@@ -1,3 +1,9 @@

+Wed Sep 27 02:34:00 CEST 2006 (tk)

+----------------------------------

+  * libclamav: add support for PE section based MD5 signatures (stored in .mdb)

+	       Requested by Christoph

+  * sigtool: handle .mdb databases

+

 Tue Sep 26 17:42:17 BST 2006 (njh)

 ----------------------------------

   * libclamav/mbox.c:	Experimental curl removal: fix proxy handling and

@@ -170,6 +170,9 @@ struct cl_engine {

     /* MD5 */

     struct cli_md5_node **md5_hlist;

+    /* MD5 list for PE sections */

+    struct cli_md5_node *md5_sect;

+

     /* Zip metadata */

     struct cli_meta_node *zip_mlist;

@@ -49,6 +49,7 @@

 #include "rebuildpe.h"

 #include "str.h"

 #include "execs.h"

+#include "md5.h"

 #ifndef	O_BINARY

 #define	O_BINARY	0

@@ -173,6 +174,49 @@ static int cli_ddump(int desc, int offset, int size, const char *file)

 }

 */

+static unsigned char *cli_md5sect(int fd, uint32_t offset, uint32_t size)

+{

+	size_t bread, sum = 0;

+	off_t pos;

+	char buff[FILEBUFF];

+	unsigned char *digest;

+	MD5_CTX md5ctx;

+

+

+    if((pos = lseek(fd, 0, SEEK_CUR)) == -1) {

+	cli_dbgmsg("cli_md5sect: Invalid descriptor %d\n", fd);

+	return NULL;

+    }

+

+    if(lseek(fd, offset, SEEK_SET) == -1) {

+	cli_dbgmsg("cli_md5sect: lseek() failed\n");

+	lseek(fd, pos, SEEK_SET);

+	return NULL;

+    }

+

+    digest = cli_calloc(16, sizeof(char));

+    if(!digest) {

+	cli_errmsg("cli_md5sect: Can't allocate memory for digest\n");

+	return NULL;

+    }

+

+    MD5_Init(&md5ctx);

+

+    while((bread = cli_readn(fd, buff, FILEBUFF)) > 0) {

+	if(sum + bread >= size) {

+	    MD5_Update(&md5ctx, buff, size - sum);

+	    break;

+	} else {

+	    MD5_Update(&md5ctx, buff, bread);

+	    sum += bread;

+	}

+    }

+

+    MD5_Final(digest, &md5ctx);

+    lseek(fd, pos, SEEK_SET);

+    return digest;

+}

+

 int cli_scanpe(int desc, cli_ctx *ctx)

 {

 	uint16_t e_magic; /* DOS signature ("MZ") */

@@ -185,9 +229,10 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	struct pe_image_optional_hdr32 optional_hdr32;

 	struct pe_image_optional_hdr64 optional_hdr64;

 	struct pe_image_section_hdr *section_hdr;

+	struct cli_md5_node *md5_sect;

 	struct stat sb;

 	char sname[9], buff[4096], *tempfile;

-	unsigned char *ubuff;

+	unsigned char *ubuff, *md5_dig;

 	ssize_t bytes;

 	unsigned int i, found, upx_success = 0, min = 0, max = 0, err, broken = 0;

 	unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0;

@@ -561,6 +606,31 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 		return CL_VIRUS;

 	    }

 	    broken = 1;

+

+	} else {

+	    /* check MD5 section sigs */

+	    md5_sect = ctx->engine->md5_sect;

+	    while(md5_sect && md5_sect->size < EC32(section_hdr[i].SizeOfRawData))

+		md5_sect = md5_sect->next;

+

+	    if(md5_sect && md5_sect->size == EC32(section_hdr[i].SizeOfRawData)) {

+		md5_dig = cli_md5sect(desc, EC32(section_hdr[i].PointerToRawData), EC32(section_hdr[i].SizeOfRawData));

+		if(!md5_dig) {

+		    cli_errmsg("PE: Can't calculate MD5 for section %d\n", i);

+		} else {

+		    while(md5_sect && md5_sect->size == EC32(section_hdr[i].SizeOfRawData)) {

+			if(!strcmp(md5_dig, md5_sect->md5)) {

+			    if(ctx->virname)

+				*ctx->virname = md5_sect->virname;

+			    free(md5_dig);

+			    free(section_hdr);

+			    return CL_VIRUS;

+			}

+			md5_sect = md5_sect->next;

+		    }

+		    free(md5_dig);

+		}

+	    }

 	}

 	if(!i) {

@@ -584,6 +654,8 @@ int cli_scanpe(int desc, cli_ctx *ctx)

     }

+

+

     if(pe_plus)

 	ep = EC32(optional_hdr64.AddressOfEntryPoint);

     else

@@ -739,11 +739,11 @@ static int cli_loadndb(FILE *fd, struct cl_engine **engine, unsigned int *signo,

     return CL_SUCCESS;

 }

-static int cli_loadhdb(FILE *fd, struct cl_engine **engine, unsigned int *signo, unsigned short fp, unsigned int options)

+static int cli_loadhdb(FILE *fd, struct cl_engine **engine, unsigned int *signo, unsigned short mode, unsigned int options)

 {

 	char buffer[FILEBUFF], *pt;

 	int line = 0, ret = 0;

-	struct cli_md5_node *new;

+	struct cli_md5_node *new, *mpt, *last;

     if((ret = cli_initengine(engine, options))) {

@@ -761,7 +761,8 @@ static int cli_loadhdb(FILE *fd, struct cl_engine **engine, unsigned int *signo,

 	    break;

 	}

-	new->fp = fp;

+	if(mode == 1) /* fp */

+	    new->fp = 1;

 	if(!(pt = cli_strtok(buffer, 0, ":"))) {

 	    free(new);

@@ -796,17 +797,38 @@ static int cli_loadhdb(FILE *fd, struct cl_engine **engine, unsigned int *signo,

 	new->viralias = cli_strtok(buffer, 3, ":"); /* aliases are optional */

-	if(!(*engine)->md5_hlist) {

-	    cli_dbgmsg("Initializing md5 list structure\n");

-	    (*engine)->md5_hlist = (struct cli_md5_node **) cli_calloc(256, sizeof(struct cli_md5_node *));

+	if(mode == 2) { /* section MD5 */

+	    if(!(*engine)->md5_sect) {

+		(*engine)->md5_sect = new;

+	    } else {

+		if(new->size < (*engine)->md5_sect->size) {

+		    new->next = (*engine)->md5_sect;

+		    (*engine)->md5_sect = new;

+		} else {

+		    mpt = (*engine)->md5_sect;

+		    while(mpt) {

+			last = mpt;

+			if((mpt->size < new->size) && (!mpt->next || new->size < mpt->next->size))

+			    break;

+			mpt = mpt->next;

+		    }

+		    new->next = last->next;

+		    last->next = new;

+		}

+	    }

+	} else {

 	    if(!(*engine)->md5_hlist) {

-		ret = CL_EMEM;

-		break;

+		cli_dbgmsg("Initializing md5 list structure\n");

+		(*engine)->md5_hlist = (struct cli_md5_node **) cli_calloc(256, sizeof(struct cli_md5_node *));

+		if(!(*engine)->md5_hlist) {

+		    ret = CL_EMEM;

+		    break;

+		}

 	    }

-	}

-	new->next = (*engine)->md5_hlist[new->md5[0] & 0xff];

-	(*engine)->md5_hlist[new->md5[0] & 0xff] = new;

+	    new->next = (*engine)->md5_hlist[new->md5[0] & 0xff];

+	    (*engine)->md5_hlist[new->md5[0] & 0xff] = new;

+	}

     }

     if(!line) {

@@ -1065,6 +1087,9 @@ static int cli_load(const char *filename, struct cl_engine **engine, unsigned in

     } else if(cli_strbcasestr(filename, ".fp")) {

 	ret = cli_loadhdb(fd, engine, signo, 1, options);

+    } else if(cli_strbcasestr(filename, ".mdb")) {

+	ret = cli_loadhdb(fd, engine, signo, 2, options);

+

     } else if(cli_strbcasestr(filename, ".ndb")) {

 	if(options & CL_DB_HWACCEL)

 	    skipped = 1;

@@ -1163,6 +1188,7 @@ static int cli_loaddbdir(const char *dirname, struct cl_engine **engine, unsigne

 	     cli_strbcasestr(dent->d_name, ".db3")  ||

 	     cli_strbcasestr(dent->d_name, ".hdb")  ||

 	     cli_strbcasestr(dent->d_name, ".fp")   ||

+	     cli_strbcasestr(dent->d_name, ".mdb")  ||

 	     cli_strbcasestr(dent->d_name, ".ndb")  ||

 	     cli_strbcasestr(dent->d_name, ".sdb")  ||

 	     cli_strbcasestr(dent->d_name, ".zmd")  ||

@@ -1283,6 +1309,7 @@ int cl_statinidir(const char *dirname, struct cl_stat *dbstat)

 	    cli_strbcasestr(dent->d_name, ".db3")  || 

 	    cli_strbcasestr(dent->d_name, ".hdb")  || 

 	    cli_strbcasestr(dent->d_name, ".fp")   || 

+	    cli_strbcasestr(dent->d_name, ".mdb")  ||

 	    cli_strbcasestr(dent->d_name, ".ndb")  || 

 	    cli_strbcasestr(dent->d_name, ".sdb")  || 

 	    cli_strbcasestr(dent->d_name, ".zmd")  || 

@@ -1361,6 +1388,7 @@ int cl_statchkdir(const struct cl_stat *dbstat)

 	    cli_strbcasestr(dent->d_name, ".db3")  || 

 	    cli_strbcasestr(dent->d_name, ".hdb")  || 

 	    cli_strbcasestr(dent->d_name, ".fp")   || 

+	    cli_strbcasestr(dent->d_name, ".mdb")  ||

 	    cli_strbcasestr(dent->d_name, ".ndb")  || 

 	    cli_strbcasestr(dent->d_name, ".sdb")  || 

 	    cli_strbcasestr(dent->d_name, ".zmd")  || 

@@ -270,7 +270,7 @@ static int writeinfo(const char *db, const char *header)

 	int i;

 	struct stat sb;

 	char file[32], *md5;

-	char *extlist[] = { "db", "fp", "hdb", "ndb", "rmd", "zmd", "sdb", NULL };

+	char *extlist[] = { "db", "fp", "hdb", "mdb", "ndb", "rmd", "zmd", "sdb", NULL };

     snprintf(file, sizeof(file), "%s.info", db);

@@ -345,6 +345,7 @@ static int build(struct optstruct *opt)

     if(stat("main.db", &foo) == -1 && stat("daily.db", &foo) == -1 &&

        stat("main.hdb", &foo) == -1 && stat("daily.hdb", &foo) == -1 &&

+       stat("main.mdb", &foo) == -1 && stat("daily.mdb", &foo) == -1 &&

        stat("main.ndb", &foo) == -1 && stat("daily.ndb", &foo) == -1 &&

        stat("main.sdb", &foo) == -1 && stat("daily.sdb", &foo) == -1 &&

        stat("main.zmd", &foo) == -1 && stat("daily.zmd", &foo) == -1 &&

@@ -366,6 +367,7 @@ static int build(struct optstruct *opt)

     } else {

 	lines = countlines("main.db") + countlines("daily.db") +

 		countlines("main.hdb") + countlines("daily.hdb") +

+		countlines("main.mdb") + countlines("daily.mdb") +

 		countlines("main.ndb") + countlines("daily.ndb") +

 		countlines("main.sdb") + countlines("daily.sdb") +

 		countlines("main.zmd") + countlines("daily.zmd") +

@@ -481,7 +483,8 @@ static int build(struct optstruct *opt)

 				 "main.ndb", "daily.ndb", "main.sdb",

 				 "daily.sdb", "main.zmd", "daily.zmd",

 				 "main.rmd", "daily.rmd", "main.fp",

-				 "daily.fp", "daily.info", "main.info",

+				 "daily.fp", "main.mdb", "daily.mdb",

+				 "daily.info", "main.info",

 #ifdef CL_EXPERIMENTAL

 				 /* TODO: add support for main.[wp]db */

 				 "daily.wdb","daily.pdb",

@@ -817,6 +820,7 @@ static int listdir(const char *dirname)

 	    if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..") &&

 	    (cli_strbcasestr(dent->d_name, ".db")  ||

 	     cli_strbcasestr(dent->d_name, ".hdb") ||

+	     cli_strbcasestr(dent->d_name, ".mdb") ||

 	     cli_strbcasestr(dent->d_name, ".ndb") ||

 	     cli_strbcasestr(dent->d_name, ".sdb") ||

 	     cli_strbcasestr(dent->d_name, ".zmd") ||

@@ -944,7 +948,7 @@ static int listdb(const char *filename)

 	    mprintf("%s\n", start);

 	}

-    } else if(cli_strbcasestr(filename, ".hdb")) { /* hash database */

+    } else if(cli_strbcasestr(filename, ".hdb") || cli_strbcasestr(filename, ".mdb")) { /* hash database */

 	while(fgets(buffer, FILEBUFF, fd)) {

 	    line++;