
sigtool: --decode-sigs: handle .ndb sigs

Tomasz Kojm authored on 2009/11/26 03:08:49
Showing 2 changed files
... ...
@@ -1,3 +1,7 @@
1
+Wed Nov 25 19:07:51 CET 2009 (tk)
2
+---------------------------------
3
+ * sigtool: --decode-sigs: handle .ndb sigs
4
+
1 5
 Tue Nov 24 10:24:27 EET 2009 (edwin)
2 6
 ------------------------------------
3 7
  * clamd/server-th.c: enable more than 256 FD support on Solaris (bb #1764).
... ...
@@ -1835,13 +1835,68 @@ static int decodehex(const char *hexsig)
1835 1835
 static int decodesig(char *sig)
1836 1836
 {
1837 1837
 	char *pt;
1838
+	const char *tokens[7];
1839
+	int tokens_count;
1838 1840
 
1839 1841
     if(strchr(sig, ';')) { /* lsig */
1840 1842
 	mprintf("decodesig: Not supported signature format (yet)\n");
1841 1843
 	return -1;
1842 1844
     } else if(strchr(sig, ':')) { /* ndb */
1843
-	mprintf("decodesig: Not supported signature format (yet)\n");
1844
-	return -1;
1845
+	tokens_count = cli_strtokenize(sig, ':', 6 + 1, tokens);
1846
+	if(tokens_count < 4 || tokens_count > 6) {
1847
+	    mprintf("!decodesig: Invalid or not supported signature format\n");
1848
+	    mprintf("TOKENS COUNT: %u\n", tokens_count);
1849
+	    return -1;
1850
+	}
1851
+	mprintf("VIRUS NAME: %s\n", tokens[0]);
1852
+	if(tokens_count == 5)
1853
+	    mprintf("FUNCTIONALITY LEVEL: >=%s\n", tokens[4]);
1854
+	else if(tokens_count == 6)
1855
+	    mprintf("FUNCTIONALITY LEVEL: %s..%s\n", tokens[4], tokens[5]);
1856
+
1857
+	if(!cli_isnumber(tokens[1])) {
1858
+	    mprintf("!decodesig: Invalid target type\n");
1859
+	    return -1;
1860
+	}
1861
+	mprintf("TARGET TYPE: ");
1862
+	switch(atoi(tokens[1])) {
1863
+	    case 0:
1864
+		mprintf("ANY FILE\n");
1865
+		break;
1866
+	    case 1:
1867
+		mprintf("PE\n");
1868
+		break;
1869
+	    case 2:
1870
+		mprintf("OLE2\n");
1871
+		break;
1872
+	    case 3:
1873
+		mprintf("HTML\n");
1874
+		break;
1875
+	    case 4:
1876
+		mprintf("MAIL\n");
1877
+		break;
1878
+	    case 5:
1879
+		mprintf("GRAPHICS\n");
1880
+		break;
1881
+	    case 6:
1882
+		mprintf("ELF\n");
1883
+		break;
1884
+	    case 7:
1885
+		mprintf("NORMALIZED ASCII TEXT\n");
1886
+		break;
1887
+	    case 8:
1888
+		mprintf("DISASM DATA\n");
1889
+		break;
1890
+	    case 9:
1891
+		mprintf("MACHO\n");
1892
+		break;
1893
+	    default:
1894
+		mprintf("!decodesig: Invalid target type\n");
1895
+		return -1;
1896
+	}
1897
+	mprintf("OFFSET: %s\n", tokens[2]);
1898
+	mprintf("DECODED SIGNATURE:\n");
1899
+	decodehex(tokens[3]);
1845 1900
     } else if((pt = strchr(sig, '='))) {
1846 1901
 	*pt++ = 0;
1847 1902
 	mprintf("VIRUS NAME: %s\n", sig);
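Review bot: The status of `decodehex(tokens[3])` on new line 1899 is discarded, although the hunk header shows decodehex declared `static int` and every other failure path in this branch returns -1; if the hex body of an .ndb signature does not decode, decodesig falls through as though it succeeded and the caller cannot tell a malformed signature from a valid one. Propagating the result keeps the branch consistent with the lsig and token-count checks above it: `if(decodehex(tokens[3]) < 0)` / `    return -1;`. The diagnostic on new line 1848 also prints the `int` tokens_count with `%u`; `%d` matches the declared type. decodesig's body continues past the end of this hunk, where its final return value is presumably set.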