open-dsi
/
clamav
mirror of https://github.com/Cisco-Talos/clamav
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ClamAV is an open source (GPLv2) anti-virus toolkit.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10307 Commits
40 Branches
228 Tags
220 MiB
Tag: Branch: Tree: c637de532b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c637de532b'
${ noResults }
clamav/libclamav/pe.h

105 lines
4.4 KiB
Raw Normal View History Unescape

add PE dumper git-svn: trunk@556
21 years ago
/*
Update copyright dates for 2020
5 years ago
* Copyright (C) 2013-2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Updating and cleaning up copyright notices.
6 years ago
* Copyright (C) 2007-2013 Sourcefire, Inc.
add PE dumper git-svn: trunk@556
21 years ago
*
Add support for cert blacklisting and whitelisting upfront Instead of checking the Authenticode header as an FP prevention mechanism, we now check it in the beginning if it exists. Also, we can now do actual blacklisting with .crb rules (previously, a blacklist rule just let you override a whitelist rule).
6 years ago
* Authors: Alberto Wu, Tomasz Kojm, Andrew Williams
Update to clamav-devel to synchronize with the clamav-bytecode-compiler project.
6 years ago
*
* Acknowledgements: The header structures were based upon a PE format
Eliminating AUTHORS file, and moving acknowledgements for various source code contributions to the file comment blocks for the individual files, as appropriate.
7 years ago
* analysis by B. Luevelsmeyer.
libclamav: pe: integrate Petite unpacker from aCaB (not yet activated) git-svn: trunk@715
21 years ago
*
add PE dumper git-svn: trunk@556
21 years ago
* This program is free software; you can redistribute it and/or modify
update copyrights and stick more files to GPLv2; move and add more credits to the AUTHORS file; add COPYING.BSD git-svn: trunk@3749
17 years ago
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
add PE dumper git-svn: trunk@556
21 years ago
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
update GPL headers with new address for FSF git-svn: trunk@1901
19 years ago
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
add PE dumper git-svn: trunk@556
21 years ago
*/
#ifndef __PE_H
#define __PE_H
#include "clamav.h"
simplify internal function declarations by passing a context structure git-svn: trunk@1845
20 years ago
#include "others.h"
scanners to fmap - hackish peheader to fmap lacks review + elf + macho
16 years ago
#include "fmap.h"
change bytecode format to allow structs with more than 16 fields.
16 years ago
#include "bcfeatures.h"
PE parsing code improvements, db loading bug fixes Consolidate the PE parsing code into one function. I tried to preserve all existing functionality from the previous, distinct implementations to a large extent (with the exceptions mentioned below). If I noticed potential bugs/improvements, I added a TODO statement about those so that they can be fixed in a smaller commit later. Also, there are more TODOs in places where I'm not entirely sure why certain actions are performed - more research is needed for these. I'm submitting a pull request now so that regression testing can be done, and because merging what I have thus far now will likely have fewer conflicts than if I try to merge later PE parsing code improvements: - PEs without all 16 data directories are parsed more appropriately now - Added lots more debug statements Also: - Allow MAX_BC and MAX_TRACKED_PCRE to be specified via CFLAGS When doing performance testing with the latest CVD, MAX_BC and MAX_TRACKED_PCRE need to be raised to track all the events. Allow these to be specified via CFLAGS by not redefining them if they are already defined - Fix an issue preventing wildcard sizes in .MDB/.MSB rules I'm not sure what the original intent of the check I removed was, but it prevents using wildcard sizes in .MDB/.MSB rules. AFAICT these wildcard sizes should be handled appropriately by the MD5 section hash computation code, so I don't think a check on that is needed. - Fix several issues related to db loading - .imp files will now get loaded if they exist in a directory passed via clamscan's '-d' flag - .pwdb files will now get loaded if they exist in a directory passed via clamscan's '-d' flag even when compiling without yara support - Changes to .imp, .ign, and .ign2 files will now be reflected in calls to cl_statinidir and cl_statchkdir (and also .pwdb files, even when compiling without yara support) - The contents of .sfp files won't be included in some of the signature counts, and the contents of .cud files will be - Any local.gdb files will no longer be loaded twice - For .imp files, you are no longer required to specify a minimum flevel for wildcard rules, since this isn't needed
6 years ago
#include "pe_structs.h"
#include "execs.h"
Update PE parsing code related to Authenticode verification The following changes were made - The code to calculate the authenticode hash was not properly accounting for the case where a PE had sections that either overlapped with each other or overlapped with the PE header. One common case for this is UPX-packed binaries, where the first section with data on disk starts at offset 0x400, which overlaps with the specified PE header by 0xC00 bytes. - The code didn't wrap accesses to fields in the Security DataDirectory with EC32(), so it seems likely that authenticode parsing always encountered issues on big endian systems. I think I fixed all of the accesses in cli_checkfp_pe, but there might still be issues here. I'll test this further. - We parse the authenticode data header to better ensure that it's PCKS7 we are trying to parse, and not one of the other types - cli_checkfp_pe should now finish faster in the case where there is no authenticode data and we don't want to compute the section hashes. - Fixed a potential memory leak in one cli_checkfp_pe failure case
7 years ago
Sync headers with bytecode compiler.
15 years ago
/** Data for the bytecode PE hook
Update to clamav-devel to synchronize with the clamav-bytecode-compiler project.
6 years ago
* \group_pe
PE parsing code improvements, db loading bug fixes Consolidate the PE parsing code into one function. I tried to preserve all existing functionality from the previous, distinct implementations to a large extent (with the exceptions mentioned below). If I noticed potential bugs/improvements, I added a TODO statement about those so that they can be fixed in a smaller commit later. Also, there are more TODOs in places where I'm not entirely sure why certain actions are performed - more research is needed for these. I'm submitting a pull request now so that regression testing can be done, and because merging what I have thus far now will likely have fewer conflicts than if I try to merge later PE parsing code improvements: - PEs without all 16 data directories are parsed more appropriately now - Added lots more debug statements Also: - Allow MAX_BC and MAX_TRACKED_PCRE to be specified via CFLAGS When doing performance testing with the latest CVD, MAX_BC and MAX_TRACKED_PCRE need to be raised to track all the events. Allow these to be specified via CFLAGS by not redefining them if they are already defined - Fix an issue preventing wildcard sizes in .MDB/.MSB rules I'm not sure what the original intent of the check I removed was, but it prevents using wildcard sizes in .MDB/.MSB rules. AFAICT these wildcard sizes should be handled appropriately by the MD5 section hash computation code, so I don't think a check on that is needed. - Fix several issues related to db loading - .imp files will now get loaded if they exist in a directory passed via clamscan's '-d' flag - .pwdb files will now get loaded if they exist in a directory passed via clamscan's '-d' flag even when compiling without yara support - Changes to .imp, .ign, and .ign2 files will now be reflected in calls to cl_statinidir and cl_statchkdir (and also .pwdb files, even when compiling without yara support) - The contents of .sfp files won't be included in some of the signature counts, and the contents of .cud files will be - Any local.gdb files will no longer be loaded twice - For .imp files, you are no longer required to specify a minimum flevel for wildcard rules, since this isn't needed
6 years ago
*
* NOTE: This structure must stay in-sync with the ones defined within the
* clamav-bytecode-compiler source at:
* - clang/lib/Headers/bytecode_pe.h
* - llvm/tools/clang/lib/Headers/bytecode_pe.h
* We allocate space for this, populate the values via cli_peheader, and pass
* it to the bytecode sig runtime for use.
*
* TODO Next time we are making changes to the clamav-bytecode-compiler
* source, update pe_image_optional_hdr32 and pe_image_optional_hdr64 to
* remove DataDirectory from both (like with the definitions here). Then,
* remove opt32_dirs and opt64_dirs below. There's no need to have these
* bytes in 3 places! Also, consider using a union to hold opt32 and opt64,
* since you never need more than one at a time.
*/
Add generic and PE hooks.
16 years ago
struct cli_pe_hook_data {
clang-format'd using new .clang-format rules.
7 years ago
uint32_t offset;
uint32_t ep; /**< EntryPoint as file offset */
uint16_t nsections; /**< Number of sections */
uint16_t dummy; /* align */
struct pe_image_file_hdr file_hdr; /**< Header for this PE file */
struct pe_image_optional_hdr32 opt32; /**< 32-bit PE optional header */
PE parsing code improvements, db loading bug fixes Consolidate the PE parsing code into one function. I tried to preserve all existing functionality from the previous, distinct implementations to a large extent (with the exceptions mentioned below). If I noticed potential bugs/improvements, I added a TODO statement about those so that they can be fixed in a smaller commit later. Also, there are more TODOs in places where I'm not entirely sure why certain actions are performed - more research is needed for these. I'm submitting a pull request now so that regression testing can be done, and because merging what I have thus far now will likely have fewer conflicts than if I try to merge later PE parsing code improvements: - PEs without all 16 data directories are parsed more appropriately now - Added lots more debug statements Also: - Allow MAX_BC and MAX_TRACKED_PCRE to be specified via CFLAGS When doing performance testing with the latest CVD, MAX_BC and MAX_TRACKED_PCRE need to be raised to track all the events. Allow these to be specified via CFLAGS by not redefining them if they are already defined - Fix an issue preventing wildcard sizes in .MDB/.MSB rules I'm not sure what the original intent of the check I removed was, but it prevents using wildcard sizes in .MDB/.MSB rules. AFAICT these wildcard sizes should be handled appropriately by the MD5 section hash computation code, so I don't think a check on that is needed. - Fix several issues related to db loading - .imp files will now get loaded if they exist in a directory passed via clamscan's '-d' flag - .pwdb files will now get loaded if they exist in a directory passed via clamscan's '-d' flag even when compiling without yara support - Changes to .imp, .ign, and .ign2 files will now be reflected in calls to cl_statinidir and cl_statchkdir (and also .pwdb files, even when compiling without yara support) - The contents of .sfp files won't be included in some of the signature counts, and the contents of .cud files will be - Any local.gdb files will no longer be loaded twice - For .imp files, you are no longer required to specify a minimum flevel for wildcard rules, since this isn't needed
6 years ago
/** Our opt32 no longer includes DataDirectory[16], but the one in the
Update to clamav-devel to synchronize with the clamav-bytecode-compiler project.
6 years ago
* bytecode compiler source still does. Add this here as a placeholder (and
* it gets used, so we need to populate it also */
PE parsing code improvements, db loading bug fixes Consolidate the PE parsing code into one function. I tried to preserve all existing functionality from the previous, distinct implementations to a large extent (with the exceptions mentioned below). If I noticed potential bugs/improvements, I added a TODO statement about those so that they can be fixed in a smaller commit later. Also, there are more TODOs in places where I'm not entirely sure why certain actions are performed - more research is needed for these. I'm submitting a pull request now so that regression testing can be done, and because merging what I have thus far now will likely have fewer conflicts than if I try to merge later PE parsing code improvements: - PEs without all 16 data directories are parsed more appropriately now - Added lots more debug statements Also: - Allow MAX_BC and MAX_TRACKED_PCRE to be specified via CFLAGS When doing performance testing with the latest CVD, MAX_BC and MAX_TRACKED_PCRE need to be raised to track all the events. Allow these to be specified via CFLAGS by not redefining them if they are already defined - Fix an issue preventing wildcard sizes in .MDB/.MSB rules I'm not sure what the original intent of the check I removed was, but it prevents using wildcard sizes in .MDB/.MSB rules. AFAICT these wildcard sizes should be handled appropriately by the MD5 section hash computation code, so I don't think a check on that is needed. - Fix several issues related to db loading - .imp files will now get loaded if they exist in a directory passed via clamscan's '-d' flag - .pwdb files will now get loaded if they exist in a directory passed via clamscan's '-d' flag even when compiling without yara support - Changes to .imp, .ign, and .ign2 files will now be reflected in calls to cl_statinidir and cl_statchkdir (and also .pwdb files, even when compiling without yara support) - The contents of .sfp files won't be included in some of the signature counts, and the contents of .cud files will be - Any local.gdb files will no longer be loaded twice - For .imp files, you are no longer required to specify a minimum flevel for wildcard rules, since this isn't needed
6 years ago
struct pe_image_data_dir opt32_dirs[16];
uint32_t dummy2; /* align */
struct pe_image_optional_hdr64 opt64; /**< 64-bit PE optional header */
struct pe_image_data_dir opt64_dirs[16]; /** See note about opt32_dirs */
struct pe_image_data_dir dirs[16]; /**< PE data directory header */
uint32_t e_lfanew; /**< address of new exe header */
uint32_t overlays; /**< number of overlays */
int32_t overlays_sz; /**< size of overlays */
uint32_t hdr_size; /**< internally needed by rawaddr */
Add generic and PE hooks.
16 years ago
};
use cached metadata in icon parser, add icon unit tests
15 years ago
int cli_scanpe(cli_ctx *ctx);
add PE dumper git-svn: trunk@556
21 years ago
sigtool: properly generates and reports pe section hashes (mdb)
9 years ago
enum {
CL_GENHASH_PE_CLASS_SECTION,
CL_GENHASH_PE_CLASS_IMPTBL,
/* place new class types above this line */
CL_GENHASH_PE_CLASS_LAST
};
PE parsing code improvements, db loading bug fixes Consolidate the PE parsing code into one function. I tried to preserve all existing functionality from the previous, distinct implementations to a large extent (with the exceptions mentioned below). If I noticed potential bugs/improvements, I added a TODO statement about those so that they can be fixed in a smaller commit later. Also, there are more TODOs in places where I'm not entirely sure why certain actions are performed - more research is needed for these. I'm submitting a pull request now so that regression testing can be done, and because merging what I have thus far now will likely have fewer conflicts than if I try to merge later PE parsing code improvements: - PEs without all 16 data directories are parsed more appropriately now - Added lots more debug statements Also: - Allow MAX_BC and MAX_TRACKED_PCRE to be specified via CFLAGS When doing performance testing with the latest CVD, MAX_BC and MAX_TRACKED_PCRE need to be raised to track all the events. Allow these to be specified via CFLAGS by not redefining them if they are already defined - Fix an issue preventing wildcard sizes in .MDB/.MSB rules I'm not sure what the original intent of the check I removed was, but it prevents using wildcard sizes in .MDB/.MSB rules. AFAICT these wildcard sizes should be handled appropriately by the MD5 section hash computation code, so I don't think a check on that is needed. - Fix several issues related to db loading - .imp files will now get loaded if they exist in a directory passed via clamscan's '-d' flag - .pwdb files will now get loaded if they exist in a directory passed via clamscan's '-d' flag even when compiling without yara support - Changes to .imp, .ign, and .ign2 files will now be reflected in calls to cl_statinidir and cl_statchkdir (and also .pwdb files, even when compiling without yara support) - The contents of .sfp files won't be included in some of the signature counts, and the contents of .cud files will be - Any local.gdb files will no longer be loaded twice - For .imp files, you are no longer required to specify a minimum flevel for wildcard rules, since this isn't needed
6 years ago
// For info about these, see the cli_peheader definition in pe.c
#define CLI_PEHEADER_OPT_NONE 0x0
#define CLI_PEHEADER_OPT_COLLECT_JSON 0x1
#define CLI_PEHEADER_OPT_DBG_PRINT_INFO 0x2
#define CLI_PEHEADER_OPT_EXTRACT_VINFO 0x4
#define CLI_PEHEADER_OPT_STRICT_ON_PE_ERRORS 0x8
Add option to not remove missing sections (PE) This addresses a regression with sample 848092559: LDB sig (Win.Virus.Virut-5898123-1) that uses 'NumberOfSections:3-3' started matching on a PE that has 4 sections, but one is totally outside of the file and gets removed. Previously, two of the ClamAV PE header parsing implementations handled this case differently, and the NDB/LDB matching code would be told there were 4 sections while the bytecode and unpacking code would only see 3 sections. When consolidating the PE header parsing code, I made it so that the section always gets removed. For now we just replicate the original behavior by providing a new flag to the PE header parsing code. We should re-evaluate the effects that this has later, once we have better tests for the bytecode API and we have test samples for each of the hardcoded detection cases in cli_scanpe. Also, fixes some memory leaks based on the changes in my last commit x_x
6 years ago
#define CLI_PEHEADER_OPT_REMOVE_MISSING_SECTIONS 0x10
PE parsing code improvements, db loading bug fixes Consolidate the PE parsing code into one function. I tried to preserve all existing functionality from the previous, distinct implementations to a large extent (with the exceptions mentioned below). If I noticed potential bugs/improvements, I added a TODO statement about those so that they can be fixed in a smaller commit later. Also, there are more TODOs in places where I'm not entirely sure why certain actions are performed - more research is needed for these. I'm submitting a pull request now so that regression testing can be done, and because merging what I have thus far now will likely have fewer conflicts than if I try to merge later PE parsing code improvements: - PEs without all 16 data directories are parsed more appropriately now - Added lots more debug statements Also: - Allow MAX_BC and MAX_TRACKED_PCRE to be specified via CFLAGS When doing performance testing with the latest CVD, MAX_BC and MAX_TRACKED_PCRE need to be raised to track all the events. Allow these to be specified via CFLAGS by not redefining them if they are already defined - Fix an issue preventing wildcard sizes in .MDB/.MSB rules I'm not sure what the original intent of the check I removed was, but it prevents using wildcard sizes in .MDB/.MSB rules. AFAICT these wildcard sizes should be handled appropriately by the MD5 section hash computation code, so I don't think a check on that is needed. - Fix several issues related to db loading - .imp files will now get loaded if they exist in a directory passed via clamscan's '-d' flag - .pwdb files will now get loaded if they exist in a directory passed via clamscan's '-d' flag even when compiling without yara support - Changes to .imp, .ign, and .ign2 files will now be reflected in calls to cl_statinidir and cl_statchkdir (and also .pwdb files, even when compiling without yara support) - The contents of .sfp files won't be included in some of the signature counts, and the contents of .cud files will be - Any local.gdb files will no longer be loaded twice - For .imp files, you are no longer required to specify a minimum flevel for wildcard rules, since this isn't needed
6 years ago
#define CLI_PEHEADER_RET_SUCCESS 0
#define CLI_PEHEADER_RET_GENERIC_ERROR -1
#define CLI_PEHEADER_RET_BROKEN_PE -2
#define CLI_PEHEADER_RET_JSON_TIMEOUT -3
int cli_pe_targetinfo(fmap_t *map, struct cli_exe_info *peinfo);
int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo, uint32_t opts, cli_ctx *ctx);
Multiple blacklist sigs can now match with allmatch Also, move the cert-related DCONF cfg checks to more appropriate locations. One change in behavior: PE_CONF_CATALOG will disable loading trusted hashes from .cat files, but won't disable Authenticode hash checking completely (PE_CONF_CERTS does this).
6 years ago
cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo);
Use genhash_pe instead of checkfp_pe for section hash computation cli_checkfp_pe is now effectively the function that just checks the Authenticode hash. This makes the code less complicated, and adds some minor improvements: - section hashes are no longer computed if there is no stats callback function (at least in that part of the code) - We now actually set the len field in the stats_section_t structure - If an error occurs when computing a section hash, we skip that section instead of not computing any hashes
6 years ago
int cli_genhash_pe(cli_ctx *ctx, unsigned int class, int type, stats_section_t *hashes);
include new function cli_peheader(); fix crash when bm_shift is not initialised git-svn: trunk@804
21 years ago
distcheck
16 years ago
uint32_t cli_rawaddr(uint32_t, const struct cli_exe_section *, uint16_t, unsigned int *, size_t, uint32_t);
PE parsing code improvements, db loading bug fixes Consolidate the PE parsing code into one function. I tried to preserve all existing functionality from the previous, distinct implementations to a large extent (with the exceptions mentioned below). If I noticed potential bugs/improvements, I added a TODO statement about those so that they can be fixed in a smaller commit later. Also, there are more TODOs in places where I'm not entirely sure why certain actions are performed - more research is needed for these. I'm submitting a pull request now so that regression testing can be done, and because merging what I have thus far now will likely have fewer conflicts than if I try to merge later PE parsing code improvements: - PEs without all 16 data directories are parsed more appropriately now - Added lots more debug statements Also: - Allow MAX_BC and MAX_TRACKED_PCRE to be specified via CFLAGS When doing performance testing with the latest CVD, MAX_BC and MAX_TRACKED_PCRE need to be raised to track all the events. Allow these to be specified via CFLAGS by not redefining them if they are already defined - Fix an issue preventing wildcard sizes in .MDB/.MSB rules I'm not sure what the original intent of the check I removed was, but it prevents using wildcard sizes in .MDB/.MSB rules. AFAICT these wildcard sizes should be handled appropriately by the MD5 section hash computation code, so I don't think a check on that is needed. - Fix several issues related to db loading - .imp files will now get loaded if they exist in a directory passed via clamscan's '-d' flag - .pwdb files will now get loaded if they exist in a directory passed via clamscan's '-d' flag even when compiling without yara support - Changes to .imp, .ign, and .ign2 files will now be reflected in calls to cl_statinidir and cl_statchkdir (and also .pwdb files, even when compiling without yara support) - The contents of .sfp files won't be included in some of the signature counts, and the contents of .cud files will be - Any local.gdb files will no longer be loaded twice - For .imp files, you are no longer required to specify a minimum flevel for wildcard rules, since this isn't needed
6 years ago
void findres(uint32_t, uint32_t, fmap_t *map, struct cli_exe_info *, int (*)(void *, uint32_t, uint32_t, uint32_t, uint32_t), void *);
resource parser and icon collector
16 years ago
add PE dumper git-svn: trunk@556
21 years ago
#endif