...
|
...
|
@@ -737,14 +737,14 @@ int cli_scanpe(cli_ctx *ctx)
|
737
|
737
|
char sname[9], epbuff[4096], *tempfile;
|
738
|
738
|
uint32_t epsize;
|
739
|
739
|
ssize_t bytes, at;
|
740
|
|
- unsigned int i, found, upx_success = 0, min = 0, max = 0, err, overlays = 0;
|
|
740
|
+ unsigned int i, j, found, upx_success = 0, min = 0, max = 0, err, overlays = 0, rescan = 1;
|
741
|
741
|
unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0, corrupted_cur;
|
742
|
742
|
int (*upxfn)(const char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL;
|
743
|
743
|
const char *src = NULL;
|
744
|
744
|
char *dest = NULL;
|
745
|
745
|
int ndesc, ret = CL_CLEAN, upack = 0, native=0;
|
746
|
746
|
size_t fsize;
|
747
|
|
- uint32_t valign, falign, hdr_size, j;
|
|
747
|
+ uint32_t valign, falign, hdr_size;
|
748
|
748
|
struct cli_exe_section *exe_sections;
|
749
|
749
|
char timestr[32];
|
750
|
750
|
struct pe_image_data_dir *dirs;
|
...
|
...
|
@@ -1238,18 +1238,52 @@ int cli_scanpe(cli_ctx *ctx)
|
1238
|
1238
|
cli_jsonint(pe_json, "NumberOfSections", nsections);
|
1239
|
1239
|
#endif
|
1240
|
1240
|
|
|
1241
|
+ while (rescan==1) {
|
|
1242
|
+ rescan=0;
|
|
1243
|
+ for (i=0; i < nsections; i++) {
|
|
1244
|
+ exe_sections[i].rva = PEALIGN(EC32(section_hdr[i].VirtualAddress), valign);
|
|
1245
|
+ exe_sections[i].vsz = PESALIGN(EC32(section_hdr[i].VirtualSize), valign);
|
|
1246
|
+ exe_sections[i].raw = PEALIGN(EC32(section_hdr[i].PointerToRawData), falign);
|
|
1247
|
+ exe_sections[i].rsz = PESALIGN(EC32(section_hdr[i].SizeOfRawData), falign);
|
|
1248
|
+ exe_sections[i].chr = EC32(section_hdr[i].Characteristics);
|
|
1249
|
+ exe_sections[i].urva = EC32(section_hdr[i].VirtualAddress); /* Just in case */
|
|
1250
|
+ exe_sections[i].uvsz = EC32(section_hdr[i].VirtualSize);
|
|
1251
|
+ exe_sections[i].uraw = EC32(section_hdr[i].PointerToRawData);
|
|
1252
|
+ exe_sections[i].ursz = EC32(section_hdr[i].SizeOfRawData);
|
|
1253
|
+
|
|
1254
|
+ if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
|
|
1255
|
+ if (!CLI_ISCONTAINED(0, fsize, exe_sections[i].uraw, exe_sections[i].ursz)
|
|
1256
|
+ || exe_sections[i].raw >= fsize) {
|
|
1257
|
+ cli_dbgmsg("Broken PE file - Section %d starts or exists beyond the end of file (Offset@ %lu, Total filesize %lu)\n", i, (unsigned long)exe_sections[i].raw, (unsigned long)fsize);
|
|
1258
|
+ if (nsections == 1) {
|
|
1259
|
+ free(section_hdr);
|
|
1260
|
+ free(exe_sections);
|
|
1261
|
+
|
|
1262
|
+ if(DETECT_BROKEN_PE) {
|
|
1263
|
+ cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
|
1264
|
+ return CL_VIRUS;
|
|
1265
|
+ }
|
|
1266
|
+
|
|
1267
|
+ return CL_CLEAN; /* no ninjas to see here! move along! */
|
|
1268
|
+ }
|
|
1269
|
+
|
|
1270
|
+ for (j=i; j < nsections-1; j++)
|
|
1271
|
+ memcpy(&exe_sections[j], &exe_sections[j+1], sizeof(struct cli_exe_section));
|
|
1272
|
+
|
|
1273
|
+ for (j=i; j < nsections-1; j++)
|
|
1274
|
+ memcpy(§ion_hdr[j], §ion_hdr[j+1], sizeof(struct pe_image_section_hdr));
|
|
1275
|
+
|
|
1276
|
+ nsections--;
|
|
1277
|
+ rescan=1;
|
|
1278
|
+ break;
|
|
1279
|
+ }
|
|
1280
|
+ }
|
|
1281
|
+ }
|
|
1282
|
+ }
|
|
1283
|
+
|
1241
|
1284
|
for(i = 0; i < nsections; i++) {
|
1242
|
|
- strncpy(sname, (char *) section_hdr[i].Name, 8);
|
1243
|
|
- sname[8] = 0;
|
1244
|
|
- exe_sections[i].rva = PEALIGN(EC32(section_hdr[i].VirtualAddress), valign);
|
1245
|
|
- exe_sections[i].vsz = PESALIGN(EC32(section_hdr[i].VirtualSize), valign);
|
1246
|
|
- exe_sections[i].raw = PEALIGN(EC32(section_hdr[i].PointerToRawData), falign);
|
1247
|
|
- exe_sections[i].rsz = PESALIGN(EC32(section_hdr[i].SizeOfRawData), falign);
|
1248
|
|
- exe_sections[i].chr = EC32(section_hdr[i].Characteristics);
|
1249
|
|
- exe_sections[i].urva = EC32(section_hdr[i].VirtualAddress); /* Just in case */
|
1250
|
|
- exe_sections[i].uvsz = EC32(section_hdr[i].VirtualSize);
|
1251
|
|
- exe_sections[i].uraw = EC32(section_hdr[i].PointerToRawData);
|
1252
|
|
- exe_sections[i].ursz = EC32(section_hdr[i].SizeOfRawData);
|
|
1285
|
+ strncpy(sname, (char *) section_hdr[i].Name, 8);
|
|
1286
|
+ sname[8] = 0;
|
1253
|
1287
|
|
1254
|
1288
|
#if HAVE_JSON
|
1255
|
1289
|
add_section_info(ctx, &exe_sections[i]);
|
...
|
...
|
@@ -1304,18 +1338,6 @@ int cli_scanpe(cli_ctx *ctx)
|
1304
|
1304
|
}
|
1305
|
1305
|
|
1306
|
1306
|
if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
|
1307
|
|
- if (exe_sections[i].raw >= fsize) { /* really broken */
|
1308
|
|
- cli_dbgmsg("Broken PE file - Section %d starts beyond the end of file (Offset@ %lu, Total filesize %lu)\n", i, (unsigned long)exe_sections[i].raw, (unsigned long)fsize);
|
1309
|
|
- cli_dbgmsg("------------------------------------\n");
|
1310
|
|
- free(section_hdr);
|
1311
|
|
- free(exe_sections);
|
1312
|
|
- if(DETECT_BROKEN_PE) {
|
1313
|
|
- cli_append_virus(ctx, "Heuristics.Broken.Executable");
|
1314
|
|
- return CL_VIRUS;
|
1315
|
|
- }
|
1316
|
|
- return CL_CLEAN; /* no ninjas to see here! move along! */
|
1317
|
|
- }
|
1318
|
|
-
|
1319
|
1307
|
if(SCAN_ALGO && (DCONF & PE_CONF_POLIPOS) && !*sname && exe_sections[i].vsz > 40000 && exe_sections[i].vsz < 70000 && exe_sections[i].chr == 0xe0000060) polipos = i;
|
1320
|
1308
|
|
1321
|
1309
|
/* check hash section sigs */
|