ISHIELD support:

- preliminary ishield-msi ftype sport
17 years ago · cadaa7032f
parent 0e8b930665
commit cadaa7032f
4 changed files with 17 additions and 0 deletions
--- a/libclamav/filetypes.c
+++ b/libclamav/filetypes.c
@ -93,6 +93,7 @@ static const struct ftmap_s {
    { "CL_TYPE_ARJSFX",		CL_TYPE_ARJSFX		},
    { "CL_TYPE_NULSFT",		CL_TYPE_NULSFT		},
    { "CL_TYPE_AUTOIT",		CL_TYPE_AUTOIT		},
+    { "CL_TYPE_ISHIELD_MSI",	CL_TYPE_ISHIELD_MSI	},
    { NULL,			CL_TYPE_IGNORED		}
 };

--- a/libclamav/filetypes.h
+++ b/libclamav/filetypes.h
@ -80,6 +80,7 @@ typedef enum {
    CL_TYPE_ARJSFX,
    CL_TYPE_NULSFT, /* on the fly */
    CL_TYPE_AUTOIT,
+    CL_TYPE_ISHIELD_MSI,
    CL_TYPE_IGNORED /* please don't add anything below */
 } cli_file_t;

--- a/libclamav/filetypes_int.h
+++ b/libclamav/filetypes_int.h
@ -148,6 +148,7 @@ static const char *ftypes_int[] = {
  "0:0:cffaedfe:Mach-O LE 64-bit:CL_TYPE_ANY:CL_TYPE_MACHO:45",
  "0:0:feedface:Mach-O BE:CL_TYPE_ANY:CL_TYPE_MACHO:45",
  "0:0:feedfacf:Mach-O BE 64-bit:CL_TYPE_ANY:CL_TYPE_MACHO:45",
+  "1:*:496e7374616c6c536869656c6400{292}06000000:ISHIELD-MSI:CL_TYPE_ANY:CL_TYPE_ISHIELD_MSI:45",
  NULL
 };

--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@ -104,6 +104,8 @@
 #include <stddef.h>
 #endif

+static int cli_scanishield_msi(int desc, cli_ctx *ctx, off_t off) { cli_dbgmsg("in ishield-msi\n"); return CL_CLEAN; }
+
 static int cli_scanfile(const char *filename, cli_ctx *ctx);

 static int cli_scandir(const char *dirname, cli_ctx *ctx, cli_file_t container)
@ -1792,6 +1794,13 @@ static int cli_scanraw(int desc, cli_ctx *ctx, cli_file_t type, uint8_t typercg,
 			}
 			break;

+		    case CL_TYPE_ISHIELD_MSI:
+		        if(SCAN_ARCHIVE && type == CL_TYPE_MSEXE /* FIXMEISHIELD && (DCONF_ARCH & ARCH_CONF_ISHIELD)*/) {
+			    cli_dbgmsg("ISHIELD-MSI signature found at %u\n", (unsigned int) fpt->offset);
+			    nret = cli_scanishield_msi(desc, ctx, fpt->offset + 14);
+			}
+			break;
+
 		    case CL_TYPE_PDF:
 			if(type != CL_TYPE_PDF && SCAN_PDF && (DCONF_DOC & DOC_CONF_PDF)) {
 			    cli_dbgmsg("PDF signature found at %u\n", (unsigned int) fpt->offset);
@ -1965,6 +1974,11 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
 		ret = cli_scanautoit(desc, ctx, 23);
 	    break;

+        case CL_TYPE_ISHIELD_MSI:
+	    if(SCAN_ARCHIVE /* FIXMEISHIELD && (DCONF_ARCH & ARCH_CONF_ISHIELD)*/)
+		ret = cli_scanishield_msi(desc, ctx, 14);
+	    break;
+
 	case CL_TYPE_MSSZDD:
 	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_SZDD))
 		ret = cli_scanszdd(desc, ctx);