static int sigtool_scandir (const char *dirname, int hex_output)
{
DIR *dd;
struct dirent *dent;
struct stat statbuf;
char *fname;
const char *tmpdir;
char *dir;
int ret = CL_CLEAN, desc;
if ((dd = opendir (dirname)) != NULL) {
while ((dent = readdir (dd))) {
if (dent->d_ino) {
if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
/* build the full name */
fname = (char *) cli_calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
sprintf (fname, "%s/%s", dirname, dent->d_name);
/* stat the file */
if (lstat (fname, &statbuf) != -1) {
if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode)) {
if (sigtool_scandir (fname, hex_output)) {
free (fname);
closedir (dd);
return CL_VIRUS;
}
} else {
if (S_ISREG (statbuf.st_mode)) {
tmpdir = getenv ("TMPDIR");
if (tmpdir == NULL)
#ifdef P_tmpdir
tmpdir = P_tmpdir;
#else
tmpdir = "/tmp";
#endif
/* generate the temporary directory */
dir = cli_gentemp (tmpdir);
if (mkdir (dir, 0700)) {
printf ("Can't create temporary directory %s\n", dir);
return CL_ETMPDIR;
}
if ((desc = open (fname, O_RDONLY)) == -1) {
printf ("Can't open file %s\n", fname);
return 1;
}
if ((ret = cli_ole2_extract (desc, dir, NULL))) {
printf ("ERROR %s\n", cl_strerror (ret));
cli_rmdirs (dir);
free (dir);
return ret;
}
sigtool_vba_scandir (dir, hex_output);
cli_rmdirs (dir);
free (dir);
}
}
}
free (fname);
}
}
}
} else {
cli_errmsg ("Can't open directory %s.\n", dirname);
return CL_EOPEN;
}
closedir (dd);
return 0;
}
int sigtool_vba_scandir (const char *dirname, int hex_output, struct uniq *U)
{
int ret = CL_CLEAN, i, j, fd, data_len;
vba_project_t *vba_project;
DIR *dd;
struct dirent *dent;
STATBUF statbuf;
char *fullname, vbaname[1024], *hash;
unsigned char *data;
uint32_t hashcnt;
hashcnt = uniq_get(U, "_vba_project", 12, NULL);
while(hashcnt--) {
if(!(vba_project = (vba_project_t *)cli_vba_readdir(dirname, U, hashcnt))) continue;
for(i = 0; i < vba_project->count; i++) {
for(j = 0; j < vba_project->colls[i]; j++) {
snprintf(vbaname, 1024, "%s"PATHSEP"%s_%u", vba_project->dir, vba_project->name[i], j);
vbaname[sizeof(vbaname)-1] = '\0';
fd = open(vbaname, O_RDONLY|O_BINARY);
if(fd == -1) continue;
data = (unsigned char *)cli_vba_inflate(fd, vba_project->offset[i], &data_len);
close(fd);
if(data) {
data = (unsigned char *) realloc (data, data_len + 1);
data[data_len]='\0';
printf ("-------------- start of code ------------------\n%s\n-------------- end of code ------------------\n", data);
free(data);
}
}
}
free(vba_project->name);
free(vba_project->colls);
free(vba_project->dir);
free(vba_project->offset);
free(vba_project);
}
if((hashcnt = uniq_get(U, "powerpoint document", 19, &hash))) {
while(hashcnt--) {
snprintf(vbaname, 1024, "%s"PATHSEP"%s_%u", dirname, hash, hashcnt);
vbaname[sizeof(vbaname)-1] = '\0';
fd = open(vbaname, O_RDONLY|O_BINARY);
if (fd == -1) continue;
if ((fullname = cli_ppt_vba_read(fd, NULL))) {
sigtool_scandir(fullname, hex_output);
cli_rmdirs(fullname);
free(fullname);
}
close(fd);
}
}
if ((hashcnt = uniq_get(U, "worddocument", 12, &hash))) {
while(hashcnt--) {
snprintf(vbaname, sizeof(vbaname), "%s"PATHSEP"%s_%u", dirname, hash, hashcnt);
vbaname[sizeof(vbaname)-1] = '\0';
fd = open(vbaname, O_RDONLY|O_BINARY);
if (fd == -1) continue;
if (!(vba_project = (vba_project_t *)cli_wm_readdir(fd))) {
close(fd);
continue;
}
for (i = 0; i < vba_project->count; i++) {
data_len = vba_project->length[i];
data = (unsigned char *)cli_wm_decrypt_macro(fd, vba_project->offset[i], data_len , vba_project->key[i]);
if(data) {
data = (unsigned char *) realloc (data, data_len + 1);
data[data_len]='\0';
printf ("-------------- start of code ------------------\n%s\n-------------- end of code ------------------\n", data);
free(data);
}
}
close(fd);
free(vba_project->name);
free(vba_project->colls);
free(vba_project->dir);
free(vba_project->offset);
free(vba_project->key);
free(vba_project->length);
free(vba_project);
}
}
if ((dd = opendir (dirname)) != NULL) {
while ((dent = readdir (dd))) {
if (dent->d_ino) {
if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
/* build the full name */
fullname = calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
sprintf (fullname, "%s"PATHSEP"%s", dirname, dent->d_name);
/* stat the file */
if (LSTAT (fullname, &statbuf) != -1) {
if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode))
sigtool_vba_scandir (fullname, hex_output, U);
}
free (fullname);
}
}
}
} else {
logg("!ScanDir -> Can't open directory %s.\n", dirname);
return CL_EOPEN;
}
closedir (dd);
return ret;
}
int sigtool_vba_scandir (const char *dirname, int hex_output)
{
int ret = CL_CLEAN, i, fd, data_len;
vba_project_t *vba_project;
DIR *dd;
struct dirent *dent;
struct stat statbuf;
char *fname, *fullname;
unsigned char *data;
cli_dbgmsg ("VBA scan dir: %s\n", dirname);
if ((vba_project = (vba_project_t *) vba56_dir_read (dirname))) {
for (i = 0; i < vba_project->count; i++) {
fullname = (char *) malloc (strlen (vba_project->dir) + strlen (vba_project->name[i]) + 2);
sprintf (fullname, "%s/%s", vba_project->dir, vba_project->name[i]);
fd = open (fullname, O_RDONLY);
if (fd == -1) {
cli_errmsg ("Scan->OLE2 -> Can't open file %s\n", fullname);
free (fullname);
ret = CL_EOPEN;
break;
}
free (fullname);
cli_dbgmsg ("decompress VBA project '%s'\n", vba_project->name[i]);
printf ("-------------- start of %s ------------------\n", vba_project->name[i]);
data = (unsigned char *) vba_decompress (fd, vba_project->offset[i], &data_len);
close (fd);
if (!data) {
cli_dbgmsg ("WARNING: VBA project '%s' decompressed to NULL\n", vba_project->name[i]);
} else {
data = (unsigned char *) realloc (data, data_len + 1);
data[data_len] = '\0';
printf ("%s", data);
free (data);
}
printf ("-------------- end of %s ------------------\n", vba_project->name[i]);
}
for (i = 0; i < vba_project->count; i++)
free (vba_project->name[i]);
free (vba_project->name);
free (vba_project->dir);
free (vba_project->offset);
free (vba_project);
} else if ((fullname = ppt_vba_read (dirname))) {
if (sigtool_scandir (fullname, hex_output) == CL_VIRUS) {
ret = CL_VIRUS;
}
cli_rmdirs (fullname);
free (fullname);
} else if ((vba_project = (vba_project_t *) wm_dir_read (dirname))) {
for (i = 0; i < vba_project->count; i++) {
fullname = (char *) malloc (strlen (vba_project->dir) + strlen (vba_project->name[i]) + 2);
sprintf (fullname, "%s/%s", vba_project->dir, vba_project->name[i]);
fd = open (fullname, O_RDONLY);
if (fd == -1) {
cli_errmsg ("Scan->OLE2 -> Can't open file %s\n", fullname);
free (fullname);
ret = CL_EOPEN;
break;
}
free (fullname);
cli_dbgmsg ("decompress WM project '%s' macro %d\n", vba_project->name[i], i);
printf ("\n\n-------------- start of macro:%d key:%d length:%d ------------------\n", i,
vba_project->key[i], vba_project->length[i]);
data = (unsigned char *) wm_decrypt_macro (fd, vba_project->offset[i], vba_project->length[i],
vba_project->key[i]);
close (fd);
if (!data) {
cli_dbgmsg ("WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i);
} else {
wm_decode_macro (data, vba_project->length[i], hex_output);
free (data);
}
printf ("\n-------------- end of macro %d ------------------\n\n", i);
}
for (i = 0; i < vba_project->count; i++)
free (vba_project->name[i]);
free (vba_project->key);
free (vba_project->length);
free (vba_project->offset);
free (vba_project->name);
free (vba_project->dir);
free (vba_project);
}
if ((dd = opendir (dirname)) != NULL) {
while ((dent = readdir (dd))) {
if (dent->d_ino) {
if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
/* build the full name */
fname = calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
sprintf (fname, "%s/%s", dirname, dent->d_name);
/* stat the file */
if (lstat (fname, &statbuf) != -1) {
if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode))
sigtool_vba_scandir (fname, hex_output);
}
free (fname);
}
}
}
} else {
cli_errmsg ("ScanDir -> Can't open directory %s.\n", dirname);
return CL_EOPEN;
}
closedir (dd);
return ret;
}
static int sigtool_scandir (const char *dirname, int hex_output)
{
DIR *dd;
struct dirent *dent;
STATBUF statbuf;
char *fname;
const char *tmpdir;
char *dir;
int ret = CL_CLEAN, desc;
cli_ctx *ctx;
fname = NULL;
if ((dd = opendir (dirname)) != NULL) {
while ((dent = readdir (dd))) {
if (dent->d_ino) {
if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
/* build the full name */
fname = (char *) cli_calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
if(!fname){
closedir(dd);
return -1;
}
sprintf (fname, "%s"PATHSEP"%s", dirname, dent->d_name);
/* stat the file */
if (LSTAT (fname, &statbuf) != -1) {
if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode)) {
if (sigtool_scandir (fname, hex_output)) {
free (fname);
closedir (dd);
return CL_VIRUS;
}
} else {
if (S_ISREG (statbuf.st_mode)) {
struct uniq *vba = NULL;
tmpdir = cli_gettmpdir();
/* generate the temporary directory */
dir = cli_gentemp (tmpdir);
if(!dir) {
printf("cli_gentemp() failed\n");
free(fname);
closedir (dd);
return -1;
}
if (mkdir (dir, 0700)) {
printf ("Can't create temporary directory %s\n", dir);
free(fname);
closedir (dd);
free(dir);
return CL_ETMPDIR;
}
if ((desc = open (fname, O_RDONLY|O_BINARY)) == -1) {
printf ("Can't open file %s\n", fname);
free(fname);
closedir (dd);
free(dir);
return 1;
}
if(!(ctx = convenience_ctx(desc))) {
free(fname);
close(desc);
closedir(dd);
free(dir);
return 1;
}
if ((ret = cli_ole2_extract (dir, ctx, &vba))) {
printf ("ERROR %s\n", cl_strerror (ret));
destroy_ctx(desc, ctx);
cli_rmdirs (dir);
free (dir);
closedir (dd);
free(fname);
return ret;
}
if(vba)
sigtool_vba_scandir (dir, hex_output, vba);
destroy_ctx(desc, ctx);
cli_rmdirs (dir);
free (dir);
}
}
}
free (fname);
}
}
}
} else {
logg("!Can't open directory %s.\n", dirname);
return CL_EOPEN;
}
closedir (dd);
return 0;
}