checking/fixing packers... #2

TODO:
- yC + wwpack, check consistency in elf parser and rebuildpe
- remove hardcoded header size
- fix check for 1st sect rva
- ...
- regression



git-svn-id: file:///var/lib/svn/clamav-devel/branches/temp_branch_pe_cleanup@2940 77e5149b-7576-45b1-b177-96237e5ba77b

libclamav/pe.c

@@ -2221,10 +2221,10 @@ skip_upack_and_go_to_next_unpacker:
 	    }
 
 	    for(i = 0 ; i < nsections; i++) {
-		if(exe_sections[i].uraw) {
+		if(exe_sections[i].raw) {
 		  uint32_t offset = exe_sections[i].raw;
 
-		  if(lseek(desc, offset, SEEK_SET) == -1 || (unsigned int) cli_readn(desc, dest + exe_sections[i].rva - min, exe_sections[i].ursz) != exe_sections[i].uraw) {
+		  if(lseek(desc, offset, SEEK_SET) == -1 || (unsigned int) cli_readn(desc, dest + exe_sections[i].rva - min, exe_sections[i].ursz) != exe_sections[i].ursz) {
 			free(exe_sections);
 			free(dest);
 			return CL_EIO;
@@ -2247,7 +2247,7 @@ skip_upack_and_go_to_next_unpacker:
 	    }
 
 	    /* aCaB: Fixed to allow petite v2.1 unpacking (last section is a ghost) */
-	    if (!petite_inflate2x_1to9(dest, min, max - min, section_hdr,
+	    if (!petite_inflate2x_1to9(dest, min, max - min, exe_sections,
 		    nsections - (found == 1 ? 1 : 0), EC32(optional_hdr32.ImageBase),
 		    vep, ndesc, found, EC32(optional_hdr32.DataDirectory[2].VirtualAddress),
 		    EC32(optional_hdr32.DataDirectory[2].Size))) {
@@ -2588,7 +2588,6 @@ HERE!!!
       unsigned int nowinldr;
       char nbuff[24];
       char *src=buff, *dest;
-      FILE *asd;
 
       if (*buff=='\xe9') { /* bitched headers */
 	eprva = cli_readint32(buff+1)+vep+5;
@@ -2619,7 +2618,6 @@ HERE!!!
 
       if(ctx->limits && ctx->limits->maxfilesize && (ssize > ctx->limits->maxfilesize || dsize > ctx->limits->maxfilesize)) {
 	cli_dbgmsg("NsPack: Size exceeded\n");
-	free(section_hdr);
 	free(exe_sections);
 	if(BLOCKMAX) {
 	  *ctx->virname = "PE.NsPack.ExceededFileSize";
@@ -2651,7 +2649,6 @@ HERE!!!
       if(!(tempfile = cli_gentemp(NULL))) {
 	free(src);
 	free(dest);
-	free(section_hdr);
 	free(exe_sections);
 	return CL_EMEM;
       }
@@ -2661,7 +2658,6 @@ HERE!!!
 	free(tempfile);
 	free(src);
 	free(dest);
-	free(section_hdr);
 	free(exe_sections);
 	return CL_EIO;
       }
@@ -2677,7 +2673,6 @@ HERE!!!
 	lseek(ndesc, 0, SEEK_SET);
 
 	if(cli_magic_scandesc(ndesc, ctx) == CL_VIRUS) {
-	  free(section_hdr);
 	  free(exe_sections);
 	  close(ndesc);
 	  if(!cli_leavetemps_flag) unlink(tempfile);
@@ -2697,7 +2692,6 @@ HERE!!!
 
     /* to be continued ... */
 
-    free(section_hdr);
     free(exe_sections);
     return CL_CLEAN;
 }

libclamav/petite.c

@@ -52,13 +52,11 @@
 #include <string.h>
 
 #include "cltypes.h"
-#include "pe.h"
 #include "rebuildpe.h"
 #include "execs.h"
 #include "others.h"
 #include "petite.h"
 
-#define EC32(x) le32_to_host(x) /* Convert little endian to host */
 
 static int doubledl(char **scur, uint8_t *mydlptr, char *buffer, uint32_t buffersize)
 {
@@ -77,7 +75,7 @@ static int doubledl(char **scur, uint8_t *mydlptr, char *buffer, uint32_t buffer
   return (olddl>>7)&1;
 }
 
-int petite_inflate2x_1to9(char *buf, uint32_t minrva, uint32_t bufsz, struct pe_image_section_hdr *sections, unsigned int sectcount, uint32_t Imagebase, uint32_t pep, int desc, int version, uint32_t ResRva, uint32_t ResSize)
+int petite_inflate2x_1to9(char *buf, uint32_t minrva, uint32_t bufsz, struct cli_exe_section *sections, unsigned int sectcount, uint32_t Imagebase, uint32_t pep, int desc, int version, uint32_t ResRva, uint32_t ResSize)
 {
   char *adjbuf = buf - minrva;
   char *packed = NULL;
@@ -98,9 +96,9 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, uint32_t bufsz, struct pe_
    */
 
   if ( version == 2 )
-    packed = adjbuf + EC32(sections[sectcount-1].VirtualAddress) + 0x1b8;
+    packed = adjbuf + sections[sectcount-1].rva + 0x1b8;
   if ( version == 1 ) {
-    packed = adjbuf + EC32(sections[sectcount-1].VirtualAddress) + 0x178;
+    packed = adjbuf + sections[sectcount-1].rva + 0x178;
     grown=0x323;    /* My name is Harry potter */
     skew=0x34;
   }
@@ -193,7 +191,7 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, uint32_t bufsz, struct pe_
 	      } else {
 		api = 0xbff01337; /* KERNEL32!leet */
 	      }
-	      if (EC32(sections[sectcount-1].VirtualAddress)+Imagebase < api )
+	      if (sections[sectcount-1].rva+Imagebase < api )
 		enc_ep--;
 	      if ( api < virtaddr )
 		enc_ep--;
@@ -316,10 +314,10 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, uint32_t bufsz, struct pe_
       if (!check4resources) {
 	unsigned int q;
 	for ( q = 0 ; q < sectcount ; q++ ) {
-	  if ( thisrva <= EC32(sections[q].VirtualAddress) || thisrva >= EC32(sections[q].VirtualAddress) + EC32(sections[q].VirtualSize))
+	  if ( thisrva <= sections[q].rva || thisrva >= sections[q].rva + sections[q].vsz)
 	    continue;
-	  usects[j].rva = EC32(sections[q].VirtualAddress);
-	  usects[j].rsz = thisrva - EC32(sections[q].VirtualAddress) + size;
+	  usects[j].rva = sections[q].rva;
+	  usects[j].rsz = thisrva - sections[q].rva + size;
 	  break;
 	}
       }

libclamav/petite.h

@@ -23,6 +23,6 @@
 #include "cltypes.h"
 #include "pe.h"
 
-int petite_inflate2x_1to9(char *buf, uint32_t minrva, uint32_t bufsz, struct pe_image_section_hdr *sections, unsigned int sectcount, uint32_t Imagebase, uint32_t pep, int desc, int version, uint32_t ResRva, uint32_t ResSize);
+int petite_inflate2x_1to9(char *buf, uint32_t minrva, uint32_t bufsz, struct cli_exe_section *sections, unsigned int sectcount, uint32_t Imagebase, uint32_t pep, int desc, int version, uint32_t ResRva, uint32_t ResSize);
 
 #endif

libclamav/spin.h

@@ -23,6 +23,6 @@
 #include "cltypes.h"
 #include "rebuildpe.h"
 
-int unspin(char *, int, struct pe_image_section_hdr *, int, uint32_t, int, cli_ctx *);
+int unspin(char *, int, struct cli_exe_section *, int, uint32_t, int, cli_ctx *);
 
 #endif