moved old example bytecodes to examples/fileprop_analysis/old/remotes/push_mirror/klin/msxml
parent
514dfa1e96
commit
0945e3c5f1
Binary file not shown.
@ -1,34 +1,51 @@ |
||||
VIRUSNAME_PREFIX("SUBMIT.NotPDF") |
||||
VIRUSNAMES("InActive", "Submit") |
||||
|
||||
/* Target type is 13, internal JSON properties */ |
||||
TARGET(13) |
||||
/* Target type is 0, all relevant files */ |
||||
TARGET(0) |
||||
|
||||
/* Declares to run bytecode only for preclassification (affecting only preclass files) */ |
||||
PRECLASS_HOOK_DECLARE |
||||
|
||||
/* JSON API call will require FUNC_LEVEL_098_5 = 78 */ |
||||
FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_5) |
||||
|
||||
SIGNATURES_DECL_BEGIN |
||||
DECLARE_SIGNATURE(sig1) |
||||
DECLARE_SIGNATURE(sig2) |
||||
SIGNATURES_DECL_END |
||||
|
||||
SIGNATURES_DEF_BEGIN |
||||
/* search @offset 0 : '{ "Magic": "CLAMJSON' */ |
||||
/* this can be readjusted for specific filetypes */ |
||||
DEFINE_SIGNATURE(sig1, "0:7b20224d61676963223a2022434c414d4a534f4e") |
||||
/* search '"RootFileType": "CL_TYPE_PDF"' */ |
||||
DEFINE_SIGNATURE(sig2, "22526f6f7446696c6554797065223a2022434c5f545950455f50444622") |
||||
SIGNATURES_END |
||||
|
||||
bool logical_trigger(void) |
||||
{ |
||||
return matches(Signatures.sig1) && !matches(Signatures.sig2); |
||||
} |
||||
/* PRECLASS_HOOK_DECLARE will require FUNC_LEVEL_098_7 = 80 */ |
||||
FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_7) |
||||
|
||||
#define STR_MAXLEN 256 |
||||
|
||||
int entrypoint () |
||||
{ |
||||
foundVirus("Submit"); |
||||
int32_t type, obj, strlen; |
||||
char str[STR_MAXLEN]; |
||||
|
||||
/* check is json is available, alerts on inactive (optional) */ |
||||
if (!json_is_active()) { |
||||
return -1; |
||||
} |
||||
|
||||
/* acquire array of internal contained objects */ |
||||
obj = json_get_object("FileType", 8, 0); |
||||
if (obj <= 0) return -1; |
||||
|
||||
/* acquire and check type */ |
||||
type = json_get_type(obj); |
||||
if (type == JSON_TYPE_STRING) { |
||||
/* acquire string length, note +1 is for the NULL terminator */ |
||||
strlen = json_get_string_length(obj)+1; |
||||
/* prevent buffer overflow */ |
||||
if (strlen > STR_MAXLEN) |
||||
strlen = STR_MAXLEN; |
||||
/* acquire string data, note strlen includes NULL terminator */ |
||||
if (json_get_string(str, strlen, obj)) { |
||||
/* debug print str (with '\n' and prepended message */ |
||||
debug_print_str(str,strlen); |
||||
|
||||
/* check the contained object's type */ |
||||
if (!(strlen == 12) || !memcmp(str, "CL_TYPE_PDF", 12)) { |
||||
foundVirus("Submit"); |
||||
} |
||||
} |
||||
} |
||||
|
||||
return 0; |
||||
} |
||||
|
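Review bot: The condition `if (!(strlen == 12) || !memcmp(str, "CL_TYPE_PDF", 12))` is inverted for a signature whose prefix is `SUBMIT.NotPDF`: `!memcmp(...)` is true exactly when the FileType string equals `CL_TYPE_PDF`, so the branch alerts on PDFs and on any string whose length is not 12, which is the opposite of the name. The unconditional `foundVirus("Submit");` at the top of `entrypoint` also fires before any JSON is examined, which makes everything after it moot; I would drop that early call and write `if (strlen != 12 || memcmp(str, "CL_TYPE_PDF", 12) != 0) {`. This render lost the +/- markers, so I am reading the second half of the section as the new side; either way the result should not carry two `FUNCTIONALITY_LEVEL_MIN` lines and both `TARGET(13)` and `TARGET(0)`, only one of each.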
Binary file not shown.
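--- /dev/null
+++ b/examples/fileprop_analysis/old/(unknown)
@@ -0,0 +1,84 @@
+VIRUSNAME_PREFIX("SUBMIT.contains")
+VIRUSNAMES("EmbedPE")
+
+/* Target type is 13, internal JSON properties */
+TARGET(13)
+
+/* JSON API call will require FUNC_LEVEL_098_5 = 78 */
+FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_5)
+
+SIGNATURES_DECL_BEGIN
+DECLARE_SIGNATURE(sig1)
+SIGNATURES_DECL_END
+
+SIGNATURES_DEF_BEGIN
+/* search @offset 0 : '{ "Magic": "CLAMJSON' */
+/* this can be readjusted for specific filetypes */
+DEFINE_SIGNATURE(sig1, "0:7b20224d61676963223a2022434c414d4a534f4e")
+SIGNATURES_END
+
+bool logical_trigger(void)
+{
+return matches(Signatures.sig1);
+}
+
+#define STR_MAXLEN 256
+
+int entrypoint ()
+{
+int i;
+int32_t type, obj, objarr, objit, arrlen, strlen;
+char str[STR_MAXLEN];
+
+/* check is json is available, alerts on inactive (optional) */
+if (!json_is_active()) {
+return -1;
+}
+
+/* acquire array of internal contained objects */
+objarr = json_get_object("ContainedObjects", 16, 0);
+type = json_get_type(objarr);
+/* debug print uint (no '\n' or prepended message */
+debug_print_uint(type);
+
+if (type != JSON_TYPE_ARRAY) {
+return -1;
+}
+
+/* check array length for iteration over elements */
+arrlen = json_get_array_length(objarr);
+for (i = 0; i < arrlen; ++i) {
+/* acquire json object @ idx i */
+objit = json_get_array_idx(i, objarr);
+if (objit <= 0) continue;
+
+/* acquire FileType object of the array element @ idx i */
+obj = json_get_object("FileType", 8, objit);
+if (obj <= 0) continue;
+
+/* acquire and check type */
+type = json_get_type(obj);
+if (type == JSON_TYPE_STRING) {
+/* acquire string length, note +1 is for the NULL terminator */
+strlen = json_get_string_length(obj)+1;
+/* prevent buffer overflow */
+if (strlen > STR_MAXLEN)
+strlen = STR_MAXLEN;
+/* acquire string data, note strlen includes NULL terminator */
+if (json_get_string(str, strlen, obj)) {
+/* debug print str (with '\n' and prepended message */
+debug_print_str(str,strlen);
+
+/* check the contained object's type */
+if (strlen == 14 && !memcmp(str, "CL_TYPE_MSEXE", 14)) {
+//if (!strcmp(str, strlen, "CL_TYPE_MSEXE", strlen)) {
+/* alert for submission */
+foundVirus("EmbedPE");
+return 0;
+}
+}
+}
+}
+
+return 0;
+}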
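Review bot: `objarr` returned by `json_get_object("ContainedObjects", 16, 0)` goes straight into `json_get_type` with no `objarr <= 0` check, whereas the sibling `SUBMIT.PE` bytecode in this commit guards the same lookup before using it; as written this relies on `json_get_type` tolerating an invalid id and returning something other than `JSON_TYPE_ARRAY`, which the code does not document. Add `if (objarr <= 0) return -1;` immediately after the lookup so the failure path is explicit. The commented-out `//if (!strcmp(str, strlen, "CL_TYPE_MSEXE", strlen)) {` line under the `memcmp` test is dead code and should be removed rather than archived.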
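--- /dev/null
+++ b/examples/fileprop_analysis/old/(unknown)
@@ -0,0 +1,104 @@
+VIRUSNAME_PREFIX("SUBMIT.filetype")
+VIRUSNAMES("CL_TYPE_MSWORD", "CL_TYPE_MSPPT", "CL_TYPE_MSXL",
+"CL_TYPE_OOXML_WORD", "CL_TYPE_OOXML_PPT", "CL_TYPE_OOXML_XL",
+"CL_TYPE_MSEXE", "CL_TYPE_PDF", "CL_TYPE_MSOLE2", "CL_TYPE_UNKNOWN", "InActive")
+
+/* Target type is 13, internal JSON properties */
+TARGET(13)
+
+/* JSON API call will require FUNC_LEVEL_098_5 = 78 */
+FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_5)
+
+SIGNATURES_DECL_BEGIN
+DECLARE_SIGNATURE(sig1)
+SIGNATURES_DECL_END
+
+SIGNATURES_DEF_BEGIN
+/* search @offset 0 : '{ "Magic": "CLAMJSON' */
+/* this can be readjusted for specific filetypes */
+DEFINE_SIGNATURE(sig1, "0:7b20224d61676963223a2022434c414d4a534f4e")
+SIGNATURES_END
+
+bool logical_trigger(void)
+{
+return matches(Signatures.sig1);
+}
+
+#define STR_MAXLEN 256
+
+int entrypoint ()
+{
+int32_t objid, type, strlen;
+char str[STR_MAXLEN];
+
+/* check is json is available, alerts on inactive (optional) */
+if (!json_is_active())
+foundVirus("InActive");
+
+/* acquire the filetype object */
+objid = json_get_object("FileType", 8, 0);
+if (objid <= 0) {
+debug_print_str("json object has no filetype!", 28);
+return 1;
+}
+type = json_get_type(objid);
+if (type != JSON_TYPE_STRING) {
+debug_print_str("json object filetype property is not string!", 44);
+return 1;
+}
+
+/* acquire string length, note +1 is for the NULL terminator */
+strlen = json_get_string_length(objid)+1;
+/* prevent buffer overflow */
+if (strlen > STR_MAXLEN)
+strlen = STR_MAXLEN;
+
+/* acquire string data, note strlen includes NULL terminator */
+if (json_get_string(str, strlen, objid)) {
+/* debug print str (with '\n' and prepended message */
+debug_print_str(str,strlen);
+
+/* check the contained object's filetype */
+if (strlen == 14 && !memcmp(str, "CL_TYPE_MSEXE", 14)) {
+foundVirus("CL_TYPE_MSEXE");
+return 0;
+}
+if (strlen == 12 && !memcmp(str, "CL_TYPE_PDF", 12)) {
+foundVirus("CL_TYPE_PDF");
+return 0;
+}
+if (strlen == 19 && !memcmp(str, "CL_TYPE_OOXML_WORD", 19)) {
+foundVirus("CL_TYPE_OOXML_WORD");
+return 0;
+}
+if (strlen == 18 && !memcmp(str, "CL_TYPE_OOXML_PPT", 18)) {
+foundVirus("CL_TYPE_OOXML_PPT");
+return 0;
+}
+if (strlen == 17 && !memcmp(str, "CL_TYPE_OOXML_XL", 17)) {
+foundVirus("CL_TYPE_OOXML_XL");
+return 0;
+}
+if (strlen == 15 && !memcmp(str, "CL_TYPE_MSWORD", 15)) {
+foundVirus("CL_TYPE_MSWORD");
+return 0;
+}
+if (strlen == 14 && !memcmp(str, "CL_TYPE_MSPPT", 14)) {
+foundVirus("CL_TYPE_MSPPT");
+return 0;
+}
+if (strlen == 13 && !memcmp(str, "CL_TYPE_MSXL", 13)) {
+foundVirus("CL_TYPE_MSXL");
+return 0;
+}
+if (strlen == 15 && !memcmp(str, "CL_TYPE_MSOLE2", 15)) {
+foundVirus("CL_TYPE_MSOLE2");
+return 0;
+}
+
+foundVirus("CL_TYPE_UNKNOWN");
+return 0;
+}
+
+return 0;
+}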
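Review bot: After `foundVirus("InActive")` the function does not return, so it goes on to call `json_get_object`, `json_get_type` and `json_get_string` against a JSON context it has just found to be inactive, while every other bytecode in this commit returns -1 at that point. If the intent is to let the `objid <= 0` check below absorb the failure, say so in the comment; otherwise add `return 0;` after the alert. The failure branches here `return 1` where the sibling files `return -1`, which is worth harmonising while the examples are being reorganised.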
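--- /dev/null
+++ b/examples/fileprop_analysis/old/(unknown)
@@ -0,0 +1,34 @@
+VIRUSNAME_PREFIX("SUBMIT.NotPDF")
+VIRUSNAMES("InActive", "Submit")
+
+/* Target type is 13, internal JSON properties */
+TARGET(13)
+
+/* JSON API call will require FUNC_LEVEL_098_5 = 78 */
+FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_5)
+
+SIGNATURES_DECL_BEGIN
+DECLARE_SIGNATURE(sig1)
+DECLARE_SIGNATURE(sig2)
+SIGNATURES_DECL_END
+
+SIGNATURES_DEF_BEGIN
+/* search @offset 0 : '{ "Magic": "CLAMJSON' */
+/* this can be readjusted for specific filetypes */
+DEFINE_SIGNATURE(sig1, "0:7b20224d61676963223a2022434c414d4a534f4e")
+/* search '"RootFileType": "CL_TYPE_PDF"' */
+DEFINE_SIGNATURE(sig2, "22526f6f7446696c6554797065223a2022434c5f545950455f50444622")
+SIGNATURES_END
+
+bool logical_trigger(void)
+{
+return matches(Signatures.sig1) && !matches(Signatures.sig2);
+}
+
+#define STR_MAXLEN 256
+
+int entrypoint ()
+{
+foundVirus("Submit");
+return 0;
+}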
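Review bot: All of the detection logic here lives in `logical_trigger`: `sig2` is a raw byte pattern for `"RootFileType": "CL_TYPE_PDF"`, so it depends on the exact serialization of the properties JSON (one space after the colon, no other whitespace) and matches that substring anywhere in the document rather than at a particular key, while `entrypoint` then alerts unconditionally. A one-line comment above the `DEFINE_SIGNATURE(sig2, ...)` line, such as `/* byte match on the serialized text; sensitive to JSON formatting, not a parsed lookup */`, would stop the next reader from assuming the value is parsed. `STR_MAXLEN` is defined but unused in this file and could be dropped.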
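--- /dev/null
+++ b/examples/fileprop_analysis/old/(unknown)
@@ -0,0 +1,134 @@
+VIRUSNAME_PREFIX("SUBMIT.PE")
+VIRUSNAMES("Root", "Embedded", "RootEmbedded")
+
+/* Target type is 13, internal JSON properties */
+TARGET(13)
+
+/* JSON API call will require FUNC_LEVEL_098_5 = 78 */
+FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_5)
+
+SIGNATURES_DECL_BEGIN
+DECLARE_SIGNATURE(sig1)
+DECLARE_SIGNATURE(sig2)
+SIGNATURES_DECL_END
+
+SIGNATURES_DEF_BEGIN
+/* search @offset 0 : '{ "Magic": "CLAMJSON' */
+/* this can be readjusted for specific filetypes */
+DEFINE_SIGNATURE(sig1, "0:7b20224d61676963223a2022434c414d4a534f4e")
+/* search '"FileType": "CL_TYPE_MSEXE"' */
+DEFINE_SIGNATURE(sig2, "2246696c6554797065223a2022434c5f545950455f4d5345584522")
+SIGNATURES_END
+
+bool logical_trigger(void)
+{
+return matches(Signatures.sig1) && matches(Signatures.sig2);
+}
+
+#define STR_MAXLEN 256
+
+int entrypoint ()
+{
+int32_t i, root = 0, embedded = 0;
+int32_t type, obj, strlen, objarr, objit, arrlen;
+char str[STR_MAXLEN];
+
+/* check is json is available, alerts on inactive (optional) */
+if (!json_is_active()) {
+return -1;
+}
+
+/* acquire array of internal contained objects */
+obj = json_get_object("FileType", 8, 0);
+if (obj <= 0) return -1;
+
+/* acquire and check type */
+type = json_get_type(obj);
+if (type == JSON_TYPE_STRING) {
+/* acquire string length, note +1 is for the NULL terminator */
+strlen = json_get_string_length(obj)+1;
+/* prevent buffer overflow */
+if (strlen > STR_MAXLEN)
+strlen = STR_MAXLEN;
+/* acquire string data, note strlen includes NULL terminator */
+if (json_get_string(str, strlen, obj)) {
+/* debug print str (with '\n' and prepended message */
+debug_print_str(str,strlen);
+
+/* check the contained object's type */
+if (strlen == 14 && !memcmp(str, "CL_TYPE_MSEXE", 14)) {
+//if (!strcmp(str, strlen, "CL_TYPE_MSEXE", strlen)) {
+/* alert for submission */
+root = 1;
+}
+}
+}
+
+debug_print_uint(root);
+
+/* acquire array of internal contained objects */
+objarr = json_get_object("ContainedObjects", 16, 0);
+if (objarr <= 0) {
+if (root)
+foundVirus("Root");
+return 0;
+}
+
+type = json_get_type(objarr);
+/* debug print uint (no '\n' or prepended message */
+debug_print_uint(type);
+
+if (type != JSON_TYPE_ARRAY) {
+return -1;
+}
+
+/* check array length for iteration over elements */
+arrlen = json_get_array_length(objarr);
+for (i = 0; i < arrlen; ++i) {
+/* acquire json object @ idx i */
+objit = json_get_array_idx(i, objarr);
+if (objit <= 0) continue;
+
+/* acquire FileType object of the array element @ idx i */
+obj = json_get_object("FileType", 8, objit);
+if (obj <= 0) continue;
+
+/* acquire and check type */
+type = json_get_type(obj);
+if (type == JSON_TYPE_STRING) {
+/* acquire string length, note +1 is for the NULL terminator */
+strlen = json_get_string_length(obj)+1;
+/* prevent buffer overflow */
+if (strlen > STR_MAXLEN)
+strlen = STR_MAXLEN;
+/* acquire string data, note strlen includes NULL terminator */
+if (json_get_string(str, strlen, obj)) {
+/* debug print str (with '\n' and prepended message */
+debug_print_str(str,strlen);
+
+/* check the contained object's type */
+if (strlen == 14 && !memcmp(str, "CL_TYPE_MSEXE", 14)) {
+//if (!strcmp(str, strlen, "CL_TYPE_MSEXE", strlen)) {
+/* alert for submission */
+embedded = 1;
+break;
+}
+}
+}
+}
+
+debug_print_uint(root);
+debug_print_uint(embedded);
+
+if (root && embedded) {
+foundVirus("RootEmbedded");
+}
+else if (root) {
+foundVirus("Root");
+}
+else if (embedded) {
+foundVirus("Embedded");
+}
+
+return 0;
+}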
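Review bot: When `ContainedObjects` is present but is not an array, the `if (type != JSON_TYPE_ARRAY) { return -1; }` branch discards the `root` result computed a few lines earlier, so a root-level PE produces no `Root` alert on that path, whereas the `objarr <= 0` branch directly above does raise it. Mirror that branch so the two failure paths agree: `if (type != JSON_TYPE_ARRAY) { if (root) foundVirus("Root"); return -1; }`. The two commented-out `//if (!strcmp(str, strlen, "CL_TYPE_MSEXE", strlen)) {` lines are dead code and the comment `acquire array of internal contained objects` above the root `json_get_object("FileType", 8, 0)` lookup describes the wrong call; `acquire the root FileType property` would match what that line does.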
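--- /dev/null
+++ b/examples/fileprop_analysis/old/(unknown)
@@ -0,0 +1,28 @@
+VIRUSNAME_PREFIX("SUBMIT")
+VIRUSNAMES("Sandbox")
+
+/* Target type is 13, internal JSON properties */
+TARGET(13)
+
+/* JSON API call will require FUNC_LEVEL_098_5 = 78 */
+FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_5)
+
+SIGNATURES_DECL_BEGIN
+DECLARE_SIGNATURE(sig1)
+SIGNATURES_DECL_END
+
+SIGNATURES_DEF_BEGIN
+/* search @offset 0 : '{ "Magic": "CLAMJSON' */
+/* this can be readjusted for specific filetypes */
+DEFINE_SIGNATURE(sig1, "0:7b20224d61676963223a2022434c414d4a534f4e")
+SIGNATURES_END
+
+bool logical_trigger(void)
+{
+return matches(Signatures.sig1);
+}
+
+int entrypoint ()
+{
+return 0;
+}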
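Review bot: `entrypoint` returns 0 without ever calling `foundVirus`, so the declared `Sandbox` name can never be raised and the bytecode does nothing beyond the `logical_trigger` pattern match on the CLAMJSON magic. If this is intentionally a skeleton for new property-based signatures, a header comment above `VIRUSNAME_PREFIX("SUBMIT")` saying so, e.g. `/* Skeleton: triggers on any CLAMJSON properties file; add JSON checks and foundVirus() calls in entrypoint */`, would make that clear to whoever copies it; otherwise the unused name is misleading.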