Ejemplo n.º 1
0
static int sigtool_scandir (const char *dirname, int hex_output)
{
    DIR *dd;
    struct dirent *dent;
    struct stat statbuf;
    char *fname;
    const char *tmpdir;
    char *dir;
    int ret = CL_CLEAN, desc;


    if ((dd = opendir (dirname)) != NULL) {
	while ((dent = readdir (dd))) {
	    if (dent->d_ino) {
		if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
		    /* build the full name */
		    fname = (char *) cli_calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
		    sprintf (fname, "%s/%s", dirname, dent->d_name);

		    /* stat the file */
		    if (lstat (fname, &statbuf) != -1) {
			if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode)) {
			    if (sigtool_scandir (fname, hex_output)) {
				free (fname);
				closedir (dd);
				return CL_VIRUS;
			    }
			} else {
			    if (S_ISREG (statbuf.st_mode)) {
				tmpdir = getenv ("TMPDIR");

				if (tmpdir == NULL)
#ifdef P_tmpdir
				    tmpdir = P_tmpdir;
#else
				    tmpdir = "/tmp";
#endif

				/* generate the temporary directory */
				dir = cli_gentemp (tmpdir);
				if (mkdir (dir, 0700)) {
				    printf ("Can't create temporary directory %s\n", dir);
				    return CL_ETMPDIR;
				}

				if ((desc = open (fname, O_RDONLY)) == -1) {
				    printf ("Can't open file %s\n", fname);
				    return 1;
				}

				if ((ret = cli_ole2_extract (desc, dir, NULL))) {
				    printf ("ERROR %s\n", cl_strerror (ret));
				    cli_rmdirs (dir);
				    free (dir);
				    return ret;
				}

				sigtool_vba_scandir (dir, hex_output);

				cli_rmdirs (dir);
				free (dir);
			    }
			}

		    }
		    free (fname);
		}
	    }
	}
    } else {
	cli_errmsg ("Can't open directory %s.\n", dirname);
	return CL_EOPEN;
    }

    closedir (dd);
    return 0;
}
Ejemplo n.º 2
0
int sigtool_vba_scandir (const char *dirname, int hex_output, struct uniq *U)
{
    int ret = CL_CLEAN, i, j, fd, data_len;
    vba_project_t *vba_project;
    DIR *dd;
    struct dirent *dent;
    STATBUF statbuf;
    char *fullname, vbaname[1024], *hash;
    unsigned char *data;
    uint32_t hashcnt;

    hashcnt = uniq_get(U, "_vba_project", 12, NULL);
    while(hashcnt--) {
	if(!(vba_project = (vba_project_t *)cli_vba_readdir(dirname, U, hashcnt))) continue;

	for(i = 0; i < vba_project->count; i++) {
	    for(j = 0; j < vba_project->colls[i]; j++) {
		snprintf(vbaname, 1024, "%s"PATHSEP"%s_%u", vba_project->dir, vba_project->name[i], j);
		vbaname[sizeof(vbaname)-1] = '\0';
		fd = open(vbaname, O_RDONLY|O_BINARY);
		if(fd == -1) continue;
		data = (unsigned char *)cli_vba_inflate(fd, vba_project->offset[i], &data_len);
		close(fd);

		if(data) {
		    data = (unsigned char *) realloc (data, data_len + 1);
		    data[data_len]='\0';
		    printf ("-------------- start of code ------------------\n%s\n-------------- end of code ------------------\n", data);
		    free(data);
		}
	    }
	}

	free(vba_project->name);
	free(vba_project->colls);
	free(vba_project->dir);
	free(vba_project->offset);
	free(vba_project);
    }


    if((hashcnt = uniq_get(U, "powerpoint document", 19, &hash))) {
	while(hashcnt--) {
	    snprintf(vbaname, 1024, "%s"PATHSEP"%s_%u", dirname, hash, hashcnt);
	    vbaname[sizeof(vbaname)-1] = '\0';
	    fd = open(vbaname, O_RDONLY|O_BINARY);
	    if (fd == -1) continue;
	    if ((fullname = cli_ppt_vba_read(fd, NULL))) {
	      sigtool_scandir(fullname, hex_output);
	      cli_rmdirs(fullname);
	      free(fullname);
	    }
	    close(fd);
	}
    }


    if ((hashcnt = uniq_get(U, "worddocument", 12, &hash))) {
	while(hashcnt--) {
	    snprintf(vbaname, sizeof(vbaname), "%s"PATHSEP"%s_%u", dirname, hash, hashcnt);
	    vbaname[sizeof(vbaname)-1] = '\0';
	    fd = open(vbaname, O_RDONLY|O_BINARY);
	    if (fd == -1) continue;
	    
	    if (!(vba_project = (vba_project_t *)cli_wm_readdir(fd))) {
		close(fd);
		continue;
	    }

	    for (i = 0; i < vba_project->count; i++) {
		data_len = vba_project->length[i];
		data = (unsigned char *)cli_wm_decrypt_macro(fd, vba_project->offset[i], data_len , vba_project->key[i]);
		if(data) {
		    data = (unsigned char *) realloc (data, data_len + 1);
		    data[data_len]='\0';
		    printf ("-------------- start of code ------------------\n%s\n-------------- end of code ------------------\n", data);
		    free(data);
		}
	    }

	    close(fd);
	    free(vba_project->name);
	    free(vba_project->colls);
	    free(vba_project->dir);
	    free(vba_project->offset);
	    free(vba_project->key);
	    free(vba_project->length);
	    free(vba_project);
	}
    }

    if ((dd = opendir (dirname)) != NULL) {
	while ((dent = readdir (dd))) {
	    if (dent->d_ino) {
		if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
		    /* build the full name */
		    fullname = calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
		    sprintf (fullname, "%s"PATHSEP"%s", dirname, dent->d_name);

		    /* stat the file */
		    if (LSTAT (fullname, &statbuf) != -1) {
			if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode))
			    sigtool_vba_scandir (fullname, hex_output, U); 
		    }
		    free (fullname);
		}
	    }
	}
    } else {
	logg("!ScanDir -> Can't open directory %s.\n", dirname);
	return CL_EOPEN;
    }


    closedir (dd);
    return ret;
}
Ejemplo n.º 3
0
int sigtool_vba_scandir (const char *dirname, int hex_output)
{
    int ret = CL_CLEAN, i, fd, data_len;
    vba_project_t *vba_project;
    DIR *dd;
    struct dirent *dent;
    struct stat statbuf;
    char *fname, *fullname;
    unsigned char *data;

    cli_dbgmsg ("VBA scan dir: %s\n", dirname);
    if ((vba_project = (vba_project_t *) vba56_dir_read (dirname))) {

	for (i = 0; i < vba_project->count; i++) {
	    fullname = (char *) malloc (strlen (vba_project->dir) + strlen (vba_project->name[i]) + 2);
	    sprintf (fullname, "%s/%s", vba_project->dir, vba_project->name[i]);
	    fd = open (fullname, O_RDONLY);
	    if (fd == -1) {
		cli_errmsg ("Scan->OLE2 -> Can't open file %s\n", fullname);
		free (fullname);
		ret = CL_EOPEN;
		break;
	    }
	    free (fullname);
	    cli_dbgmsg ("decompress VBA project '%s'\n", vba_project->name[i]);
	    printf ("-------------- start of %s ------------------\n", vba_project->name[i]);
	    data = (unsigned char *) vba_decompress (fd, vba_project->offset[i], &data_len);
	    close (fd);

	    if (!data) {
		cli_dbgmsg ("WARNING: VBA project '%s' decompressed to NULL\n", vba_project->name[i]);
	    } else {
		data = (unsigned char *) realloc (data, data_len + 1);
		data[data_len] = '\0';
		printf ("%s", data);
		free (data);

	    }
	    printf ("-------------- end of %s ------------------\n", vba_project->name[i]);
	}

	for (i = 0; i < vba_project->count; i++)
	    free (vba_project->name[i]);
	free (vba_project->name);
	free (vba_project->dir);
	free (vba_project->offset);
	free (vba_project);
    } else if ((fullname = ppt_vba_read (dirname))) {
	if (sigtool_scandir (fullname, hex_output) == CL_VIRUS) {
	    ret = CL_VIRUS;
	}
	cli_rmdirs (fullname);
	free (fullname);
    } else if ((vba_project = (vba_project_t *) wm_dir_read (dirname))) {
	for (i = 0; i < vba_project->count; i++) {
	    fullname = (char *) malloc (strlen (vba_project->dir) + strlen (vba_project->name[i]) + 2);
	    sprintf (fullname, "%s/%s", vba_project->dir, vba_project->name[i]);
	    fd = open (fullname, O_RDONLY);
	    if (fd == -1) {
		cli_errmsg ("Scan->OLE2 -> Can't open file %s\n", fullname);
		free (fullname);
		ret = CL_EOPEN;
		break;
	    }
	    free (fullname);
	    cli_dbgmsg ("decompress WM project '%s' macro %d\n", vba_project->name[i], i);
	    printf ("\n\n-------------- start of macro:%d key:%d length:%d ------------------\n", i,
		    vba_project->key[i], vba_project->length[i]);
	    data = (unsigned char *) wm_decrypt_macro (fd, vba_project->offset[i], vba_project->length[i],
						    vba_project->key[i]);
	    close (fd);

	    if (!data) {
		cli_dbgmsg ("WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i);
	    } else {
		wm_decode_macro (data, vba_project->length[i], hex_output);
		free (data);
	    }
	    printf ("\n-------------- end of macro %d ------------------\n\n", i);
	}
	for (i = 0; i < vba_project->count; i++)
	    free (vba_project->name[i]);
	free (vba_project->key);
	free (vba_project->length);
	free (vba_project->offset);
	free (vba_project->name);
	free (vba_project->dir);
	free (vba_project);
    }

    if ((dd = opendir (dirname)) != NULL) {
	while ((dent = readdir (dd))) {
	    if (dent->d_ino) {
		if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
		    /* build the full name */
		    fname = calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
		    sprintf (fname, "%s/%s", dirname, dent->d_name);

		    /* stat the file */
		    if (lstat (fname, &statbuf) != -1) {
			if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode))
			    sigtool_vba_scandir (fname, hex_output);
		    }
		    free (fname);
		}
	    }
	}
    } else {
	cli_errmsg ("ScanDir -> Can't open directory %s.\n", dirname);
	return CL_EOPEN;
    }


    closedir (dd);
    return ret;
}
Ejemplo n.º 4
0
static int sigtool_scandir (const char *dirname, int hex_output)
{
    DIR *dd;
    struct dirent *dent;
    STATBUF statbuf;
    char *fname;
    const char *tmpdir;
    char *dir;
    int ret = CL_CLEAN, desc;
    cli_ctx *ctx;

    fname = NULL;
    if ((dd = opendir (dirname)) != NULL) {
	while ((dent = readdir (dd))) {
	    if (dent->d_ino) {
		if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
		    /* build the full name */
		    fname = (char *) cli_calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
		    if(!fname){
		        closedir(dd);
		        return -1;	    
		    }	
		    sprintf (fname, "%s"PATHSEP"%s", dirname, dent->d_name);

		    /* stat the file */
		    if (LSTAT (fname, &statbuf) != -1) {
			if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode)) {
			    if (sigtool_scandir (fname, hex_output)) {
				free (fname);
				closedir (dd);
				return CL_VIRUS;
			    }
			} else {
			    if (S_ISREG (statbuf.st_mode)) {
			        struct uniq *vba = NULL;
				tmpdir = cli_gettmpdir();

				/* generate the temporary directory */
				dir = cli_gentemp (tmpdir);
				if(!dir) {
				    printf("cli_gentemp() failed\n");
				    free(fname);
				    closedir (dd);
				    return -1;
				}

				if (mkdir (dir, 0700)) {
				    printf ("Can't create temporary directory %s\n", dir);
				    free(fname);
				    closedir (dd);
				    free(dir);
				    return CL_ETMPDIR;
				}

				if ((desc = open (fname, O_RDONLY|O_BINARY)) == -1) {
				    printf ("Can't open file %s\n", fname);
				    free(fname);
				    closedir (dd);
				    free(dir);
				    return 1;
				}

				if(!(ctx = convenience_ctx(desc))) {
				    free(fname);	
				    close(desc);
				    closedir(dd);
				    free(dir);
				    return 1;
				}
				if ((ret = cli_ole2_extract (dir, ctx, &vba))) {
				    printf ("ERROR %s\n", cl_strerror (ret));
				    destroy_ctx(desc, ctx);
				    cli_rmdirs (dir);
				    free (dir);
				    closedir (dd);
				    free(fname);
				    return ret;
				}

				if(vba)
				    sigtool_vba_scandir (dir, hex_output, vba);
				destroy_ctx(desc, ctx);
				cli_rmdirs (dir);
				free (dir);
			    }
			}

		    }
		    free (fname);
		}
	    }
	}
    } else {
	logg("!Can't open directory %s.\n", dirname);
	return CL_EOPEN;
    }

    closedir (dd);
    return 0;
}