[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
aCaB
acab at clamav.net
Sun Apr 4 01:13:10 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit f018e8b145be04683f90c26f9966275f01430344
Author: aCaB <acab at clamav.net>
Date: Tue Dec 22 04:16:30 2009 +0100
versioninfo parser
diff --git a/libclamav/pe.c b/libclamav/pe.c
index 1cc2890..619fd1a 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -193,6 +193,14 @@ static void cli_multifree(void *f, ...) {
va_end(ap);
}
+int versioninfo(void *opaque, uint32_t type, uint32_t name, uint32_t lang, uint32_t rva) {
+ uint32_t *rvas = (uint32_t *)opaque;
+ cli_errmsg("type: %x, name: %x, lang: %x, rva: %x\n", type, name, lang, rva);
+ *rvas = rva;
+ return 0;
+}
+
+
uint32_t cli_rawaddr(uint32_t rva, struct cli_exe_section *shp, uint16_t nos, unsigned int *err, size_t fsize, uint32_t hdr_size)
{
int i, found = 0;
@@ -1043,6 +1051,119 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
cli_dbgmsg("EntryPoint offset: 0x%x (%d)\n", ep, ep);
+ if(dirs[2].Size) {
+ uint32_t rvas, res_sz;
+ uint8_t *vptr;
+ findres(0x10, 0xffffffff, EC32(dirs[2].VirtualAddress), ctx, exe_sections, nsections, hdr_size, versioninfo, &rvas);
+ rvas = cli_rawaddr(rvas, exe_sections, nsections, &err, fsize, hdr_size); /* FIXME: this shall be an array */
+ vptr = fmap_need_off_once(map, rvas, 16); /* FIXME: check for failure */
+ rvas = cli_readint32(vptr);
+ res_sz = cli_readint32(vptr+4);
+ rvas = cli_rawaddr(rvas, exe_sections, nsections, &err, fsize, hdr_size); /* FIXME: check for failure */
+ vptr = fmap_need_off_once(map, rvas, res_sz); /* FIXME: check for failure */
+
+ while(res_sz>4) { /* look for versioninfo */
+ uint32_t vinfo_sz, vinfo_val_sz;
+
+ vinfo_sz = vinfo_val_sz = cli_readint32(vptr);
+ vinfo_sz &= 0xffff;
+ if(vinfo_sz > res_sz) {
+ /* the content is larger than the container */
+ break; /* this is a hard fail */
+ }
+ vinfo_val_sz >>= 16;
+ if(vinfo_sz <= 6 + 0x22 + 0x34 ||
+ vinfo_val_sz != 0x34 ||
+ memcmp(vptr+6, "V\0S\0_\0V\0E\0R\0S\0I\0O\0N\0_\0I\0N\0F\0O\0\0\0", 0x20) ||
+ cli_readint32(vptr + 0x28) != 0xfeef04bd) {
+ /* - there should be enough room for the header(6), the key "VS_VERSION_INFO"(20), the padding(2) and the value(34)
+ * - the value should be sizeof(fixedfileinfo)
+ * - the key should match
+ * - there should be some proper magic for fixedfileinfo */
+ vptr += vinfo_sz;
+ res_sz -= vinfo_sz;
+ continue; /* this is a soft fail - FIXME: is there anything else we can find here? */
+ }
+
+ /* move to the end of fixedfileinfo where the child elements are located */
+ vptr += 6 + 0x20 + 2 + 0x34;
+ vinfo_sz -= 6 + 0x20 + 2 + 0x34;
+
+ while(vinfo_sz > 6) { /* look for stringfileinfo */
+ uint32_t sfi_sz = cli_readint32(vptr) & 0xffff;
+
+ if(sfi_sz > vinfo_sz) {
+ res_sz = 0;
+ break; /* this is a hard fail */
+ }
+ if(sfi_sz <= 6 + 0x1e || memcmp(vptr+6, "S\0t\0r\0i\0n\0g\0F\0i\0l\0e\0I\0n\0f\0o\0\0\0", 0x1e)) {
+ /* - there should be enough room for the header(6) and the key "StringFileInfo"(1e)
+ * - the key should match */
+ vptr += sfi_sz;
+ vinfo_sz -= sfi_sz;
+ continue; /* this is a soft fail - FIXME: we might only find VarFileInfo, and at most ONCE */
+ }
+
+ /* move to the end of stringfileinfo where the child elements are located */
+ vptr += 6 + 0x1e;
+ sfi_sz -= 6 + 0x1e;
+
+ while(sfi_sz > 6) { /* look for stringtable */
+ uint32_t st_sz = cli_readint32(vptr) & 0xffff;
+
+ if(st_sz > sfi_sz || st_sz <= 24) {
+ /* - the content is larger than the container
+ - there's no room for a stringtables (headers(6) + key(16) + padding(2)) */
+ res_sz = 0;
+ vinfo_sz = 0;
+ break; /* this is a hard fail */
+ }
+
+ /* move to the end of stringtable where the child elements are located */
+ vptr += 24;
+ st_sz -= 24;
+
+ while(st_sz > 6) { /* look for string */
+ uint32_t s_sz, s_key_sz, s_val_sz;
+ char *k, *v;
+
+ s_sz = s_val_sz = cli_readint32(vptr);
+ s_sz &= 0xffff;
+ s_val_sz = (s_val_sz & 0xffff0000)>>15;
+ if(s_sz > st_sz || s_sz <= 6 + 2 + 2 + 2 || s_val_sz > s_sz - 6 - 2 - 2) {
+ /* - the content is larger than the container
+ * - there's no room for a minimal string (headers(6) + key(2) + padding(2) + value(2))
+ * - there's no room for the value */
+ res_sz = 0;
+ vinfo_sz = 0;
+ sfi_sz = 0;
+ break; /* this is a hard fail */
+ }
+ for(s_key_sz = 0; s_key_sz < s_sz - 6 - s_val_sz; s_key_sz += 2) {
+ if(vptr[6+s_key_sz] || vptr[6+s_key_sz+1]) continue;
+ s_key_sz += 2;
+ break;
+ }
+ if(s_key_sz >= s_sz - 6 - s_val_sz) {
+ /* key overflow */
+ vptr += s_sz;
+ st_sz -= s_sz;
+ continue;
+ }
+ k = cli_utf16toascii(vptr + 6, s_key_sz);
+ s_key_sz += 6 + 3;
+ s_key_sz &= ~3;
+ v = cli_utf16toascii(vptr + s_key_sz, s_val_sz);
+ cli_errmsg("%x - %s=%s\n", s_key_sz, k, v);
+ vptr += s_sz;
+ st_sz -= s_sz;
+ }
+ /* FIXME: resmue here */
+ }
+ }
+ }
+ }
+
if(iconset){
if(!dll && dirs[2].Size && cli_scanicon(iconset, EC32(dirs[2].VirtualAddress), ctx, exe_sections, nsections, hdr_size) == CL_VIRUS) {
free(exe_sections);
--
Debian repository for ClamAV
More information about the Pkg-clamav-commits
mailing list