[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b

Tomasz Kojm tkojm at clamav.net
Sun Apr 4 01:13:19 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit 17cfd76f5b7cefd4e787f7bba25a1cb7e7394eb0
Author: Tomasz Kojm <tkojm at clamav.net>
Date:   Wed Dec 30 00:20:02 2009 +0100

    libclamav: add support for FileSize, EntryPoint and NumberOfSections in lsig's tdb

diff --git a/ChangeLog b/ChangeLog
index 4542364..7474182 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Wed Dec 30 00:19:21 CET 2009 (tk)
+---------------------------------
+ * libclamav: add support for FileSize, EntryPoint and NumberOfSections in
+	      lsig's tdb
+
 Tue Dec 29 13:50:01 CET 2009 (tk)
 ---------------------------------
  * sigtool/sigtool.c: handle lsigs created by the bytecode compiler
diff --git a/libclamav/matcher.c b/libclamav/matcher.c
index 3126107..32765ea 100644
--- a/libclamav/matcher.c
+++ b/libclamav/matcher.c
@@ -360,6 +360,8 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli
 	unsigned char digest[16];
 	struct cli_matcher *groot = NULL, *troot = NULL;
 	fmap_t *map = *ctx->fmap;
+	int (*einfo)(fmap_t *, struct cli_exe_info *) = NULL;
+	struct cli_exe_info exeinfo;
 
     if(!ctx->engine) {
 	cli_errmsg("cli_scandesc: engine == NULL\n");
@@ -460,53 +462,65 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli
 	offset += bytes - maxpatlen;
     }
 
+#define LSIGEVAL(xroot, xdata) \
+    for(i = 0; i < xroot->ac_lsigs; i++) { \
+	evalcnt = 0; \
+	evalids = 0; \
+	if(cli_ac_chklsig(xroot->ac_lsigtable[i]->logic, xroot->ac_lsigtable[i]->logic + strlen(xroot->ac_lsigtable[i]->logic), xdata.lsigcnt[i], &evalcnt, &evalids, 0) == 1) { \
+	    if(xroot->ac_lsigtable[i]->tdb.filesize && (xroot->ac_lsigtable[i]->tdb.filesize[0] > map->len || xroot->ac_lsigtable[i]->tdb.filesize[1] < map->len)) \
+		continue; \
+	    \
+	    if(xroot->ac_lsigtable[i]->tdb.ep || xroot->ac_lsigtable[i]->tdb.nos) { \
+		einfo = NULL; \
+		if(xroot->type == 1) \
+		    einfo = cli_peheader; \
+		else if(xroot->type == 6) \
+		    einfo = cli_elfheader; \
+		else if(xroot->type == 9) \
+		    einfo = cli_machoheader; \
+		if(!einfo) \
+		    continue; \
+		memset(&exeinfo, 0, sizeof(exeinfo)); \
+		if(einfo(map, &exeinfo)) \
+		    continue; \
+		if(exeinfo.section) \
+		    free(exeinfo.section); \
+		if(xroot->ac_lsigtable[i]->tdb.ep && (xroot->ac_lsigtable[i]->tdb.ep[0] > exeinfo.ep || xroot->ac_lsigtable[i]->tdb.ep[1] < exeinfo.ep)) \
+		    continue; \
+		if(xroot->ac_lsigtable[i]->tdb.nos && (xroot->ac_lsigtable[i]->tdb.nos[0] > exeinfo.nsections || xroot->ac_lsigtable[i]->tdb.nos[1] < exeinfo.nsections)) \
+		    continue; \
+	    } \
+	    if(xroot->ac_lsigtable[i]->tdb.icongrp1 || xroot->ac_lsigtable[i]->tdb.icongrp2) { \
+		if(matchicon(ctx, xroot->ac_lsigtable[i]->tdb.icongrp1, xroot->ac_lsigtable[i]->tdb.icongrp2) == CL_VIRUS) { \
+		    ret = CL_VIRUS; \
+		    break; \
+		} else { \
+		    continue; \
+		} \
+	    } \
+	    if(!xroot->ac_lsigtable[i]->bc) { \
+		if(ctx->virname) \
+		    *ctx->virname = xroot->ac_lsigtable[i]->virname; \
+		ret = CL_VIRUS; \
+		break; \
+	    } \
+	    if(cli_bytecode_runlsig(&ctx->engine->bcs, xroot->ac_lsigtable[i]->bc, ctx->virname, xdata.lsigcnt[i], map) == CL_VIRUS) { \
+		ret = CL_VIRUS; \
+		break; \
+	    } \
+	} \
+    }
+
     if(troot) {
-	for(i = 0; i < troot->ac_lsigs; i++) {
-	    evalcnt = 0;
-	    evalids = 0;
-	    if(cli_ac_chklsig(troot->ac_lsigtable[i]->logic, troot->ac_lsigtable[i]->logic + strlen(troot->ac_lsigtable[i]->logic), tdata.lsigcnt[i], &evalcnt, &evalids, 0) == 1) {
-		if(troot->ac_lsigtable[i]->tdb.icongrp1 || troot->ac_lsigtable[i]->tdb.icongrp2) {
-		    if(matchicon(ctx, troot->ac_lsigtable[i]->tdb.icongrp1, troot->ac_lsigtable[i]->tdb.icongrp2) == CL_VIRUS) {
-			ret = CL_VIRUS;
-			break;
-		    } else {
-			continue;
-		    }
-		}
-		if (!troot->ac_lsigtable[i]->bc) {
-		    if(ctx->virname)
-			*ctx->virname = troot->ac_lsigtable[i]->virname;
-		    ret = CL_VIRUS;
-		    break;
-		}
-		if (cli_bytecode_runlsig(&ctx->engine->bcs, troot->ac_lsigtable[i]->bc, ctx->virname, tdata.lsigcnt[i], map) == CL_VIRUS) {
-		    ret = CL_VIRUS;
-		    break;
-		}
-	    }
-	}
+	LSIGEVAL(troot, tdata);
 	cli_ac_freedata(&tdata);
 	if(bm_offmode)
 	    cli_bm_freeoff(&toff);
     }
 
     if(groot) {
-	if(ret != CL_VIRUS) for(i = 0; i < groot->ac_lsigs; i++) {
-	    evalcnt = 0;
-	    evalids = 0;
-	    if(cli_ac_chklsig(groot->ac_lsigtable[i]->logic, groot->ac_lsigtable[i]->logic + strlen(groot->ac_lsigtable[i]->logic), gdata.lsigcnt[i], &evalcnt, &evalids, 0) == 1) {
-		if (!groot->ac_lsigtable[i]->bc) {
-		    if(ctx->virname)
-			*ctx->virname = groot->ac_lsigtable[i]->virname;
-		    ret = CL_VIRUS;
-		    break;
-		}
-		if (cli_bytecode_runlsig(&ctx->engine->bcs, groot->ac_lsigtable[i]->bc, ctx->virname, gdata.lsigcnt[i], map) == CL_VIRUS) {
-		    ret = CL_VIRUS;
-		    break;
-		}
-	    }
-	}
+	if(ret != CL_VIRUS)
+	    LSIGEVAL(groot, gdata);
 	cli_ac_freedata(&gdata);
     }
 
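Review bot: Every logical signature carrying EntryPoint or NumberOfSections re-parses the executable header of the same map — the `einfo(map, &exeinfo)` call inside LSIGEVAL runs, and allocates and frees `exeinfo.section`, once per lsig whose logic matched — so a database with many such signatures turns one header parse into N; parsing at most once per LSIGEVAL invocation and remembering whether it succeeded (a failed parse then means no EP/NoS signature can match, which the per-signature `continue` already expresses) removes that, as sketched below with a `do { } while(0)` wrapper so the braceless `if(ret != CL_VIRUS) LSIGEVAL(groot, gdata);` keeps its meaning. Separately, `exeinfo.section` is freed only when the parser returns 0; if cli_peheader/cli_elfheader/cli_machoheader can fail after allocating the section table, the `continue` on the failure path leaks it — worth confirming their ownership on error, since the code here cannot show it. The macro is also never `#undef`ed and quietly depends on the function's locals `i`, `evalcnt`, `evalids`, `ret`, `map`, `ctx`, `einfo` and `exeinfo`; a `#undef LSIGEVAL` after the groot block and a one-line comment naming those inputs would make it safer to move or reuse. cli_fmap_scandesc begins and ends outside the hunk.
```c
#define LSIGEVAL(xroot, xdata) \
    do { \
	int exeinfo_state = 0; /* 0: header not parsed yet, 1: parsed, -1: no parser for this root or parse failed */ \
	for(i = 0; i < xroot->ac_lsigs; i++) { \
	    /* … unchanged: cli_ac_chklsig call and FileSize range check … */ \
	    if(xroot->ac_lsigtable[i]->tdb.ep || xroot->ac_lsigtable[i]->tdb.nos) { \
		if(exeinfo_state == 0) { \
		    exeinfo_state = -1; \
		    /* … unchanged: pick einfo from xroot->type (1, 6, 9) … */ \
		    if(einfo) { \
			memset(&exeinfo, 0, sizeof(exeinfo)); \
			if(!einfo(map, &exeinfo)) { \
			    exeinfo_state = 1; \
			    free(exeinfo.section); \
			    exeinfo.section = NULL; \
			} \
		    } \
		} \
		if(exeinfo_state != 1) \
		    continue; \
		/* … unchanged: EntryPoint and NumberOfSections range checks on exeinfo … */ \
	    } \
	    /* … unchanged: icon group, virname and bytecode handling … */ \
	} \
    } while(0)
```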
diff --git a/libclamav/matcher.h b/libclamav/matcher.h
index e95ff56..8f6315a 100644
--- a/libclamav/matcher.h
+++ b/libclamav/matcher.h
@@ -53,7 +53,7 @@ struct cli_lsig_tdb {
     uint32_t cnt[3];
 
     const uint32_t *target;
-    const uint32_t *engine, *nos, *ep;
+    const uint32_t *engine, *nos, *ep, *filesize;
     /*
     const uint32_t *sectoff, *sectrva, *sectvsz, *sectraw, *sectrsz,
 		   *secturva, *sectuvsz, *secturaw, *sectursz;
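Review bot: The new `filesize` member, like `nos` and `ep`, is used by matcher.c as a pointer to a two-element inclusive [min,max] range that is compared against `map->len` and is NULL when the attribute is absent, but nothing in the header says so. A trailing comment on the changed line, `const uint32_t *engine, *nos, *ep, *filesize; /* two-element inclusive ranges, NULL when unset */`, would spare readers a trip to the matcher. The struct definition continues outside the hunk.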
diff --git a/libclamav/readdb.c b/libclamav/readdb.c
index 9251335..d526c6d 100644
--- a/libclamav/readdb.c
+++ b/libclamav/readdb.c
@@ -923,16 +923,18 @@ struct lsig_attrib {
 static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
 {
 	struct lsig_attrib attrtab[] = {
-#define ATTRIB_TOKENS	4
-	    { "Target",	    CLI_TDB_UINT,	(void **) &tdb->target	    },
-	    { "Engine",	    CLI_TDB_RANGE,	(void **) &tdb->engine	    },
+#define ATTRIB_TOKENS	7
+	    { "Target",		    CLI_TDB_UINT,	(void **) &tdb->target	    },
+	    { "Engine",		    CLI_TDB_RANGE,	(void **) &tdb->engine	    },
 
-	    { "IconGroup1", CLI_TDB_STR,	(void **) &tdb->icongrp1    },
-	    { "IconGroup2", CLI_TDB_STR,	(void **) &tdb->icongrp2    },
+	    { "FileSize",	    CLI_TDB_RANGE,	(void **) &tdb->filesize    },
+	    { "EntryPoint",	    CLI_TDB_RANGE,	(void **) &tdb->ep	    },
+	    { "NumberOfSections",   CLI_TDB_RANGE,	(void **) &tdb->nos	    },
+
+	    { "IconGroup1",	    CLI_TDB_STR,	(void **) &tdb->icongrp1    },
+	    { "IconGroup2",	    CLI_TDB_STR,	(void **) &tdb->icongrp2    },
 
 /*
-	    { "NoS",	    CLI_TDB_RANGE,	(void **) &tdb->nos	    },
-	    { "EP",	    CLI_TDB_RANGE,	(void **) &tdb->ep	    },
 	    { "SectOff",    CLI_TDB_RANGE2,	(void **) &tdb->sectoff	    },
 	    { "SectRVA",    CLI_TDB_RANGE2,	(void **) &tdb->sectrva	    },
 	    { "SectVSZ",    CLI_TDB_RANGE2,	(void **) &tdb->sectvsz	    },
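Review bot: `ATTRIB_TOKENS` is a hand-maintained count (bumped from 4 to 7) that must track the number of live initializers in `attrtab`, and the commented-out entries directly below it make miscounting easy — an entry added later without bumping it would silently never be parsed. Since `attrtab` is a real array in this scope, the count can be derived instead: `#define ATTRIB_TOKENS (sizeof(attrtab) / sizeof(attrtab[0]))`, which the compiler keeps in sync with the table. lsigattribs continues past the end of the hunk, so the loop that consumes ATTRIB_TOKENS is not visible here; the derived form assumes it is used where `attrtab` is in scope.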
@@ -1161,6 +1163,12 @@ static int load_oneldb(char *buffer, int chkpua, int chkign, struct cl_engine *e
 	return CL_EMALFDB;
     }
 
+    if((tdb.ep || tdb.nos) && tdb.target[0] != 1 && tdb.target[0] != 6 && tdb.target[0] != 9) {
+	cli_errmsg("cli_loadldb: IconGroup is only supported in PE/ELF/Mach-O signatures\n");
+	FREE_TDB(tdb);
+	return CL_EMALFDB;
+    }
+
     root = engine->root[tdb.target[0]];
 
     lsig = (struct cli_ac_lsig *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_ac_lsig));
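Review bot: The error message on the new check does not match the condition it guards: the test is on `tdb.ep || tdb.nos`, but the text reports "IconGroup is only supported in PE/ELF/Mach-O signatures", so a signature author with a wrong target for EntryPoint/NumberOfSections is told about icon groups. Change it to `cli_errmsg("cli_loadldb: EntryPoint/NumberOfSections are only supported in PE/ELF/Mach-O signatures\n");`. The target numbers 1/6/9 are now duplicated between this check and the `xroot->type` dispatch in matcher.c's LSIGEVAL; a short comment naming them, or a shared constant, would keep the two from drifting. load_oneldb begins and ends outside the hunk.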
