@@ -1,3 +1,7 @@ |
1 |
+Wed Nov 25 19:07:51 CET 2009 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * sigtool: --decode-sigs: handle .ndb sigs |
|
4 |
+ |
|
1 | 5 |
Tue Nov 24 10:24:27 EET 2009 (edwin) |
2 | 6 |
------------------------------------ |
3 | 7 |
* clamd/server-th.c: enable more than 256 FD support on Solaris (bb #1764). |
@@ -1835,13 +1835,68 @@ static int decodehex(const char *hexsig) |
1835 | 1835 |
static int decodesig(char *sig) |
1836 | 1836 |
{ |
1837 | 1837 |
char *pt; |
1838 |
+ const char *tokens[7]; |
|
1839 |
+ int tokens_count; |
|
1838 | 1840 |
|
1839 | 1841 |
if(strchr(sig, ';')) { /* lsig */ |
1840 | 1842 |
mprintf("decodesig: Not supported signature format (yet)\n"); |
1841 | 1843 |
return -1; |
1842 | 1844 |
} else if(strchr(sig, ':')) { /* ndb */ |
1843 |
- mprintf("decodesig: Not supported signature format (yet)\n"); |
|
1844 |
- return -1; |
|
1845 |
+ tokens_count = cli_strtokenize(sig, ':', 6 + 1, tokens); |
|
1846 |
+ if(tokens_count < 4 || tokens_count > 6) { |
|
1847 |
+ mprintf("!decodesig: Invalid or not supported signature format\n"); |
|
1848 |
+ mprintf("TOKENS COUNT: %u\n", tokens_count); |
|
1849 |
+ return -1; |
|
1850 |
+ } |
|
1851 |
+ mprintf("VIRUS NAME: %s\n", tokens[0]); |
|
1852 |
+ if(tokens_count == 5) |
|
1853 |
+ mprintf("FUNCTIONALITY LEVEL: >=%s\n", tokens[4]); |
|
1854 |
+ else if(tokens_count == 6) |
|
1855 |
+ mprintf("FUNCTIONALITY LEVEL: %s..%s\n", tokens[4], tokens[5]); |
|
1856 |
+ |
|
1857 |
+ if(!cli_isnumber(tokens[1])) { |
|
1858 |
+ mprintf("!decodesig: Invalid target type\n"); |
|
1859 |
+ return -1; |
|
1860 |
+ } |
|
1861 |
+ mprintf("TARGET TYPE: "); |
|
1862 |
+ switch(atoi(tokens[1])) { |
|
1863 |
+ case 0: |
|
1864 |
+ mprintf("ANY FILE\n"); |
|
1865 |
+ break; |
|
1866 |
+ case 1: |
|
1867 |
+ mprintf("PE\n"); |
|
1868 |
+ break; |
|
1869 |
+ case 2: |
|
1870 |
+ mprintf("OLE2\n"); |
|
1871 |
+ break; |
|
1872 |
+ case 3: |
|
1873 |
+ mprintf("HTML\n"); |
|
1874 |
+ break; |
|
1875 |
+ case 4: |
|
1876 |
+ mprintf("MAIL\n"); |
|
1877 |
+ break; |
|
1878 |
+ case 5: |
|
1879 |
+ mprintf("GRAPHICS\n"); |
|
1880 |
+ break; |
|
1881 |
+ case 6: |
|
1882 |
+ mprintf("ELF\n"); |
|
1883 |
+ break; |
|
1884 |
+ case 7: |
|
1885 |
+ mprintf("NORMALIZED ASCII TEXT\n"); |
|
1886 |
+ break; |
|
1887 |
+ case 8: |
|
1888 |
+ mprintf("DISASM DATA\n"); |
|
1889 |
+ break; |
|
1890 |
+ case 9: |
|
1891 |
+ mprintf("MACHO\n"); |
|
1892 |
+ break; |
|
1893 |
+ default: |
|
1894 |
+ mprintf("!decodesig: Invalid target type\n"); |
|
1895 |
+ return -1; |
|
1896 |
+ } |
|
1897 |
+ mprintf("OFFSET: %s\n", tokens[2]); |
|
1898 |
+ mprintf("DECODED SIGNATURE:\n"); |
|
1899 |
+ decodehex(tokens[3]); |
|
1845 | 1900 |
} else if((pt = strchr(sig, '='))) { |
1846 | 1901 |
*pt++ = 0; |
1847 | 1902 |
mprintf("VIRUS NAME: %s\n", sig); |
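Review bot: The return value of `decodehex(tokens[3]);` at the end of the new ndb branch is discarded, so a signature whose hex body is rejected by decodehex still falls through to whatever decodesig returns after this hunk, and the caller of --decode-sigs cannot tell a malformed body from a decoded one; since decodehex returns int per the hunk header, `return decodehex(tokens[3]);` would propagate the failure the same way the `return -1` paths above it do. Separately, `tokens_count` is declared `int` but printed with `%u` in `mprintf("TOKENS COUNT: %u\n", tokens_count);`, which is a format/argument mismatch — use `%d` or make the variable unsigned. The body of decodesig continues past the end of the hunk, so the value returned on fall-through is not visible here and the first point is hedged on that.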