@@ -1,3 +1,7 @@

+Fri Jan 12 21:20:00 CET 2007 (acab)

+-----------------------------------

+  * libclamav: Fix for cli_rebuildpe call in mew unpacker.

+

 Fri Jan 12 19:25:21 GMT 2007 (njh)

 ----------------------------------

   * clamav-milter:	Remove -b option (enable BOUNCE compile time option

@@ -44,6 +44,7 @@

 #include "others.h"

 #include "mew.h"

 #include "packlibs.h"

+#include "rebuildpe.h"

 #define EC32(x) le32_to_host(x) /* Convert little endian to host */

 #define CE32(x) be32_to_host(x) /* Convert big endian to host */

@@ -760,5 +761,109 @@ uint32_t lzma_upack_esi_54(struct lzmastate *p, uint32_t old_eax, uint32_t *old_

 }

-#endif

+int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc)

+{

+	uint32_t entry_point, newedi, loc_ds=dsize, loc_ss=ssize;

+	char *source = src + dsize + off; /*EC32(section_hdr[sectnum].VirtualSize) + off;*/

+	char *lesi = source + 12, *ledi;

+	char *f1, *f2;

+	int i;

+	struct cli_exe_section *section = NULL;

+	uint32_t vma = base + vadd, size_sum = ssize + dsize;

+

+	entry_point  = cli_readint32(source + 4); /* 2vGiM: ate these safe enough?

+						   * yup, if (EC32(section_hdr[i + 1].SizeOfRawData) < ...

+						   * ~line #879 in pe.c

+						   */

+	newedi = cli_readint32(source + 8);

+	ledi = src + (newedi - vma);

+

+	i = 0;

+	ssize -= 12;

+	while (1)

+	{

+  		cli_dbgmsg("MEW unpacking section %d (%08x->%08x)\n", i, lesi, ledi);

+		if (!CLI_ISCONTAINED(src, size_sum, lesi, 4) || !CLI_ISCONTAINED(src, size_sum, ledi, 4))

+		{

+			cli_dbgmsg("Possibly programmer error or hand-crafted PE file, report to clamav team\n");

+			return -1;

+		}

+		if (unmew(lesi, ledi, loc_ss, loc_ds, &f1, &f2))

+		{

+			free(section);

+			return -1;

+		}

+

+		/* we don't need last section in sections since this is information for fixing imptbl */

+		if (!CLI_ISCONTAINED(src, size_sum, f1, 4))

+		{

+			free(section);

+			return -1;

+		}

+

+		/* XXX */

+		loc_ss -= (f1+4-lesi);

+		loc_ds -= (f2-ledi);

+		ledi = src + (cli_readint32(f1) - vma);

+		lesi = f1+4;

+

+		if (!uselzma)

+		{

+			uint32_t val = f2 - src;

+			/* round-up to 4k boundary, I'm not sure of this XXX */

+			val >>= 12;

+			val <<= 12;

+			val += 0x1000;

+

+			/* eeevil XXX */

+			section = cli_realloc(section, (i+2)*sizeof(struct cli_exe_section));

+			section[0].raw = 0; section[0].rva = vadd;

+			section[i+1].raw = val;

+			section[i+1].rva = val + vadd;

+			section[i].rsz = section[i].vsz = i?val - section[i].raw:val;

+		}

+		i++;

+

+		if (!cli_readint32(f1))

+			break;

+	}

+

+	/* LZMA stuff */

+	if (uselzma) {

+		/* put everything in one section */

+		i = 1;

+		if (!CLI_ISCONTAINED(src, size_sum, src+uselzma+8, 1))

+		{

+			cli_dbgmsg("MEW: couldn't access lzma 'special' tag\n");

+			free(section);

+			return -1;

+		}

+		/* 0x50 -> push eax */

+		cli_dbgmsg("MEW: lzma %swas used, unpacking\n", (*(src + uselzma+8) == '\x50')?"special ":"");

+		if (!CLI_ISCONTAINED(src, size_sum, f1+4, 20 + 4 + 5))

+		{

+			cli_dbgmsg("MEW: lzma initialization data not available!\n");

+			free(section);

+			return -1;

+		}

+		if(mew_lzma(&(section_hdr[sectnum]), src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50'))

+		{

+			free(section);

+			return -1;

+		}

+		loc_ds >>= 12; loc_ds <<= 12; loc_ds += 0x1000;

+		/* I have EP but no section's information, so I weren't sure what to do with that */ /* 2vGiM: sounds fair */

+		section = cli_calloc(1, sizeof(struct cli_exe_section));

+		section[0].raw = 0; section[0].rva = vadd;

+		section[0].rsz = section[0].vsz = dsize;

+	}

+	if (!cli_rebuildpe(src, section, i, base, entry_point - base, 0, 0, filedesc))

+	{

+		cli_dbgmsg("MEW: Rebuilding failed\n");

+		return -1;

+	}

+

+	return 1;

+}

+#endif /* CL_EXPERIMENTAL */

@@ -20,6 +20,11 @@

 #ifndef __MEW_H

 #define __MEW_H

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#ifdef CL_EXPERIMENTAL

 struct lzmastate {

 	char *p0;

 	uint32_t p1, p2;

@@ -30,9 +35,7 @@ int mew_lzma(struct pe_image_section_hdr *, char *, char *, uint32_t, uint32_t,

 uint32_t lzma_upack_esi_00(struct lzmastate *, char *, char *, uint32_t);

 uint32_t lzma_upack_esi_50(struct lzmastate *, uint32_t, uint32_t, char **, char *, uint32_t *, char *, uint32_t);

 uint32_t lzma_upack_esi_54(struct lzmastate *, uint32_t, uint32_t *, char **, uint32_t *, char *, uint32_t);

-

+int unmew11(struct pe_image_section_hdr *, int, char *, int, int, int, uint32_t, uint32_t, int, char **, char **, int);

 #endif

-

-

-

+#endif

@@ -25,7 +25,6 @@

 #include "others.h"

 #include "execs.h"

 #include "pe.h"

-#include "rebuildpe.h"

 static int doubledl(char **scur, uint8_t *mydlptr, char *buffer, uint32_t buffersize)

 {

@@ -171,7 +170,7 @@ int cli_unfsg(char *source, char *dest, int ssize, int dsize, char **endsrc, cha

 }

 #ifdef CL_EXPERIMENTAL

-static int unmew(char *source, char *dest, int ssize, int dsize, char **endsrc, char **enddst) {

+int unmew(char *source, char *dest, int ssize, int dsize, char **endsrc, char **enddst) {

   uint8_t mydl=0x80;

   uint32_t myeax_backbytes, myecx_backsize, oldback = 0;

   char *csrc = source, *cdst = dest;

@@ -310,115 +309,4 @@ static int unmew(char *source, char *dest, int ssize, int dsize, char **endsrc,

   return 0;

 }

-

-int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc)

-{

-	uint32_t entry_point, newedi, loc_ds=dsize, loc_ss=ssize;

-	char *source = src + dsize + off; /*EC32(section_hdr[sectnum].VirtualSize) + off;*/

-	char *lesi = source + 12, *ledi;

-	char *f1, *f2;

-	int i;

-	struct cli_exe_section *section = NULL;

-	uint32_t vma = base + vadd, size_sum = ssize + dsize;

-

-	entry_point  = cli_readint32(source + 4); /* 2vGiM: ate these safe enough?

-						   * yup, if (EC32(section_hdr[i + 1].SizeOfRawData) < ...

-						   * ~line #879 in pe.c

-						   */

-	newedi = cli_readint32(source + 8);

-	ledi = src + (newedi - vma);

-

-	i = 0;

-	ssize -= 12;

-	while (1)

-	{

-  		cli_dbgmsg("MEW unpacking section %d (%08x->%08x)\n", i, lesi, ledi);

-		if (!CLI_ISCONTAINED(src, size_sum, lesi, 4) || !CLI_ISCONTAINED(src, size_sum, ledi, 4))

-		{

-			cli_dbgmsg("Possibly programmer error or hand-crafted PE file, report to clamav team\n");

-			return -1;

-		}

-		if (unmew(lesi, ledi, loc_ss, loc_ds, &f1, &f2))

-		{

-			free(section);

-			return -1;

-		}

-

-		/* we don't need last section in sections since this is information for fixing imptbl */

-		if (!CLI_ISCONTAINED(src, size_sum, f1, 4))

-		{

-			free(section);

-			return -1;

-		}

-

-		/* XXX */

-		loc_ss -= (f1+4-lesi);

-		loc_ds -= (f2-ledi);

-		ledi = src + (cli_readint32(f1) - vma);

-		lesi = f1+4;

-

-		if (!uselzma)

-		{

-			uint32_t val = f2 - src;

-			/* round-up to 4k boundary, I'm not sure of this XXX */

-			val >>= 12;

-			val <<= 12;

-			val += 0x1000;

-

-			/* eeevil XXX */

-			section = cli_realloc(section, (i+2)*sizeof(struct cli_exe_section));

-			section[0].raw = 0; section[0].rva = vadd;

-			section[i+1].raw = val;

-			section[i+1].rva = val + vadd;

-			section[i].rsz = section[i].vsz = i?val - section[i].raw:val;

-		}

-		i++;

-

-		if (!cli_readint32(f1))

-			break;

-	}

-

-	/* LZMA stuff */

-	if (uselzma) {

-		/* put everything in one section */

-		i = 1;

-		if (!CLI_ISCONTAINED(src, size_sum, src+uselzma+8, 1))

-		{

-			cli_dbgmsg("MEW: couldn't access lzma 'special' tag\n");

-			free(section);

-			return -1;

-		}

-		/* 0x50 -> push eax */

-		cli_dbgmsg("MEW: lzma %swas used, unpacking\n", (*(src + uselzma+8) == '\x50')?"special ":"");

-		if (!CLI_ISCONTAINED(src, size_sum, f1+4, 20 + 4 + 5))

-		{

-			cli_dbgmsg("MEW: lzma initialization data not available!\n");

-			free(section);

-			return -1;

-		}

-		if(mew_lzma(&(section_hdr[sectnum]), src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50'))

-		{

-			free(section);

-			return -1;

-		}

-		loc_ds >>= 12; loc_ds <<= 12; loc_ds += 0x1000;

-		/* I have EP but no section's information, so I weren't sure what to do with that */ /* 2vGiM: sounds fair */

-		section = cli_calloc(1, sizeof(struct cli_exe_section));

-		section[0].raw = 0; section[0].rva = vadd;

-		section[0].rsz = section[0].vsz = dsize;

-	}

-	if ((f1 = cli_rebuildpe(src, section, i, base, entry_point - base, 0, 0, filedesc)))

-	{

-		if (cli_writen(filedesc, f1, 0x148+0x80+0x28*i+dsize) == -1) {

-			free(f1);

-			return -1;

-		}

-	} else {

-		cli_dbgmsg("MEW: Rebuilding failed\n");

-		return -1;

-	}

-

-	return 1;

-}

 #endif

-

@@ -20,10 +20,17 @@

 #ifndef __PACKLIBS_H

 #define __PACKLIBS_H

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

 #include "cltypes.h"

 #include "rebuildpe.h"

 int cli_unfsg(char *, char *, int, int, char **, char **);

-int unmew11(struct pe_image_section_hdr *, int, char *, int, int, int, uint32_t, uint32_t, int, char **, char **, int);

+

+#ifdef CL_EXPERIMENTAL

+int unmew(char *, char *, int, int, char **, char **);

+#endif

 #endif

@@ -1165,6 +1165,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 		    free(section_hdr);

 		    return CL_EMEM;

 		}

+		cli_dbgmsg ("MY FUCKING src IS AT %x\n", src);

 		if (EC32(section_hdr[i + 1].SizeOfRawData) < offdiff + 12 || EC32(section_hdr[i + 1].SizeOfRawData) > ssize)

 		{