Replace tabs with spaces in pe.c and crtmgr.c, move debug message

pull/51/head
Andrew 7 years ago committed by Micah Snyder
parent b851a649af
commit 50873c8a58
  1. 366
      libclamav/crtmgr.c
  2. 268
      libclamav/pe.c

@ -39,8 +39,8 @@
int cli_crt_init(cli_crt *x509) {
int ret;
if((ret = mp_init_multi(&x509->n, &x509->e, &x509->sig, NULL))) {
cli_errmsg("cli_crt_init: mp_init_multi failed with %d\n", ret);
return 1;
cli_errmsg("cli_crt_init: mp_init_multi failed with %d\n", ret);
return 1;
}
x509->name = NULL;
x509->isBlacklisted = 0;
@ -58,17 +58,17 @@ void cli_crt_clear(cli_crt *x509) {
cli_crt *crtmgr_lookup(crtmgr *m, cli_crt *x509) {
cli_crt *i;
for(i = m->crts; i; i = i->next) {
if(x509->not_before >= i->not_before &&
x509->not_after <= i->not_after &&
(i->certSign | x509->certSign) == i->certSign &&
(i->codeSign | x509->codeSign) == i->codeSign &&
(i->timeSign | x509->timeSign) == i->timeSign &&
!memcmp(x509->subject, i->subject, sizeof(i->subject)) &&
!memcmp(x509->serial, i->serial, sizeof(i->serial)) &&
!mp_cmp(&x509->n, &i->n) &&
!mp_cmp(&x509->e, &i->e) && !(i->isBlacklisted)) {
return i;
}
if(x509->not_before >= i->not_before &&
x509->not_after <= i->not_after &&
(i->certSign | x509->certSign) == i->certSign &&
(i->codeSign | x509->codeSign) == i->codeSign &&
(i->timeSign | x509->timeSign) == i->timeSign &&
!memcmp(x509->subject, i->subject, sizeof(i->subject)) &&
!memcmp(x509->serial, i->serial, sizeof(i->serial)) &&
!mp_cmp(&x509->n, &i->n) &&
!mp_cmp(&x509->e, &i->e) && !(i->isBlacklisted)) {
return i;
}
}
return NULL;
}
@ -78,66 +78,66 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) {
int ret = 0;
for(i = m->crts; i; i = i->next) {
if(!memcmp(x509->subject, i->subject, sizeof(i->subject)) &&
!memcmp(x509->serial, i->subject, sizeof(i->serial)) &&
!mp_cmp(&x509->n, &i->n) &&
!mp_cmp(&x509->e, &i->e)) {
if(x509->not_before >= i->not_before && x509->not_after <= i->not_after) {
/* Already same or broader */
ret = 1;
}
if(i->not_before > x509->not_before && i->not_before <= x509->not_after) {
/* Extend left */
i->not_before = x509->not_before;
ret = 1;
}
if(i->not_after >= x509->not_before && i->not_after < x509->not_after) {
/* Extend right */
i->not_after = x509->not_after;
ret = 1;
}
if(!ret)
continue;
i->certSign |= x509->certSign;
i->codeSign |= x509->codeSign;
i->timeSign |= x509->timeSign;
return 0;
}
/* If certs match, we're likely just revoking it */
if (!memcmp(x509->subject, i->subject, sizeof(x509->subject)) &&
!memcmp(x509->issuer, i->issuer, sizeof(x509->issuer)) &&
!memcmp(x509->serial, i->serial, sizeof(x509->serial)) &&
!mp_cmp(&x509->n, &i->n) &&
!mp_cmp(&x509->e, &i->e)) {
if (i->isBlacklisted != x509->isBlacklisted)
i->isBlacklisted = x509->isBlacklisted;
if(!memcmp(x509->subject, i->subject, sizeof(i->subject)) &&
!memcmp(x509->serial, i->subject, sizeof(i->serial)) &&
!mp_cmp(&x509->n, &i->n) &&
!mp_cmp(&x509->e, &i->e)) {
if(x509->not_before >= i->not_before && x509->not_after <= i->not_after) {
/* Already same or broader */
ret = 1;
}
if(i->not_before > x509->not_before && i->not_before <= x509->not_after) {
/* Extend left */
i->not_before = x509->not_before;
ret = 1;
}
if(i->not_after >= x509->not_before && i->not_after < x509->not_after) {
/* Extend right */
i->not_after = x509->not_after;
ret = 1;
}
if(!ret)
continue;
i->certSign |= x509->certSign;
i->codeSign |= x509->codeSign;
i->timeSign |= x509->timeSign;
return 0;
}
}
/* If certs match, we're likely just revoking it */
if (!memcmp(x509->subject, i->subject, sizeof(x509->subject)) &&
!memcmp(x509->issuer, i->issuer, sizeof(x509->issuer)) &&
!memcmp(x509->serial, i->serial, sizeof(x509->serial)) &&
!mp_cmp(&x509->n, &i->n) &&
!mp_cmp(&x509->e, &i->e)) {
if (i->isBlacklisted != x509->isBlacklisted)
i->isBlacklisted = x509->isBlacklisted;
return 0;
}
}
i = cli_malloc(sizeof(*i));
if(!i)
return 1;
return 1;
if((ret = mp_init_multi(&i->n, &i->e, &i->sig, NULL))) {
cli_warnmsg("crtmgr_add: failed to mp_init failed with %d\n", ret);
free(i);
return 1;
cli_warnmsg("crtmgr_add: failed to mp_init failed with %d\n", ret);
free(i);
return 1;
}
if((ret = mp_copy(&x509->n, &i->n)) || (ret = mp_copy(&x509->e, &i->e)) || (ret = mp_copy(&x509->sig, &i->sig))) {
cli_warnmsg("crtmgr_add: failed to mp_init failed with %d\n", ret);
cli_crt_clear(i);
free(i);
return 1;
cli_warnmsg("crtmgr_add: failed to mp_init failed with %d\n", ret);
cli_crt_clear(i);
free(i);
return 1;
}
if ((x509->name))
i->name = strdup(x509->name);
i->name = strdup(x509->name);
else
i->name = NULL;
i->name = NULL;
memcpy(i->raw_subject, x509->raw_subject, sizeof(i->raw_subject));
memcpy(i->raw_issuer, x509->raw_issuer, sizeof(i->raw_issuer));
@ -156,7 +156,7 @@ int crtmgr_add(crtmgr *m, cli_crt *x509) {
i->next = m->crts;
i->prev = NULL;
if(m->crts)
m->crts->prev = i;
m->crts->prev = i;
m->crts = i;
m->items++;
@ -171,26 +171,26 @@ void crtmgr_init(crtmgr *m) {
void crtmgr_del(crtmgr *m, cli_crt *x509) {
cli_crt *i;
for(i = m->crts; i; i = i->next) {
if(i==x509) {
if(i->prev)
i->prev->next = i->next;
else
m->crts = i->next;
if(i->next)
i->next->prev = i->prev;
cli_crt_clear(x509);
if ((x509->name))
free(x509->name);
free(x509);
m->items--;
return;
}
if(i==x509) {
if(i->prev)
i->prev->next = i->next;
else
m->crts = i->next;
if(i->next)
i->next->prev = i->prev;
cli_crt_clear(x509);
if ((x509->name))
free(x509->name);
free(x509);
m->items--;
return;
}
}
}
void crtmgr_free(crtmgr *m) {
while(m->items)
crtmgr_del(m, m->crts);
crtmgr_del(m, m->crts);
}
static int crtmgr_rsa_verify(cli_crt *x509, mp_int *sig, cli_crt_hashtype hashtype, const uint8_t *refhash) {
@ -211,94 +211,94 @@ static int crtmgr_rsa_verify(cli_crt *x509, mp_int *sig, cli_crt_hashtype hashty
}
if((ret = mp_init(&x))) {
cli_errmsg("crtmgr_rsa_verify: mp_init failed with %d\n", ret);
return 1;
cli_errmsg("crtmgr_rsa_verify: mp_init failed with %d\n", ret);
return 1;
}
do {
if(MAX(keylen, siglen) - MIN(keylen, siglen) > 1)
break;
if((ret = mp_exptmod(sig, &x509->e, &x509->n, &x))) {
cli_warnmsg("crtmgr_rsa_verify: verification failed: mp_exptmod failed with %d\n", ret);
break;
}
if(mp_unsigned_bin_size(&x) != keylen - 1)
break;
if((ret = mp_to_unsigned_bin(&x, d))) {
cli_warnmsg("crtmgr_rsa_verify: mp_unsigned_bin_size failed with %d\n", ret);
break;
}
if(*d != 1) /* block type 1 */
break;
keylen -= 1; /* 0xff padding */
for(j=1; j<keylen-2; j++)
if(d[j] != 0xff)
break;
if(j == keylen - 2)
break;
if(d[j] != 0) /* 0x00 separator */
break;
j++;
keylen -= j; /* asn1 size */
if(keylen < hashlen)
break;
if(keylen > hashlen) {
/* hash is asn1 der encoded */
/* SEQ { SEQ { OID, NULL }, OCTET STRING */
if(keylen < 2 || d[j] != 0x30 || d[j+1] + 2 != keylen)
break;
keylen -= 2;
j+=2;
if(keylen <2 || d[j] != 0x30)
break;
objlen = d[j+1];
keylen -= 2;
j+=2;
if(keylen < objlen)
break;
if(objlen == 9) {
if(MAX(keylen, siglen) - MIN(keylen, siglen) > 1)
break;
if((ret = mp_exptmod(sig, &x509->e, &x509->n, &x))) {
cli_warnmsg("crtmgr_rsa_verify: verification failed: mp_exptmod failed with %d\n", ret);
break;
}
if(mp_unsigned_bin_size(&x) != keylen - 1)
break;
if((ret = mp_to_unsigned_bin(&x, d))) {
cli_warnmsg("crtmgr_rsa_verify: mp_unsigned_bin_size failed with %d\n", ret);
break;
}
if(*d != 1) /* block type 1 */
break;
keylen -= 1; /* 0xff padding */
for(j=1; j<keylen-2; j++)
if(d[j] != 0xff)
break;
if(j == keylen - 2)
break;
if(d[j] != 0) /* 0x00 separator */
break;
j++;
keylen -= j; /* asn1 size */
if(keylen < hashlen)
break;
if(keylen > hashlen) {
/* hash is asn1 der encoded */
/* SEQ { SEQ { OID, NULL }, OCTET STRING */
if(keylen < 2 || d[j] != 0x30 || d[j+1] + 2 != keylen)
break;
keylen -= 2;
j+=2;
if(keylen <2 || d[j] != 0x30)
break;
objlen = d[j+1];
keylen -= 2;
j+=2;
if(keylen < objlen)
break;
if(objlen == 9) {
// Check for OID type indicating a length of 5, OID_sha1, and the NULL type/value
if(hashtype != CLI_SHA1RSA || memcmp(&d[j], "\x06\x05" OID_sha1 "\x05\x00", 9)) {
cli_errmsg("crtmgr_rsa_verify: FIXME ACAB - CRYPTO MISSING?\n");
break;
}
} else if(objlen == 12) {
if(hashtype != CLI_SHA1RSA || memcmp(&d[j], "\x06\x05" OID_sha1 "\x05\x00", 9)) {
cli_errmsg("crtmgr_rsa_verify: FIXME ACAB - CRYPTO MISSING?\n");
break;
}
} else if(objlen == 12) {
// Check for OID type indicating a length of 8, OID_md5, and the NULL type/value
if(hashtype != CLI_MD5RSA || memcmp(&d[j], "\x06\x08" OID_md5 "\x05\x00", 12)) {
cli_errmsg("crtmgr_rsa_verify: FIXME ACAB - CRYPTO MISSING?\n");
break;
}
} else if(objlen == 13) {
if(hashtype != CLI_MD5RSA || memcmp(&d[j], "\x06\x08" OID_md5 "\x05\x00", 12)) {
cli_errmsg("crtmgr_rsa_verify: FIXME ACAB - CRYPTO MISSING?\n");
break;
}
} else if(objlen == 13) {
// Check for OID type indicating a length of 9, OID_sha256, and the NULL type/value
if(hashtype != CLI_SHA256RSA || memcmp(&d[j], "\x06\x09" OID_sha256 "\x05\x00", 13)) {
cli_errmsg("crtmgr_rsa_verify: FIXME ACAB - CRYPTO MISSING?\n");
break;
}
} else {
cli_errmsg("crtmgr_rsa_verify: FIXME ACAB - CRYPTO MISSING?\n");
break;
}
keylen -= objlen;
j += objlen;
if(keylen < 2 || d[j] != 0x04 || d[j+1] != hashlen)
break;
keylen -= 2;
j+=2;
if(keylen != hashlen)
break;
}
if(memcmp(&d[j], refhash, hashlen))
break;
mp_clear(&x);
return 0;
if(hashtype != CLI_SHA256RSA || memcmp(&d[j], "\x06\x09" OID_sha256 "\x05\x00", 13)) {
cli_errmsg("crtmgr_rsa_verify: FIXME ACAB - CRYPTO MISSING?\n");
break;
}
} else {
cli_errmsg("crtmgr_rsa_verify: FIXME ACAB - CRYPTO MISSING?\n");
break;
}
keylen -= objlen;
j += objlen;
if(keylen < 2 || d[j] != 0x04 || d[j+1] != hashlen)
break;
keylen -= 2;
j+=2;
if(keylen != hashlen)
break;
}
if(memcmp(&d[j], refhash, hashlen))
break;
mp_clear(&x);
return 0;
} while(0);
@ -320,18 +320,18 @@ cli_crt *crtmgr_verify_crt(crtmgr *m, cli_crt *x509) {
}
for(i = m->crts; i; i = i->next) {
if(i->certSign &&
!memcmp(i->subject, x509->issuer, sizeof(i->subject)) &&
!crtmgr_rsa_verify(i, &x509->sig, x509->hashtype, x509->tbshash)) {
int curscore;
if((x509->codeSign & i->codeSign) == x509->codeSign && (x509->timeSign & i->timeSign) == x509->timeSign)
return i;
curscore = (x509->codeSign & i->codeSign) + (x509->timeSign & i->timeSign);
if(curscore > score) {
best = i;
score = curscore;
}
}
if(i->certSign &&
!memcmp(i->subject, x509->issuer, sizeof(i->subject)) &&
!crtmgr_rsa_verify(i, &x509->sig, x509->hashtype, x509->tbshash)) {
int curscore;
if((x509->codeSign & i->codeSign) == x509->codeSign && (x509->timeSign & i->timeSign) == x509->timeSign)
return i;
curscore = (x509->codeSign & i->codeSign) + (x509->timeSign & i->timeSign);
if(curscore > score) {
best = i;
score = curscore;
}
}
}
return best;
}
@ -342,28 +342,28 @@ cli_crt *crtmgr_verify_pkcs7(crtmgr *m, const uint8_t *issuer, const uint8_t *se
int ret;
if(signature_len < 1024/8 || signature_len > 4096/8+1) {
cli_dbgmsg("crtmgr_verify_pkcs7: unsupported sig len: %u\n", signature_len);
return NULL;
cli_dbgmsg("crtmgr_verify_pkcs7: unsupported sig len: %u\n", signature_len);
return NULL;
}
if((ret = mp_init(&sig))) {
cli_errmsg("crtmgr_verify_pkcs7: mp_init failed with %d\n", ret);
return NULL;
cli_errmsg("crtmgr_verify_pkcs7: mp_init failed with %d\n", ret);
return NULL;
}
if((ret=mp_read_unsigned_bin(&sig, signature, signature_len))) {
cli_warnmsg("crtmgr_verify_pkcs7: mp_read_unsigned_bin failed with %d\n", ret);
return NULL;
cli_warnmsg("crtmgr_verify_pkcs7: mp_read_unsigned_bin failed with %d\n", ret);
return NULL;
}
for(i = m->crts; i; i = i->next) {
if(vrfytype == VRFY_CODE && !i->codeSign)
continue;
if(vrfytype == VRFY_TIME && !i->timeSign)
continue;
if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) &&
!memcmp(i->serial, serial, sizeof(i->serial)) &&
!crtmgr_rsa_verify(i, &sig, hashtype, refhash)) {
break;
if(vrfytype == VRFY_CODE && !i->codeSign)
continue;
if(vrfytype == VRFY_TIME && !i->timeSign)
continue;
if(!memcmp(i->issuer, issuer, sizeof(i->issuer)) &&
!memcmp(i->serial, serial, sizeof(i->serial)) &&
!crtmgr_rsa_verify(i, &sig, hashtype, refhash)) {
break;
}
}
mp_clear(&sig);
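Review bot: In the crtmgr_add hunk, the first match test compares the new certificate's serial against the stored entry's subject, `!memcmp(x509->serial, i->subject, sizeof(i->serial))`; the commit only re-indents this line, so the mismatch is carried over unchanged. crtmgr_lookup and the revocation test a few lines further down both compare against `i->serial`, so this looks like a typo and the line should read `!memcmp(x509->serial, i->serial, sizeof(i->serial)) &&`. As written, the validity-window merge and the OR-ing of certSign/codeSign/timeSign are presumably reached only by coincidence, so a certificate that is already in the trust store falls through to the other paths instead of being merged. crtmgr_add starts before this hunk and continues in the next one.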

@ -90,11 +90,11 @@
#define DCONF ctx->dconf->pe
#define PE_IMAGE_DOS_SIGNATURE 0x5a4d /* MZ */
#define PE_IMAGE_DOS_SIGNATURE 0x5a4d /* MZ */
#define PE_IMAGE_DOS_SIGNATURE_OLD 0x4d5a /* ZM */
#define PE_IMAGE_NT_SIGNATURE 0x00004550
#define PE32_SIGNATURE 0x010b
#define PE32P_SIGNATURE 0x020b
#define PE_IMAGE_NT_SIGNATURE 0x00004550
#define PE32_SIGNATURE 0x010b
#define PE32P_SIGNATURE 0x020b
#define optional_hdr64 pe_opt.opt64
#define optional_hdr32 pe_opt.opt32
@ -118,9 +118,9 @@
#define PESALIGN(o,a) (((a))?(((o)/(a)+((o)%(a)!=0))*(a)):(o))
#define CLI_UNPSIZELIMITS(NAME,CHK) \
if(cli_checklimits(NAME, ctx, (CHK), 0, 0)!=CL_CLEAN) { \
free(exe_sections); \
return CL_CLEAN; \
if(cli_checklimits(NAME, ctx, (CHK), 0, 0)!=CL_CLEAN) { \
free(exe_sections); \
return CL_CLEAN; \
}
#define CLI_UNPTEMP(NAME,FREEME) \
@ -349,62 +349,62 @@ void findres(uint32_t by_type, uint32_t by_name, uint32_t res_rva, fmap_t *map,
uint16_t type_cnt, name_cnt, lang_cnt;
if (!(resdir = fmap_need_off_once(map, cli_rawaddr(res_rva, exe_sections, nsections, &err, map->len, hdr_size), 16)) || err)
return;
return;
type_cnt = (uint16_t)cli_readint16(resdir+12);
type_entry = resdir+16;
if(!(by_type>>31)) {
type_entry += type_cnt * 8;
type_cnt = (uint16_t)cli_readint16(resdir+14);
type_entry += type_cnt * 8;
type_cnt = (uint16_t)cli_readint16(resdir+14);
}
while(type_cnt--) {
if(!fmap_need_ptr_once(map, type_entry, 8))
return;
type = cli_readint32(type_entry);
type_offs = cli_readint32(type_entry+4);
if(type == by_type && (type_offs>>31)) {
type_offs &= 0x7fffffff;
if (!(resdir = fmap_need_off_once(map, cli_rawaddr(res_rva + type_offs, exe_sections, nsections, &err, map->len, hdr_size), 16)) || err)
return;
name_cnt = (uint16_t)cli_readint16(resdir+12);
name_entry = resdir+16;
if(by_name == 0xffffffff)
name_cnt += (uint16_t)cli_readint16(resdir+14);
else if(!(by_name>>31)) {
name_entry += name_cnt * 8;
name_cnt = (uint16_t)cli_readint16(resdir+14);
}
while(name_cnt--) {
if(!fmap_need_ptr_once(map, name_entry, 8))
return;
name = cli_readint32(name_entry);
name_offs = cli_readint32(name_entry+4);
if((by_name == 0xffffffff || name == by_name) && (name_offs>>31)) {
name_offs &= 0x7fffffff;
if (!(resdir = fmap_need_off_once(map, cli_rawaddr(res_rva + name_offs, exe_sections, nsections, &err, map->len, hdr_size), 16)) || err)
return;
lang_cnt = (uint16_t)cli_readint16(resdir+12) + (uint16_t)cli_readint16(resdir+14);
lang_entry = resdir+16;
while(lang_cnt--) {
if(!fmap_need_ptr_once(map, lang_entry, 8))
return;
lang = cli_readint32(lang_entry);
lang_offs = cli_readint32(lang_entry+4);
if(!(lang_offs >>31)) {
if(cb(opaque, type, name, lang, res_rva + lang_offs))
return;
}
lang_entry += 8;
}
}
name_entry += 8;
}
return; /* FIXME: unless we want to find ALL types */
}
type_entry += 8;
if(!fmap_need_ptr_once(map, type_entry, 8))
return;
type = cli_readint32(type_entry);
type_offs = cli_readint32(type_entry+4);
if(type == by_type && (type_offs>>31)) {
type_offs &= 0x7fffffff;
if (!(resdir = fmap_need_off_once(map, cli_rawaddr(res_rva + type_offs, exe_sections, nsections, &err, map->len, hdr_size), 16)) || err)
return;
name_cnt = (uint16_t)cli_readint16(resdir+12);
name_entry = resdir+16;
if(by_name == 0xffffffff)
name_cnt += (uint16_t)cli_readint16(resdir+14);
else if(!(by_name>>31)) {
name_entry += name_cnt * 8;
name_cnt = (uint16_t)cli_readint16(resdir+14);
}
while(name_cnt--) {
if(!fmap_need_ptr_once(map, name_entry, 8))
return;
name = cli_readint32(name_entry);
name_offs = cli_readint32(name_entry+4);
if((by_name == 0xffffffff || name == by_name) && (name_offs>>31)) {
name_offs &= 0x7fffffff;
if (!(resdir = fmap_need_off_once(map, cli_rawaddr(res_rva + name_offs, exe_sections, nsections, &err, map->len, hdr_size), 16)) || err)
return;
lang_cnt = (uint16_t)cli_readint16(resdir+12) + (uint16_t)cli_readint16(resdir+14);
lang_entry = resdir+16;
while(lang_cnt--) {
if(!fmap_need_ptr_once(map, lang_entry, 8))
return;
lang = cli_readint32(lang_entry);
lang_offs = cli_readint32(lang_entry+4);
if(!(lang_offs >>31)) {
if(cb(opaque, type, name, lang, res_rva + lang_offs))
return;
}
lang_entry += 8;
}
}
name_entry += 8;
}
return; /* FIXME: unless we want to find ALL types */
}
type_entry += 8;
}
}
@ -419,82 +419,82 @@ static void cli_parseres_special(uint32_t base, uint32_t rva, fmap_t *map, struc
if(level>2 || !*maxres) return;
*maxres-=1;
if(err || !(resdir = fmap_need_off_once(map, rawaddr, 16)))
return;
return;
named = (uint16_t)cli_readint16(resdir+12);
unnamed = (uint16_t)cli_readint16(resdir+14);
entries = /*named+*/unnamed;
if (!entries)
return;
return;
rawaddr += named*8; /* skip named */
/* this is just used in a heuristic detection, so don't give error on failure */
if(!(entry = fmap_need_off(map, rawaddr+16, entries*8))) {
cli_dbgmsg("cli_parseres_special: failed to read resource directory at:%lu\n", (unsigned long)rawaddr+16);
return;
cli_dbgmsg("cli_parseres_special: failed to read resource directory at:%lu\n", (unsigned long)rawaddr+16);
return;
}
oentry = entry;
/*for (i=0; i<named; i++) {
uint32_t id, offs;
id = cli_readint32(entry);
offs = cli_readint32(entry+4);
if(offs>>31)
cli_parseres( base, base + (offs&0x7fffffff), srcfd, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats);
entry+=8;
uint32_t id, offs;
id = cli_readint32(entry);
offs = cli_readint32(entry+4);
if(offs>>31)
cli_parseres( base, base + (offs&0x7fffffff), srcfd, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats);
entry+=8;
}*/
for (i=0; i<unnamed; i++, entry += 8) {
uint32_t id, offs;
if (stats->errors >= SWIZZ_MAXERRORS) {
cli_dbgmsg("cli_parseres_special: resources broken, ignoring\n");
return;
}
id = cli_readint32(entry)&0x7fffffff;
if(level==0) {
type = 0;
switch(id) {
case 4: /* menu */
case 5: /* dialog */
case 6: /* string */
case 11:/* msgtable */
type = id;
break;
case 16:
type = id;
/* 14: version */
stats->has_version = 1;
break;
case 24: /* manifest */
stats->has_manifest = 1;
break;
/* otherwise keep it 0, we don't want it */
}
}
if (!type) {
/* if we are not interested in this type, skip */
continue;
}
offs = cli_readint32(entry+4);
if(offs>>31)
cli_parseres_special(base, base + (offs&0x7fffffff), map, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats);
else {
offs = cli_readint32(entry+4);
rawaddr = cli_rawaddr(base + offs, exe_sections, nsections, &err, fsize, hdr_size);
if (!err && (resdir = fmap_need_off_once(map, rawaddr, 16))) {
uint32_t isz = cli_readint32(resdir+4);
const uint8_t *str;
rawaddr = cli_rawaddr(cli_readint32(resdir), exe_sections, nsections, &err, fsize, hdr_size);
if (err || !isz || isz >= fsize || rawaddr+isz >= fsize) {
cli_dbgmsg("cli_parseres_special: invalid resource table entry: %lu + %lu\n",
(unsigned long)rawaddr,
(unsigned long)isz);
stats->errors++;
continue;
}
if ((id&0xff) != 0x09) /* english res only */
continue;
if((str = fmap_need_off_once(map, rawaddr, isz)))
cli_detect_swizz_str(str, isz, stats, type);
}
}
uint32_t id, offs;
if (stats->errors >= SWIZZ_MAXERRORS) {
cli_dbgmsg("cli_parseres_special: resources broken, ignoring\n");
return;
}
id = cli_readint32(entry)&0x7fffffff;
if(level==0) {
type = 0;
switch(id) {
case 4: /* menu */
case 5: /* dialog */
case 6: /* string */
case 11:/* msgtable */
type = id;
break;
case 16:
type = id;
/* 14: version */
stats->has_version = 1;
break;
case 24: /* manifest */
stats->has_manifest = 1;
break;
/* otherwise keep it 0, we don't want it */
}
}
if (!type) {
/* if we are not interested in this type, skip */
continue;
}
offs = cli_readint32(entry+4);
if(offs>>31)
cli_parseres_special(base, base + (offs&0x7fffffff), map, exe_sections, nsections, fsize, hdr_size, level+1, type, maxres, stats);
else {
offs = cli_readint32(entry+4);
rawaddr = cli_rawaddr(base + offs, exe_sections, nsections, &err, fsize, hdr_size);
if (!err && (resdir = fmap_need_off_once(map, rawaddr, 16))) {
uint32_t isz = cli_readint32(resdir+4);
const uint8_t *str;
rawaddr = cli_rawaddr(cli_readint32(resdir), exe_sections, nsections, &err, fsize, hdr_size);
if (err || !isz || isz >= fsize || rawaddr+isz >= fsize) {
cli_dbgmsg("cli_parseres_special: invalid resource table entry: %lu + %lu\n",
(unsigned long)rawaddr,
(unsigned long)isz);
stats->errors++;
continue;
}
if ((id&0xff) != 0x09) /* english res only */
continue;
if((str = fmap_need_off_once(map, rawaddr, isz)))
cli_detect_swizz_str(str, isz, stats, type);
}
}
}
fmap_unneed_ptr(map, oentry, entries*8);
}
@ -3447,13 +3447,13 @@ int cli_scanpe(cli_ctx *ctx)
/* CLI_UNPTEMP("DISASM",(exe_sections,0)); */
/* if(disasmbuf((unsigned char*)epbuff, epsize, ndesc)) */
/* ret = cli_scandesc(ndesc, ctx, CL_TYPE_PE_DISASM, 1, NULL, AC_SCAN_VIR); */
/* ret = cli_scandesc(ndesc, ctx, CL_TYPE_PE_DISASM, 1, NULL, AC_SCAN_VIR); */
/* close(ndesc); */
/* CLI_TMPUNLK(); */
/* free(tempfile); */
/* if(ret == CL_VIRUS) { */
/* free(exe_sections); */
/* return ret; */
/* free(exe_sections); */
/* return ret; */
/* } */
if(overlays) {
@ -4601,20 +4601,20 @@ int cli_scanpe(cli_ctx *ctx)
for(i = 0 ; i < nsections; i++) {
if(exe_sections[i].raw) {
unsigned int r_ret;
unsigned int r_ret;
if (!exe_sections[i].rsz)
goto out_no_petite;
if (!exe_sections[i].rsz)
goto out_no_petite;
if (!CLI_ISCONTAINED(dest, dsize,
dest + exe_sections[i].rva - min,
exe_sections[i].ursz))
goto out_no_petite;
if (!CLI_ISCONTAINED(dest, dsize,
dest + exe_sections[i].rva - min,
exe_sections[i].ursz))
goto out_no_petite;
r_ret = fmap_readn(map, dest + exe_sections[i].rva - min,
exe_sections[i].raw,
exe_sections[i].ursz);
if (r_ret != exe_sections[i].ursz) {
r_ret = fmap_readn(map, dest + exe_sections[i].rva - min,
exe_sections[i].raw,
exe_sections[i].ursz);
if (r_ret != exe_sections[i].ursz) {
out_no_petite:
free(exe_sections);
free(dest);
@ -5588,10 +5588,10 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1, stats_section_t *hashes, uin
// and that the certificate table is the last thing in the file
// (according to the MS13-098 bulletin, this is a requirement)
if (fsize != EC32(dirs[4].Size) + EC32(dirs[4].VirtualAddress)) {
cli_dbgmsg("cli_checkfp_pe: expected authenticode data at the end of the file\n");
if (flags & CL_CHECKFP_PE_FLAG_STATS) {
flags ^= CL_CHECKFP_PE_FLAG_AUTHENTICODE;
} else {
cli_dbgmsg("cli_checkfp_pe: expected authenticode data at the end of the file\n");
free(exe_sections);
if (hashctx)
cl_hash_destroy(hashctx);
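Review bot: In the last hunk (cli_checkfp_pe), the stats branch drops the Authenticode check with `flags ^= CL_CHECKFP_PE_FLAG_AUTHENTICODE`, which toggles the bit rather than clearing it. `flags &= ~CL_CHECKFP_PE_FLAG_AUTHENTICODE;` states the intent and stays correct even if the flag is not set on entry; whether that can happen is not visible in this hunk. With the `cli_dbgmsg` now only in the `else` branch, the stats path also skips Authenticode verification silently for a file whose certificate table is not at the end, which is the MS13-098 condition the comment cites. A separate message in that branch, for example `cli_dbgmsg("cli_checkfp_pe: authenticode data not at end of file, skipping authenticode check\n");`, would keep the event visible in debug logs. The enclosing function starts and ends outside the hunk.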
