libclamav: unify fp checking; output fp signatures in debug mode

0.96
Tomasz Kojm 16 years ago
parent 3e9193dd05
commit 6416cdef15
  1. 4
      ChangeLog
  2. 18
      libclamav/elf.c
  3. 2
      libclamav/macho.c
  4. 31
      libclamav/matcher.c
  5. 46
      libclamav/pe.c
  6. 29
      libclamav/scanners.c
  7. 2
      libclamav/special.c
  8. 8
      libclamav/unzip.c

@ -1,3 +1,7 @@
Fri Oct 2 14:35:42 CEST 2009 (tk)
----------------------------------
* libclamav: unify fp checking; output fp signatures in debug mode
Fri Oct 2 14:33:09 CEST 2009 (tk)
----------------------------------
* libclamav/scanners.c: fix whitelisting of scripts (bb#1706)

@ -216,7 +216,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_EFORMAT;
}
@ -229,7 +229,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_EFORMAT;
}
@ -240,7 +240,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -282,7 +282,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -303,7 +303,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_EFORMAT;
}
@ -320,7 +320,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_EFORMAT;
}
@ -331,7 +331,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_EFORMAT;
}
@ -343,7 +343,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -387,7 +387,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
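Review bot: Every DETECT_BROKEN branch in cli_scanelf now returns CL_VIRUS directly (assuming `return CL_VIRUS;` is the new side and the cli_checkfp line the old one), so whether a Broken.Executable hit can still be whitelisted depends entirely on the caller running the centralized FP check, and nothing in this file records that contract. I would add at the first such site (the -216 hunk) `/* FP whitelist check is the caller's job (cli_magic_scandesc); do not call cli_checkfp here */` so a future direct caller of cli_scanelf does not assume the result is already filtered. The same pattern is repeated in the macho.c macro, every pe.c hunk, special.c and unzip.c; one comment at each file's first site would do. Note also that the `if(ctx->virname)` guard leaves the name unset when ctx->virname is NULL, which matters if the central handler logs `*ctx->virname` unconditionally; cli_scanelf's body starts before and continues beyond each hunk.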

@ -176,7 +176,7 @@ struct macho_fat_arch
if(DETECT_BROKEN) { \
if(ctx->virname) \
*ctx->virname = "Broken.Executable"; \
return cli_checkfp(fd, ctx) ? CL_CLEAN : CL_VIRUS; \
return CL_VIRUS; \
} \
return CL_EFORMAT

@ -287,8 +287,11 @@ int cli_caloff(const char *offstr, struct cli_target_info *info, int fd, unsigne
int cli_checkfp(int fd, cli_ctx *ctx)
{
unsigned char *digest;
char md5[33];
unsigned int i;
const char *virname;
off_t pos;
struct stat sb;
if((pos = lseek(fd, 0, SEEK_CUR)) == -1) {
@ -311,6 +314,14 @@ int cli_checkfp(int fd, cli_ctx *ctx)
lseek(fd, pos, SEEK_SET);
return 1;
}
if(fstat(fd, &sb) != -1) {
for(i = 0; i < 16; i++)
sprintf(md5 + i * 2, "%02x", digest[i]);
md5[32] = 0;
cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) sb.st_size, *ctx->virname ? *ctx->virname : "Name");
}
free(digest);
}
@ -424,11 +435,7 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
cli_ac_freedata(&tdata);
if(bm_offmode)
cli_bm_freeoff(&toff, troot);
if(cli_checkfp(desc, ctx))
return CL_CLEAN;
else
return CL_VIRUS;
return CL_VIRUS;
}
}
@ -444,10 +451,7 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
if(bm_offmode)
cli_bm_freeoff(&toff, troot);
}
if(cli_checkfp(desc, ctx))
return CL_CLEAN;
else
return CL_VIRUS;
return CL_VIRUS;
} else if((acmode & AC_SCAN_FT) && ret >= CL_TYPENO) {
if(ret > type)
@ -506,13 +510,8 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
cli_ac_freedata(&gdata);
}
if(ret == CL_VIRUS) {
lseek(desc, 0, SEEK_SET);
if(cli_checkfp(desc, ctx))
return CL_CLEAN;
else
return CL_VIRUS;
}
if(ret == CL_VIRUS)
return CL_VIRUS;
if(!ftonly && ctx->engine->md5_hdb) {
cli_md5_final(digest, &md5ctx);
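Review bot: The new debug line in cli_checkfp dereferences `*ctx->virname` unconditionally, while the detection sites touched by this commit (elf.c, pe.c) still guard with `if(ctx->virname)` before writing it, so if a NULL ctx->virname is reachable this is a NULL dereference in debug mode; either guard it the same way or document that cli_checkfp requires a non-NULL virname slot. The size is also cast to `unsigned int` for `%u`, which silently truncates st_size at 4 GiB and prints a signature whose size component can never match the file; `(unsigned long long) sb.st_size` with `%llu` avoids that, if the project's printf wrappers accept it (the engine's own size limits make this mostly theoretical, but the cast is still wrong for the type). The cli_scandesc hunks drop the `lseek(desc, 0, SEEK_SET)` that preceded the old cli_checkfp call, which is fine only if cli_checkfp itself rewinds — the saved `pos` at its top suggests so, but the hunk does not show it. Both cli_checkfp's and cli_scandesc's bodies extend outside these hunks.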

@ -469,7 +469,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -605,7 +605,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
if(nsections)
cli_warnmsg("PE file contains %d sections\n", nsections);
@ -625,7 +625,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -635,7 +635,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -648,7 +648,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -664,7 +664,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
cli_dbgmsg("9x compatibility mode\n");
}
@ -706,7 +706,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -787,14 +787,14 @@ int cli_scanpe(int desc, cli_ctx *ctx)
cli_dbgmsg("Bad virtual alignemnt\n");
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
if (DETECT_BROKEN && !native && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
cli_dbgmsg("Bad file alignemnt\n");
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
if(fstat(desc, &sb) == -1) {
@ -830,7 +830,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -899,7 +899,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
*ctx->virname = "Broken.Executable";
free(section_hdr);
free(exe_sections);
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
@ -910,7 +910,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN; /* no ninjas to see here! move along! */
}
@ -929,7 +929,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
free(section_hdr);
free(exe_sections);
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
}
break;
@ -945,7 +945,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -957,7 +957,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
*ctx->virname = "Broken.Executable";
free(section_hdr);
free(exe_sections);
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
min = exe_sections[i].rva;
max = exe_sections[i].rva + exe_sections[i].rsz;
@ -968,7 +968,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
*ctx->virname = "Broken.Executable";
free(section_hdr);
free(exe_sections);
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
if(exe_sections[i].rva < min)
min = exe_sections[i].rva;
@ -988,7 +988,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
}
@ -1036,7 +1036,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
*ctx->virname = "W32.Parite.B";
free(exe_sections);
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
}
}
@ -1119,7 +1119,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
*ctx->virname = "W32.Kriz";
free(exe_sections);
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");
kzstate++;
@ -1146,7 +1146,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(cli_memstr(buff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
*ctx->virname = dam ? "W32.Magistr.A.dam" : "W32.Magistr.A";
free(exe_sections);
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
}
@ -1158,7 +1158,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(cli_memstr(buff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
*ctx->virname = dam ? "W32.Magistr.B.dam" : "W32.Magistr.B";
free(exe_sections);
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
}
}
@ -1216,7 +1216,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
*ctx->virname = "W32.Polipos.A";
free(jumps);
free(exe_sections);
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
}
free(jumps);
@ -1242,7 +1242,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if (ret != CL_CLEAN) {
free(exe_sections);
if(ret == CL_VIRUS)
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
return ret;
}
}
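Review bot: In the -1242 hunk the new `if(ret == CL_VIRUS) return CL_VIRUS;` is immediately followed by `return ret;`, which returns the same value in that case, so the conditional is dead (assuming the plain `return CL_VIRUS;` is the new side); `free(exe_sections); return ret;` says the same thing without the branch. This is a wording point only, the behaviour is right. cli_scanpe's body runs well beyond each of these hunks.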

@ -209,7 +209,7 @@ static int cli_unrar_scanmetadata(int desc, unrar_metadata_t *metadata, cli_ctx
if(mdata) {
*ctx->virname = mdata->virname;
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
if(DETECT_ENCRYPTED && metadata->encrypted) {
@ -1316,10 +1316,8 @@ static int cli_scanriff(int desc, cli_ctx *ctx)
int ret = CL_CLEAN;
if(cli_check_riff_exploit(desc) == 2) {
if(!cli_checkfp(desc, ctx)) {
ret = CL_VIRUS;
*ctx->virname = "Exploit.W32.MS05-002";
}
ret = CL_VIRUS;
*ctx->virname = "Exploit.W32.MS05-002";
}
return ret;
@ -1330,10 +1328,8 @@ static int cli_scanjpeg(int desc, cli_ctx *ctx)
int ret = CL_CLEAN;
if(cli_check_jpeg_exploit(desc, ctx) == 1) {
if(!cli_checkfp(desc, ctx)) {
ret = CL_VIRUS;
*ctx->virname = "Exploit.W32.MS04-028";
}
ret = CL_VIRUS;
*ctx->virname = "Exploit.W32.MS04-028";
}
return ret;
@ -1595,13 +1591,13 @@ static int cli_scan_structured(int desc, cli_ctx *ctx)
if(cc_count != 0 && cc_count >= ctx->engine->min_cc_count) {
cli_dbgmsg("cli_scan_structured: %u credit card numbers detected\n", cc_count);
*ctx->virname = "Structured.CreditCardNumber";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
if(ssn_count != 0 && ssn_count >= ctx->engine->min_ssn_count) {
cli_dbgmsg("cli_scan_structured: %u social security numbers detected\n", ssn_count);
*ctx->virname = "Structured.SSN";
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
return CL_VIRUS;
}
return CL_CLEAN;
@ -1878,8 +1874,10 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
cli_dbgmsg("cli_magic_scandesc: Hit recursion limit, only scanning raw file\n");
else
cli_dbgmsg("Raw mode: No support for special files\n");
if((ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR)) == CL_VIRUS)
if((ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR)) == CL_VIRUS) {
cli_dbgmsg("%s found in descriptor %d\n", *ctx->virname, desc);
return CL_VIRUS;
}
return ret;
}
@ -2097,7 +2095,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
ctx->container_type = current_container;
if(ret == CL_VIRUS)
return CL_VIRUS;
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
if(type == CL_TYPE_ZIP && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP)) {
if(sb.st_size > 1048576) {
@ -2109,7 +2107,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
/* CL_TYPE_HTML: raw HTML files are not scanned, unless safety measure activated via DCONF */
if(type != CL_TYPE_IGNORED && (type != CL_TYPE_HTML || !(DCONF_DOC & DOC_CONF_HTML_SKIPRAW)) && !ctx->engine->sdb) {
if(cli_scanraw(desc, ctx, type, typercg, &dettype) == CL_VIRUS)
return CL_VIRUS;
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
}
ctx->recursion++;
@ -2139,6 +2137,9 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
}
ctx->recursion--;
if(ret == CL_VIRUS)
return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
switch(ret) {
case CL_EFORMAT:
case CL_EMAXREC:
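Review bot: In the -1878 hunk (raw mode / recursion limit) the new block logs the hit and returns `CL_VIRUS` directly, while cli_scandesc in this same commit no longer consults cli_checkfp itself; if that is the new side as I read it, a file that takes the raw-mode path can no longer be whitelisted, unlike every other CL_VIRUS exit of cli_magic_scandesc, which this commit changes to `return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;`. I would make the raw-mode exit identical: `return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;`. The added cli_dbgmsg also dereferences `*ctx->virname` without the `if(ctx->virname)` guard the format parsers use before setting it; if a NULL slot is reachable here it should be guarded or the precondition documented. cli_magic_scandesc's body extends beyond every one of these hunks.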

@ -77,8 +77,6 @@ int cli_check_mydoom_log(int desc, cli_ctx *ctx)
if (j < 2) {
retval = CL_CLEAN;
} else if (retval==CL_VIRUS) {
if(cli_checkfp(desc, ctx))
return CL_CLEAN;
*ctx->virname = "Worm.Mydoom.M.log";
}

@ -355,12 +355,8 @@ static unsigned int lhdr(uint8_t *zip, uint32_t zsize, unsigned int *fu, unsigne
)
) meta = meta->next;
if(meta) {
if(!cli_checkfp(fd, ctx)) {
*ctx->virname = meta->virname;
*ret = CL_VIRUS;
} else
*ret = CL_CLEAN;
*ctx->virname = meta->virname;
*ret = CL_VIRUS;
return 0;
}
