| Date | Commit | Message | Author |
|---|---|---|---|
| September 17, 2018 | 9dcc0f7 | Integrated new PE file unpacking capabilities for versions of Aspack up to 2.42, courtesy of Emmanuel Tacheau. | Micah Snyder (micasnyd) authored on 2018/09/17 22:58:33 |
| September 9, 2018 | 20e3cfc | bb12170: Added pointer arithmetic guards to PE MEW unpacking code. | Micah Snyder authored on 2018/09/09 23:00:12 |
| September 5, 2018 | 6c8ca96 | Fix actual authenticode hash computation for header overlap case. I'm really not sure why my testing earlier didn't catch that the computed hash was not correct, but this seems to fix it in the UPX case. | Andrew authored on 2018/09/05 00:28:20 |
| September 2, 2018 | c714559 | Add support for MD5 and SHA256 hash-based validation of the exe code. Also refactors the code a bit to consolidate some duplicate functionality. | Andrew authored on 2018/09/02 12:29:45 |
| August 31, 2018 | 50873c8 | Replace tabs with spaces in pe.c and crtmgr.c, move debug message. | Andrew authored on 2018/08/31 04:17:37 |
| August 29, 2018 | 5130fdd | Allow signature whitelisting for binaries that violate MS13-098. | Andrew authored on 2018/08/29 04:43:30 |
| August 29, 2018 | e1a08b6 | Fix authenticode hash computation regression (must hash data not contained in a section). | Andrew authored on 2018/08/29 02:25:28 |
| August 28, 2018 | 18a813a | Update PE parsing code related to Authenticode verification. The following changes were made: - The code to calculate the authenticode hash was not properly accounting for the case where a PE had sections that either overlapped with each other or overlapped with the PE header. One common case for this is UPX-packed binaries, where the first section with data on disk starts at offset 0x400, which overlaps with the specified PE header by 0xC00 bytes. - The code didn't wrap accesses to fields in the Security DataDirectory with EC32(), so it seems likely that authenticode parsing always encountered issues on big endian systems. I think I fixed all of the accesses in cli_checkfp_pe, but there might still be issues here. I'll test this further. - We parse the authenticode data header to better ensure that it's PKCS7 we are trying to parse, and not one of the other types. - cli_checkfp_pe should now finish faster in the case where there is no authenticode data and we don't want to compute the section hashes. - Fixed a potential memory leak in one cli_checkfp_pe failure case. | Andrew authored on 2018/08/28 11:53:23 |
| July 31, 2018 | d39cb65 | Updating libclamunrar from legacy C implementation to modern unrar 5.6.5. API changes and supporting changes included to pass the filepath of the scanned file into libclamav through the cli_ctx structure, required by the unrar library to open archives. The filename argument may be optional for the scandesc scanning variant, but libclamav will make a best effort to identify the filename from the file descriptor if it was not provided. In addition, included the ability to prefix temp file and directory names with file basenames. | Micah Snyder authored on 2018/07/31 09:19:28 |
| July 21, 2018 | d7979d4 | Restructured scan options flags from a single bitflag field to a structure containing multiple bitflag fields. This also required adding a new function to the bytecode API to get scan options a la carte, and modifying the existing function to hand back scan options in the old/deprecated uint32_t bitflag format. Re-generated bytecode iface header files. | Micah Snyder authored on 2018/07/21 11:28:48 |
| March 6, 2018 | 6289eda | Eliminating AUTHORS file, and moving acknowledgements for various source code contributions to the file comment blocks for the individual files, as appropriate. | Micah Snyder authored on 2018/03/06 06:34:35 |
| February 22, 2018 | 7cd9337 | Spelling Adjustments (#30) | Josh Soref authored on 2018/02/22 05:00:59 |
| August 25, 2017 | 5ce31ac | bb11904 - ensuring md5 hashset string is initialized before use | Mickey Sola authored on 2017/08/25 06:23:38 |
| August 16, 2017 | 4cd97da | Eliminating warnings, mostly with regards to signed vs unsigned comparisons, some of which could have been functional bugs if negative values were used (for offsets, etc). Cleaned up a couple of macros and cleaned up some ifdefs. | Micah Snyder authored on 2017/08/16 05:50:01 |
| April 29, 2017 | 1c6bead | Tolerate different LZMA parameters in UPX compression | Jonas Zaddach authored on 2017/04/29 00:59:23 |