git-svn: trunk@2481
aCaB authored on 2006/11/05 08:01:17... | ... |
@@ -412,9 +412,9 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
412 | 412 |
timestamp = (time_t) EC32(file_hdr.TimeDateStamp); |
413 | 413 |
cli_dbgmsg("TimeDateStamp: %s", ctime(×tamp)); |
414 | 414 |
|
415 |
- cli_dbgmsg("SizeOfOptionalHeader: %d\n", EC16(file_hdr.SizeOfOptionalHeader)); |
|
415 |
+ cli_dbgmsg("SizeOfOptionalHeader: %x\n", EC16(file_hdr.SizeOfOptionalHeader)); |
|
416 | 416 |
|
417 |
- if(EC16(file_hdr.SizeOfOptionalHeader) != sizeof(struct pe_image_optional_hdr32)) { |
|
417 |
+ if(EC16(file_hdr.SizeOfOptionalHeader) != sizeof(struct pe_image_optional_hdr32) && EC16(file_hdr.SizeOfOptionalHeader)!=0x148) { |
|
418 | 418 |
if(EC16(file_hdr.SizeOfOptionalHeader) == sizeof(struct pe_image_optional_hdr64)) { |
419 | 419 |
pe_plus = 1; |
420 | 420 |
} else { |
... | ... |
@@ -439,6 +439,18 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
439 | 439 |
} |
440 | 440 |
return CL_CLEAN; |
441 | 441 |
} |
442 |
+ if (EC16(file_hdr.SizeOfOptionalHeader)==0x148) { |
|
443 |
+ cli_dbgmsg("Found long header\n"); |
|
444 |
+ if (lseek(desc, (0x148-0xe0), SEEK_CUR)==-1) { /* Seek to the end of the long header */ |
|
445 |
+ if(DETECT_BROKEN) { |
|
446 |
+ if(ctx->virname) |
|
447 |
+ *ctx->virname = "Broken.Executable"; |
|
448 |
+ return CL_VIRUS; |
|
449 |
+ } |
|
450 |
+ cli_dbgmsg("But the file is too short to fit it\n"); |
|
451 |
+ return CL_CLEAN; |
|
452 |
+ } |
|
453 |
+ } |
|
442 | 454 |
|
443 | 455 |
if(EC16(optional_hdr32.Magic) != PE32_SIGNATURE) { |
444 | 456 |
cli_warnmsg("Incorrect magic number in optional header\n"); |
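Review bot: The `lseek(desc, (0x148-0xe0), SEEK_CUR)==-1` test in the new long-header block does not detect a truncated file, because on a regular file lseek succeeds even when the new offset lies past end-of-file. The `Broken.Executable` and "too short" branch therefore only runs when the descriptor cannot be seeked at all. Because the header size is read from the file being scanned, the resulting offset should be compared with the real file size, for example `off_t pos = lseek(desc, 0x148 - 0xe0, SEEK_CUR);` followed by `if (pos == -1 || fstat(desc, &sb) == -1 || pos > sb.st_size) {`, with a `struct stat sb` (reuse one if cli_scanpe already has it; the function starts and ends outside the hunks shown). The literals `0x148` and `0xe0` are also bare here and in the first hunk's condition. A named constant and a comment stating which header variant is 0x148 bytes long, and that 0xe0 is presumably `sizeof(struct pe_image_optional_hdr32)`, would make the skip arithmetic checkable.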