/* NO-PCRE FUNCTIONS */ void cli_pcre_perf_print() { cli_errmsg("cli_pcre_perf_print: Cannot print PCRE performance results without PCRE support\n"); return; }
/* TODO - handle VI and Macro offset types */ int cli_pcre_recaloff(struct cli_matcher *root, struct cli_pcre_off *data, struct cli_target_info *info, cli_ctx *ctx) { /* TANGENT: maintain relative offset data in cli_ac_data? */ int ret; unsigned int i; struct cli_pcre_meta *pm; uint32_t endoff; if (!data) { return CL_ENULLARG; } if (!root || !root->pcre_metatable || !info || (ctx && ctx->dconf && !(ctx->dconf->pcre & PCRE_CONF_SUPPORT))) { data->shift = NULL; data->offset = NULL; return CL_SUCCESS; } /* allocate data structures */ data->shift = (uint32_t *) cli_calloc(root->pcre_metas, sizeof(uint32_t)); if (!data->shift) { cli_errmsg("cli_pcre_initoff: cannot allocate memory for data->shift\n"); return CL_EMEM; } data->offset = (uint32_t *) cli_calloc(root->pcre_metas, sizeof(uint32_t)); if (!data->offset) { cli_errmsg("cli_pcre_initoff: cannot allocate memory for data->offset\n"); free(data->shift); return CL_EMEM; } pm_dbgmsg("CLI_OFF_NONE: %u\n", CLI_OFF_NONE); pm_dbgmsg("CLI_OFF_ANY: %u\n", CLI_OFF_ANY); /* iterate across all pcre metadata and recalc offsets */ for (i = 0; i < root->pcre_metas; ++i) { pm = root->pcre_metatable[i]; /* skip broken pcres, not getting executed anyways */ if (pm->flags & CLI_PCRE_DISABLED) { data->offset[i] = CLI_OFF_NONE; data->shift[i] = 0; continue; } if (pm->offdata[0] == CLI_OFF_ANY) { data->offset[i] = CLI_OFF_ANY; data->shift[i] = 0; } else if (pm->offdata[0] == CLI_OFF_NONE) { data->offset[i] = CLI_OFF_NONE; data->shift[i] = 0; } else if (pm->offdata[0] == CLI_OFF_ABSOLUTE) { data->offset[i] = pm->offdata[1]; data->shift[i] = pm->offdata[2]; } else { ret = cli_caloff(NULL, info, root->type, pm->offdata, &data->offset[i], &endoff); if (ret != CL_SUCCESS) { cli_errmsg("cli_pcre_recaloff: cannot recalculate relative offset for signature\n"); free(data->shift); free(data->offset); return ret; } /* CLI_OFF_NONE gets passed down, CLI_OFF_ANY gets reinterpreted */ /* TODO - CLI_OFF_VERSION is interpreted as CLI_OFF_ANY(?) */ if (data->offset[i] == CLI_OFF_ANY) { data->offset[i] = CLI_OFF_ANY; data->shift[i] = 0; } else { data->shift[i] = endoff-(data->offset[i]); } } pm_dbgmsg("%u: %u %u->%u(+%u)\n", i, pm->offdata[0], data->offset[i], data->offset[i]+data->shift[i], data->shift[i]); } return CL_SUCCESS; }
int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const char **virname, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, const struct cli_pcre_off *data, cli_ctx *ctx) { struct cli_pcre_meta **metatable = root->pcre_metatable, *pm = NULL; struct cli_pcre_data *pd; struct cli_ac_result *newres; uint32_t adjbuffer, adjshift, adjlength; unsigned int i, evalcnt = 0; uint64_t maxfilesize, evalids = 0; uint32_t global, encompass, rolling; int rc, lrc, offset, options=0, ovector[OVECCOUNT]; uint8_t viruses_found = 0; if ((!root->pcre_metatable) || (ctx && ctx->dconf && !(ctx->dconf->pcre & PCRE_CONF_SUPPORT))) { return CL_SUCCESS; } /* NOTE: moved pcre maxfilesize limit check to caller [matcher_run] */ for (i = 0; i < root->pcre_metas; ++i) { pm = root->pcre_metatable[i]; pd = &(pm->pdata); /* skip checking and running disabled pcres */ if (pm->flags & CLI_PCRE_DISABLED) { cli_dbgmsg("cli_pcre_scanbuf: skipping disabled regex /%s/\n", pd->expression); continue; } /* skip checking and running CLI_OFF_NONE pcres */ if (data && data->offset[i] == CLI_OFF_NONE) { pm_dbgmsg("cli_pcre_scanbuf: skipping CLI_OFF_NONE regex /%s/\n", pd->expression); continue; } /* evaluate trigger */ if (pm->lsigid[0]) { cli_dbgmsg("cli_pcre_scanbuf: checking %s; running regex /%s/\n", pm->trigger, pd->expression); #ifdef PCRE_BYPASS if (strcmp(pm->trigger, PCRE_BYPASS)) #endif if (cli_ac_chklsig(pm->trigger, pm->trigger + strlen(pm->trigger), mdata->lsigcnt[pm->lsigid[1]], &evalcnt, &evalids, 0) != 1) continue; } else { cli_dbgmsg("cli_pcre_scanbuf: skipping %s check due to unintialized lsigid\n", pm->trigger); /* fall-through to unconditional execution - sigtool-only */ } global = (pm->flags & CLI_PCRE_GLOBAL); /* globally search for all matches (within bounds) */ encompass = (pm->flags & CLI_PCRE_ENCOMPASS); /* encompass search to offset->offset+maxshift */ rolling = (pm->flags & CLI_PCRE_ROLLING); /* rolling search (unanchored) */ offset = pd->search_offset; /* this is usually 0 */ cli_dbgmsg("cli_pcre_scanbuf: triggered %s; running regex /%s/%s%s\n", pm->trigger, pd->expression, global ? " (global)":"", rolling ? " (rolling)":""); /* adjust the buffer sent to cli_pcre_match for offset and maxshift */ if (!data) { if (cli_pcre_qoff(pm, length, &adjbuffer, &adjshift) != CL_SUCCESS) continue; } else { adjbuffer = data->offset[i]; adjshift = data->shift[i]; } /* check for need to anchoring */ if (!rolling && !adjshift && (adjbuffer != CLI_OFF_ANY)) options |= PCRE_ANCHORED; else options = 0; if (adjbuffer == CLI_OFF_ANY) adjbuffer = 0; /* check the offset bounds */ if (adjbuffer < length) { /* handle encompass flag */ if (encompass && adjshift != 0 && adjshift != CLI_OFF_NONE) { if (adjbuffer+adjshift > length) adjlength = length - adjbuffer; else adjlength = adjshift; } else { /* NOTE - if using non-encompass method 2, alter shift universally */ /* TODO - limitations on non-encompassed buffers? */ adjlength = length - adjbuffer; } } else { /* starting offset is outside bounds of file, skip pcre execution silently */ pm_dbgmsg("cli_pcre_scanbuf: starting offset is outside bounds of file %u >= %u\n", adjbuffer, length); continue; } pm_dbgmsg("cli_pcre_scanbuf: passed buffer adjusted to %u +%u(%u)[%u]%s\n", adjbuffer, adjlength, adjbuffer+adjlength, adjshift, encompass ? " (encompass)":""); /* if the global flag is set, loop through the scanning */ do { /* performance metrics */ cli_event_time_start(p_sigevents, pm->sigtime_id); rc = cli_pcre_match(pd, buffer+adjbuffer, adjlength, offset, options, ovector, OVECCOUNT); cli_event_time_stop(p_sigevents, pm->sigtime_id); /* if debug, generate a match report */ if (cli_debug_flag) cli_pcre_report(pd, buffer+adjbuffer, adjlength, rc, ovector, OVECCOUNT); /* matched, rc shouldn't be >0 unless a full match occurs */ if (rc > 0) { cli_dbgmsg("cli_pcre_scanbuf: located regex match @ %d\n", adjbuffer+ovector[0]); /* check if we've gone over offset+shift */ if (!encompass && adjshift) { if (ovector[0] > adjshift) { /* ignore matched offset (outside of maxshift) */ cli_dbgmsg("cli_pcre_scanbuf: match found outside of maxshift @%u\n", adjbuffer+ovector[0]); break; } } /* track the detection count */ cli_event_count(p_sigevents, pm->sigmatch_id); /* for logical signature evaluation */ if (pm->lsigid[0]) { pm_dbgmsg("cli_pcre_scanbuf: assigning lsigcnt[%d][%d], located @ %d\n", pm->lsigid[1], pm->lsigid[2], adjbuffer+ovector[0]); lrc = lsig_sub_matched(root, mdata, pm->lsigid[1], pm->lsigid[2], adjbuffer+ovector[0], 0); if (lrc != CL_SUCCESS) return lrc; } else { /* for raw match data - sigtool only */ if(res) { newres = (struct cli_ac_result *)cli_calloc(1, sizeof(struct cli_ac_result)); if(!newres) { cli_errmsg("cli_pcre_scanbuff: Can't allocate memory for new result\n"); return CL_EMEM; } newres->virname = pm->virname; newres->customdata = NULL; /* get value? */ newres->next = *res; newres->offset = adjbuffer+ovector[0]; *res = newres; } else { if (ctx && SCAN_ALL) { viruses_found = 1; cli_append_virus(ctx, (const char *)pm->virname); } if (virname) *virname = pm->virname; if (!ctx || !SCAN_ALL) return CL_VIRUS; } } } /* move off to the end of the match for next match; offset is relative to adjbuffer * NOTE: misses matches starting within the last match; TODO: start from start of last match? */ offset = ovector[1]; /* clear the ovector results (they fall through the pcre_match) */ memset(ovector, 0, sizeof(ovector)); } while (global && rc > 0 && offset < adjlength); /* handle error codes */ if (rc < 0 && rc != PCRE_ERROR_NOMATCH) { switch (rc) { case PCRE_ERROR_CALLOUT: break; case PCRE_ERROR_NOMEMORY: cli_errmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: out of memory\n"); return CL_EMEM; case PCRE_ERROR_MATCHLIMIT: cli_dbgmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: match limit exceeded\n"); break; case PCRE_ERROR_RECURSIONLIMIT: cli_dbgmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: recursive limit exceeded\n"); break; default: cli_errmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: returned error %d\n", rc); return CL_BREAK; } } } if (viruses_found) return CL_VIRUS; return CL_SUCCESS; }
static int scancws(cli_ctx *ctx, struct swf_file_hdr *hdr) { z_stream stream; char inbuff[FILEBUFF], outbuff[FILEBUFF]; fmap_t *map = *ctx->fmap; int offset = 8, ret, zret, outsize = 8, count, zend; char *tmpname; int fd; if((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) { cli_errmsg("scancws: Can't generate temporary file\n"); return ret; } hdr->signature[0] = 'F'; if(cli_writen(fd, hdr, sizeof(struct swf_file_hdr)) != sizeof(struct swf_file_hdr)) { cli_errmsg("scancws: Can't write to file %s\n", tmpname); close(fd); if(cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EWRITE; } stream.avail_in = 0; stream.next_in = (Bytef *)inbuff; stream.next_out = (Bytef *)outbuff; stream.zalloc = (alloc_func) NULL; stream.zfree = (free_func) NULL; stream.opaque = (voidpf) 0; stream.avail_out = FILEBUFF; zret = inflateInit(&stream); if(zret != Z_OK) { cli_errmsg("scancws: inflateInit() failed\n"); close(fd); if(cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EUNPACK; } do { if(stream.avail_in == 0) { stream.next_in = (Bytef *)inbuff; ret = fmap_readn(map, inbuff, offset, FILEBUFF); if(ret < 0) { cli_errmsg("scancws: Error reading SWF file\n"); close(fd); inflateEnd(&stream); if(cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EUNPACK; } if(!ret) break; stream.avail_in = ret; offset += ret; } zret = inflate(&stream, Z_SYNC_FLUSH); count = FILEBUFF - stream.avail_out; if(count) { if(cli_checklimits("SWF", ctx, outsize + count, 0, 0) != CL_SUCCESS) break; if(cli_writen(fd, outbuff, count) != count) { cli_errmsg("scancws: Can't write to file %s\n", tmpname); inflateEnd(&stream); close(fd); if(cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EWRITE; } outsize += count; } stream.next_out = (Bytef *)outbuff; stream.avail_out = FILEBUFF; } while(zret == Z_OK); zend = inflateEnd(&stream); if((zret != Z_STREAM_END && zret != Z_OK) || zend != Z_OK) { /* * outsize is initialized to 8, it being 8 here means that we couldn't even read a single byte. * If outsize > 8, then we have data. Let's scan what we have. */ if (outsize == 8) { cli_infomsg(ctx, "scancws: Error decompressing SWF file. No data decompressed.\n"); close(fd); if(cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EUNPACK; } cli_infomsg(ctx, "scancws: Error decompressing SWF file. Scanning what was decompressed.\n"); } cli_dbgmsg("SWF: Decompressed[zlib] to %s, size %d\n", tmpname, outsize); /* check if declared output size matches actual output size */ if (hdr->filesize != outsize) { cli_warnmsg("SWF: declared output length != inflated stream size, %u != %llu\n", hdr->filesize, (long long unsigned)outsize); } else { cli_dbgmsg("SWF: declared output length == inflated stream size, %u == %llu\n", hdr->filesize, (long long unsigned)outsize); } ret = cli_magic_scandesc(fd, tmpname, ctx); close(fd); if(!ctx->engine->keeptmp) { if(cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } } free(tmpname); return ret; }
int cli_pcre_addpatt(struct cli_matcher *root, const char *virname, const char *trigger, const char *pattern, const char *cflags, const char *offset, const uint32_t *lsigid, unsigned int options) { struct cli_pcre_meta **newmetatable = NULL, *pm = NULL; uint32_t pcre_count; const char *opt; int ret = CL_SUCCESS, rssigs; if (!root || !trigger || !pattern || !offset) { cli_errmsg("cli_pcre_addpatt: NULL root or NULL trigger or NULL pattern or NULL offset\n"); return CL_ENULLARG; } /* TODO: trigger and regex checking (backreference limitations?) (control pattern limitations?) */ /* cli_ac_chklsig will fail a empty trigger; empty patterns can cause an infinite loop */ if (*trigger == '\0' || *pattern == '\0') { cli_errmsg("cli_pcre_addpatt: trigger or pattern cannot be an empty string\n"); return CL_EMALFDB; } if (cflags && *cflags == '\0') { cflags = NULL; } if (lsigid) pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) as subsig %d for lsigid %d\n", pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger, lsigid[1], lsigid[0]); else pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) [no lsigid]\n", pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger); #ifdef PCRE_BYPASS /* check for trigger bypass */ if (strcmp(trigger, PCRE_BYPASS)) { #endif /* validate the lsig trigger */ rssigs = cli_ac_chklsig(trigger, trigger + strlen(trigger), NULL, NULL, NULL, 1); if(rssigs == -1) { cli_errmsg("cli_pcre_addpatt: regex subsig /%s/ is missing a valid logical trigger\n", pattern); return CL_EMALFDB; } if (lsigid) { if (rssigs > lsigid[1]) { cli_errmsg("cli_pcre_addpatt: regex subsig %d logical trigger refers to subsequent subsig %d\n", lsigid[1], rssigs); return CL_EMALFDB; } if (rssigs == lsigid[1]) { cli_errmsg("cli_pcre_addpatt: regex subsig %d logical trigger is self-referential\n", lsigid[1]); return CL_EMALFDB; } } else { cli_dbgmsg("cli_pcre_addpatt: regex subsig is missing lsigid data\n"); } #ifdef PCRE_BYPASS } #endif /* allocating entries */ pm = (struct cli_pcre_meta *)mpool_calloc(root->mempool, 1, sizeof(*pm)); if (!pm) { cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for new pcre meta\n"); return CL_EMEM; } pm->trigger = cli_mpool_strdup(root->mempool, trigger); if (!pm->trigger) { cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for trigger string\n"); cli_pcre_freemeta(root, pm); mpool_free(root->mempool, pm); return CL_EMEM; } pm->virname = (char *)cli_mpool_virname(root->mempool, virname, options & CL_DB_OFFICIAL); if(!pm->virname) { cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for virname or NULL virname\n"); cli_pcre_freemeta(root, pm); mpool_free(root->mempool, pm); return CL_EMEM; } if (lsigid) { root->ac_lsigtable[lsigid[0]]->virname = pm->virname; pm->lsigid[0] = 1; pm->lsigid[1] = lsigid[0]; pm->lsigid[2] = lsigid[1]; } else { /* sigtool */ pm->lsigid[0] = 0; } pm->pdata.expression = strdup(pattern); if (!pm->pdata.expression) { cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for expression\n"); cli_pcre_freemeta(root, pm); mpool_free(root->mempool, pm); return CL_EMEM; } /* offset parsing and usage, similar to cli_ac_addsig */ /* relative and type-specific offsets handled during scan */ ret = cli_caloff(offset, NULL, root->type, pm->offdata, &(pm->offset_min), &(pm->offset_max)); if (ret != CL_SUCCESS) { cli_errmsg("cli_pcre_addpatt: cannot calculate offset data: %s for pattern: %s\n", offset, pattern); cli_pcre_freemeta(root, pm); mpool_free(root->mempool, pm); return ret; } if(pm->offdata[0] != CLI_OFF_ANY) { if(pm->offdata[0] == CLI_OFF_ABSOLUTE) root->pcre_absoff_num++; else root->pcre_reloff_num++; } /* parse and add options, also totally not from snort */ if (cflags) { opt = cflags; /* cli_pcre_addoptions handles pcre specific options */ while (cli_pcre_addoptions(&(pm->pdata), &opt, 0) != CL_SUCCESS) { /* handle matcher specific options here */ switch (*opt) { case 'g': pm->flags |= CLI_PCRE_GLOBAL; break; case 'r': pm->flags |= CLI_PCRE_ROLLING; break; case 'e': pm->flags |= CLI_PCRE_ENCOMPASS; break; default: cli_errmsg("cli_pcre_addpatt: unknown/extra pcre option encountered %c\n", *opt); cli_pcre_freemeta(root, pm); mpool_free(root->mempool, pm); return CL_EMALFDB; } opt++; } if (pm->flags) { pm_dbgmsg("Matcher: %s%s%s\n", pm->flags & CLI_PCRE_GLOBAL ? "CLAMAV_GLOBAL " : "", pm->flags & CLI_PCRE_ROLLING ? "CLAMAV_ROLLING " : "", pm->flags & CLI_PCRE_ENCOMPASS ? "CLAMAV_ENCOMPASS " : ""); } else pm_dbgmsg("Matcher: NONE\n"); if (pm->pdata.options) { pm_dbgmsg("Compiler: %s%s%s%s%s%s%s\n", pm->pdata.options & PCRE_CASELESS ? "PCRE_CASELESS " : "", pm->pdata.options & PCRE_DOTALL ? "PCRE_DOTALL " : "", pm->pdata.options & PCRE_MULTILINE ? "PCRE_MULTILINE " : "", pm->pdata.options & PCRE_EXTENDED ? "PCRE_EXTENDED " : "", pm->pdata.options & PCRE_ANCHORED ? "PCRE_ANCHORED " : "", pm->pdata.options & PCRE_DOLLAR_ENDONLY ? "PCRE_DOLLAR_ENDONLY " : "", pm->pdata.options & PCRE_UNGREEDY ? "PCRE_UNGREEDY " : ""); } else pm_dbgmsg("Compiler: NONE\n"); } /* add metadata to the performance tracker */ if (options & CL_DB_PCRE_STATS) pcre_perf_events_init(pm, virname); /* add pcre data to root after reallocation */ pcre_count = root->pcre_metas+1; newmetatable = (struct cli_pcre_meta **)mpool_realloc(root->mempool, root->pcre_metatable, pcre_count * sizeof(struct cli_pcre_meta *)); if (!newmetatable) { cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for new pcre meta table\n"); cli_pcre_freemeta(root, pm); mpool_free(root->mempool, pm); return CL_EMEM; } newmetatable[pcre_count-1] = pm; root->pcre_metatable = newmetatable; root->pcre_metas = pcre_count; return CL_SUCCESS; }
int cli_scandmg(cli_ctx *ctx) { struct dmg_koly_block hdr; int ret, namelen, ofd; size_t maplen, nread; off_t pos = 0; char *dirname, *tmpfile; const char *outdata; unsigned int file = 0; struct dmg_mish_with_stripes *mish_list = NULL, *mish_list_tail = NULL; enum dmgReadState state = DMG_FIND_BASE_PLIST; int stateDepth[DMG_MAX_STATE]; #if HAVE_LIBXML2 xmlTextReaderPtr reader; #endif if (!ctx || !ctx->fmap) { cli_errmsg("cli_scandmg: Invalid context\n"); return CL_ENULLARG; } maplen = (*ctx->fmap)->real_len; pos = maplen - 512; if (pos <= 0) { cli_dbgmsg("cli_scandmg: Sizing problem for DMG archive.\n"); return CL_CLEAN; } /* Grab koly block */ if (fmap_readn(*ctx->fmap, &hdr, pos, sizeof(hdr)) != sizeof(hdr)) { cli_dbgmsg("cli_scandmg: Invalid DMG trailer block\n"); return CL_EFORMAT; } /* Check magic */ hdr.magic = be32_to_host(hdr.magic); if (hdr.magic == 0x6b6f6c79) { cli_dbgmsg("cli_scandmg: Found koly block @ %ld\n", (long) pos); } else { cli_dbgmsg("cli_scandmg: No koly magic, %8x\n", hdr.magic); return CL_EFORMAT; } hdr.dataForkOffset = be64_to_host(hdr.dataForkOffset); hdr.dataForkLength = be64_to_host(hdr.dataForkLength); cli_dbgmsg("cli_scandmg: data offset %lu len %d\n", (unsigned long)hdr.dataForkOffset, (int)hdr.dataForkLength); hdr.xmlOffset = be64_to_host(hdr.xmlOffset); hdr.xmlLength = be64_to_host(hdr.xmlLength); if (hdr.xmlLength > (uint64_t)INT_MAX) { cli_dbgmsg("cli_scandmg: The embedded XML is way larger than necessary, and probably corrupt or tampered with.\n"); return CL_EFORMAT; } if ((hdr.xmlOffset > (uint64_t)maplen) || (hdr.xmlLength > (uint64_t)maplen) || (hdr.xmlOffset + hdr.xmlLength) > (uint64_t)maplen) { cli_dbgmsg("cli_scandmg: XML out of range for this file\n"); return CL_EFORMAT; } cli_dbgmsg("cli_scandmg: XML offset %lu len %d\n", (unsigned long)hdr.xmlOffset, (int)hdr.xmlLength); if (hdr.xmlLength == 0) { cli_dbgmsg("cli_scandmg: Embedded XML length is zero.\n"); return CL_EFORMAT; } /* Create temp folder for contents */ if (!(dirname = cli_gentemp(ctx->engine->tmpdir))) { return CL_ETMPDIR; } if (mkdir(dirname, 0700)) { cli_errmsg("cli_scandmg: Cannot create temporary directory %s\n", dirname); free(dirname); return CL_ETMPDIR; } cli_dbgmsg("cli_scandmg: Extracting into %s\n", dirname); /* Dump XML to tempfile, if needed */ if (ctx->engine->keeptmp && !(ctx->engine->engine_options & ENGINE_OPTIONS_FORCE_TO_DISK)) { int xret; xret = dmg_extract_xml(ctx, dirname, &hdr); if (xret != CL_SUCCESS) { /* Printed err detail inside dmg_extract_xml */ free(dirname); return xret; } } /* scan XML with cli_map_scandesc */ ret = cli_map_scan(*ctx->fmap, (off_t)hdr.xmlOffset, (size_t)hdr.xmlLength, ctx); if (ret != CL_CLEAN) { cli_dbgmsg("cli_scandmg: retcode from scanning TOC xml: %s\n", cl_strerror(ret)); if (!ctx->engine->keeptmp) cli_rmdirs(dirname); free(dirname); return ret; } /* page data from map */ outdata = fmap_need_off_once_len(*ctx->fmap, hdr.xmlOffset, hdr.xmlLength, &nread); if (!outdata || (nread != hdr.xmlLength)) { cli_errmsg("cli_scandmg: Failed getting XML from map, len %d\n", (int)hdr.xmlLength); if (!ctx->engine->keeptmp) cli_rmdirs(dirname); free(dirname); return CL_EMAP; } /* time to walk the tree */ /* plist -> dict -> (key:resource_fork) dict -> (key:blkx) array -> dict */ /* each of those bottom level dict should have 4 parts */ /* [ Attributes, Data, ID, Name ], where Data is Base64 mish block */ /* This is the block where we require libxml2 */ #if HAVE_LIBXML2 /* XML_PARSE_NOENT | XML_PARSE_NONET | XML_PARSE_COMPACT */ #define DMG_XML_PARSE_OPTS (1 << 1 | 1 << 11 | 1 << 16) reader = xmlReaderForMemory(outdata, (int)hdr.xmlLength, "toc.xml", NULL, DMG_XML_PARSE_OPTS); if (!reader) { cli_dbgmsg("cli_scandmg: Failed parsing XML!\n"); if (!ctx->engine->keeptmp) cli_rmdirs(dirname); free(dirname); return CL_EFORMAT; } stateDepth[DMG_FIND_BASE_PLIST] = -1; // May need to check for (xmlTextReaderIsEmptyElement(reader) == 0) /* Break loop if have return code or reader can't read any more */ while ((ret == CL_CLEAN) && (xmlTextReaderRead(reader) == 1)) { xmlReaderTypes nodeType; nodeType = xmlTextReaderNodeType(reader); if (nodeType == XML_READER_TYPE_ELEMENT) { // New element, do name check xmlChar *nodeName; int depth; depth = xmlTextReaderDepth(reader); if (depth < 0) { break; } if ((depth > 50) && SCAN_ALGO) { // Possible heuristic, should limit runaway cli_dbgmsg("cli_scandmg: Excessive nesting in DMG TOC.\n"); break; } nodeName = xmlTextReaderLocalName(reader); if (!nodeName) continue; dmg_parsemsg("read: name %s depth %d\n", nodeName, depth); if ((state == DMG_FIND_DATA_MISH) && (depth == stateDepth[state-1])) { xmlChar * textValue; struct dmg_mish_with_stripes *mish_set; /* Reset state early, for continue cases */ stateDepth[DMG_FIND_KEY_DATA] = -1; state--; if (xmlStrcmp(nodeName, "data") != 0) { cli_dbgmsg("cli_scandmg: Not blkx data element\n"); xmlFree(nodeName); continue; } dmg_parsemsg("read: Found blkx data element\n"); /* Pull out data content from text */ if (xmlTextReaderIsEmptyElement(reader)) { cli_dbgmsg("cli_scandmg: blkx data element is empty\n"); xmlFree(nodeName); continue; } if (xmlTextReaderRead(reader) != 1) { xmlFree(nodeName); break; } if (xmlTextReaderNodeType(reader) != XML_READER_TYPE_TEXT) { cli_dbgmsg("cli_scandmg: Next node not text\n"); xmlFree(nodeName); continue; } textValue = xmlTextReaderValue(reader); if (textValue == NULL) { xmlFree(nodeName); continue; } /* Have encoded mish block */ mish_set = cli_malloc(sizeof(struct dmg_mish_with_stripes)); if (mish_set == NULL) { ret = CL_EMEM; xmlFree(textValue); xmlFree(nodeName); break; } ret = dmg_decode_mish(ctx, &file, textValue, mish_set); xmlFree(textValue); if (ret == CL_EFORMAT) { /* Didn't decode, or not a mish block */ ret = CL_CLEAN; xmlFree(nodeName); continue; } else if (ret != CL_CLEAN) { xmlFree(nodeName); continue; } /* Add mish block to list */ if (mish_list_tail != NULL) { mish_list_tail->next = mish_set; mish_list_tail = mish_set; } else { mish_list = mish_set; mish_list_tail = mish_set; } mish_list_tail->next = NULL; } if ((state == DMG_FIND_KEY_DATA) && (depth > stateDepth[state-1]) && (xmlStrcmp(nodeName, "key") == 0)) { xmlChar * textValue; dmg_parsemsg("read: Found key - checking for Data\n"); if (xmlTextReaderRead(reader) != 1) { xmlFree(nodeName); break; } if (xmlTextReaderNodeType(reader) != XML_READER_TYPE_TEXT) { cli_dbgmsg("cli_scandmg: Key node no text\n"); xmlFree(nodeName); continue; } textValue = xmlTextReaderValue(reader); if (textValue == NULL) { cli_dbgmsg("cli_scandmg: no value from xmlTextReaderValue\n"); xmlFree(nodeName); continue; } if (xmlStrcmp(textValue, "Data") == 0) { dmg_parsemsg("read: Matched data\n"); stateDepth[DMG_FIND_KEY_DATA] = depth; state++; } else { dmg_parsemsg("read: text value is %s\n", textValue); } xmlFree(textValue); } if ((state == DMG_FIND_BLKX_CONTAINER) && (depth == stateDepth[state-1])) { if (xmlStrcmp(nodeName, "array") == 0) { dmg_parsemsg("read: Found array blkx\n"); stateDepth[DMG_FIND_BLKX_CONTAINER] = depth; state++; } else if (xmlStrcmp(nodeName, "dict") == 0) { dmg_parsemsg("read: Found dict blkx\n"); stateDepth[DMG_FIND_BLKX_CONTAINER] = depth; state++; } else { cli_dbgmsg("cli_scandmg: Bad blkx, not container\n"); stateDepth[DMG_FIND_KEY_BLKX] = -1; state--; } } if ((state == DMG_FIND_KEY_BLKX) && (depth == stateDepth[state-1] + 1) && (xmlStrcmp(nodeName, "key") == 0)) { xmlChar * textValue; dmg_parsemsg("read: Found key - checking for blkx\n"); if (xmlTextReaderRead(reader) != 1) { xmlFree(nodeName); break; } if (xmlTextReaderNodeType(reader) != XML_READER_TYPE_TEXT) { cli_dbgmsg("cli_scandmg: Key node no text\n"); xmlFree(nodeName); continue; } textValue = xmlTextReaderValue(reader); if (textValue == NULL) { cli_dbgmsg("cli_scandmg: no value from xmlTextReaderValue\n"); xmlFree(nodeName); continue; } if (xmlStrcmp(textValue, "blkx") == 0) { cli_dbgmsg("cli_scandmg: Matched blkx\n"); stateDepth[DMG_FIND_KEY_BLKX] = depth; state++; } else { cli_dbgmsg("cli_scandmg: wanted blkx, text value is %s\n", textValue); } xmlFree(textValue); } if ((state == DMG_FIND_DICT_RESOURCE_FORK) && (depth == stateDepth[state-1])) { if (xmlStrcmp(nodeName, "dict") == 0) { dmg_parsemsg("read: Found resource-fork dict\n"); stateDepth[DMG_FIND_DICT_RESOURCE_FORK] = depth; state++; } else { dmg_parsemsg("read: Not resource-fork dict\n"); stateDepth[DMG_FIND_KEY_RESOURCE_FORK] = -1; state--; } } if ((state == DMG_FIND_KEY_RESOURCE_FORK) && (depth == stateDepth[state-1] + 1) && (xmlStrcmp(nodeName, "key") == 0)) { dmg_parsemsg("read: Found resource-fork key\n"); stateDepth[DMG_FIND_KEY_RESOURCE_FORK] = depth; state++; } if ((state == DMG_FIND_BASE_DICT) && (depth == stateDepth[state-1] + 1) && (xmlStrcmp(nodeName, "dict") == 0)) { dmg_parsemsg("read: Found dict start\n"); stateDepth[DMG_FIND_BASE_DICT] = depth; state++; } if ((state == DMG_FIND_BASE_PLIST) && (xmlStrcmp(nodeName, "plist") == 0)) { dmg_parsemsg("read: Found plist start\n"); stateDepth[DMG_FIND_BASE_PLIST] = depth; state++; } xmlFree(nodeName); } else if ((nodeType == XML_READER_TYPE_END_ELEMENT) && (state > DMG_FIND_BASE_PLIST)) { int significantEnd = 0; int depth = xmlTextReaderDepth(reader); if (depth < 0) { break; } else if (depth < stateDepth[state-1]) { significantEnd = 1; } else if ((depth == stateDepth[state-1]) && (state-1 == DMG_FIND_BLKX_CONTAINER)) { /* Special case, ending blkx container */ significantEnd = 1; } if (significantEnd) { dmg_parsemsg("read: significant end tag, state %d\n", state); stateDepth[state-1] = -1; state--; if ((state-1 == DMG_FIND_KEY_RESOURCE_FORK) || (state-1 == DMG_FIND_KEY_BLKX)) { /* Keys end their own tag (validly) and the next state depends on the following tag */ // cli_dbgmsg("read: significant end tag ending prior key state\n"); stateDepth[state-1] = -1; state--; } } else { dmg_parsemsg("read: not significant end tag, state %d depth %d prior depth %d\n", state, depth, stateDepth[state-1]); } } } xmlFreeTextReader(reader); #else cli_dbgmsg("cli_scandmg: libxml2 support is compiled out. It is required for full DMG support.\n"); #endif /* Loop over mish array */ file = 0; while ((ret == CL_CLEAN) && (mish_list != NULL)) { /* Handle & scan mish block */ ret = dmg_handle_mish(ctx, file++, dirname, hdr.xmlOffset, mish_list); free(mish_list->mish); mish_list_tail = mish_list; mish_list = mish_list->next; free(mish_list_tail); } /* Cleanup */ /* If error occurred, need to free mish items and mish blocks */ while (mish_list != NULL) { free(mish_list->mish); mish_list_tail = mish_list; mish_list = mish_list->next; free(mish_list_tail); } if (!ctx->engine->keeptmp) cli_rmdirs(dirname); free(dirname); return ret; }
static int scanzws(cli_ctx *ctx, struct swf_file_hdr *hdr) { struct CLI_LZMA lz; unsigned char inbuff[FILEBUFF], outbuff[FILEBUFF]; fmap_t *map = *ctx->fmap; /* strip off header */ off_t offset = 8; uint32_t d_insize; size_t outsize = 8; int ret, lret, count; char *tmpname; int fd; if((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) { cli_errmsg("scanzws: Can't generate temporary file\n"); return ret; } hdr->signature[0] = 'F'; if(cli_writen(fd, hdr, sizeof(struct swf_file_hdr)) != sizeof(struct swf_file_hdr)) { cli_errmsg("scanzws: Can't write to file %s\n", tmpname); close(fd); if(cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EWRITE; } /* read 4 bytes (for compressed 32-bit filesize) [not used for LZMA] */ if (fmap_readn(map, &d_insize, offset, sizeof(d_insize)) != sizeof(d_insize)) { cli_errmsg("scanzws: Error reading SWF file\n"); close(fd); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EREAD; } offset += sizeof(d_insize); /* check if declared input size matches actual output size */ /* map->len = header (8 bytes) + d_insize (4 bytes) + flags (5 bytes) + compressed stream */ if (d_insize != (map->len - 17)) { cli_warnmsg("SWF: declared input length != compressed stream size, %u != %llu\n", d_insize, (long long unsigned)(map->len - 17)); } else { cli_dbgmsg("SWF: declared input length == compressed stream size, %u == %llu\n", d_insize, (long long unsigned)(map->len - 17)); } /* first buffer required for initializing LZMA */ ret = fmap_readn(map, inbuff, offset, FILEBUFF); if (ret < 0) { cli_errmsg("scanzws: Error reading SWF file\n"); close(fd); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EUNPACK; } /* nothing written, likely truncated */ if (!ret) { cli_errmsg("scanzws: possibly truncated file\n"); close(fd); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EFORMAT; } offset += ret; memset(&lz, 0, sizeof(lz)); lz.next_in = inbuff; lz.next_out = outbuff; lz.avail_in = ret; lz.avail_out = FILEBUFF; lret = cli_LzmaInit(&lz, hdr->filesize); if (lret != LZMA_RESULT_OK) { cli_errmsg("scanzws: LzmaInit() failed\n"); close(fd); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EUNPACK; } while (lret == LZMA_RESULT_OK) { if (lz.avail_in == 0) { lz.next_in = inbuff; ret = fmap_readn(map, inbuff, offset, FILEBUFF); if (ret < 0) { cli_errmsg("scanzws: Error reading SWF file\n"); cli_LzmaShutdown(&lz); close(fd); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EUNPACK; } if (!ret) break; lz.avail_in = ret; offset += ret; } lret = cli_LzmaDecode(&lz); count = FILEBUFF - lz.avail_out; if (count) { if (cli_checklimits("SWF", ctx, outsize + count, 0, 0) != CL_SUCCESS) break; if (cli_writen(fd, outbuff, count) != count) { cli_errmsg("scanzws: Can't write to file %s\n", tmpname); cli_LzmaShutdown(&lz); close(fd); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EWRITE; } outsize += count; } lz.next_out = outbuff; lz.avail_out = FILEBUFF; } cli_LzmaShutdown(&lz); if (lret != LZMA_STREAM_END && lret != LZMA_RESULT_OK) { /* outsize starts at 8, therefore, if its still 8, nothing was decompressed */ if (outsize == 8) { cli_infomsg(ctx, "scanzws: Error decompressing SWF file. No data decompressed.\n"); close(fd); if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } free(tmpname); return CL_EUNPACK; } cli_infomsg(ctx, "scanzws: Error decompressing SWF file. Scanning what was decompressed.\n"); } cli_dbgmsg("SWF: Decompressed[LZMA] to %s, size %llu\n", tmpname, (long long unsigned)outsize); /* check if declared output size matches actual output size */ if (hdr->filesize != outsize) { cli_warnmsg("SWF: declared output length != inflated stream size, %u != %llu\n", hdr->filesize, (long long unsigned)outsize); } else { cli_dbgmsg("SWF: declared output length == inflated stream size, %u == %llu\n", hdr->filesize, (long long unsigned)outsize); } ret = cli_magic_scandesc(fd, tmpname, ctx); close(fd); if (!(ctx->engine->keeptmp)) { if (cli_unlink(tmpname)) { free(tmpname); return CL_EUNLINK; } } free(tmpname); return ret; }
/* Stripe handling: ADC block (type 0x80000004) */ static int dmg_stripe_adc(cli_ctx *ctx, int fd, uint32_t index, struct dmg_mish_with_stripes *mish_set) { int ret = CL_CLEAN, adcret; adc_stream strm; size_t off = mish_set->stripes[index].dataOffset; size_t len = mish_set->stripes[index].dataLength; uint64_t size_so_far = 0; uint64_t expected_len = mish_set->stripes[index].sectorCount * DMG_SECTOR_SIZE; uint8_t obuf[BUFSIZ]; cli_dbgmsg("dmg_stripe_adc: stripe " STDu32 " initial len " STDu64 " expected len " STDu64 "\n", index, (uint64_t)len, (uint64_t)expected_len); if (len == 0) return CL_CLEAN; memset(&strm, 0, sizeof(strm)); strm.next_in = (uint8_t *)fmap_need_off_once(*ctx->fmap, off, len); if (!strm.next_in) { cli_warnmsg("dmg_stripe_adc: fmap need failed on stripe " STDu32 "\n", index); return CL_EMAP; } strm.avail_in = len; strm.next_out = obuf; strm.avail_out = sizeof(obuf); adcret = adc_decompressInit(&strm); if(adcret != ADC_OK) { cli_warnmsg("dmg_stripe_adc: adc_decompressInit failed\n"); return CL_EMEM; } while(adcret == ADC_OK) { int written; if (size_so_far > expected_len) { cli_warnmsg("dmg_stripe_adc: expected size exceeded!\n"); adc_decompressEnd(&strm); return CL_EFORMAT; } adcret = adc_decompress(&strm); switch(adcret) { case ADC_OK: if(strm.avail_out == 0) { if ((written=cli_writen(fd, obuf, sizeof(obuf)))!=sizeof(obuf)) { cli_errmsg("dmg_stripe_adc: failed write to output file\n"); adc_decompressEnd(&strm); return CL_EWRITE; } size_so_far += written; strm.next_out = obuf; strm.avail_out = sizeof(obuf); } continue; case ADC_STREAM_END: default: written = sizeof(obuf) - strm.avail_out; if (written) { if ((cli_writen(fd, obuf, written))!=written) { cli_errmsg("dmg_stripe_adc: failed write to output file\n"); adc_decompressEnd(&strm); return CL_EWRITE; } size_so_far += written; strm.next_out = obuf; strm.avail_out = sizeof(obuf); } if (adcret == ADC_STREAM_END) break; cli_dbgmsg("dmg_stripe_adc: after writing " STDu64 " bytes, " "got error %d decompressing stripe " STDu32 "\n", size_so_far, adcret, index); adc_decompressEnd(&strm); return CL_EFORMAT; } break; } adc_decompressEnd(&strm); cli_dbgmsg("dmg_stripe_adc: stripe " STDu32 " actual len " STDu64 " expected len " STDu64 "\n", index, size_so_far, expected_len); return CL_CLEAN; }
/* Stripe handling: deflate block (type 0x80000005) */ static int dmg_stripe_inflate(cli_ctx *ctx, int fd, uint32_t index, struct dmg_mish_with_stripes *mish_set) { int ret = CL_CLEAN, zstat; z_stream strm; size_t off = mish_set->stripes[index].dataOffset; size_t len = mish_set->stripes[index].dataLength; uint64_t size_so_far = 0; uint64_t expected_len = mish_set->stripes[index].sectorCount * DMG_SECTOR_SIZE; uint8_t obuf[BUFSIZ]; cli_dbgmsg("dmg_stripe_inflate: stripe " STDu32 "\n", index); if (len == 0) return CL_CLEAN; memset(&strm, 0, sizeof(strm)); strm.next_in = (void*)fmap_need_off_once(*ctx->fmap, off, len); if (!strm.next_in) { cli_warnmsg("dmg_stripe_inflate: fmap need failed on stripe " STDu32 "\n", index); return CL_EMAP; } strm.avail_in = len; strm.next_out = obuf; strm.avail_out = sizeof(obuf); zstat = inflateInit(&strm); if(zstat != Z_OK) { cli_warnmsg("dmg_stripe_inflate: inflateInit failed\n"); return CL_EMEM; } while(strm.avail_in) { int written; if (size_so_far > expected_len) { cli_warnmsg("dmg_stripe_inflate: expected size exceeded!\n"); inflateEnd(&strm); return CL_EFORMAT; } zstat = inflate(&strm, Z_NO_FLUSH); /* zlib */ switch(zstat) { case Z_OK: if(strm.avail_out == 0) { if ((written=cli_writen(fd, obuf, sizeof(obuf)))!=sizeof(obuf)) { cli_errmsg("dmg_stripe_inflate: failed write to output file\n"); inflateEnd(&strm); return CL_EWRITE; } size_so_far += written; strm.next_out = (Bytef *)obuf; strm.avail_out = sizeof(obuf); } continue; case Z_STREAM_END: default: written = sizeof(obuf) - strm.avail_out; if (written) { if ((cli_writen(fd, obuf, written))!=written) { cli_errmsg("dmg_stripe_inflate: failed write to output file\n"); inflateEnd(&strm); return CL_EWRITE; } size_so_far += written; strm.next_out = (Bytef *)obuf; strm.avail_out = sizeof(obuf); if (zstat == Z_STREAM_END) break; } if(strm.msg) cli_dbgmsg("dmg_stripe_inflate: after writing " STDu64 " bytes, " "got error \"%s\" inflating stripe " STDu32 "\n", size_so_far, strm.msg, index); else cli_dbgmsg("dmg_stripe_inflate: after writing " STDu64 " bytes, " "got error %d inflating stripe " STDu32 "\n", size_so_far, zstat, index); inflateEnd(&strm); return CL_EFORMAT; } break; } if(strm.avail_out != sizeof(obuf)) { if(cli_writen(fd, obuf, sizeof(obuf) - strm.avail_out) < 0) { cli_errmsg("dmg_stripe_inflate: failed write to output file\n"); inflateEnd(&strm); return CL_EWRITE; } } inflateEnd(&strm); return CL_CLEAN; }
int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres, unsigned char *refhash) { const unsigned char *buff; int ret = CL_CLEAN, type = CL_CLEAN, bytes, compute_hash[CLI_HASH_AVAIL_TYPES]; unsigned int i = 0, j = 0, bm_offmode = 0; uint32_t maxpatlen, offset = 0; struct cli_ac_data gdata, tdata; struct cli_bm_off toff; unsigned char digest[CLI_HASH_AVAIL_TYPES][32]; struct cli_matcher *groot = NULL, *troot = NULL; struct cli_target_info info; fmap_t *map = *ctx->fmap; struct cli_matcher *hdb, *fp; const char *virname = NULL; uint32_t viroffset = 0; uint32_t viruses_found = 0; void *md5ctx, *sha1ctx, *sha256ctx; if(!ctx->engine) { cli_errmsg("cli_scandesc: engine == NULL\n"); return CL_ENULLARG; } md5ctx = cl_hash_init("md5"); if (!(md5ctx)) return CL_EMEM; sha1ctx = cl_hash_init("sha1"); if (!(sha1ctx)) { cl_hash_destroy(md5ctx); return CL_EMEM; } sha256ctx = cl_hash_init("sha256"); if (!(sha256ctx)) { cl_hash_destroy(md5ctx); cl_hash_destroy(sha1ctx); return CL_EMEM; } if(!ftonly) groot = ctx->engine->root[0]; /* generic signatures */ if(ftype) { for(i = 1; i < CLI_MTARGETS; i++) { for (j = 0; j < cli_mtargets[i].target_count; ++j) { if(cli_mtargets[i].target[j] == ftype) { troot = ctx->engine->root[i]; break; } } if (troot) break; } } if(ftonly) { if(!troot) { cl_hash_destroy(md5ctx); cl_hash_destroy(sha1ctx); cl_hash_destroy(sha256ctx); return CL_CLEAN; } maxpatlen = troot->maxpatlen; } else { if(troot) maxpatlen = MAX(troot->maxpatlen, groot->maxpatlen); else maxpatlen = groot->maxpatlen; } cli_targetinfo(&info, i, map); if(!ftonly) { if((ret = cli_ac_initdata(&gdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) || (ret = cli_ac_caloff(groot, &gdata, &info))) { if(info.exeinfo.section) free(info.exeinfo.section); cli_hashset_destroy(&info.exeinfo.vinfo); cl_hash_destroy(md5ctx); cl_hash_destroy(sha1ctx); cl_hash_destroy(sha256ctx); return ret; } } if(troot) { if((ret = cli_ac_initdata(&tdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) || (ret = cli_ac_caloff(troot, &tdata, &info))) { if(!ftonly) cli_ac_freedata(&gdata); if(info.exeinfo.section) free(info.exeinfo.section); cli_hashset_destroy(&info.exeinfo.vinfo); cl_hash_destroy(md5ctx); cl_hash_destroy(sha1ctx); cl_hash_destroy(sha256ctx); return ret; } if(troot->bm_offmode) { if(map->len >= CLI_DEFAULT_BM_OFFMODE_FSIZE) { if((ret = cli_bm_initoff(troot, &toff, &info))) { if(!ftonly) cli_ac_freedata(&gdata); cli_ac_freedata(&tdata); if(info.exeinfo.section) free(info.exeinfo.section); cli_hashset_destroy(&info.exeinfo.vinfo); cl_hash_destroy(md5ctx); cl_hash_destroy(sha1ctx); cl_hash_destroy(sha256ctx); return ret; } bm_offmode = 1; } } } hdb = ctx->engine->hm_hdb; fp = ctx->engine->hm_fp; if(!ftonly && hdb) { if(!refhash) { if(cli_hm_have_size(hdb, CLI_HASH_MD5, map->len) || cli_hm_have_size(fp, CLI_HASH_MD5, map->len)) { compute_hash[CLI_HASH_MD5] = 1; } else { compute_hash[CLI_HASH_MD5] = 0; } } else { compute_hash[CLI_HASH_MD5] = 0; memcpy(digest[CLI_HASH_MD5], refhash, 16); } if(cli_hm_have_size(hdb, CLI_HASH_SHA1, map->len) || cli_hm_have_wild(hdb, CLI_HASH_SHA1) || cli_hm_have_size(fp, CLI_HASH_SHA1, map->len) || cli_hm_have_wild(fp, CLI_HASH_SHA1) ) { compute_hash[CLI_HASH_SHA1] = 1; } else { compute_hash[CLI_HASH_SHA1] = 0; } if(cli_hm_have_size(hdb, CLI_HASH_SHA256, map->len) || cli_hm_have_wild(hdb, CLI_HASH_SHA256) || cli_hm_have_size(fp, CLI_HASH_SHA256, map->len) || cli_hm_have_wild(fp, CLI_HASH_SHA256)) { compute_hash[CLI_HASH_SHA256] = 1; } else { compute_hash[CLI_HASH_SHA256] = 0; } } while(offset < map->len) { bytes = MIN(map->len - offset, SCANBUFF); if(!(buff = fmap_need_off_once(map, offset, bytes))) break; if(ctx->scanned) *ctx->scanned += bytes / CL_COUNT_PRECISION; if(troot) { virname = NULL; viroffset = 0; ret = matcher_run(troot, buff, bytes, &virname, &tdata, offset, &info, ftype, ftoffset, acmode, acres, map, bm_offmode ? &toff : NULL, &viroffset, ctx); if (virname) { /* virname already appended by matcher_run */ viruses_found = 1; } if((ret == CL_VIRUS && !SCAN_ALL) || ret == CL_EMEM) { if(!ftonly) cli_ac_freedata(&gdata); cli_ac_freedata(&tdata); if(bm_offmode) cli_bm_freeoff(&toff); if(info.exeinfo.section) free(info.exeinfo.section); cli_hashset_destroy(&info.exeinfo.vinfo); cl_hash_destroy(md5ctx); cl_hash_destroy(sha1ctx); cl_hash_destroy(sha256ctx); return ret; } } if(!ftonly) { virname = NULL; viroffset = 0; ret = matcher_run(groot, buff, bytes, &virname, &gdata, offset, &info, ftype, ftoffset, acmode, acres, map, NULL, &viroffset, ctx); if (virname) { /* virname already appended by matcher_run */ viruses_found = 1; } if((ret == CL_VIRUS && !SCAN_ALL) || ret == CL_EMEM) { cli_ac_freedata(&gdata); if(troot) { cli_ac_freedata(&tdata); if(bm_offmode) cli_bm_freeoff(&toff); } if(info.exeinfo.section) free(info.exeinfo.section); cli_hashset_destroy(&info.exeinfo.vinfo); cl_hash_destroy(md5ctx); cl_hash_destroy(sha1ctx); cl_hash_destroy(sha256ctx); return ret; } else if((acmode & AC_SCAN_FT) && ret >= CL_TYPENO) { if(ret > type) type = ret; } if(hdb) { const void *data = buff + maxpatlen * (offset!=0); uint32_t data_len = bytes - maxpatlen * (offset!=0); if(compute_hash[CLI_HASH_MD5]) cl_update_hash(md5ctx, (void *)data, data_len); if(compute_hash[CLI_HASH_SHA1]) cl_update_hash(sha1ctx, (void *)data, data_len); if(compute_hash[CLI_HASH_SHA256]) cl_update_hash(sha256ctx, (void *)data, data_len); } } if(SCAN_ALL && viroffset) { offset = viroffset; continue; } if(bytes < SCANBUFF) break; offset += bytes - maxpatlen; } if(!ftonly && hdb) { enum CLI_HASH_TYPE hashtype, hashtype2; if(compute_hash[CLI_HASH_MD5]) { cl_finish_hash(md5ctx, digest[CLI_HASH_MD5]); md5ctx = NULL; } if(refhash) compute_hash[CLI_HASH_MD5] = 1; if(compute_hash[CLI_HASH_SHA1]) { cl_finish_hash(sha1ctx, digest[CLI_HASH_SHA1]); sha1ctx = NULL; } if(compute_hash[CLI_HASH_SHA256]) { cl_finish_hash(sha256ctx, digest[CLI_HASH_SHA256]); sha256ctx = NULL; } virname = NULL; for(hashtype = CLI_HASH_MD5; hashtype < CLI_HASH_AVAIL_TYPES; hashtype++) { const char * virname_w = NULL; int found = 0; /* If no hash, skip to next type */ if(!compute_hash[hashtype]) continue; /* Do hash scan */ if((ret = cli_hm_scan(digest[hashtype], map->len, &virname, hdb, hashtype)) == CL_VIRUS) { found += 1; } if(!found || SCAN_ALL) { if ((ret = cli_hm_scan_wild(digest[hashtype], &virname_w, hdb, hashtype)) == CL_VIRUS) found += 2; } /* If found, do immediate hash-only FP check */ if (found && fp) { for(hashtype2 = CLI_HASH_MD5; hashtype2 < CLI_HASH_AVAIL_TYPES; hashtype2++) { if(!compute_hash[hashtype2]) continue; if(cli_hm_scan(digest[hashtype2], map->len, NULL, fp, hashtype2) == CL_VIRUS) { found = 0; ret = CL_CLEAN; break; } else if(cli_hm_scan_wild(digest[hashtype2], NULL, fp, hashtype2) == CL_VIRUS) { found = 0; ret = CL_CLEAN; break; } } } /* If matched size-based hash ... */ if (found % 2) { viruses_found = 1; cli_append_virus(ctx, virname); if (!SCAN_ALL) break; virname = NULL; } /* If matched size-agnostic hash ... */ if (found > 1) { viruses_found = 1; cli_append_virus(ctx, virname_w); if (!SCAN_ALL) break; } } } cl_hash_destroy(md5ctx); cl_hash_destroy(sha1ctx); cl_hash_destroy(sha256ctx); if(troot) { if(ret != CL_VIRUS || SCAN_ALL) ret = cli_lsig_eval(ctx, troot, &tdata, &info, (const char *)refhash); if (ret == CL_VIRUS) viruses_found++; cli_ac_freedata(&tdata); if(bm_offmode) cli_bm_freeoff(&toff); } if(groot) { if(ret != CL_VIRUS || SCAN_ALL) ret = cli_lsig_eval(ctx, groot, &gdata, &info, (const char *)refhash); cli_ac_freedata(&gdata); } if(info.exeinfo.section) free(info.exeinfo.section); cli_hashset_destroy(&info.exeinfo.vinfo); if (SCAN_ALL && viruses_found) return CL_VIRUS; if(ret == CL_VIRUS) return CL_VIRUS; return (acmode & AC_SCAN_FT) ? type : CL_CLEAN; }
/* Given mish data, reconstruct the partition details */ static int dmg_handle_mish(cli_ctx *ctx, unsigned int mishblocknum, char *dir, uint64_t xmlOffset, struct dmg_mish_with_stripes *mish_set) { struct dmg_block_data *blocklist = mish_set->stripes; uint64_t totalSectors = 0; uint32_t i; unsigned long projected_size; int ret = CL_CLEAN, ofd; uint8_t sorted = 1, writeable_data = 0; char outfile[NAME_MAX + 1]; /* First loop, fix endian-ness and check if already sorted */ for (i = 0; i < mish_set->mish->blockDataCount; i++) { blocklist[i].type = be32_to_host(blocklist[i].type); // blocklist[i].reserved = be32_to_host(blocklist[i].reserved); blocklist[i].startSector = be64_to_host(blocklist[i].startSector); blocklist[i].sectorCount = be64_to_host(blocklist[i].sectorCount); blocklist[i].dataOffset = be64_to_host(blocklist[i].dataOffset); blocklist[i].dataLength = be64_to_host(blocklist[i].dataLength); cli_dbgmsg("mish %u stripe " STDu32 " type " STDx32 " start " STDu64 " count " STDu64 " source " STDu64 " length " STDu64 "\n", mishblocknum, i, blocklist[i].type, blocklist[i].startSector, blocklist[i].sectorCount, blocklist[i].dataOffset, blocklist[i].dataLength); if ((blocklist[i].dataOffset > xmlOffset) || (blocklist[i].dataOffset + blocklist[i].dataLength > xmlOffset)) { cli_dbgmsg("dmg_handle_mish: invalid stripe offset and/or length\n"); return CL_EFORMAT; } if ((i > 0) && sorted && (blocklist[i].startSector < blocklist[i-1].startSector)) { cli_dbgmsg("dmg_handle_mish: stripes not in order, will have to sort\n"); sorted = 0; } if (dmg_track_sectors(&totalSectors, &writeable_data, i, blocklist[i].type, blocklist[i].sectorCount)) { /* reason was logged from dmg_track_sector_count */ return CL_EFORMAT; } } if (!sorted) { cli_qsort(blocklist, mish_set->mish->blockDataCount, sizeof(struct dmg_block_data), cmp_mish_stripes); } cli_dbgmsg("dmg_handle_mish: stripes in order!\n"); /* Size checks */ if ((writeable_data == 0) || (totalSectors == 0)) { cli_dbgmsg("dmg_handle_mish: no data to output\n"); return CL_CLEAN; } else if (totalSectors > (ULONG_MAX / DMG_SECTOR_SIZE)) { /* cli_checklimits only takes unsigned long for now */ cli_warnmsg("dmg_handle_mish: mish block %u too big to handle (for now)", mishblocknum); return CL_CLEAN; } projected_size = (unsigned long)(totalSectors * DMG_SECTOR_SIZE); ret = cli_checklimits("cli_scandmg", ctx, projected_size, 0, 0); if (ret != CL_CLEAN) { /* limits exceeded */ cli_dbgmsg("dmg_handle_mish: skipping block %u, limits exceeded\n", mishblocknum); return ret; } /* Prepare for file */ snprintf(outfile, sizeof(outfile)-1, "%s"PATHSEP"dmg%02u", dir, mishblocknum); outfile[sizeof(outfile)-1] = '\0'; ofd = open(outfile, O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_BINARY, 0600); if (ofd < 0) { char err[128]; cli_errmsg("cli_scandmg: Can't create temporary file %s: %s\n", outfile, cli_strerror(errno, err, sizeof(err))); return CL_ETMPFILE; } cli_dbgmsg("dmg_handle_mish: extracting block %u to %s\n", mishblocknum, outfile); /* Push data, stripe by stripe */ for(i=0; i < mish_set->mish->blockDataCount && ret == CL_CLEAN; i++) { switch (blocklist[i].type) { case DMG_STRIPE_EMPTY: case DMG_STRIPE_ZEROES: ret = dmg_stripe_zeroes(ctx, ofd, i, mish_set); break; case DMG_STRIPE_STORED: ret = dmg_stripe_store(ctx, ofd, i, mish_set); break; case DMG_STRIPE_ADC: ret = dmg_stripe_adc(ctx, ofd, i, mish_set); break; case DMG_STRIPE_DEFLATE: ret = dmg_stripe_inflate(ctx, ofd, i, mish_set); break; case DMG_STRIPE_BZ: ret = dmg_stripe_bzip(ctx, ofd, i, mish_set); break; case DMG_STRIPE_SKIP: case DMG_STRIPE_END: default: cli_dbgmsg("dmg_handle_mish: stripe " STDu32 ", skipped\n", i); break; } } /* If okay so far, scan rebuilt partition */ if (ret == CL_CLEAN) { ret = cli_partition_scandesc(ofd, ctx); } close(ofd); if (!ctx->engine->keeptmp) if (cli_unlink(outfile)) return CL_EUNLINK; return ret; }
int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx) { char md5[33]; unsigned int i; const char *virname=NULL; fmap_t *map; const char *ptr; uint8_t shash1[SHA1_HASH_SIZE*2+1]; uint8_t shash256[SHA256_HASH_SIZE*2+1]; int have_sha1, have_sha256, do_dsig_check = 1; stats_section_t sections; if(cli_hm_scan(digest, size, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) { cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: %d\n", virname, (int)size); return CL_CLEAN; } else if(cli_hm_scan_wild(digest, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) { cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: *\n", virname); return CL_CLEAN; } if(cli_debug_flag || ctx->engine->cb_hash) { for(i = 0; i < 16; i++) sprintf(md5 + i * 2, "%02x", digest[i]); md5[32] = 0; cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) size, cli_get_last_virus(ctx) ? cli_get_last_virus(ctx) : "Name"); } if(cli_get_last_virus(ctx)) do_dsig_check = strncmp("W32S.", cli_get_last_virus(ctx), 5); map = *ctx->fmap; have_sha1 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, size) || cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA1) || (cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 1) && do_dsig_check); have_sha256 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA256, size) || cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA256); if(have_sha1 || have_sha256) { if((ptr = fmap_need_off_once(map, 0, size))) { if(have_sha1) { cl_sha1(ptr, size, &shash1[SHA1_HASH_SIZE], NULL); if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) { cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname); return CL_CLEAN; } if(cli_hm_scan_wild(&shash1[SHA1_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) { cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname); return CL_CLEAN; } if(do_dsig_check && cli_hm_scan(&shash1[SHA1_HASH_SIZE], 1, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) { cli_dbgmsg("cli_checkfp(sha1): Found false positive detection via catalog file\n"); return CL_CLEAN; } } if(have_sha256) { cl_sha256(ptr, size, &shash256[SHA256_HASH_SIZE], NULL); if(cli_hm_scan(&shash256[SHA256_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) { cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname); return CL_CLEAN; } if(cli_hm_scan_wild(&shash256[SHA256_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) { cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname); return CL_CLEAN; } } } } #ifdef HAVE__INTERNAL__SHA_COLLECT if((ctx->options & CL_SCAN_INTERNAL_COLLECT_SHA) && ctx->sha_collect>0) { if((ptr = fmap_need_off_once(map, 0, size))) { if(!have_sha256) cl_sha256(ptr, size, shash256+SHA256_HASH_SIZE, NULL); for(i=0; i<SHA256_HASH_SIZE; i++) sprintf((char *)shash256+i*2, "%02x", shash256[SHA256_HASH_SIZE+i]); if(!have_sha1) cl_sha1(ptr, size, shash1+SHA1_HASH_SIZE); for(i=0; i<SHA1_HASH_SIZE; i++) sprintf((char *)shash1+i*2, "%02x", shash1[SHA1_HASH_SIZE+i]); cli_errmsg("COLLECT:%s:%s:%u:%s:%s\n", shash256, shash1, size, cli_get_last_virus(ctx), ctx->entry_filename); } else cli_errmsg("can't compute sha\n!"); ctx->sha_collect = -1; } #endif memset(§ions, 0x00, sizeof(stats_section_t)); if(do_dsig_check || ctx->engine->cb_stats_add_sample) { uint32_t flags = (do_dsig_check ? CL_CHECKFP_PE_FLAG_AUTHENTICODE : 0); if (!(ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_PE_STATS) && !(ctx->engine->dconf->stats & (DCONF_STATS_DISABLED | DCONF_STATS_PE_SECTION_DISABLED))) flags |= CL_CHECKFP_PE_FLAG_STATS; switch(cli_checkfp_pe(ctx, shash1, §ions, flags)) { case CL_CLEAN: cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid embedded digital signature\n"); return CL_CLEAN; case CL_VIRUS: if(cli_hm_scan(shash1, 2, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) { cli_dbgmsg("cli_checkfp(pe): PE file whitelisted by catalog file\n"); return CL_CLEAN; } } } if (ctx->engine->cb_hash) ctx->engine->cb_hash(fmap_fd(*ctx->fmap), size, (const unsigned char *)md5, cli_get_last_virus(ctx), ctx->cb_ctx); if (ctx->engine->cb_stats_add_sample) ctx->engine->cb_stats_add_sample(cli_get_last_virus(ctx), digest, size, §ions, ctx->engine->stats_data); if (sections.sections) free(sections.sections); return CL_VIRUS; }
/* * offdata[0]: type * offdata[1]: offset value * offdata[2]: max shift * offdata[3]: section number */ int cli_caloff(const char *offstr, const struct cli_target_info *info, unsigned int target, uint32_t *offdata, uint32_t *offset_min, uint32_t *offset_max) { char offcpy[65]; unsigned int n, val; char *pt; if(!info) { /* decode offset string */ if(!offstr) { cli_errmsg("cli_caloff: offstr == NULL\n"); return CL_ENULLARG; } if(!strcmp(offstr, "*")) { offdata[0] = *offset_max = *offset_min = CLI_OFF_ANY; return CL_SUCCESS; } if(strlen(offstr) > 64) { cli_errmsg("cli_caloff: Offset string too long\n"); return CL_EMALFDB; } strcpy(offcpy, offstr); if((pt = strchr(offcpy, ','))) { if(!cli_isnumber(pt + 1)) { cli_errmsg("cli_caloff: Invalid offset shift value\n"); return CL_EMALFDB; } offdata[2] = atoi(pt + 1); *pt = 0; } else { offdata[2] = 0; } *offset_max = *offset_min = CLI_OFF_NONE; if(!strncmp(offcpy, "EP+", 3) || !strncmp(offcpy, "EP-", 3)) { if(offcpy[2] == '+') offdata[0] = CLI_OFF_EP_PLUS; else offdata[0] = CLI_OFF_EP_MINUS; if(!cli_isnumber(&offcpy[3])) { cli_errmsg("cli_caloff: Invalid offset value\n"); return CL_EMALFDB; } offdata[1] = atoi(&offcpy[3]); } else if(offcpy[0] == 'S') { if(offcpy[1] == 'E') { if(!cli_isnumber(&offcpy[2])) { cli_errmsg("cli_caloff: Invalid section number\n"); return CL_EMALFDB; } offdata[0] = CLI_OFF_SE; offdata[3] = atoi(&offcpy[2]); } else if(!strncmp(offstr, "SL+", 3)) { offdata[0] = CLI_OFF_SL_PLUS; if(!cli_isnumber(&offcpy[3])) { cli_errmsg("cli_caloff: Invalid offset value\n"); return CL_EMALFDB; } offdata[1] = atoi(&offcpy[3]); } else if(sscanf(offcpy, "S%u+%u", &n, &val) == 2) { offdata[0] = CLI_OFF_SX_PLUS; offdata[1] = val; offdata[3] = n; } else { cli_errmsg("cli_caloff: Invalid offset string\n"); return CL_EMALFDB; } } else if(!strncmp(offcpy, "EOF-", 4)) { offdata[0] = CLI_OFF_EOF_MINUS; if(!cli_isnumber(&offcpy[4])) { cli_errmsg("cli_caloff: Invalid offset value\n"); return CL_EMALFDB; } offdata[1] = atoi(&offcpy[4]); } else if(!strncmp(offcpy, "VI", 2)) { /* versioninfo */ offdata[0] = CLI_OFF_VERSION; } else if (strchr(offcpy, '$')) { if (sscanf(offcpy, "$%u$", &n) != 1) { cli_errmsg("cli_caloff: Invalid macro($) in offset: %s\n", offcpy); return CL_EMALFDB; } if (n >= 32) { cli_errmsg("cli_caloff: at most 32 macro groups supported\n"); return CL_EMALFDB; } offdata[0] = CLI_OFF_MACRO; offdata[1] = n; } else { offdata[0] = CLI_OFF_ABSOLUTE; if(!cli_isnumber(offcpy)) { cli_errmsg("cli_caloff: Invalid offset value\n"); return CL_EMALFDB; } *offset_min = offdata[1] = atoi(offcpy); *offset_max = *offset_min + offdata[2]; } if(offdata[0] != CLI_OFF_ANY && offdata[0] != CLI_OFF_ABSOLUTE && offdata[0] != CLI_OFF_EOF_MINUS && offdata[0] != CLI_OFF_MACRO) { if(target != 1 && target != 6 && target != 9) { cli_errmsg("cli_caloff: Invalid offset type for target %u\n", target); return CL_EMALFDB; } } } else { /* calculate relative offsets */ *offset_min = CLI_OFF_NONE; if(offset_max) *offset_max = CLI_OFF_NONE; if(info->status == -1) return CL_SUCCESS; switch(offdata[0]) { case CLI_OFF_EOF_MINUS: *offset_min = info->fsize - offdata[1]; break; case CLI_OFF_EP_PLUS: *offset_min = info->exeinfo.ep + offdata[1]; break; case CLI_OFF_EP_MINUS: *offset_min = info->exeinfo.ep - offdata[1]; break; case CLI_OFF_SL_PLUS: *offset_min = info->exeinfo.section[info->exeinfo.nsections - 1].raw + offdata[1]; break; case CLI_OFF_SX_PLUS: if(offdata[3] >= info->exeinfo.nsections) *offset_min = CLI_OFF_NONE; else *offset_min = info->exeinfo.section[offdata[3]].raw + offdata[1]; break; case CLI_OFF_SE: if(offdata[3] >= info->exeinfo.nsections) { *offset_min = CLI_OFF_NONE; } else { *offset_min = info->exeinfo.section[offdata[3]].raw; if (offset_max) *offset_max = *offset_min + info->exeinfo.section[offdata[3]].rsz + offdata[2]; } break; case CLI_OFF_VERSION: if (offset_max) *offset_min = *offset_max = CLI_OFF_ANY; break; default: cli_errmsg("cli_caloff: Not a relative offset (type: %u)\n", offdata[0]); return CL_EARG; } if(offset_max && *offset_max == CLI_OFF_NONE && *offset_min != CLI_OFF_NONE) *offset_max = *offset_min + offdata[2]; } return CL_SUCCESS; }
int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset, cli_ctx *ctx, cli_file_t ftype, struct cli_ac_data **acdata) { int ret = CL_CLEAN; unsigned int i = 0, j = 0, viruses_found = 0; struct cli_ac_data mdata; struct cli_matcher *groot, *troot = NULL; const char *virname = NULL; const struct cl_engine *engine=ctx->engine; if(!engine) { cli_errmsg("cli_scanbuff: engine == NULL\n"); return CL_ENULLARG; } groot = engine->root[0]; /* generic signatures */ if(ftype) { for(i = 1; i < CLI_MTARGETS; i++) { for (j = 0; j < cli_mtargets[i].target_count; ++j) { if(cli_mtargets[i].target[j] == ftype) { troot = ctx->engine->root[i]; break; } } if (troot) break; } } if(troot) { if(!acdata && (ret = cli_ac_initdata(&mdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) return ret; ret = matcher_run(troot, buffer, length, &virname, acdata ? (acdata[0]): (&mdata), offset, NULL, ftype, NULL, AC_SCAN_VIR, NULL, *ctx->fmap, NULL, NULL, ctx); if(!acdata) cli_ac_freedata(&mdata); if(ret == CL_EMEM) return ret; if(ret == CL_VIRUS) { viruses_found = 1; if(ctx && !SCAN_ALL) { return ret; } } } virname = NULL; if(!acdata && (ret = cli_ac_initdata(&mdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) return ret; ret = matcher_run(groot, buffer, length, &virname, acdata ? (acdata[1]): (&mdata), offset, NULL, ftype, NULL, AC_SCAN_VIR, NULL, *ctx->fmap, NULL, NULL, ctx); if(!acdata) cli_ac_freedata(&mdata); if(viruses_found) return CL_VIRUS; return ret; }
static int ooxml_basic_json(int fd, cli_ctx *ctx, const char *key) { int ret = CL_SUCCESS; const xmlChar *stack[OOXML_JSON_RECLEVEL]; json_object *summary, *wrkptr; int type, rlvl = 0; int32_t val2; const xmlChar *name, *value; xmlTextReaderPtr reader = NULL; cli_dbgmsg("in ooxml_basic_json\n"); reader = xmlReaderForFd(fd, "properties.xml", NULL, 0); if (reader == NULL) { cli_dbgmsg("ooxml_basic_json: xmlReaderForFd error for %s\n", key); return CL_SUCCESS; // libxml2 failed! } summary = json_object_new_object(); if (NULL == summary) { cli_errmsg("ooxml_basic_json: no memory for json object.\n"); ret = CL_EFORMAT; goto ooxml_basic_exit; } while (xmlTextReaderRead(reader) == 1) { name = xmlTextReaderConstLocalName(reader); value = xmlTextReaderConstValue(reader); type = xmlTextReaderNodeType(reader); cli_dbgmsg("%s [%i]: %s\n", name, type, value); switch (type) { case XML_READER_TYPE_ELEMENT: stack[rlvl] = name; rlvl++; break; case XML_READER_TYPE_TEXT: { wrkptr = summary; if (rlvl > 2) { /* 0 is root xml object */ int i; for (i = 1; i < rlvl-1; ++i) { json_object *newptr = json_object_object_get(wrkptr, stack[i]); if (!newptr) { newptr = json_object_new_object(); if (NULL == newptr) { cli_errmsg("ooxml_basic_json: no memory for json object.\n"); ret = CL_EMEM; goto ooxml_basic_exit; } json_object_object_add(wrkptr, stack[i], newptr); } else { /* object already exists */ if (!json_object_is_type(newptr, json_type_object)) { cli_warnmsg("ooxml_content_cb: json object already exists as not an object\n"); ret = CL_EFORMAT; goto ooxml_basic_exit; } } wrkptr = newptr; cli_dbgmsg("stack %d: %s\n", i, stack[i]); } } if (ooxml_is_int(value, xmlStrlen(value), &val2)) { ret = cli_jsonint(wrkptr, stack[rlvl-1], val2); } else if (!xmlStrcmp(value, "true")) { ret = cli_jsonbool(wrkptr, stack[rlvl-1], 1); } else if (!xmlStrcmp(value, "false")) { ret = cli_jsonbool(wrkptr, stack[rlvl-1], 0); } else { ret = cli_jsonstr(wrkptr, stack[rlvl-1], value); } if (ret != CL_SUCCESS) goto ooxml_basic_exit; } break; case XML_READER_TYPE_END_ELEMENT: rlvl--; break; default: cli_dbgmsg("ooxml_content_cb: unhandled xml node %s [%i]: %s\n", name, type, value); ret = CL_EFORMAT; goto ooxml_basic_exit; } } json_object_object_add(ctx->wrkproperty, key, summary); if (rlvl != 0) { cli_warnmsg("ooxml_basic_json: office property file has unbalanced tags\n"); /* FAIL */ } ooxml_basic_exit: xmlTextReaderClose(reader); xmlFreeTextReader(reader); return ret; }
static int ooxml_parse_element(xmlTextReaderPtr reader, json_object *wrkptr, int rlvl, int skip) { const char *element_tag = NULL, *end_tag = NULL; const xmlChar *node_name = NULL, *node_value = NULL; json_object *njptr; int node_type, ret = CL_SUCCESS; int32_t val2; cli_dbgmsg("in ooxml_parse_element @ layer %d\n", rlvl); /* check recursion level */ if (rlvl >= OOXML_JSON_RECLEVEL_MAX) { return CL_EMAXREC; } if (wrkptr == NULL) { skip = 1; } /* acquire element type */ node_type = xmlTextReaderNodeType(reader); if (node_type != XML_READER_TYPE_ELEMENT) { cli_dbgmsg("ooxml_parse_element: first node typed %d, not %d\n", node_type, XML_READER_TYPE_ELEMENT); return CL_EPARSE; /* first type is not an element */ } /* acquire element tag */ node_name = xmlTextReaderConstLocalName(reader); if (!node_name) { cli_dbgmsg("ooxml_parse_element: element tag node nameless\n"); return CL_EPARSE; /* no name, nameless */ } element_tag = ooxml_check_key(node_name, xmlStrlen(node_name)); if (!element_tag) { cli_dbgmsg("ooxml_parse_element: invalid element tag [%s]\n", node_name); skip = 1; /* skipping element */ //return CL_EFORMAT; /* REMOVE */ } /* handle attributes if you want */ /* loop across all element contents */ while (xmlTextReaderRead(reader) == 1) { node_type = xmlTextReaderNodeType(reader); switch (node_type) { case XML_READER_TYPE_ELEMENT: if (!skip) { njptr = json_object_object_get(wrkptr, element_tag); if (!njptr) { njptr = json_object_new_object(); if (NULL == njptr) { cli_errmsg("ooxml_basic_json: no memory for json object.\n"); return CL_EMEM; } cli_dbgmsg("ooxml_basic_json: added json object [%s]\n", element_tag); json_object_object_add(wrkptr, element_tag, njptr); } else { if (!json_object_is_type(njptr, json_type_object)) { cli_warnmsg("ooxml_content_cb: json object [%s] already exists as not an object\n", element_tag); return CL_EFORMAT; } } } else { njptr = NULL; } ret = ooxml_parse_element(reader, njptr, rlvl+1, skip); if (ret != CL_SUCCESS) { return ret; } break; case XML_READER_TYPE_END_ELEMENT: cli_dbgmsg("in ooxml_parse_element @ layer %d closed\n", rlvl); node_name = xmlTextReaderConstLocalName(reader); if (!node_name) { cli_dbgmsg("ooxml_parse_element: element end tag node nameless\n"); return CL_EPARSE; /* no name, nameless */ } if (!skip) { end_tag = ooxml_check_key(node_name, xmlStrlen(node_name)); if (!end_tag) { cli_dbgmsg("ooxml_parse_element: invalid element end tag [%s]\n", node_name); return CL_EFORMAT; /* unrecognized element tag */ } if (strncmp(element_tag, end_tag, strlen(element_tag))) { cli_dbgmsg("ooxml_parse_element: element tag does not match end tag\n"); return CL_EFORMAT; } } return CL_SUCCESS; case XML_READER_TYPE_TEXT: if (!skip) { node_value = xmlTextReaderConstValue(reader); njptr = json_object_object_get(wrkptr, element_tag); if (njptr) { cli_warnmsg("ooxml_parse_element: json object [%s] already exists\n", element_tag); } if (ooxml_is_int(node_value, xmlStrlen(node_value), &val2)) { ret = cli_jsonint(wrkptr, element_tag, val2); } else if (!xmlStrcmp(node_value, "true")) { ret = cli_jsonbool(wrkptr, element_tag, 1); } else if (!xmlStrcmp(node_value, "false")) { ret = cli_jsonbool(wrkptr, element_tag, 0); } else { ret = cli_jsonstr(wrkptr, element_tag, node_value); } if (ret != CL_SUCCESS) return ret; cli_dbgmsg("ooxml_basic_json: added json value [%s: %s]\n", element_tag, node_value); } else { node_name = xmlTextReaderConstLocalName(reader); node_value = xmlTextReaderConstValue(reader); cli_dbgmsg("ooxml_parse_element: not adding xml node %s [%d]: %s\n", node_name, node_type, node_value); } break; default: node_name = xmlTextReaderConstLocalName(reader); node_value = xmlTextReaderConstValue(reader); cli_dbgmsg("ooxml_parse_element: unhandled xml node %s [%d]: %s\n", node_name, node_type, node_value); return CL_EPARSE; } } return CL_SUCCESS; }