/* * Copyright (C) 2007-2008 Sourcefire, Inc. * * Authors: Tomasz Kojm * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA. */ #if HAVE_CONFIG_H #include "clamav-config.h" #endif #include #include #include #include #ifdef HAVE_UNISTD_H #include #endif #include "clamav.h" #include "filetypes.h" #include "others.h" #include "readdb.h" #include "matcher-ac.h" #include "str.h" #include "textdet.h" #include "default.h" #include "htmlnorm.h" #include "entconv.h" #include "mpool.h" static const struct ftmap_s { const char *name; cli_file_t code; } ftmap[] = { { "CL_TYPE_TEXT_ASCII", CL_TYPE_TEXT_ASCII }, { "CL_TYPE_TEXT_UTF8", CL_TYPE_TEXT_UTF8 }, { "CL_TYPE_TEXT_UTF16LE", CL_TYPE_TEXT_UTF16LE }, { "CL_TYPE_TEXT_UTF16BE", CL_TYPE_TEXT_UTF16BE }, { "CL_TYPE_BINARY_DATA", CL_TYPE_BINARY_DATA }, { "CL_TYPE_IGNORED", CL_TYPE_IGNORED }, { "CL_TYPE_ANY", CL_TYPE_ANY }, { "CL_TYPE_MSEXE", CL_TYPE_MSEXE }, { "CL_TYPE_ELF", CL_TYPE_ELF }, { "CL_TYPE_MACHO", CL_TYPE_MACHO }, { "CL_TYPE_MACHO_UNIBIN", CL_TYPE_MACHO_UNIBIN }, { "CL_TYPE_POSIX_TAR", CL_TYPE_POSIX_TAR }, { "CL_TYPE_OLD_TAR", CL_TYPE_OLD_TAR }, { "CL_TYPE_CPIO_OLD", CL_TYPE_CPIO_OLD }, { "CL_TYPE_CPIO_ODC", CL_TYPE_CPIO_ODC }, { "CL_TYPE_CPIO_NEWC", CL_TYPE_CPIO_NEWC }, { "CL_TYPE_CPIO_CRC", CL_TYPE_CPIO_CRC }, { "CL_TYPE_GZ", CL_TYPE_GZ }, { "CL_TYPE_ZIP", CL_TYPE_ZIP }, { "CL_TYPE_BZ", CL_TYPE_BZ }, { "CL_TYPE_RAR", CL_TYPE_RAR }, { "CL_TYPE_ARJ", CL_TYPE_ARJ }, { "CL_TYPE_MSSZDD", CL_TYPE_MSSZDD }, { "CL_TYPE_MSOLE2", CL_TYPE_MSOLE2 }, { "CL_TYPE_MSCAB", CL_TYPE_MSCAB }, { "CL_TYPE_MSCHM", CL_TYPE_MSCHM }, { "CL_TYPE_SIS", CL_TYPE_SIS }, { "CL_TYPE_SCRENC", CL_TYPE_SCRENC }, { "CL_TYPE_GRAPHICS", CL_TYPE_GRAPHICS }, { "CL_TYPE_RIFF", CL_TYPE_RIFF }, { "CL_TYPE_BINHEX", CL_TYPE_BINHEX }, { "CL_TYPE_TNEF", CL_TYPE_TNEF }, { "CL_TYPE_CRYPTFF", CL_TYPE_CRYPTFF }, { "CL_TYPE_PDF", CL_TYPE_PDF }, { "CL_TYPE_UUENCODED", CL_TYPE_UUENCODED }, { "CL_TYPE_HTML_UTF16", CL_TYPE_HTML_UTF16 }, { "CL_TYPE_SCRIPT", CL_TYPE_SCRIPT }, { "CL_TYPE_RTF", CL_TYPE_RTF }, { "CL_TYPE_HTML", CL_TYPE_HTML }, { "CL_TYPE_MAIL", CL_TYPE_MAIL }, { "CL_TYPE_SFX", CL_TYPE_SFX }, { "CL_TYPE_ZIPSFX", CL_TYPE_ZIPSFX }, { "CL_TYPE_RARSFX", CL_TYPE_RARSFX }, { "CL_TYPE_CABSFX", CL_TYPE_CABSFX }, { "CL_TYPE_ARJSFX", CL_TYPE_ARJSFX }, { "CL_TYPE_NULSFT", CL_TYPE_NULSFT }, { "CL_TYPE_AUTOIT", CL_TYPE_AUTOIT }, { "CL_TYPE_ISHIELD_MSI", CL_TYPE_ISHIELD_MSI }, { "CL_TYPE_7Z", CL_TYPE_7Z }, { NULL, CL_TYPE_IGNORED } }; cli_file_t cli_ftcode(const char *name) { unsigned int i; for(i = 0; ftmap[i].name; i++) if(!strcmp(ftmap[i].name, name)) return ftmap[i].code; return CL_TYPE_ERROR; } void cli_ftfree(const struct cl_engine *engine) { struct cli_ftype *ftypes=engine->ftypes, *pt; while(ftypes) { pt = ftypes; ftypes = ftypes->next; mpool_free(engine->mempool, pt->magic); mpool_free(engine->mempool, pt->tname); mpool_free(engine->mempool, pt); } } cli_file_t cli_filetype(const unsigned char *buf, size_t buflen, const struct cl_engine *engine) { struct cli_ftype *ftype = engine->ftypes; while(ftype) { if(ftype->offset + ftype->length <= buflen) { if(!memcmp(buf + ftype->offset, ftype->magic, ftype->length)) { cli_dbgmsg("Recognized %s file\n", ftype->tname); return ftype->type; } } ftype = ftype->next; } return cli_texttype(buf, buflen); } int is_tar(unsigned char *buf, unsigned int nbytes); cli_file_t cli_filetype2(fmap_t *map, const struct cl_engine *engine) { unsigned char *buff, *decoded; int bread = MIN(map->len, MAGIC_BUFFER_SIZE), sret; cli_file_t ret = CL_TYPE_BINARY_DATA; struct cli_matcher *root; struct cli_ac_data mdata; if(!engine) { cli_errmsg("cli_filetype2: engine == NULL\n"); return CL_TYPE_ERROR; } buff = fmap_need_off_once(map, 0, bread); if(!buff) return CL_TYPE_ERROR; ret = cli_filetype(buff, bread, engine); if(ret == CL_TYPE_BINARY_DATA) { switch(is_tar(buff, bread)) { case 1: cli_dbgmsg("Recognized old fashioned tar file\n"); return CL_TYPE_OLD_TAR; case 2: cli_dbgmsg("Recognized POSIX tar file\n"); return CL_TYPE_POSIX_TAR; } } if(ret >= CL_TYPE_TEXT_ASCII && ret <= CL_TYPE_BINARY_DATA) { /* HTML files may contain special characters and could be * misidentified as BINARY_DATA by cli_filetype() */ root = engine->root[0]; if(!root) return ret; if(cli_ac_initdata(&mdata, root->ac_partsigs, root->ac_lsigs, root->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) return ret; sret = cli_ac_scanbuff(buff, bread, NULL, NULL, NULL, engine->root[0], &mdata, 0, ret, NULL, AC_SCAN_FT, NULL); cli_ac_freedata(&mdata); if(sret >= CL_TYPENO) { ret = sret; } else { if(cli_ac_initdata(&mdata, root->ac_partsigs, root->ac_lsigs, root->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) return ret; decoded = (unsigned char *) cli_utf16toascii((char *) buff, bread); if(decoded) { sret = cli_ac_scanbuff(decoded, bread / 2, NULL, NULL, NULL, engine->root[0], &mdata, 0, CL_TYPE_TEXT_ASCII, NULL, AC_SCAN_FT, NULL); free(decoded); if(sret == CL_TYPE_HTML) ret = CL_TYPE_HTML_UTF16; } cli_ac_freedata(&mdata); if((((struct cli_dconf*) engine->dconf)->phishing & PHISHING_CONF_ENTCONV) && ret != CL_TYPE_HTML_UTF16) { const char* encoding; /* check if we can autodetect this encoding. * If we can't don't try to detect HTML sig, since * we just tried that above, and failed */ if((encoding = encoding_detect_bom(buff, bread))) { unsigned char decodedbuff[(MAGIC_BUFFER_SIZE+1)*2]; m_area_t in_area, out_area; in_area.buffer = (unsigned char *) buff; in_area.length = bread; in_area.offset = 0; out_area.buffer = decodedbuff; out_area.length = sizeof(decodedbuff); out_area.offset = 0; /* in htmlnorm we simply skip over \0 chars, and that allows to parse HTML in any unicode * (multibyte characters will not be exactly handled, but that is not a problem). * However when detecting whether a file is HTML or not, we need exact conversion. * (just eliminating zeros and matching would introduce false positives */ if(encoding_normalize_toascii(&in_area, encoding, &out_area) >= 0 && out_area.length > 0) { if(cli_ac_initdata(&mdata, root->ac_partsigs, root->ac_lsigs, root->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) return ret; if(out_area.length > 0) { sret = cli_ac_scanbuff(decodedbuff, out_area.length, NULL, NULL, NULL, engine->root[0], &mdata, 0, 0, NULL, AC_SCAN_FT, NULL); /* FIXME: can we use CL_TYPE_TEXT_ASCII instead of 0? */ if(sret == CL_TYPE_HTML) { cli_dbgmsg("cli_filetype2: detected HTML signature in Unicode file\n"); /* htmlnorm is able to handle any unicode now, since it skips null chars */ ret = CL_TYPE_HTML; } } cli_ac_freedata(&mdata); } } } } } return ret; }