... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Fri Dec 9 16:41:05 CET 2011 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * libclamav/matcher.c: add new offset modifier SEx (bb#4008) |
|
4 |
+ |
|
1 | 5 |
Thu Dec 1 15:07:49 CET 2011 (tk) |
2 | 6 |
--------------------------------- |
3 | 7 |
* libclamav/readdb.c: allow comments in all db files (bb#3930) |
... | ... |
@@ -356,6 +356,8 @@ MalwareName:TargetType:Offset:HexSignature[:MinFL:[MaxFL]] |
356 | 356 |
\item \verb#Sx+n# = start of section \verb+x+'s (counted from 0) |
357 | 357 |
data plus \verb+n+ bytes |
358 | 358 |
\item \verb#Sx-n# = start of section \verb+x+'s data minus \verb+n+ bytes |
359 |
+ \item \verb#SEx# = entire section \verb+x+ (offset must lie within section |
|
360 |
+ boundaries) |
|
359 | 361 |
\item \verb#SL+n# = start of last section plus \verb+n+ bytes |
360 | 362 |
\item \verb#SL-n# = start of last section minus \verb+n+ bytes |
361 | 363 |
\end{itemize} |
... | ... |
@@ -245,7 +245,15 @@ int cli_caloff(const char *offstr, const struct cli_target_info *info, unsigned |
245 | 245 |
offdata[1] = atoi(&offcpy[3]); |
246 | 246 |
|
247 | 247 |
} else if(offcpy[0] == 'S') { |
248 |
- if(!strncmp(offstr, "SL+", 3)) { |
|
248 |
+ if(offcpy[1] == 'E') { |
|
249 |
+ if(!cli_isnumber(&offcpy[2])) { |
|
250 |
+ cli_errmsg("cli_caloff: Invalid section number\n"); |
|
251 |
+ return CL_EMALFDB; |
|
252 |
+ } |
|
253 |
+ offdata[0] = CLI_OFF_SE; |
|
254 |
+ offdata[3] = atoi(&offcpy[2]); |
|
255 |
+ |
|
256 |
+ } else if(!strncmp(offstr, "SL+", 3)) { |
|
249 | 257 |
offdata[0] = CLI_OFF_SL_PLUS; |
250 | 258 |
if(!cli_isnumber(&offcpy[3])) { |
251 | 259 |
cli_errmsg("cli_caloff: Invalid offset value\n"); |
... | ... |
@@ -303,12 +311,11 @@ int cli_caloff(const char *offstr, const struct cli_target_info *info, unsigned |
303 | 303 |
|
304 | 304 |
} else { |
305 | 305 |
/* calculate relative offsets */ |
306 |
- if(info->status == -1) { |
|
307 |
- *offset_min = CLI_OFF_NONE; |
|
308 |
- if(offset_max) |
|
309 |
- *offset_max = CLI_OFF_NONE; |
|
306 |
+ *offset_min = CLI_OFF_NONE; |
|
307 |
+ if(offset_max) |
|
308 |
+ *offset_max = CLI_OFF_NONE; |
|
309 |
+ if(info->status == -1) |
|
310 | 310 |
return CL_SUCCESS; |
311 |
- } |
|
312 | 311 |
|
313 | 312 |
switch(offdata[0]) { |
314 | 313 |
case CLI_OFF_EOF_MINUS: |
... | ... |
@@ -333,6 +340,16 @@ int cli_caloff(const char *offstr, const struct cli_target_info *info, unsigned |
333 | 333 |
else |
334 | 334 |
*offset_min = info->exeinfo.section[offdata[3]].raw + offdata[1]; |
335 | 335 |
break; |
336 |
+ |
|
337 |
+ case CLI_OFF_SE: |
|
338 |
+ if(offdata[3] >= info->exeinfo.nsections) { |
|
339 |
+ *offset_min = CLI_OFF_NONE; |
|
340 |
+ } else { |
|
341 |
+ *offset_min = info->exeinfo.section[offdata[3]].raw; |
|
342 |
+ *offset_max = *offset_min + info->exeinfo.section[offdata[3]].rsz + offdata[2]; |
|
343 |
+ } |
|
344 |
+ break; |
|
345 |
+ |
|
336 | 346 |
case CLI_OFF_VERSION: |
337 | 347 |
*offset_min = *offset_max = CLI_OFF_ANY; |
338 | 348 |
break; |
... | ... |
@@ -341,12 +358,8 @@ int cli_caloff(const char *offstr, const struct cli_target_info *info, unsigned |
341 | 341 |
return CL_EARG; |
342 | 342 |
} |
343 | 343 |
|
344 |
- if(offset_max) { |
|
345 |
- if(*offset_min != CLI_OFF_NONE) |
|
346 |
- *offset_max = *offset_min + offdata[2]; |
|
347 |
- else |
|
348 |
- *offset_max = CLI_OFF_NONE; |
|
349 |
- } |
|
344 |
+ if(offset_max && *offset_max == CLI_OFF_NONE && *offset_min != CLI_OFF_NONE) |
|
345 |
+ *offset_max = *offset_min + offdata[2]; |
|
350 | 346 |
} |
351 | 347 |
|
352 | 348 |
return CL_SUCCESS; |
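Review bot: The new `case CLI_OFF_SE:` branch stores through `*offset_max` without checking the pointer, while the rest of cli_caloff treats `offset_max` as optional (`if(offset_max)` guards both the reset at the top of the relative-offset path and the final fix-up), so a caller passing NULL with an SEx signature would dereference a null pointer. Guard the store the same way: `if(offset_max) *offset_max = *offset_min + info->exeinfo.section[offdata[3]].rsz + offdata[2];`. The `raw` and `rsz` operands come from the scanned file's section table, so if these are 32-bit values the sum can presumably wrap, leaving `*offset_max` below `*offset_min` or equal to the `CLI_OFF_NONE` sentinel that the final fix-up then overwrites. An explicit clamp, or a comment naming the earlier validation of `raw`/`rsz` that is relied on, would make the bound auditable. cli_caloff starts and ends outside these hunks, so the type of `offdata` and the callers are not visible here.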
... | ... |
@@ -161,6 +161,7 @@ static const struct cli_mtarget cli_mtargets[CLI_MTARGETS] = { |
161 | 161 |
#define CLI_OFF_SX_PLUS 6 |
162 | 162 |
#define CLI_OFF_VERSION 7 |
163 | 163 |
#define CLI_OFF_MACRO 8 |
164 |
+#define CLI_OFF_SE 9 |
|
164 | 165 |
|
165 | 166 |
int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset, cli_ctx *ctx, cli_file_t ftype, struct cli_ac_data **acdata); |
166 | 167 |
|