Browse code
Handle 0x148 bytes long optional header
| ... | ... |
@@ -412,9 +412,9 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
| 412 | 412 |
timestamp = (time_t) EC32(file_hdr.TimeDateStamp); |
| 413 | 413 |
cli_dbgmsg("TimeDateStamp: %s", ctime(×tamp));
|
| 414 | 414 |
|
| 415 |
- cli_dbgmsg("SizeOfOptionalHeader: %d\n", EC16(file_hdr.SizeOfOptionalHeader));
|
|
| 415 |
+ cli_dbgmsg("SizeOfOptionalHeader: %x\n", EC16(file_hdr.SizeOfOptionalHeader));
|
|
| 416 | 416 |
|
| 417 |
- if(EC16(file_hdr.SizeOfOptionalHeader) != sizeof(struct pe_image_optional_hdr32)) {
|
|
| 417 |
+ if(EC16(file_hdr.SizeOfOptionalHeader) != sizeof(struct pe_image_optional_hdr32) && EC16(file_hdr.SizeOfOptionalHeader)!=0x148) {
|
|
| 418 | 418 |
if(EC16(file_hdr.SizeOfOptionalHeader) == sizeof(struct pe_image_optional_hdr64)) {
|
| 419 | 419 |
pe_plus = 1; |
| 420 | 420 |
} else {
|
| ... | ... |
@@ -439,6 +439,18 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
| 439 | 439 |
} |
| 440 | 440 |
return CL_CLEAN; |
| 441 | 441 |
} |
| 442 |
+ if (EC16(file_hdr.SizeOfOptionalHeader)==0x148) {
|
|
| 443 |
+ cli_dbgmsg("Found long header\n");
|
|
| 444 |
+ if (lseek(desc, (0x148-0xe0), SEEK_CUR)==-1) { /* Seek to the end of the long header */
|
|
| 445 |
+ if(DETECT_BROKEN) {
|
|
| 446 |
+ if(ctx->virname) |
|
| 447 |
+ *ctx->virname = "Broken.Executable"; |
|
| 448 |
+ return CL_VIRUS; |
|
| 449 |
+ } |
|
| 450 |
+ cli_dbgmsg("But the file is too short to fit it\n");
|
|
| 451 |
+ return CL_CLEAN; |
|
| 452 |
+ } |
|
| 453 |
+ } |
|
| 442 | 454 |
|
| 443 | 455 |
if(EC16(optional_hdr32.Magic) != PE32_SIGNATURE) {
|
| 444 | 456 |
cli_warnmsg("Incorrect magic number in optional header\n");
|