@@ -1,3 +1,7 @@

+Thu Jul 31 04:01:02 CEST 2008 (acab)

+------------------------------------

+  * libclamav/upx: add preliminar support for upx/lzma (disabled)

+

 Wed Jul 30 20:09:03 EEST 2008 (edwin)

 -------------------------------------

   * clamd/others.c: avoid calling non-async-signal-safe functions between fork()

@@ -128,3 +128,33 @@ int cli_LzmaDecode(CLI_LZMA **Lp, struct stream_state* state) {

   return res;

 }

+

+int cli_LzmaInitUPX(CLI_LZMA **Lp, uint32_t dictsz) {

+  CLI_LZMA *L = *Lp;

+

+  if(!L) {

+    *Lp = L = cli_calloc(sizeof(*L), 1);

+    if(!L) {

+      return LZMA_RESULT_DATA_ERROR;

+    }

+  }

+

+  L->state.Properties.pb = 2; /* FIXME: these  */

+  L->state.Properties.lp = 0; /* values may    */

+  L->state.Properties.lc = 3; /* not be static */

+

+  L->state.Properties.DictionarySize = dictsz;

+

+  if (!(L->state.Probs = (CProb *)cli_malloc(LzmaGetNumProbs(&L->state.Properties) * sizeof(CProb))))

+    return LZMA_RESULT_DATA_ERROR;

+

+  if (!(L->state.Dictionary = (unsigned char *)cli_malloc(L->state.Properties.DictionarySize))) {

+    free(L->state.Probs);

+    return LZMA_RESULT_DATA_ERROR;

+  }

+

+  L->initted = 1;

+

+  LzmaDecoderInit(&L->state);

+  return LZMA_RESULT_OK;

+}

@@ -37,6 +37,7 @@ struct stream_state {

 int cli_LzmaInit(CLI_LZMA **, uint64_t);

 void cli_LzmaShutdown(CLI_LZMA **);

 int cli_LzmaDecode(CLI_LZMA **, struct stream_state*);

+int cli_LzmaInitUPX(CLI_LZMA **, uint32_t);

 #define LZMA_STREAM_END 2

 #define LZMA_RESULT_OK 0

@@ -75,6 +75,8 @@

 #define UPX_NRV2B "\x11\xdb\x11\xc9\x01\xdb\x75\x07\x8b\x1e\x83\xee\xfc\x11\xdb\x11\xc9\x11\xc9\x75\x20\x41\x01\xdb"

 #define UPX_NRV2D "\x83\xf0\xff\x74\x78\xd1\xf8\x89\xc5\xeb\x0b\x01\xdb\x75\x07\x8b\x1e\x83\xee\xfc\x11\xdb\x11\xc9"

 #define UPX_NRV2E "\xeb\x52\x31\xc9\x83\xe8\x03\x72\x11\xc1\xe0\x08\x8a\x06\x46\x83\xf0\xff\x74\x75\xd1\xf8\x89\xc5"

+#define UPX_LZMA1 "\x56\x83\xc3\x04\x53\x50\xc7\x03\x03\x00\x02\x00\x90\x90\x90\x55\x57\x56\x53\x83"

+#define UPX_LZMA2 "\x56\x83\xc3\x04\x53\x50\xc7\x03\x03\x00\x02\x00\x90\x90\x90\x90\x90\x55\x57\x56"

 #define EC32(x) le32_to_host(x) /* Convert little endian to host */

 #define EC16(x) le16_to_host(x)

@@ -1737,6 +1739,12 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	    }

 	}

+	if(0 && cli_memstr(UPX_LZMA2, 20, epbuff + 0x2f, 20)) {

+	  uint32_t ndsize=cli_readint32(epbuff+0x21);

+	  if(ndsize<=dsize)

+	    upx_success = upx_inflatelzma(src, ssize, dest, &ndsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >=0;

+	}

+

 	if(!upx_success) {

 	    cli_dbgmsg("UPX: All decompressors failed\n");

 	    free(src);

@@ -56,6 +56,7 @@

 #include "others.h"

 #include "upx.h"

 #include "str.h"

+#include "lzma_iface.h"

 #define PEALIGN(o,a) (((a))?(((o)/(a))*(a)):(o))

 #define PESALIGN(o,a) (((a))?(((o)/(a)+((o)%(a)!=0))*(a)):(o))

@@ -520,3 +521,24 @@ int upx_inflate2e(char *src, uint32_t ssize, char *dst, uint32_t *dsize, uint32_

   return pefromupx (src, ssize, dst, dsize, ep, upx0, upx1, magic, dcur);

 }

+

+int upx_inflatelzma(char *src, uint32_t ssize, char *dst, uint32_t *dsize, uint32_t upx0, uint32_t upx1, uint32_t ep) {

+  CLI_LZMA *lz = NULL;

+  struct stream_state s;

+  uint32_t magic[]={0xb16,0xb1e,0};

+

+  cli_LzmaInitUPX(&lz, *dsize);

+  s.avail_in = ssize;

+  s.avail_out = *dsize;

+  s.next_in = src+2;

+  s.next_out = dst;

+

+  if(cli_LzmaDecode(&lz, &s)==LZMA_RESULT_DATA_ERROR) {

+/*     __asm__ __volatile__("int3"); */

+    cli_LzmaShutdown(&lz);

+    return -1;

+  }

+  cli_LzmaShutdown(&lz);

+

+  return pefromupx (src, ssize, dst, dsize, ep, upx0, upx1, magic, *dsize);

+}

@@ -26,5 +26,6 @@

 int upx_inflate2b(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t);

 int upx_inflate2d(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t);

 int upx_inflate2e(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t);

+int upx_inflatelzma(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t);

 #endif