 |
+ return CL_CLEAN; |
|
| 715 | 704 |
|
| 716 |
- if(hash && root->ac_lsigtable[i]->tdb.handlertype) {
|
|
| 717 |
- if(memcmp(ctx->handlertype_hash, hash, 16)) {
|
|
| 718 |
- ctx->recursion++; |
|
| 719 |
- memcpy(ctx->handlertype_hash, hash, 16); |
|
| 720 |
- if(cli_magic_scandesc_type(ctx, root->ac_lsigtable[i]->tdb.handlertype[0]) == CL_VIRUS) {
|
|
| 721 |
- ctx->recursion--; |
|
| 722 |
- if (SCAN_ALL) {
|
|
| 723 |
- viruses_found++; |
|
| 724 |
- continue; |
|
| 725 |
- } |
|
| 726 |
- return CL_VIRUS; |
|
| 727 |
- } |
|
| 728 |
- ctx->recursion--; |
|
| 729 |
- continue; |
|
| 730 |
- } |
|
| 731 |
- } |
|
| 705 |
+ if(ac_lsig->tdb.ep || ac_lsig->tdb.nos) {
|
|
| 706 |
+ if(!target_info || target_info->status != 1) |
|
| 707 |
+ return CL_CLEAN; |
|
| 708 |
+ if(ac_lsig->tdb.ep && (ac_lsig->tdb.ep[0] > target_info->exeinfo.ep || ac_lsig->tdb.ep[1] < target_info->exeinfo.ep)) |
|
| 709 |
+ return CL_CLEAN; |
|
| 710 |
+ if(ac_lsig->tdb.nos && (ac_lsig->tdb.nos[0] > target_info->exeinfo.nsections || ac_lsig->tdb.nos[1] < target_info->exeinfo.nsections)) |
|
| 711 |
+ return CL_CLEAN; |
|
| 712 |
+ } |
|
| 732 | 713 |
|
| 733 |
- if(root->ac_lsigtable[i]->tdb.icongrp1 || root->ac_lsigtable[i]->tdb.icongrp2) {
|
|
| 734 |
- if(!target_info || target_info->status != 1) |
|
| 735 |
- continue; |
|
| 736 |
- if(matchicon(ctx, &target_info->exeinfo, root->ac_lsigtable[i]->tdb.icongrp1, root->ac_lsigtable[i]->tdb.icongrp2) == CL_VIRUS) {
|
|
| 737 |
- if(!root->ac_lsigtable[i]->bc_idx) {
|
|
| 738 |
- cli_append_virus(ctx, root->ac_lsigtable[i]->virname); |
|
| 739 |
- if (SCAN_ALL) {
|
|
| 740 |
- viruses_found++; |
|
| 741 |
- continue; |
|
| 742 |
- } |
|
| 743 |
- return CL_VIRUS; |
|
| 744 |
- } else if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, acdata->lsigcnt[i], acdata->lsigsuboff_first[i], map) == CL_VIRUS) {
|
|
| 745 |
- if (SCAN_ALL) {
|
|
| 746 |
- viruses_found++; |
|
| 747 |
- continue; |
|
| 748 |
- } |
|
| 749 |
- return CL_VIRUS; |
|
| 750 |
- } |
|
| 751 |
- } |
|
| 752 |
- continue; |
|
| 753 |
- } |
|
| 754 |
- if(!root->ac_lsigtable[i]->bc_idx) {
|
|
| 755 |
- cli_append_virus(ctx, root->ac_lsigtable[i]->virname); |
|
| 756 |
- if (SCAN_ALL) {
|
|
| 757 |
- viruses_found++; |
|
| 758 |
- continue; |
|
| 759 |
- } |
|
| 760 |
- return CL_VIRUS; |
|
| 761 |
- } |
|
| 762 |
- if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, acdata->lsigcnt[i], acdata->lsigsuboff_first[i], map) == CL_VIRUS) {
|
|
| 763 |
- if (SCAN_ALL) {
|
|
| 764 |
- viruses_found++; |
|
| 765 |
- continue; |
|
| 766 |
- } |
|
| 767 |
- return CL_VIRUS; |
|
| 768 |
- } |
|
| 769 |
- } |
|
| 714 |
+ if(hash && ac_lsig->tdb.handlertype) {
|
|
| 715 |
+ if(memcmp(ctx->handlertype_hash, hash, 16)) {
|
|
| 716 |
+ ctx->recursion++; |
|
| 717 |
+ memcpy(ctx->handlertype_hash, hash, 16); |
|
| 718 |
+ if(cli_magic_scandesc_type(ctx, ac_lsig->tdb.handlertype[0]) == CL_VIRUS) {
|
|
| 719 |
+ ctx->recursion--; |
|
| 720 |
+ return CL_VIRUS; |
|
| 721 |
+ } |
|
| 722 |
+ ctx->recursion--; |
|
| 723 |
+ return CL_CLEAN; |
|
| 724 |
+ } |
|
| 725 |
+ } |
|
| 726 |
+ |
|
| 727 |
+ if(ac_lsig->tdb.icongrp1 || ac_lsig->tdb.icongrp2) {
|
|
| 728 |
+ if(!target_info || target_info->status != 1) |
|
| 729 |
+ return CL_CLEAN; |
|
| 730 |
+ if(matchicon(ctx, &target_info->exeinfo, ac_lsig->tdb.icongrp1, ac_lsig->tdb.icongrp2) == CL_VIRUS) {
|
|
| 731 |
+ if(!ac_lsig->bc_idx) {
|
|
| 732 |
+ cli_append_virus(ctx, ac_lsig->virname); |
|
| 733 |
+ return CL_VIRUS; |
|
| 734 |
+ } else if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, ac_lsig->bc_idx, acdata->lsigcnt[lsid], acdata->lsigsuboff_first[lsid], map) == CL_VIRUS) {
|
|
| 735 |
+ return CL_VIRUS; |
|
| 736 |
+ } |
|
| 737 |
+ } |
|
| 738 |
+ return CL_CLEAN; |
|
| 739 |
+ } |
|
| 740 |
+ if(!ac_lsig->bc_idx) {
|
|
| 741 |
+ cli_append_virus(ctx, ac_lsig->virname); |
|
| 742 |
+ return CL_VIRUS; |
|
| 743 |
+ } |
|
| 744 |
+ if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, ac_lsig->bc_idx, acdata->lsigcnt[lsid], acdata->lsigsuboff_first[lsid], map) == CL_VIRUS) {
|
|
| 745 |
+ return CL_VIRUS; |
|
| 746 |
+ } |
|
| 770 | 747 |
} |
| 771 |
- if (SCAN_ALL && viruses_found) |
|
| 748 |
+ |
|
| 749 |
+ return CL_CLEAN; |
|
| 750 |
+} |
|
| 751 |
+ |
|
| 752 |
+static int yara_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid) |
|
| 753 |
+{
|
|
| 754 |
+ return CL_CLEAN; |
|
| 755 |
+} |
|
| 756 |
+ |
|
| 757 |
+int cli_exp_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash) |
|
| 758 |
+{
|
|
| 759 |
+ uint8_t viruses_found = 0; |
|
| 760 |
+ uint32_t i; |
|
| 761 |
+ int32_t rc; |
|
| 762 |
+ |
|
| 763 |
+ for(i = 0; i < root->ac_lsigs; i++) {
|
|
| 764 |
+ if (root->ac_lsigtable[i]->type == CLI_NORMAL_LSIG) |
|
| 765 |
+ rc = lsig_eval(ctx, root, acdata, target_info, hash, i); |
|
| 766 |
+ else if (root->ac_lsigtable[i]->type == CLI_NORMAL_YARA) |
|
| 767 |
+ rc = yara_eval(ctx, root, acdata, target_info, hash, i); |
|
| 768 |
+ if (rc == CL_VIRUS) {
|
|
| 769 |
+ viruses_found = 1; |
|
| 770 |
+ if (SCAN_ALL) |
|
| 771 |
+ continue; |
|
| 772 |
+ break; |
|
| 773 |
+ } |
|
| 774 |
+ } |
|
| 775 |
+ if (viruses_found) |
|
| 772 | 776 |
return CL_VIRUS; |
| 773 | 777 |
return CL_CLEAN; |
| 774 | 778 |
} |
| ... | ... |
@@ -1132,7 +1136,7 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli |
| 1132 | 1132 |
|
| 1133 | 1133 |
if(troot) {
|
| 1134 | 1134 |
if(ret != CL_VIRUS || SCAN_ALL) |
| 1135 |
- ret = cli_lsig_eval(ctx, troot, &tdata, &info, (const char *)refhash); |
|
| 1135 |
+ ret = cli_exp_eval(ctx, troot, &tdata, &info, (const char *)refhash); |
|
| 1136 | 1136 |
if (ret == CL_VIRUS) |
| 1137 | 1137 |
viruses_found++; |
| 1138 | 1138 |
|
| ... | ... |
@@ -1144,7 +1148,7 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli |
| 1144 | 1144 |
|
| 1145 | 1145 |
if(groot) {
|
| 1146 | 1146 |
if(ret != CL_VIRUS || SCAN_ALL) |
| 1147 |
- ret = cli_lsig_eval(ctx, groot, &gdata, &info, (const char *)refhash); |
|
| 1147 |
+ ret = cli_exp_eval(ctx, groot, &gdata, &info, (const char *)refhash); |
|
| 1148 | 1148 |
cli_ac_freedata(&gdata); |
| 1149 | 1149 |
cli_pcre_freeoff(&gpoff); |
| 1150 | 1150 |
} |
| ... | ... |
@@ -193,7 +193,7 @@ int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset, |
| 193 | 193 |
|
| 194 | 194 |
int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres); |
| 195 | 195 |
int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres, unsigned char *refhash); |
| 196 |
-int cli_lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash); |
|
| 196 |
+int cli_exp_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash); |
|
| 197 | 197 |
int cli_caloff(const char *offstr, const struct cli_target_info *info, unsigned int target, uint32_t *offdata, uint32_t *offset_min, uint32_t *offset_max); |
| 198 | 198 |
|
| 199 | 199 |
int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx); |
| ... | ... |
@@ -953,12 +953,12 @@ static int vba_scandata(const unsigned char *data, unsigned int len, cli_ctx *ct |
| 953 | 953 |
viruses_found++; |
| 954 | 954 |
|
| 955 | 955 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALL)) {
|
| 956 |
- ret = cli_lsig_eval(ctx, troot, &tmdata, NULL, NULL); |
|
| 956 |
+ ret = cli_exp_eval(ctx, troot, &tmdata, NULL, NULL); |
|
| 957 | 957 |
if (ret == CL_VIRUS) |
| 958 | 958 |
viruses_found++; |
| 959 | 959 |
|
| 960 | 960 |
if (ret == CL_CLEAN || (ret == CL_VIRUS && SCAN_ALL)) |
| 961 |
- ret = cli_lsig_eval(ctx, groot, &gmdata, NULL, NULL); |
|
| 961 |
+ ret = cli_exp_eval(ctx, groot, &gmdata, NULL, NULL); |
|
| 962 | 962 |
} |
| 963 | 963 |
cli_ac_freedata(&tmdata); |
| 964 | 964 |
cli_ac_freedata(&gmdata); |
| ... | ... |
@@ -1417,10 +1417,10 @@ static int cli_scanscript(cli_ctx *ctx) |
| 1417 | 1417 |
} |
| 1418 | 1418 |
free(normalized); |
| 1419 | 1419 |
if(ret != CL_VIRUS || SCAN_ALL) {
|
| 1420 |
- if ((ret = cli_lsig_eval(ctx, troot, &tmdata, NULL, NULL)) == CL_VIRUS) |
|
| 1420 |
+ if ((ret = cli_exp_eval(ctx, troot, &tmdata, NULL, NULL)) == CL_VIRUS) |
|
| 1421 | 1421 |
viruses_found++; |
| 1422 | 1422 |
if(ret != CL_VIRUS || SCAN_ALL) |
| 1423 |
- if ((ret = cli_lsig_eval(ctx, groot, &gmdata, NULL, NULL)) == CL_VIRUS) |
|
| 1423 |
+ if ((ret = cli_exp_eval(ctx, groot, &gmdata, NULL, NULL)) == CL_VIRUS) |
|
| 1424 | 1424 |
viruses_found++; |
| 1425 | 1425 |
} |
| 1426 | 1426 |
cli_ac_freedata(&tmdata); |