[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b

Török Edvin edwin at clamav.net
Sun Apr 4 00:59:05 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit d0b31fa38ce5ac348118fcedecd68af1e1258ed8
Author: Török Edvin <edwin at clamav.net>
Date:   Wed Jul 15 19:42:01 2009 +0300

    Make yC able to handle more samples and variants.

diff --git a/ChangeLog b/ChangeLog
index 0ea464f..c64201f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Wed Jul 15 23:36:09 EEST 2009 (edwin)
+-------------------------------------
+ * libclamav/pe.c, yc.c: Make yC able to handle more samples and variants.
+
 Wed Jul 15 19:36:35 CEST 2009 (tk)
 ----------------------------------
  * clamd: honour value of 0 in Max* options
diff --git a/libclamav/pe.c b/libclamav/pe.c
index 2b3215c..32d34f8 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -2015,11 +2015,50 @@ int cli_scanpe(int desc, cli_ctx *ctx)
     }
 
 
-    /* yC 1.3 */
+    /* yC 1.3 & variants */
 
     if((DCONF & PE_CONF_YC) && nsections > 1 &&
-       EC32(optional_hdr32.AddressOfEntryPoint) == exe_sections[nsections - 1].rva + 0x60 &&
-       memcmp(epbuff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED\x6C\x28\x40\x00\xB9\x5D\x34\x40\x00\x81\xE9\xC6\x28\x40\x00\x8B\xD5\x81\xC2\xC6\x28\x40\x00\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 51) == 0 && fsize >= exe_sections[nsections - 1].raw + 0xC6 + 0xb97)  {
+       (EC32(optional_hdr32.AddressOfEntryPoint) == exe_sections[nsections - 1].rva + 0x60)) {
+
+	uint32_t ecx = 0;
+	int16_t offset;
+
+	/* yC 1.3 */
+	if (!memcmp(epbuff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED", 15) &&
+	    !memcmp(epbuff+0x26, "\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 13) &&
+	    ((uint8_t)epbuff[0x13] == 0xB9) &&
+	    ((uint16_t)(cli_readint16(epbuff+0x18)) == 0xE981) &&
+	    !memcmp(epbuff+0x1e,"\x8B\xD5\x81\xC2", 4)) {
+
+	    offset = 0;
+	    if (0x6c - cli_readint32(epbuff+0xf) + cli_readint32(epbuff+0x22) == 0xC6)
+		ecx = cli_readint32(epbuff+0x14) - cli_readint32(epbuff+0x1a);
+	}
+
+	/* yC 1.3 variant */
+	if (!ecx && !memcmp(epbuff, "\x55\x8B\xEC\x83\xEC\x40\x53\x56\x57", 9) &&
+	    !memcmp(epbuff+0x17, "\xe8\x00\x00\x00\x00\x5d\x81\xed", 8) &&
+	    ((uint8_t)epbuff[0x23] == 0xB9)) {
+
+	    offset = 0x10;
+	    if (0x6c - cli_readint32(epbuff+0x1f) + cli_readint32(epbuff+0x32) == 0xC6)
+		ecx = cli_readint32(epbuff+0x24) - cli_readint32(epbuff+0x2a);
+	}
+
+	/* yC 1.x/modified */
+	if (!ecx && !memcmp(epbuff, "\x60\xe8\x00\x00\x00\x00\x5d\x81\xed",9) &&
+	    ((uint8_t)epbuff[0xd] == 0xb9) &&
+	    ((uint16_t)cli_readint16(epbuff + 0x12)== 0xbd8d) &&
+	    !memcmp(epbuff+0x18, "\x8b\xf7\xac", 3)) {
+
+	    offset = -0x18;
+	    if (0x66 - cli_readint32(epbuff+0x9) + cli_readint32(epbuff+0x14) == 0xae)
+		ecx = cli_readint32(epbuff+0xe);
+	}
+
+	if (ecx > 0x800 && ecx < 0x2000 &&
+	    !memcmp(epbuff+0x63+offset, "\xaa\xe2\xcc", 3) &&
+	    (fsize >= exe_sections[nsections-1].raw + 0xC6 + ecx + offset)) {
 
 	char *spinned;
 
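Review bot: `int16_t offset;` is declared without an initializer and is only assigned inside the three matcher branches, so the `memcmp(epbuff+0x63+offset, …)` and `fsize` checks at the end of the hunk read it safely only because `ecx > 0x800` short-circuits when no branch matched; that holds today but is fragile and draws a maybe-uninitialized warning, so write `int16_t offset = 0;`. The new matchers also read further into `epbuff` than the 51-byte compare they replace (up to `epbuff+0x36` in the variant branch and `epbuff+0x63+0x10+3` in the trailer check), and the hunk does not show how many bytes were read into `epbuff` for this entry point, so confirm the read on this path covers at least 0x76 bytes or guard these reads with the variable that records that count. In the `fsize` comparison the signed `offset` is folded into unsigned arithmetic and only subtracts correctly because `0xC6 + ecx` exceeds 0x18 once `ecx > 0x800`; a one-line comment there would save the next reader the derivation. `cli_scanpe` begins and ends outside this hunk.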
@@ -2037,7 +2076,8 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 	}
 
 	CLI_UNPTEMP("yC",(spinned,exe_sections,0));
-	CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc)),0,(spinned,0));
+	CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc, ecx, offset)),0,(spinned,0));
+	}
     }
 
     /* WWPack */
@@ -2051,7 +2091,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 
 	ssize = 0;
 	for(i=0 ; ; i++) {
-	    if(exe_sections[i].raw<head) 
+	    if(exe_sections[i].raw<head)
 	        head=exe_sections[i].raw;
 	    if(i+1==nsections) break;
 	    if(ssize<exe_sections[i].rva+exe_sections[i].vsz)
diff --git a/libclamav/yc.c b/libclamav/yc.c
index 433ca93..dc46bcf 100644
--- a/libclamav/yc.c
+++ b/libclamav/yc.c
@@ -30,7 +30,6 @@
 #if HAVE_CONFIG_H
 #include "clamav-config.h"
 #endif
-
 #include "cltypes.h"
 #include "pe.h"
 #include "others.h"
@@ -164,9 +163,8 @@ static int yc_poly_emulator(char* decryptor_offset, char* code, unsigned int ecx
 /* ========================================================================== */
 /* Main routine which calls all others */
 
-int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sections, unsigned int sectcount, uint32_t peoffset, int desc)
-{
-  uint32_t ycsect = sections[sectcount].raw;
+int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sections, unsigned int sectcount, uint32_t peoffset, int desc, uint32_t ecx,int16_t offset) {
+  uint32_t ycsect = sections[sectcount].raw+offset;
   unsigned int i;
   struct pe_image_file_hdr *pe = (struct pe_image_file_hdr*) (fbuf + peoffset);
   char *sname = (char *)pe + EC16(pe->SizeOfOptionalHeader) + 0x18;
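Review bot: `ycsect = sections[sectcount].raw+offset` adds a signed `int16_t` that can be -0x18 to a `uint32_t`, so if `raw` is ever below 0x18 the sum wraps and every `fbuf + ycsect + …` access that follows points far outside the buffer; the caller's `fsize` check in pe.c performs the same wrapping addition and would not reject that case. A guard before the assignment, `if (offset < 0 && sections[sectcount].raw < (uint32_t)-offset) return 1;`, keeps the function safe independent of what the caller validated. The rewritten definition also moves the opening brace onto the signature line, unlike the `{` on its own line the file used before; keeping the file's layout is preferable. `yc_decrypt` continues past this hunk.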
@@ -177,11 +175,12 @@ int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sectio
 
   Start offset for analyze: Start of yC Section + 0x93
   End offset for analyze: Start of yC Section + 0xC3
-  Lenght to decrypt - ECX = 0xB97
+  Length to decrypt - ECX = 0xB97
 
   */
-  cli_dbgmsg("yC: decrypting decryptor on sect %d\n", sectcount); 
-  if (yc_poly_emulator(fbuf + ycsect + 0x93, fbuf + ycsect + 0xc6 ,0xB97))
+  cli_dbgmsg("yC: offset: %x, length: %x\n", offset, ecx);
+  cli_dbgmsg("yC: decrypting decryptor on sect %d\n", sectcount);
+  if (yc_poly_emulator(fbuf + ycsect + 0x93, fbuf + ycsect + 0xc6, ecx))
     return 1;
   filesize-=sections[sectcount].ursz;
 
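Review bot: the new debug line `cli_dbgmsg("yC: offset: %x, length: %x\n", offset, ecx);` passes the signed `int16_t` `offset` to `%x`, which expects `unsigned int`; a negative shift prints as `ffffffe8` and the mismatch trips `-Wformat` on printf-attributed wrappers, so use `cli_dbgmsg("yC: offset: %d, length: %x\n", (int)offset, ecx);` (and `PRIx32` for `ecx` where `<inttypes.h>` is available). The comment block immediately above still describes a fixed decrypt length of 0xB97 and fixed analyze offsets relative to the yC section, but the length is now the caller-supplied `ecx` and the base is shifted by `offset`; it should say that both values come from the entry-point matcher in pe.c. Note too that `yc_decrypt` hands `ecx` to `yc_poly_emulator` without any range check of its own and relies entirely on the `fsize` test in `cli_scanpe`; that contract deserves a sentence on the function header, since nothing in the prototype hints at it.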
@@ -200,8 +199,8 @@ int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sectio
   for(i=0;i<sectcount;i++)
     {
       uint32_t name = (uint32_t) cli_readint32(sname+i*0x28);
-      if ( !sections[i].raw ||
-	   !sections[i].rsz ||
+      if (!sections[i].raw ||
+	  !sections[i].rsz ||
 	   name == 0x63727372 || /* rsrc */
 	   name == 0x7273722E || /* .rsr */
 	   name == 0x6F6C6572 || /* relo */
@@ -212,9 +211,9 @@ int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sectio
 	   name == 0x736C742E || /* .tls */
 	   (name&0xffff) == 0x4379  /* yC */
 	) continue;
-      cli_dbgmsg("yC: decrypting sect%d\n",i); 
-      if (yc_poly_emulator(fbuf + ycsect + 0x457, fbuf + sections[i].raw, sections[i].ursz))
-	return 1;
+      cli_dbgmsg("yC: decrypting sect%d\n",i);
+      if (yc_poly_emulator(fbuf + ycsect + (offset == -0x18 ? 0x3ea : 0x457), fbuf + sections[i].raw, sections[i].ursz))
+	  return 1;
     }
 
   /* Remove yC section */
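Review bot: `(offset == -0x18 ? 0x3ea : 0x457)` in the second `yc_poly_emulator` call identifies the packer variant by a magic value of `offset`, so any future matcher that chooses a different shift silently falls back to the 1.3 decryptor location with nothing flagging the wrong choice. Either pass the per-section decryptor offset from pe.c alongside `ecx` and `offset`, or give the two constants and the sentinel names, e.g. `#define YC13_SECT_DECRYPTOR 0x457` and `#define YC1X_SECT_DECRYPTOR 0x3ea`, with a comment stating which entry-point pattern each belongs to. The re-indented `return 1;` also appears to sit two columns deeper than the `if` it belongs to; align it with the surrounding two-space style. The loop is complete in the hunk but `yc_decrypt` continues past it.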
diff --git a/libclamav/yc.h b/libclamav/yc.h
index fd0144e..cf748c2 100644
--- a/libclamav/yc.h
+++ b/libclamav/yc.h
@@ -25,6 +25,6 @@
 #include "execs.h"
 #include "cltypes.h"
 
-int yc_decrypt(char *, unsigned int, struct cli_exe_section *, unsigned int, uint32_t, int);
+int yc_decrypt(char *, unsigned int, struct cli_exe_section *, unsigned int, uint32_t, int,uint32_t,int16_t);
 
 #endif
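Review bot: the widened prototype still omits parameter names, so a reader of yc.h cannot tell that the new `uint32_t` is the decrypt length and the `int16_t` is the entry-point shift chosen in pe.c, nor that the caller is expected to bounds-check both against the file size. Name them, `int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sections, unsigned int sectcount, uint32_t peoffset, int desc, uint32_t ecx, int16_t offset);`, and add a short comment above the declaration stating that contract and that the function returns 1 when decryptor emulation fails.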
diff --git a/test/.split/split.clam-yc.exeaa b/test/.split/split.clam-yc.exeaa
new file mode 100644
index 0000000..c844004
Binary files /dev/null and b/test/.split/split.clam-yc.exeaa differ
diff --git a/test/.split/split.clam-yc.exeab b/test/.split/split.clam-yc.exeab
new file mode 100644
index 0000000..0f482fa
Binary files /dev/null and b/test/.split/split.clam-yc.exeab differ
diff --git a/test/Makefile.am b/test/Makefile.am
index 147ab0b..919b756 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -5,7 +5,7 @@ FILES = clam-v2.rar clam-v3.rar clam.cab clam.exe.bz2 clam.exe clam.zip \
 	clam.mail clam.ppt clam.tnef clam.ea05.exe clam.ea06.exe clam.d64.zip\
 	clam.exe.mbox.base64 clam.exe.mbox.uu clam.exe.binhex clam.ole.doc \
 	clam.impl.zip clam.exe.html clam.bz2.zip clam.bin-be.cpio clam.bin-le.cpio \
-	clam.newc.cpio clam.odc.cpio
+	clam.newc.cpio clam.odc.cpio clam-yc.exe
 
 SPLIT_DIR=$(top_srcdir)/test/.split
 
diff --git a/test/Makefile.in b/test/Makefile.in
index 31fc788..e7b8af6 100644
--- a/test/Makefile.in
+++ b/test/Makefile.in
@@ -214,7 +214,7 @@ FILES = clam-v2.rar clam-v3.rar clam.cab clam.exe.bz2 clam.exe clam.zip \
 	clam.mail clam.ppt clam.tnef clam.ea05.exe clam.ea06.exe clam.d64.zip\
 	clam.exe.mbox.base64 clam.exe.mbox.uu clam.exe.binhex clam.ole.doc \
 	clam.impl.zip clam.exe.html clam.bz2.zip clam.bin-be.cpio clam.bin-le.cpio \
-	clam.newc.cpio clam.odc.cpio
+	clam.newc.cpio clam.odc.cpio clam-yc.exe
 
 SPLIT_DIR = $(top_srcdir)/test/.split
 EXTRA_DIST = .split

-- 
Debian repository for ClamAV


