[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
aCaB
acab at clamav.net
Sun Apr 4 00:58:33 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 56e5821b493b19abf3feceb811b9f1eff6235d1e
Author: aCaB <acab at clamav.net>
Date: Tue Jul 14 09:36:36 2009 +0200
initial IS overlay parser
diff --git a/libclamav/ishield.c b/libclamav/ishield.c
index d739ba6..2899588 100644
--- a/libclamav/ishield.c
+++ b/libclamav/ishield.c
@@ -24,6 +24,8 @@
#include "clamav-config.h"
#endif
+#define _XOPEN_SOURCE 500
+
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
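Review bot: `_XOPEN_SOURCE` is defined only after `clamav-config.h` has already been included, and a feature-test macro takes effect only if it precedes the first system header, so the definition works only as long as that config header pulls in none itself; it will also clash if the build system already defines the macro. Move it to the very top of the file, ahead of the config include, and guard it: `#ifndef _XOPEN_SOURCE` / `#define _XOPEN_SOURCE 500` / `#endif`.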
@@ -197,3 +199,53 @@ int cli_scanishield_msi(int desc, cli_ctx *ctx, off_t off) {
}
return CL_CLEAN;
}
+
+
+int cli_scanishield(int desc, cli_ctx *ctx, off_t off, size_t sz) {
+ char *fname, *path, *version, *strsz, *eostr, *data;
+ char buf[2048];
+ int rd;
+ long int fsize;
+ off_t coff = off;
+
+ while(1) {
+ rd = pread(desc, buf, sizeof(buf), coff);
+ if(rd <= 0)
+ break;
+
+ fname = buf;
+ if(!*fname) break;
+ path = memchr(fname, 0, rd);
+ if(!path)
+ break;
+
+ path++;
+ rd -= (path - buf);
+ if(rd<=0 || !(version = memchr(path, 0, rd)))
+ break;
+
+ version++;
+ rd -= (version - path);
+ if(rd<=0 || !(strsz = memchr(version, 0, rd)))
+ break;
+
+ strsz++;
+ rd -= (strsz - version);
+ if(rd<=0 || !(data = memchr(strsz, 0, rd)))
+ break;
+
+ data++;
+ fsize = strtol(strsz, &eostr, 10);
+ if(fsize == LONG_MIN || fsize == LONG_MAX || !*strsz || !eostr || eostr == strsz || *eostr)
+ break;
+
+ if((data - buf) + fsize > sz)
+ break;
+
+ cli_errmsg("@%x: found file %s (%s) - version %s - size %u\n", coff, fname, path, version, fsize);
+ sz -= (data - buf) + fsize;
+ coff += (data - buf) + fsize;
+
+ }
+ return CL_CLEAN;
+}
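Review bot: `fsize` is taken from `strtol` on untrusted overlay data and is never checked for a negative value; when it equals `-(data - buf)` the sum on `if((data - buf) + fsize > sz)` is zero, the bound check passes, `sz` and `coff` do not advance, and the loop re-reads the same header forever. Add `if(fsize < 0) break;` directly after the `strtol` validity checks so a hostile size cannot stall the scan. The `cli_errmsg` call also mismatches its format and arguments — `%x` receives an `off_t` and `%u` a `long` — which is undefined behavior; cast them explicitly, e.g. `(unsigned long long)coff` with `%llx` and `%ld` for `fsize`. The `LONG_MIN`/`LONG_MAX` test would be more robust as an `errno == ERANGE` check, since those values are legitimate `strtol` results only on overflow.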
diff --git a/libclamav/ishield.h b/libclamav/ishield.h
index 71d0f61..0147102 100644
--- a/libclamav/ishield.h
+++ b/libclamav/ishield.h
@@ -24,5 +24,6 @@
#include "others.h"
int cli_scanishield_msi(int desc, cli_ctx *ctx, off_t off);
+int cli_scanishield(int desc, cli_ctx *ctx, off_t off, size_t sz);
#endif
diff --git a/libclamav/pe.c b/libclamav/pe.c
index 60d6b45..2b3215c 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -57,6 +57,7 @@
#include "matcher-bm.h"
#include "disasm.h"
#include "special.h"
+#include "ishield.h"
#ifndef O_BINARY
#define O_BINARY 0
@@ -436,7 +437,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
char sname[9], buff[4096], epbuff[4096], *tempfile;
uint32_t epsize;
ssize_t bytes;
- unsigned int i, found, upx_success = 0, min = 0, max = 0, err;
+ unsigned int i, found, upx_success = 0, min = 0, max = 0, err, overlays = 0;
unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0;
int (*upxfn)(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL;
char *src = NULL, *dest = NULL;
@@ -976,8 +977,10 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(exe_sections[i].rva < min)
min = exe_sections[i].rva;
- if(exe_sections[i].rva + exe_sections[i].rsz > max)
+ if(exe_sections[i].rva + exe_sections[i].rsz > max) {
max = exe_sections[i].rva + exe_sections[i].rsz;
+ overlays = exe_sections[i].raw + exe_sections[i].rsz;
+ }
}
}
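Review bot: `overlays` is updated only inside the branch that extends `max`, the largest virtual end, so it records the raw end of the section with the highest RVA rather than the highest raw end; raw file order does not have to follow RVA order, so a section stored later in the file but mapped lower leaves `overlays` pointing inside section data and the overlay parser starts at the wrong offset. Track the raw extent on its own: `if(exe_sections[i].raw + exe_sections[i].rsz > overlays) overlays = exe_sections[i].raw + exe_sections[i].rsz;` as a separate statement in the loop. If `raw` and `rsz` are 32-bit fields the addition can wrap on inconsistent headers, so the caller's `fsize - overlays > 0` test should not be the only guard. The enclosing loop begins outside the hunk.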
@@ -1016,6 +1019,12 @@ int cli_scanpe(int desc, cli_ctx *ctx)
return ret;
}
+ if(overlays) {
+ int overlays_sz = fsize - overlays;
+ if(overlays_sz > 0)
+ cli_scanishield(desc, ctx, overlays, overlays_sz);
+ }
+
/* Attempt to detect some popular polymorphic viruses */
/* W32.Parite.B */
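Review bot: The return value of `cli_scanishield(desc, ctx, overlays, overlays_sz);` is discarded; the parser currently always returns `CL_CLEAN`, but once it starts reporting detections they would be silently dropped here while the neighbouring scan paths propagate `ret`. Check it the same way, `if((ret = cli_scanishield(desc, ctx, overlays, overlays_sz)) != CL_CLEAN)`, followed by the cleanup and `return ret;` the adjacent path uses. `int overlays_sz = fsize - overlays;` narrows to `int`; if `fsize` is wider than `int` the assignment can truncate a large difference into a small positive value, so compute the difference in the type of `fsize`, compare against zero, and only then pass it as the `size_t` argument. The enclosing `cli_scanpe` starts and ends outside the hunk.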
--