[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
Török Edvin
edwin at clamav.net
Sun Apr 4 00:59:05 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit d0b31fa38ce5ac348118fcedecd68af1e1258ed8
Author: Török Edvin <edwin at clamav.net>
Date: Wed Jul 15 19:42:01 2009 +0300
Make yC able to handle more samples and variants.
diff --git a/ChangeLog b/ChangeLog
index 0ea464f..c64201f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Wed Jul 15 23:36:09 EEST 2009 (edwin)
+-------------------------------------
+ * libclamav/pe.c, yc.c: Make yC able to handle more samples and variants.
+
Wed Jul 15 19:36:35 CEST 2009 (tk)
----------------------------------
* clamd: honour value of 0 in Max* options
diff --git a/libclamav/pe.c b/libclamav/pe.c
index 2b3215c..32d34f8 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -2015,11 +2015,50 @@ int cli_scanpe(int desc, cli_ctx *ctx)
}
- /* yC 1.3 */
+ /* yC 1.3 & variants */
if((DCONF & PE_CONF_YC) && nsections > 1 &&
- EC32(optional_hdr32.AddressOfEntryPoint) == exe_sections[nsections - 1].rva + 0x60 &&
- memcmp(epbuff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED\x6C\x28\x40\x00\xB9\x5D\x34\x40\x00\x81\xE9\xC6\x28\x40\x00\x8B\xD5\x81\xC2\xC6\x28\x40\x00\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 51) == 0 && fsize >= exe_sections[nsections - 1].raw + 0xC6 + 0xb97) {
+ (EC32(optional_hdr32.AddressOfEntryPoint) == exe_sections[nsections - 1].rva + 0x60)) {
+
+ uint32_t ecx = 0;
+ int16_t offset;
+
+ /* yC 1.3 */
+ if (!memcmp(epbuff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED", 15) &&
+ !memcmp(epbuff+0x26, "\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 13) &&
+ ((uint8_t)epbuff[0x13] == 0xB9) &&
+ ((uint16_t)(cli_readint16(epbuff+0x18)) == 0xE981) &&
+ !memcmp(epbuff+0x1e,"\x8B\xD5\x81\xC2", 4)) {
+
+ offset = 0;
+ if (0x6c - cli_readint32(epbuff+0xf) + cli_readint32(epbuff+0x22) == 0xC6)
+ ecx = cli_readint32(epbuff+0x14) - cli_readint32(epbuff+0x1a);
+ }
+
+ /* yC 1.3 variant */
+ if (!ecx && !memcmp(epbuff, "\x55\x8B\xEC\x83\xEC\x40\x53\x56\x57", 9) &&
+ !memcmp(epbuff+0x17, "\xe8\x00\x00\x00\x00\x5d\x81\xed", 8) &&
+ ((uint8_t)epbuff[0x23] == 0xB9)) {
+
+ offset = 0x10;
+ if (0x6c - cli_readint32(epbuff+0x1f) + cli_readint32(epbuff+0x32) == 0xC6)
+ ecx = cli_readint32(epbuff+0x24) - cli_readint32(epbuff+0x2a);
+ }
+
+ /* yC 1.x/modified */
+ if (!ecx && !memcmp(epbuff, "\x60\xe8\x00\x00\x00\x00\x5d\x81\xed",9) &&
+ ((uint8_t)epbuff[0xd] == 0xb9) &&
+ ((uint16_t)cli_readint16(epbuff + 0x12)== 0xbd8d) &&
+ !memcmp(epbuff+0x18, "\x8b\xf7\xac", 3)) {
+
+ offset = -0x18;
+ if (0x66 - cli_readint32(epbuff+0x9) + cli_readint32(epbuff+0x14) == 0xae)
+ ecx = cli_readint32(epbuff+0xe);
+ }
+
+ if (ecx > 0x800 && ecx < 0x2000 &&
+ !memcmp(epbuff+0x63+offset, "\xaa\xe2\xcc", 3) &&
+ (fsize >= exe_sections[nsections-1].raw + 0xC6 + ecx + offset)) {
char *spinned;
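Review bot: `int16_t offset;` near the top of the new block has no initializer and is only assigned inside the three pattern branches; the reads at `memcmp(epbuff+0x63+offset, ...)` and in the `fsize` check are reached only when `ecx` is non-zero, which in turn only happens inside a branch that set `offset`, so it is safe in practice but only by an indirect invariant, and compilers will flag it under -Wmaybe-uninitialized. Writing `int16_t offset = 0;` removes the warning and records the intent. The new matchers also read `epbuff` further in than the old single 51-byte compare did (up to `epbuff+0x63+0x10+3` for the second variant and `cli_readint32(epbuff+0x32)`); the buffer's size is not visible in this hunk, so it is worth confirming it covers those offsets. The `ecx > 0x800 && ecx < 0x2000` range is a new sanity limit with no explanation; a one-line comment stating where those bounds come from would help the next reader. cli_scanpe starts and ends outside the hunk.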
@@ -2037,7 +2076,8 @@ int cli_scanpe(int desc, cli_ctx *ctx)
}
CLI_UNPTEMP("yC",(spinned,exe_sections,0));
- CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc)),0,(spinned,0));
+ CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc, ecx, offset)),0,(spinned,0));
+ }
}
/* WWPack */
@@ -2051,7 +2091,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
ssize = 0;
for(i=0 ; ; i++) {
- if(exe_sections[i].raw<head)
+ if(exe_sections[i].raw<head)
head=exe_sections[i].raw;
if(i+1==nsections) break;
if(ssize<exe_sections[i].rva+exe_sections[i].vsz)
diff --git a/libclamav/yc.c b/libclamav/yc.c
index 433ca93..dc46bcf 100644
--- a/libclamav/yc.c
+++ b/libclamav/yc.c
@@ -30,7 +30,6 @@
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
-
#include "cltypes.h"
#include "pe.h"
#include "others.h"
@@ -164,9 +163,8 @@ static int yc_poly_emulator(char* decryptor_offset, char* code, unsigned int ecx
/* ========================================================================== */
/* Main routine which calls all others */
-int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sections, unsigned int sectcount, uint32_t peoffset, int desc)
-{
- uint32_t ycsect = sections[sectcount].raw;
+int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sections, unsigned int sectcount, uint32_t peoffset, int desc, uint32_t ecx,int16_t offset) {
+ uint32_t ycsect = sections[sectcount].raw+offset;
unsigned int i;
struct pe_image_file_hdr *pe = (struct pe_image_file_hdr*) (fbuf + peoffset);
char *sname = (char *)pe + EC16(pe->SizeOfOptionalHeader) + 0x18;
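Review bot: `uint32_t ycsect = sections[sectcount].raw+offset;` can wrap when `offset` is negative (the pe.c caller passes -0x18 for the "yC 1.x/modified" case) and `raw` is smaller than 0x18: the int16_t is converted to uint32_t for the addition, the result lands near UINT32_MAX, and every `fbuf + ycsect + ...` read further down becomes an out-of-bounds access. The caller's `fsize` check only bounds the upper end of the section; nothing visible here or in the pe.c hunk rejects a small `raw`. A guard before the computation, `if (offset < 0 && sections[sectcount].raw < (uint32_t)-offset) return 1;`, closes this, assuming non-zero is the failure convention here as the later `return 1` lines suggest. As a style point, the opening brace was moved onto the signature line, while the removed line shows the file placing it on its own line. yc_decrypt continues outside the hunk.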
@@ -177,11 +175,12 @@ int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sectio
Start offset for analyze: Start of yC Section + 0x93
End offset for analyze: Start of yC Section + 0xC3
- Lenght to decrypt - ECX = 0xB97
+ Length to decrypt - ECX = 0xB97
*/
- cli_dbgmsg("yC: decrypting decryptor on sect %d\n", sectcount);
- if (yc_poly_emulator(fbuf + ycsect + 0x93, fbuf + ycsect + 0xc6 ,0xB97))
+ cli_dbgmsg("yC: offset: %x, length: %x\n", offset, ecx);
+ cli_dbgmsg("yC: decrypting decryptor on sect %d\n", sectcount);
+ if (yc_poly_emulator(fbuf + ycsect + 0x93, fbuf + ycsect + 0xc6, ecx))
return 1;
filesize-=sections[sectcount].ursz;
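Review bot: The new `cli_dbgmsg("yC: offset: %x, length: %x\n", offset, ecx);` formats `offset` with `%x` although it is an `int16_t`, so the negative variant will be logged as `ffffffe8` and, strictly, `%x` expects an unsigned argument; `%d` for offset, or `(unsigned)offset` if hex output is wanted, is the clean form, assuming cli_dbgmsg is printf-like. The comment block just above still states `Length to decrypt - ECX = 0xB97` although the length is now the `ecx` parameter; suggest `Length to decrypt - ECX, passed in by the caller (0xB97 was the fixed value for the original yC 1.3 match)`. yc_decrypt's body continues outside the hunk.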
@@ -200,8 +199,8 @@ int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sectio
for(i=0;i<sectcount;i++)
{
uint32_t name = (uint32_t) cli_readint32(sname+i*0x28);
- if ( !sections[i].raw ||
- !sections[i].rsz ||
+ if (!sections[i].raw ||
+ !sections[i].rsz ||
name == 0x63727372 || /* rsrc */
name == 0x7273722E || /* .rsr */
name == 0x6F6C6572 || /* relo */
@@ -212,9 +211,9 @@ int yc_decrypt(char *fbuf, unsigned int filesize, struct cli_exe_section *sectio
name == 0x736C742E || /* .tls */
(name&0xffff) == 0x4379 /* yC */
) continue;
- cli_dbgmsg("yC: decrypting sect%d\n",i);
- if (yc_poly_emulator(fbuf + ycsect + 0x457, fbuf + sections[i].raw, sections[i].ursz))
- return 1;
+ cli_dbgmsg("yC: decrypting sect%d\n",i);
+ if (yc_poly_emulator(fbuf + ycsect + (offset == -0x18 ? 0x3ea : 0x457), fbuf + sections[i].raw, sections[i].ursz))
+ return 1;
}
/* Remove yC section */
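Review bot: `(offset == -0x18 ? 0x3ea : 0x457)` picks the per-section decryptor location by comparing `offset` against the literal the pe.c caller happens to pass, which couples yc.c to a value chosen in another file and leaves both constants unexplained. At minimum a comment on that line, `/* decryptor stub is at +0x3ea in the layout the caller flags with offset -0x18, +0x457 otherwise */`, makes the dependency visible; an explicit variant argument or named constants would be cleaner than overloading `offset` as a discriminator. Whether `ycsect + 0x3ea` plus the emulator's read extent stays within the range the caller checked is not visible here, since yc_poly_emulator lies outside the hunk.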
diff --git a/libclamav/yc.h b/libclamav/yc.h
index fd0144e..cf748c2 100644
--- a/libclamav/yc.h
+++ b/libclamav/yc.h
@@ -25,6 +25,6 @@
#include "execs.h"
#include "cltypes.h"
-int yc_decrypt(char *, unsigned int, struct cli_exe_section *, unsigned int, uint32_t, int);
+int yc_decrypt(char *, unsigned int, struct cli_exe_section *, unsigned int, uint32_t, int,uint32_t,int16_t);
#endif
diff --git a/test/.split/split.clam-yc.exeaa b/test/.split/split.clam-yc.exeaa
new file mode 100644
index 0000000..c844004
Binary files /dev/null and b/test/.split/split.clam-yc.exeaa differ
diff --git a/test/.split/split.clam-yc.exeab b/test/.split/split.clam-yc.exeab
new file mode 100644
index 0000000..0f482fa
Binary files /dev/null and b/test/.split/split.clam-yc.exeab differ
diff --git a/test/Makefile.am b/test/Makefile.am
index 147ab0b..919b756 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -5,7 +5,7 @@ FILES = clam-v2.rar clam-v3.rar clam.cab clam.exe.bz2 clam.exe clam.zip \
clam.mail clam.ppt clam.tnef clam.ea05.exe clam.ea06.exe clam.d64.zip\
clam.exe.mbox.base64 clam.exe.mbox.uu clam.exe.binhex clam.ole.doc \
clam.impl.zip clam.exe.html clam.bz2.zip clam.bin-be.cpio clam.bin-le.cpio \
- clam.newc.cpio clam.odc.cpio
+ clam.newc.cpio clam.odc.cpio clam-yc.exe
SPLIT_DIR=$(top_srcdir)/test/.split
diff --git a/test/Makefile.in b/test/Makefile.in
index 31fc788..e7b8af6 100644
--- a/test/Makefile.in
+++ b/test/Makefile.in
@@ -214,7 +214,7 @@ FILES = clam-v2.rar clam-v3.rar clam.cab clam.exe.bz2 clam.exe clam.zip \
clam.mail clam.ppt clam.tnef clam.ea05.exe clam.ea06.exe clam.d64.zip\
clam.exe.mbox.base64 clam.exe.mbox.uu clam.exe.binhex clam.ole.doc \
clam.impl.zip clam.exe.html clam.bz2.zip clam.bin-be.cpio clam.bin-le.cpio \
- clam.newc.cpio clam.odc.cpio
+ clam.newc.cpio clam.odc.cpio clam-yc.exe
SPLIT_DIR = $(top_srcdir)/test/.split
EXTRA_DIST = .split