...
|
...
|
@@ -1290,9 +1290,10 @@ int cli_scanpe(cli_ctx *ctx)
|
1290
|
1290
|
case KZSLOOP:
|
1291
|
1291
|
if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
|
1292
|
1292
|
cli_append_virus(ctx,"Heuristics.W32.Kriz");
|
1293
|
|
- free(exe_sections);
|
1294
|
|
- if (!SCAN_ALL)
|
|
1293
|
+ if (!SCAN_ALL) {
|
|
1294
|
+ free(exe_sections);
|
1295
|
1295
|
return CL_VIRUS;
|
|
1296
|
+ }
|
1296
|
1297
|
viruses_found++;
|
1297
|
1298
|
}
|
1298
|
1299
|
cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");
|
...
|
...
|
@@ -1319,9 +1320,10 @@ int cli_scanpe(cli_ctx *ctx)
|
1319
|
1319
|
if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
1320
|
1320
|
if(cli_memstr(tbuff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
|
1321
|
1321
|
cli_append_virus(ctx, dam ? "Heuristics.W32.Magistr.A.dam" : "Heuristics.W32.Magistr.A");
|
1322
|
|
- free(exe_sections);
|
1323
|
|
- if (!SCAN_ALL)
|
|
1322
|
+ if (!SCAN_ALL) {
|
|
1323
|
+ free(exe_sections);
|
1324
|
1324
|
return CL_VIRUS;
|
|
1325
|
+ }
|
1325
|
1326
|
viruses_found++;
|
1326
|
1327
|
}
|
1327
|
1328
|
}
|
...
|
...
|
@@ -1333,9 +1335,10 @@ int cli_scanpe(cli_ctx *ctx)
|
1333
|
1333
|
if((tbuff = fmap_need_off_once(map, exe_sections[nsections - 1].raw + rsize - bw, 4096))) {
|
1334
|
1334
|
if(cli_memstr(tbuff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
|
1335
|
1335
|
cli_append_virus(ctx,dam ? "Heuristics.W32.Magistr.B.dam" : "Heuristics.W32.Magistr.B");
|
1336
|
|
- free(exe_sections);
|
1337
|
|
- if (!SCAN_ALL)
|
|
1336
|
+ if (!SCAN_ALL) {
|
|
1337
|
+ free(exe_sections);
|
1338
|
1338
|
return CL_VIRUS;
|
|
1339
|
+ }
|
1339
|
1340
|
viruses_found++;
|
1340
|
1341
|
}
|
1341
|
1342
|
}
|
...
|
...
|
@@ -1383,10 +1386,11 @@ int cli_scanpe(cli_ctx *ctx)
|
1383
|
1383
|
if(!(code = fmap_need_off_once(map, jumps[i], 9))) continue;
|
1384
|
1384
|
if((jump=cli_readint32(code))==0x60ec8b55 || (code[4]==0x0ec && ((jump==0x83ec8b55 && code[6]==0x60) || (jump==0x81ec8b55 && !code[7] && !code[8])))) {
|
1385
|
1385
|
cli_append_virus(ctx,"Heuristics.W32.Polipos.A");
|
1386
|
|
- free(jumps);
|
1387
|
|
- free(exe_sections);
|
1388
|
|
- if (!SCAN_ALL)
|
|
1386
|
+ if (!SCAN_ALL) {
|
|
1387
|
+ free(jumps);
|
|
1388
|
+ free(exe_sections);
|
1389
|
1389
|
return CL_VIRUS;
|
|
1390
|
+ }
|
1390
|
1391
|
viruses_found++;
|
1391
|
1392
|
}
|
1392
|
1393
|
}
|
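Review bot: Nothing at the four `if (!SCAN_ALL) {` sites records why the frees now sit inside the returning branch, so a later tidy-up could hoist them back out and reintroduce a use of freed memory. When SCAN_ALL is set, execution continues past `viruses_found++` and the buffers are still read afterwards: `exe_sections[nsections - 1].raw` appears in both Magistr hunks, and `jumps[i]` in the Polipos hunk, whose enclosing loop starts outside the hunk. A short comment at the Kriz site, repeated or referenced at the Magistr.A, Magistr.B and Polipos sites, would document this, e.g. `/* SCAN_ALL keeps scanning and reads exe_sections again below; free only when returning */`. Because the same free-then-return sequence is written out four times, routing these exits through one cleanup label would probably be less error-prone, though the rest of cli_scanpe's exit paths are not visible here.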