/* NO-PCRE FUNCTIONS */
void cli_pcre_perf_print()
{
cli_errmsg("cli_pcre_perf_print: Cannot print PCRE performance results without PCRE support\n");
return;
}
/* TODO - handle VI and Macro offset types */
int cli_pcre_recaloff(struct cli_matcher *root, struct cli_pcre_off *data, struct cli_target_info *info, cli_ctx *ctx)
{
/* TANGENT: maintain relative offset data in cli_ac_data? */
int ret;
unsigned int i;
struct cli_pcre_meta *pm;
uint32_t endoff;
if (!data) {
return CL_ENULLARG;
}
if (!root || !root->pcre_metatable || !info || (ctx && ctx->dconf && !(ctx->dconf->pcre & PCRE_CONF_SUPPORT))) {
data->shift = NULL;
data->offset = NULL;
return CL_SUCCESS;
}
/* allocate data structures */
data->shift = (uint32_t *) cli_calloc(root->pcre_metas, sizeof(uint32_t));
if (!data->shift) {
cli_errmsg("cli_pcre_initoff: cannot allocate memory for data->shift\n");
return CL_EMEM;
}
data->offset = (uint32_t *) cli_calloc(root->pcre_metas, sizeof(uint32_t));
if (!data->offset) {
cli_errmsg("cli_pcre_initoff: cannot allocate memory for data->offset\n");
free(data->shift);
return CL_EMEM;
}
pm_dbgmsg("CLI_OFF_NONE: %u\n", CLI_OFF_NONE);
pm_dbgmsg("CLI_OFF_ANY: %u\n", CLI_OFF_ANY);
/* iterate across all pcre metadata and recalc offsets */
for (i = 0; i < root->pcre_metas; ++i) {
pm = root->pcre_metatable[i];
/* skip broken pcres, not getting executed anyways */
if (pm->flags & CLI_PCRE_DISABLED) {
data->offset[i] = CLI_OFF_NONE;
data->shift[i] = 0;
continue;
}
if (pm->offdata[0] == CLI_OFF_ANY) {
data->offset[i] = CLI_OFF_ANY;
data->shift[i] = 0;
}
else if (pm->offdata[0] == CLI_OFF_NONE) {
data->offset[i] = CLI_OFF_NONE;
data->shift[i] = 0;
}
else if (pm->offdata[0] == CLI_OFF_ABSOLUTE) {
data->offset[i] = pm->offdata[1];
data->shift[i] = pm->offdata[2];
}
else {
ret = cli_caloff(NULL, info, root->type, pm->offdata, &data->offset[i], &endoff);
if (ret != CL_SUCCESS) {
cli_errmsg("cli_pcre_recaloff: cannot recalculate relative offset for signature\n");
free(data->shift);
free(data->offset);
return ret;
}
/* CLI_OFF_NONE gets passed down, CLI_OFF_ANY gets reinterpreted */
/* TODO - CLI_OFF_VERSION is interpreted as CLI_OFF_ANY(?) */
if (data->offset[i] == CLI_OFF_ANY) {
data->offset[i] = CLI_OFF_ANY;
data->shift[i] = 0;
}
else {
data->shift[i] = endoff-(data->offset[i]);
}
}
pm_dbgmsg("%u: %u %u->%u(+%u)\n", i, pm->offdata[0], data->offset[i],
data->offset[i]+data->shift[i], data->shift[i]);
}
return CL_SUCCESS;
}
int cli_pcre_scanbuf(const unsigned char *buffer, uint32_t length, const char **virname, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, const struct cli_pcre_off *data, cli_ctx *ctx)
{
struct cli_pcre_meta **metatable = root->pcre_metatable, *pm = NULL;
struct cli_pcre_data *pd;
struct cli_ac_result *newres;
uint32_t adjbuffer, adjshift, adjlength;
unsigned int i, evalcnt = 0;
uint64_t maxfilesize, evalids = 0;
uint32_t global, encompass, rolling;
int rc, lrc, offset, options=0, ovector[OVECCOUNT];
uint8_t viruses_found = 0;
if ((!root->pcre_metatable) || (ctx && ctx->dconf && !(ctx->dconf->pcre & PCRE_CONF_SUPPORT))) {
return CL_SUCCESS;
}
/* NOTE: moved pcre maxfilesize limit check to caller [matcher_run] */
for (i = 0; i < root->pcre_metas; ++i) {
pm = root->pcre_metatable[i];
pd = &(pm->pdata);
/* skip checking and running disabled pcres */
if (pm->flags & CLI_PCRE_DISABLED) {
cli_dbgmsg("cli_pcre_scanbuf: skipping disabled regex /%s/\n", pd->expression);
continue;
}
/* skip checking and running CLI_OFF_NONE pcres */
if (data && data->offset[i] == CLI_OFF_NONE) {
pm_dbgmsg("cli_pcre_scanbuf: skipping CLI_OFF_NONE regex /%s/\n", pd->expression);
continue;
}
/* evaluate trigger */
if (pm->lsigid[0]) {
cli_dbgmsg("cli_pcre_scanbuf: checking %s; running regex /%s/\n", pm->trigger, pd->expression);
#ifdef PCRE_BYPASS
if (strcmp(pm->trigger, PCRE_BYPASS))
#endif
if (cli_ac_chklsig(pm->trigger, pm->trigger + strlen(pm->trigger), mdata->lsigcnt[pm->lsigid[1]], &evalcnt, &evalids, 0) != 1)
continue;
}
else {
cli_dbgmsg("cli_pcre_scanbuf: skipping %s check due to unintialized lsigid\n", pm->trigger);
/* fall-through to unconditional execution - sigtool-only */
}
global = (pm->flags & CLI_PCRE_GLOBAL); /* globally search for all matches (within bounds) */
encompass = (pm->flags & CLI_PCRE_ENCOMPASS); /* encompass search to offset->offset+maxshift */
rolling = (pm->flags & CLI_PCRE_ROLLING); /* rolling search (unanchored) */
offset = pd->search_offset; /* this is usually 0 */
cli_dbgmsg("cli_pcre_scanbuf: triggered %s; running regex /%s/%s%s\n", pm->trigger, pd->expression,
global ? " (global)":"", rolling ? " (rolling)":"");
/* adjust the buffer sent to cli_pcre_match for offset and maxshift */
if (!data) {
if (cli_pcre_qoff(pm, length, &adjbuffer, &adjshift) != CL_SUCCESS)
continue;
}
else {
adjbuffer = data->offset[i];
adjshift = data->shift[i];
}
/* check for need to anchoring */
if (!rolling && !adjshift && (adjbuffer != CLI_OFF_ANY))
options |= PCRE_ANCHORED;
else
options = 0;
if (adjbuffer == CLI_OFF_ANY)
adjbuffer = 0;
/* check the offset bounds */
if (adjbuffer < length) {
/* handle encompass flag */
if (encompass && adjshift != 0 && adjshift != CLI_OFF_NONE) {
if (adjbuffer+adjshift > length)
adjlength = length - adjbuffer;
else
adjlength = adjshift;
}
else {
/* NOTE - if using non-encompass method 2, alter shift universally */
/* TODO - limitations on non-encompassed buffers? */
adjlength = length - adjbuffer;
}
}
else {
/* starting offset is outside bounds of file, skip pcre execution silently */
pm_dbgmsg("cli_pcre_scanbuf: starting offset is outside bounds of file %u >= %u\n", adjbuffer, length);
continue;
}
pm_dbgmsg("cli_pcre_scanbuf: passed buffer adjusted to %u +%u(%u)[%u]%s\n", adjbuffer, adjlength, adjbuffer+adjlength, adjshift, encompass ? " (encompass)":"");
/* if the global flag is set, loop through the scanning */
do {
/* performance metrics */
cli_event_time_start(p_sigevents, pm->sigtime_id);
rc = cli_pcre_match(pd, buffer+adjbuffer, adjlength, offset, options, ovector, OVECCOUNT);
cli_event_time_stop(p_sigevents, pm->sigtime_id);
/* if debug, generate a match report */
if (cli_debug_flag)
cli_pcre_report(pd, buffer+adjbuffer, adjlength, rc, ovector, OVECCOUNT);
/* matched, rc shouldn't be >0 unless a full match occurs */
if (rc > 0) {
cli_dbgmsg("cli_pcre_scanbuf: located regex match @ %d\n", adjbuffer+ovector[0]);
/* check if we've gone over offset+shift */
if (!encompass && adjshift) {
if (ovector[0] > adjshift) {
/* ignore matched offset (outside of maxshift) */
cli_dbgmsg("cli_pcre_scanbuf: match found outside of maxshift @%u\n", adjbuffer+ovector[0]);
break;
}
}
/* track the detection count */
cli_event_count(p_sigevents, pm->sigmatch_id);
/* for logical signature evaluation */
if (pm->lsigid[0]) {
pm_dbgmsg("cli_pcre_scanbuf: assigning lsigcnt[%d][%d], located @ %d\n",
pm->lsigid[1], pm->lsigid[2], adjbuffer+ovector[0]);
lrc = lsig_sub_matched(root, mdata, pm->lsigid[1], pm->lsigid[2], adjbuffer+ovector[0], 0);
if (lrc != CL_SUCCESS)
return lrc;
} else {
/* for raw match data - sigtool only */
if(res) {
newres = (struct cli_ac_result *)cli_calloc(1, sizeof(struct cli_ac_result));
if(!newres) {
cli_errmsg("cli_pcre_scanbuff: Can't allocate memory for new result\n");
return CL_EMEM;
}
newres->virname = pm->virname;
newres->customdata = NULL; /* get value? */
newres->next = *res;
newres->offset = adjbuffer+ovector[0];
*res = newres;
} else {
if (ctx && SCAN_ALL) {
viruses_found = 1;
cli_append_virus(ctx, (const char *)pm->virname);
}
if (virname)
*virname = pm->virname;
if (!ctx || !SCAN_ALL)
return CL_VIRUS;
}
}
}
/* move off to the end of the match for next match; offset is relative to adjbuffer
* NOTE: misses matches starting within the last match; TODO: start from start of last match? */
offset = ovector[1];
/* clear the ovector results (they fall through the pcre_match) */
memset(ovector, 0, sizeof(ovector));
} while (global && rc > 0 && offset < adjlength);
/* handle error codes */
if (rc < 0 && rc != PCRE_ERROR_NOMATCH) {
switch (rc) {
case PCRE_ERROR_CALLOUT:
break;
case PCRE_ERROR_NOMEMORY:
cli_errmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: out of memory\n");
return CL_EMEM;
case PCRE_ERROR_MATCHLIMIT:
cli_dbgmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: match limit exceeded\n");
break;
case PCRE_ERROR_RECURSIONLIMIT:
cli_dbgmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: recursive limit exceeded\n");
break;
default:
cli_errmsg("cli_pcre_scanbuf: cli_pcre_match: pcre_exec: returned error %d\n", rc);
return CL_BREAK;
}
}
}
if (viruses_found)
return CL_VIRUS;
return CL_SUCCESS;
}
static int scancws(cli_ctx *ctx, struct swf_file_hdr *hdr)
{
z_stream stream;
char inbuff[FILEBUFF], outbuff[FILEBUFF];
fmap_t *map = *ctx->fmap;
int offset = 8, ret, zret, outsize = 8, count, zend;
char *tmpname;
int fd;
if((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) {
cli_errmsg("scancws: Can't generate temporary file\n");
return ret;
}
hdr->signature[0] = 'F';
if(cli_writen(fd, hdr, sizeof(struct swf_file_hdr)) != sizeof(struct swf_file_hdr)) {
cli_errmsg("scancws: Can't write to file %s\n", tmpname);
close(fd);
if(cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EWRITE;
}
stream.avail_in = 0;
stream.next_in = (Bytef *)inbuff;
stream.next_out = (Bytef *)outbuff;
stream.zalloc = (alloc_func) NULL;
stream.zfree = (free_func) NULL;
stream.opaque = (voidpf) 0;
stream.avail_out = FILEBUFF;
zret = inflateInit(&stream);
if(zret != Z_OK) {
cli_errmsg("scancws: inflateInit() failed\n");
close(fd);
if(cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EUNPACK;
}
do {
if(stream.avail_in == 0) {
stream.next_in = (Bytef *)inbuff;
ret = fmap_readn(map, inbuff, offset, FILEBUFF);
if(ret < 0) {
cli_errmsg("scancws: Error reading SWF file\n");
close(fd);
inflateEnd(&stream);
if(cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EUNPACK;
}
if(!ret)
break;
stream.avail_in = ret;
offset += ret;
}
zret = inflate(&stream, Z_SYNC_FLUSH);
count = FILEBUFF - stream.avail_out;
if(count) {
if(cli_checklimits("SWF", ctx, outsize + count, 0, 0) != CL_SUCCESS)
break;
if(cli_writen(fd, outbuff, count) != count) {
cli_errmsg("scancws: Can't write to file %s\n", tmpname);
inflateEnd(&stream);
close(fd);
if(cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EWRITE;
}
outsize += count;
}
stream.next_out = (Bytef *)outbuff;
stream.avail_out = FILEBUFF;
} while(zret == Z_OK);
zend = inflateEnd(&stream);
if((zret != Z_STREAM_END && zret != Z_OK) || zend != Z_OK) {
/*
* outsize is initialized to 8, it being 8 here means that we couldn't even read a single byte.
* If outsize > 8, then we have data. Let's scan what we have.
*/
if (outsize == 8) {
cli_infomsg(ctx, "scancws: Error decompressing SWF file. No data decompressed.\n");
close(fd);
if(cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EUNPACK;
}
cli_infomsg(ctx, "scancws: Error decompressing SWF file. Scanning what was decompressed.\n");
}
cli_dbgmsg("SWF: Decompressed[zlib] to %s, size %d\n", tmpname, outsize);
/* check if declared output size matches actual output size */
if (hdr->filesize != outsize) {
cli_warnmsg("SWF: declared output length != inflated stream size, %u != %llu\n",
hdr->filesize, (long long unsigned)outsize);
} else {
cli_dbgmsg("SWF: declared output length == inflated stream size, %u == %llu\n",
hdr->filesize, (long long unsigned)outsize);
}
ret = cli_magic_scandesc(fd, tmpname, ctx);
close(fd);
if(!ctx->engine->keeptmp) {
if(cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
}
free(tmpname);
return ret;
}
int cli_pcre_addpatt(struct cli_matcher *root, const char *virname, const char *trigger, const char *pattern, const char *cflags, const char *offset, const uint32_t *lsigid, unsigned int options)
{
struct cli_pcre_meta **newmetatable = NULL, *pm = NULL;
uint32_t pcre_count;
const char *opt;
int ret = CL_SUCCESS, rssigs;
if (!root || !trigger || !pattern || !offset) {
cli_errmsg("cli_pcre_addpatt: NULL root or NULL trigger or NULL pattern or NULL offset\n");
return CL_ENULLARG;
}
/* TODO: trigger and regex checking (backreference limitations?) (control pattern limitations?) */
/* cli_ac_chklsig will fail a empty trigger; empty patterns can cause an infinite loop */
if (*trigger == '\0' || *pattern == '\0') {
cli_errmsg("cli_pcre_addpatt: trigger or pattern cannot be an empty string\n");
return CL_EMALFDB;
}
if (cflags && *cflags == '\0') {
cflags = NULL;
}
if (lsigid)
pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) as subsig %d for lsigid %d\n",
pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger, lsigid[1], lsigid[0]);
else
pm_dbgmsg("cli_pcre_addpatt: Adding /%s/%s%s triggered on (%s) [no lsigid]\n",
pattern, cflags ? " with flags " : "", cflags ? cflags : "", trigger);
#ifdef PCRE_BYPASS
/* check for trigger bypass */
if (strcmp(trigger, PCRE_BYPASS)) {
#endif
/* validate the lsig trigger */
rssigs = cli_ac_chklsig(trigger, trigger + strlen(trigger), NULL, NULL, NULL, 1);
if(rssigs == -1) {
cli_errmsg("cli_pcre_addpatt: regex subsig /%s/ is missing a valid logical trigger\n", pattern);
return CL_EMALFDB;
}
if (lsigid) {
if (rssigs > lsigid[1]) {
cli_errmsg("cli_pcre_addpatt: regex subsig %d logical trigger refers to subsequent subsig %d\n", lsigid[1], rssigs);
return CL_EMALFDB;
}
if (rssigs == lsigid[1]) {
cli_errmsg("cli_pcre_addpatt: regex subsig %d logical trigger is self-referential\n", lsigid[1]);
return CL_EMALFDB;
}
}
else {
cli_dbgmsg("cli_pcre_addpatt: regex subsig is missing lsigid data\n");
}
#ifdef PCRE_BYPASS
}
#endif
/* allocating entries */
pm = (struct cli_pcre_meta *)mpool_calloc(root->mempool, 1, sizeof(*pm));
if (!pm) {
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for new pcre meta\n");
return CL_EMEM;
}
pm->trigger = cli_mpool_strdup(root->mempool, trigger);
if (!pm->trigger) {
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for trigger string\n");
cli_pcre_freemeta(root, pm);
mpool_free(root->mempool, pm);
return CL_EMEM;
}
pm->virname = (char *)cli_mpool_virname(root->mempool, virname, options & CL_DB_OFFICIAL);
if(!pm->virname) {
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for virname or NULL virname\n");
cli_pcre_freemeta(root, pm);
mpool_free(root->mempool, pm);
return CL_EMEM;
}
if (lsigid) {
root->ac_lsigtable[lsigid[0]]->virname = pm->virname;
pm->lsigid[0] = 1;
pm->lsigid[1] = lsigid[0];
pm->lsigid[2] = lsigid[1];
}
else {
/* sigtool */
pm->lsigid[0] = 0;
}
pm->pdata.expression = strdup(pattern);
if (!pm->pdata.expression) {
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for expression\n");
cli_pcre_freemeta(root, pm);
mpool_free(root->mempool, pm);
return CL_EMEM;
}
/* offset parsing and usage, similar to cli_ac_addsig */
/* relative and type-specific offsets handled during scan */
ret = cli_caloff(offset, NULL, root->type, pm->offdata, &(pm->offset_min), &(pm->offset_max));
if (ret != CL_SUCCESS) {
cli_errmsg("cli_pcre_addpatt: cannot calculate offset data: %s for pattern: %s\n", offset, pattern);
cli_pcre_freemeta(root, pm);
mpool_free(root->mempool, pm);
return ret;
}
if(pm->offdata[0] != CLI_OFF_ANY) {
if(pm->offdata[0] == CLI_OFF_ABSOLUTE)
root->pcre_absoff_num++;
else
root->pcre_reloff_num++;
}
/* parse and add options, also totally not from snort */
if (cflags) {
opt = cflags;
/* cli_pcre_addoptions handles pcre specific options */
while (cli_pcre_addoptions(&(pm->pdata), &opt, 0) != CL_SUCCESS) {
/* handle matcher specific options here */
switch (*opt) {
case 'g': pm->flags |= CLI_PCRE_GLOBAL; break;
case 'r': pm->flags |= CLI_PCRE_ROLLING; break;
case 'e': pm->flags |= CLI_PCRE_ENCOMPASS; break;
default:
cli_errmsg("cli_pcre_addpatt: unknown/extra pcre option encountered %c\n", *opt);
cli_pcre_freemeta(root, pm);
mpool_free(root->mempool, pm);
return CL_EMALFDB;
}
opt++;
}
if (pm->flags) {
pm_dbgmsg("Matcher: %s%s%s\n",
pm->flags & CLI_PCRE_GLOBAL ? "CLAMAV_GLOBAL " : "",
pm->flags & CLI_PCRE_ROLLING ? "CLAMAV_ROLLING " : "",
pm->flags & CLI_PCRE_ENCOMPASS ? "CLAMAV_ENCOMPASS " : "");
}
else
pm_dbgmsg("Matcher: NONE\n");
if (pm->pdata.options) {
pm_dbgmsg("Compiler: %s%s%s%s%s%s%s\n",
pm->pdata.options & PCRE_CASELESS ? "PCRE_CASELESS " : "",
pm->pdata.options & PCRE_DOTALL ? "PCRE_DOTALL " : "",
pm->pdata.options & PCRE_MULTILINE ? "PCRE_MULTILINE " : "",
pm->pdata.options & PCRE_EXTENDED ? "PCRE_EXTENDED " : "",
pm->pdata.options & PCRE_ANCHORED ? "PCRE_ANCHORED " : "",
pm->pdata.options & PCRE_DOLLAR_ENDONLY ? "PCRE_DOLLAR_ENDONLY " : "",
pm->pdata.options & PCRE_UNGREEDY ? "PCRE_UNGREEDY " : "");
}
else
pm_dbgmsg("Compiler: NONE\n");
}
/* add metadata to the performance tracker */
if (options & CL_DB_PCRE_STATS)
pcre_perf_events_init(pm, virname);
/* add pcre data to root after reallocation */
pcre_count = root->pcre_metas+1;
newmetatable = (struct cli_pcre_meta **)mpool_realloc(root->mempool, root->pcre_metatable,
pcre_count * sizeof(struct cli_pcre_meta *));
if (!newmetatable) {
cli_errmsg("cli_pcre_addpatt: Unable to allocate memory for new pcre meta table\n");
cli_pcre_freemeta(root, pm);
mpool_free(root->mempool, pm);
return CL_EMEM;
}
newmetatable[pcre_count-1] = pm;
root->pcre_metatable = newmetatable;
root->pcre_metas = pcre_count;
return CL_SUCCESS;
}
int cli_scandmg(cli_ctx *ctx)
{
struct dmg_koly_block hdr;
int ret, namelen, ofd;
size_t maplen, nread;
off_t pos = 0;
char *dirname, *tmpfile;
const char *outdata;
unsigned int file = 0;
struct dmg_mish_with_stripes *mish_list = NULL, *mish_list_tail = NULL;
enum dmgReadState state = DMG_FIND_BASE_PLIST;
int stateDepth[DMG_MAX_STATE];
#if HAVE_LIBXML2
xmlTextReaderPtr reader;
#endif
if (!ctx || !ctx->fmap) {
cli_errmsg("cli_scandmg: Invalid context\n");
return CL_ENULLARG;
}
maplen = (*ctx->fmap)->real_len;
pos = maplen - 512;
if (pos <= 0) {
cli_dbgmsg("cli_scandmg: Sizing problem for DMG archive.\n");
return CL_CLEAN;
}
/* Grab koly block */
if (fmap_readn(*ctx->fmap, &hdr, pos, sizeof(hdr)) != sizeof(hdr)) {
cli_dbgmsg("cli_scandmg: Invalid DMG trailer block\n");
return CL_EFORMAT;
}
/* Check magic */
hdr.magic = be32_to_host(hdr.magic);
if (hdr.magic == 0x6b6f6c79) {
cli_dbgmsg("cli_scandmg: Found koly block @ %ld\n", (long) pos);
}
else {
cli_dbgmsg("cli_scandmg: No koly magic, %8x\n", hdr.magic);
return CL_EFORMAT;
}
hdr.dataForkOffset = be64_to_host(hdr.dataForkOffset);
hdr.dataForkLength = be64_to_host(hdr.dataForkLength);
cli_dbgmsg("cli_scandmg: data offset %lu len %d\n", (unsigned long)hdr.dataForkOffset, (int)hdr.dataForkLength);
hdr.xmlOffset = be64_to_host(hdr.xmlOffset);
hdr.xmlLength = be64_to_host(hdr.xmlLength);
if (hdr.xmlLength > (uint64_t)INT_MAX) {
cli_dbgmsg("cli_scandmg: The embedded XML is way larger than necessary, and probably corrupt or tampered with.\n");
return CL_EFORMAT;
}
if ((hdr.xmlOffset > (uint64_t)maplen) || (hdr.xmlLength > (uint64_t)maplen)
|| (hdr.xmlOffset + hdr.xmlLength) > (uint64_t)maplen) {
cli_dbgmsg("cli_scandmg: XML out of range for this file\n");
return CL_EFORMAT;
}
cli_dbgmsg("cli_scandmg: XML offset %lu len %d\n", (unsigned long)hdr.xmlOffset, (int)hdr.xmlLength);
if (hdr.xmlLength == 0) {
cli_dbgmsg("cli_scandmg: Embedded XML length is zero.\n");
return CL_EFORMAT;
}
/* Create temp folder for contents */
if (!(dirname = cli_gentemp(ctx->engine->tmpdir))) {
return CL_ETMPDIR;
}
if (mkdir(dirname, 0700)) {
cli_errmsg("cli_scandmg: Cannot create temporary directory %s\n", dirname);
free(dirname);
return CL_ETMPDIR;
}
cli_dbgmsg("cli_scandmg: Extracting into %s\n", dirname);
/* Dump XML to tempfile, if needed */
if (ctx->engine->keeptmp && !(ctx->engine->engine_options & ENGINE_OPTIONS_FORCE_TO_DISK)) {
int xret;
xret = dmg_extract_xml(ctx, dirname, &hdr);
if (xret != CL_SUCCESS) {
/* Printed err detail inside dmg_extract_xml */
free(dirname);
return xret;
}
}
/* scan XML with cli_map_scandesc */
ret = cli_map_scan(*ctx->fmap, (off_t)hdr.xmlOffset, (size_t)hdr.xmlLength, ctx);
if (ret != CL_CLEAN) {
cli_dbgmsg("cli_scandmg: retcode from scanning TOC xml: %s\n", cl_strerror(ret));
if (!ctx->engine->keeptmp)
cli_rmdirs(dirname);
free(dirname);
return ret;
}
/* page data from map */
outdata = fmap_need_off_once_len(*ctx->fmap, hdr.xmlOffset, hdr.xmlLength, &nread);
if (!outdata || (nread != hdr.xmlLength)) {
cli_errmsg("cli_scandmg: Failed getting XML from map, len %d\n", (int)hdr.xmlLength);
if (!ctx->engine->keeptmp)
cli_rmdirs(dirname);
free(dirname);
return CL_EMAP;
}
/* time to walk the tree */
/* plist -> dict -> (key:resource_fork) dict -> (key:blkx) array -> dict */
/* each of those bottom level dict should have 4 parts */
/* [ Attributes, Data, ID, Name ], where Data is Base64 mish block */
/* This is the block where we require libxml2 */
#if HAVE_LIBXML2
/* XML_PARSE_NOENT | XML_PARSE_NONET | XML_PARSE_COMPACT */
#define DMG_XML_PARSE_OPTS (1 << 1 | 1 << 11 | 1 << 16)
reader = xmlReaderForMemory(outdata, (int)hdr.xmlLength, "toc.xml", NULL, DMG_XML_PARSE_OPTS);
if (!reader) {
cli_dbgmsg("cli_scandmg: Failed parsing XML!\n");
if (!ctx->engine->keeptmp)
cli_rmdirs(dirname);
free(dirname);
return CL_EFORMAT;
}
stateDepth[DMG_FIND_BASE_PLIST] = -1;
// May need to check for (xmlTextReaderIsEmptyElement(reader) == 0)
/* Break loop if have return code or reader can't read any more */
while ((ret == CL_CLEAN) && (xmlTextReaderRead(reader) == 1)) {
xmlReaderTypes nodeType;
nodeType = xmlTextReaderNodeType(reader);
if (nodeType == XML_READER_TYPE_ELEMENT) {
// New element, do name check
xmlChar *nodeName;
int depth;
depth = xmlTextReaderDepth(reader);
if (depth < 0) {
break;
}
if ((depth > 50) && SCAN_ALGO) {
// Possible heuristic, should limit runaway
cli_dbgmsg("cli_scandmg: Excessive nesting in DMG TOC.\n");
break;
}
nodeName = xmlTextReaderLocalName(reader);
if (!nodeName)
continue;
dmg_parsemsg("read: name %s depth %d\n", nodeName, depth);
if ((state == DMG_FIND_DATA_MISH)
&& (depth == stateDepth[state-1])) {
xmlChar * textValue;
struct dmg_mish_with_stripes *mish_set;
/* Reset state early, for continue cases */
stateDepth[DMG_FIND_KEY_DATA] = -1;
state--;
if (xmlStrcmp(nodeName, "data") != 0) {
cli_dbgmsg("cli_scandmg: Not blkx data element\n");
xmlFree(nodeName);
continue;
}
dmg_parsemsg("read: Found blkx data element\n");
/* Pull out data content from text */
if (xmlTextReaderIsEmptyElement(reader)) {
cli_dbgmsg("cli_scandmg: blkx data element is empty\n");
xmlFree(nodeName);
continue;
}
if (xmlTextReaderRead(reader) != 1) {
xmlFree(nodeName);
break;
}
if (xmlTextReaderNodeType(reader) != XML_READER_TYPE_TEXT) {
cli_dbgmsg("cli_scandmg: Next node not text\n");
xmlFree(nodeName);
continue;
}
textValue = xmlTextReaderValue(reader);
if (textValue == NULL) {
xmlFree(nodeName);
continue;
}
/* Have encoded mish block */
mish_set = cli_malloc(sizeof(struct dmg_mish_with_stripes));
if (mish_set == NULL) {
ret = CL_EMEM;
xmlFree(textValue);
xmlFree(nodeName);
break;
}
ret = dmg_decode_mish(ctx, &file, textValue, mish_set);
xmlFree(textValue);
if (ret == CL_EFORMAT) {
/* Didn't decode, or not a mish block */
ret = CL_CLEAN;
xmlFree(nodeName);
continue;
}
else if (ret != CL_CLEAN) {
xmlFree(nodeName);
continue;
}
/* Add mish block to list */
if (mish_list_tail != NULL) {
mish_list_tail->next = mish_set;
mish_list_tail = mish_set;
}
else {
mish_list = mish_set;
mish_list_tail = mish_set;
}
mish_list_tail->next = NULL;
}
if ((state == DMG_FIND_KEY_DATA)
&& (depth > stateDepth[state-1])
&& (xmlStrcmp(nodeName, "key") == 0)) {
xmlChar * textValue;
dmg_parsemsg("read: Found key - checking for Data\n");
if (xmlTextReaderRead(reader) != 1) {
xmlFree(nodeName);
break;
}
if (xmlTextReaderNodeType(reader) != XML_READER_TYPE_TEXT) {
cli_dbgmsg("cli_scandmg: Key node no text\n");
xmlFree(nodeName);
continue;
}
textValue = xmlTextReaderValue(reader);
if (textValue == NULL) {
cli_dbgmsg("cli_scandmg: no value from xmlTextReaderValue\n");
xmlFree(nodeName);
continue;
}
if (xmlStrcmp(textValue, "Data") == 0) {
dmg_parsemsg("read: Matched data\n");
stateDepth[DMG_FIND_KEY_DATA] = depth;
state++;
}
else {
dmg_parsemsg("read: text value is %s\n", textValue);
}
xmlFree(textValue);
}
if ((state == DMG_FIND_BLKX_CONTAINER)
&& (depth == stateDepth[state-1])) {
if (xmlStrcmp(nodeName, "array") == 0) {
dmg_parsemsg("read: Found array blkx\n");
stateDepth[DMG_FIND_BLKX_CONTAINER] = depth;
state++;
}
else if (xmlStrcmp(nodeName, "dict") == 0) {
dmg_parsemsg("read: Found dict blkx\n");
stateDepth[DMG_FIND_BLKX_CONTAINER] = depth;
state++;
}
else {
cli_dbgmsg("cli_scandmg: Bad blkx, not container\n");
stateDepth[DMG_FIND_KEY_BLKX] = -1;
state--;
}
}
if ((state == DMG_FIND_KEY_BLKX)
&& (depth == stateDepth[state-1] + 1)
&& (xmlStrcmp(nodeName, "key") == 0)) {
xmlChar * textValue;
dmg_parsemsg("read: Found key - checking for blkx\n");
if (xmlTextReaderRead(reader) != 1) {
xmlFree(nodeName);
break;
}
if (xmlTextReaderNodeType(reader) != XML_READER_TYPE_TEXT) {
cli_dbgmsg("cli_scandmg: Key node no text\n");
xmlFree(nodeName);
continue;
}
textValue = xmlTextReaderValue(reader);
if (textValue == NULL) {
cli_dbgmsg("cli_scandmg: no value from xmlTextReaderValue\n");
xmlFree(nodeName);
continue;
}
if (xmlStrcmp(textValue, "blkx") == 0) {
cli_dbgmsg("cli_scandmg: Matched blkx\n");
stateDepth[DMG_FIND_KEY_BLKX] = depth;
state++;
}
else {
cli_dbgmsg("cli_scandmg: wanted blkx, text value is %s\n", textValue);
}
xmlFree(textValue);
}
if ((state == DMG_FIND_DICT_RESOURCE_FORK)
&& (depth == stateDepth[state-1])) {
if (xmlStrcmp(nodeName, "dict") == 0) {
dmg_parsemsg("read: Found resource-fork dict\n");
stateDepth[DMG_FIND_DICT_RESOURCE_FORK] = depth;
state++;
}
else {
dmg_parsemsg("read: Not resource-fork dict\n");
stateDepth[DMG_FIND_KEY_RESOURCE_FORK] = -1;
state--;
}
}
if ((state == DMG_FIND_KEY_RESOURCE_FORK)
&& (depth == stateDepth[state-1] + 1)
&& (xmlStrcmp(nodeName, "key") == 0)) {
dmg_parsemsg("read: Found resource-fork key\n");
stateDepth[DMG_FIND_KEY_RESOURCE_FORK] = depth;
state++;
}
if ((state == DMG_FIND_BASE_DICT)
&& (depth == stateDepth[state-1] + 1)
&& (xmlStrcmp(nodeName, "dict") == 0)) {
dmg_parsemsg("read: Found dict start\n");
stateDepth[DMG_FIND_BASE_DICT] = depth;
state++;
}
if ((state == DMG_FIND_BASE_PLIST) && (xmlStrcmp(nodeName, "plist") == 0)) {
dmg_parsemsg("read: Found plist start\n");
stateDepth[DMG_FIND_BASE_PLIST] = depth;
state++;
}
xmlFree(nodeName);
}
else if ((nodeType == XML_READER_TYPE_END_ELEMENT) && (state > DMG_FIND_BASE_PLIST)) {
int significantEnd = 0;
int depth = xmlTextReaderDepth(reader);
if (depth < 0) {
break;
}
else if (depth < stateDepth[state-1]) {
significantEnd = 1;
}
else if ((depth == stateDepth[state-1])
&& (state-1 == DMG_FIND_BLKX_CONTAINER)) {
/* Special case, ending blkx container */
significantEnd = 1;
}
if (significantEnd) {
dmg_parsemsg("read: significant end tag, state %d\n", state);
stateDepth[state-1] = -1;
state--;
if ((state-1 == DMG_FIND_KEY_RESOURCE_FORK)
|| (state-1 == DMG_FIND_KEY_BLKX)) {
/* Keys end their own tag (validly) and the next state depends on the following tag */
// cli_dbgmsg("read: significant end tag ending prior key state\n");
stateDepth[state-1] = -1;
state--;
}
}
else {
dmg_parsemsg("read: not significant end tag, state %d depth %d prior depth %d\n", state, depth, stateDepth[state-1]);
}
}
}
xmlFreeTextReader(reader);
#else
cli_dbgmsg("cli_scandmg: libxml2 support is compiled out. It is required for full DMG support.\n");
#endif
/* Loop over mish array */
file = 0;
while ((ret == CL_CLEAN) && (mish_list != NULL)) {
/* Handle & scan mish block */
ret = dmg_handle_mish(ctx, file++, dirname, hdr.xmlOffset, mish_list);
free(mish_list->mish);
mish_list_tail = mish_list;
mish_list = mish_list->next;
free(mish_list_tail);
}
/* Cleanup */
/* If error occurred, need to free mish items and mish blocks */
while (mish_list != NULL) {
free(mish_list->mish);
mish_list_tail = mish_list;
mish_list = mish_list->next;
free(mish_list_tail);
}
if (!ctx->engine->keeptmp)
cli_rmdirs(dirname);
free(dirname);
return ret;
}
static int scanzws(cli_ctx *ctx, struct swf_file_hdr *hdr)
{
struct CLI_LZMA lz;
unsigned char inbuff[FILEBUFF], outbuff[FILEBUFF];
fmap_t *map = *ctx->fmap;
/* strip off header */
off_t offset = 8;
uint32_t d_insize;
size_t outsize = 8;
int ret, lret, count;
char *tmpname;
int fd;
if((ret = cli_gentempfd(ctx->engine->tmpdir, &tmpname, &fd)) != CL_SUCCESS) {
cli_errmsg("scanzws: Can't generate temporary file\n");
return ret;
}
hdr->signature[0] = 'F';
if(cli_writen(fd, hdr, sizeof(struct swf_file_hdr)) != sizeof(struct swf_file_hdr)) {
cli_errmsg("scanzws: Can't write to file %s\n", tmpname);
close(fd);
if(cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EWRITE;
}
/* read 4 bytes (for compressed 32-bit filesize) [not used for LZMA] */
if (fmap_readn(map, &d_insize, offset, sizeof(d_insize)) != sizeof(d_insize)) {
cli_errmsg("scanzws: Error reading SWF file\n");
close(fd);
if (cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EREAD;
}
offset += sizeof(d_insize);
/* check if declared input size matches actual output size */
/* map->len = header (8 bytes) + d_insize (4 bytes) + flags (5 bytes) + compressed stream */
if (d_insize != (map->len - 17)) {
cli_warnmsg("SWF: declared input length != compressed stream size, %u != %llu\n",
d_insize, (long long unsigned)(map->len - 17));
} else {
cli_dbgmsg("SWF: declared input length == compressed stream size, %u == %llu\n",
d_insize, (long long unsigned)(map->len - 17));
}
/* first buffer required for initializing LZMA */
ret = fmap_readn(map, inbuff, offset, FILEBUFF);
if (ret < 0) {
cli_errmsg("scanzws: Error reading SWF file\n");
close(fd);
if (cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EUNPACK;
}
/* nothing written, likely truncated */
if (!ret) {
cli_errmsg("scanzws: possibly truncated file\n");
close(fd);
if (cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EFORMAT;
}
offset += ret;
memset(&lz, 0, sizeof(lz));
lz.next_in = inbuff;
lz.next_out = outbuff;
lz.avail_in = ret;
lz.avail_out = FILEBUFF;
lret = cli_LzmaInit(&lz, hdr->filesize);
if (lret != LZMA_RESULT_OK) {
cli_errmsg("scanzws: LzmaInit() failed\n");
close(fd);
if (cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EUNPACK;
}
while (lret == LZMA_RESULT_OK) {
if (lz.avail_in == 0) {
lz.next_in = inbuff;
ret = fmap_readn(map, inbuff, offset, FILEBUFF);
if (ret < 0) {
cli_errmsg("scanzws: Error reading SWF file\n");
cli_LzmaShutdown(&lz);
close(fd);
if (cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EUNPACK;
}
if (!ret)
break;
lz.avail_in = ret;
offset += ret;
}
lret = cli_LzmaDecode(&lz);
count = FILEBUFF - lz.avail_out;
if (count) {
if (cli_checklimits("SWF", ctx, outsize + count, 0, 0) != CL_SUCCESS)
break;
if (cli_writen(fd, outbuff, count) != count) {
cli_errmsg("scanzws: Can't write to file %s\n", tmpname);
cli_LzmaShutdown(&lz);
close(fd);
if (cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EWRITE;
}
outsize += count;
}
lz.next_out = outbuff;
lz.avail_out = FILEBUFF;
}
cli_LzmaShutdown(&lz);
if (lret != LZMA_STREAM_END && lret != LZMA_RESULT_OK) {
/* outsize starts at 8, therefore, if its still 8, nothing was decompressed */
if (outsize == 8) {
cli_infomsg(ctx, "scanzws: Error decompressing SWF file. No data decompressed.\n");
close(fd);
if (cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
free(tmpname);
return CL_EUNPACK;
}
cli_infomsg(ctx, "scanzws: Error decompressing SWF file. Scanning what was decompressed.\n");
}
cli_dbgmsg("SWF: Decompressed[LZMA] to %s, size %llu\n", tmpname, (long long unsigned)outsize);
/* check if declared output size matches actual output size */
if (hdr->filesize != outsize) {
cli_warnmsg("SWF: declared output length != inflated stream size, %u != %llu\n",
hdr->filesize, (long long unsigned)outsize);
} else {
cli_dbgmsg("SWF: declared output length == inflated stream size, %u == %llu\n",
hdr->filesize, (long long unsigned)outsize);
}
ret = cli_magic_scandesc(fd, tmpname, ctx);
close(fd);
if (!(ctx->engine->keeptmp)) {
if (cli_unlink(tmpname)) {
free(tmpname);
return CL_EUNLINK;
}
}
free(tmpname);
return ret;
}
/* Stripe handling: ADC block (type 0x80000004) */
static int dmg_stripe_adc(cli_ctx *ctx, int fd, uint32_t index, struct dmg_mish_with_stripes *mish_set)
{
int ret = CL_CLEAN, adcret;
adc_stream strm;
size_t off = mish_set->stripes[index].dataOffset;
size_t len = mish_set->stripes[index].dataLength;
uint64_t size_so_far = 0;
uint64_t expected_len = mish_set->stripes[index].sectorCount * DMG_SECTOR_SIZE;
uint8_t obuf[BUFSIZ];
cli_dbgmsg("dmg_stripe_adc: stripe " STDu32 " initial len " STDu64 " expected len " STDu64 "\n",
index, (uint64_t)len, (uint64_t)expected_len);
if (len == 0)
return CL_CLEAN;
memset(&strm, 0, sizeof(strm));
strm.next_in = (uint8_t *)fmap_need_off_once(*ctx->fmap, off, len);
if (!strm.next_in) {
cli_warnmsg("dmg_stripe_adc: fmap need failed on stripe " STDu32 "\n", index);
return CL_EMAP;
}
strm.avail_in = len;
strm.next_out = obuf;
strm.avail_out = sizeof(obuf);
adcret = adc_decompressInit(&strm);
if(adcret != ADC_OK) {
cli_warnmsg("dmg_stripe_adc: adc_decompressInit failed\n");
return CL_EMEM;
}
while(adcret == ADC_OK) {
int written;
if (size_so_far > expected_len) {
cli_warnmsg("dmg_stripe_adc: expected size exceeded!\n");
adc_decompressEnd(&strm);
return CL_EFORMAT;
}
adcret = adc_decompress(&strm);
switch(adcret) {
case ADC_OK:
if(strm.avail_out == 0) {
if ((written=cli_writen(fd, obuf, sizeof(obuf)))!=sizeof(obuf)) {
cli_errmsg("dmg_stripe_adc: failed write to output file\n");
adc_decompressEnd(&strm);
return CL_EWRITE;
}
size_so_far += written;
strm.next_out = obuf;
strm.avail_out = sizeof(obuf);
}
continue;
case ADC_STREAM_END:
default:
written = sizeof(obuf) - strm.avail_out;
if (written) {
if ((cli_writen(fd, obuf, written))!=written) {
cli_errmsg("dmg_stripe_adc: failed write to output file\n");
adc_decompressEnd(&strm);
return CL_EWRITE;
}
size_so_far += written;
strm.next_out = obuf;
strm.avail_out = sizeof(obuf);
}
if (adcret == ADC_STREAM_END)
break;
cli_dbgmsg("dmg_stripe_adc: after writing " STDu64 " bytes, "
"got error %d decompressing stripe " STDu32 "\n",
size_so_far, adcret, index);
adc_decompressEnd(&strm);
return CL_EFORMAT;
}
break;
}
adc_decompressEnd(&strm);
cli_dbgmsg("dmg_stripe_adc: stripe " STDu32 " actual len " STDu64 " expected len " STDu64 "\n",
index, size_so_far, expected_len);
return CL_CLEAN;
}
/* Stripe handling: deflate block (type 0x80000005) */
static int dmg_stripe_inflate(cli_ctx *ctx, int fd, uint32_t index, struct dmg_mish_with_stripes *mish_set)
{
int ret = CL_CLEAN, zstat;
z_stream strm;
size_t off = mish_set->stripes[index].dataOffset;
size_t len = mish_set->stripes[index].dataLength;
uint64_t size_so_far = 0;
uint64_t expected_len = mish_set->stripes[index].sectorCount * DMG_SECTOR_SIZE;
uint8_t obuf[BUFSIZ];
cli_dbgmsg("dmg_stripe_inflate: stripe " STDu32 "\n", index);
if (len == 0)
return CL_CLEAN;
memset(&strm, 0, sizeof(strm));
strm.next_in = (void*)fmap_need_off_once(*ctx->fmap, off, len);
if (!strm.next_in) {
cli_warnmsg("dmg_stripe_inflate: fmap need failed on stripe " STDu32 "\n", index);
return CL_EMAP;
}
strm.avail_in = len;
strm.next_out = obuf;
strm.avail_out = sizeof(obuf);
zstat = inflateInit(&strm);
if(zstat != Z_OK) {
cli_warnmsg("dmg_stripe_inflate: inflateInit failed\n");
return CL_EMEM;
}
while(strm.avail_in) {
int written;
if (size_so_far > expected_len) {
cli_warnmsg("dmg_stripe_inflate: expected size exceeded!\n");
inflateEnd(&strm);
return CL_EFORMAT;
}
zstat = inflate(&strm, Z_NO_FLUSH); /* zlib */
switch(zstat) {
case Z_OK:
if(strm.avail_out == 0) {
if ((written=cli_writen(fd, obuf, sizeof(obuf)))!=sizeof(obuf)) {
cli_errmsg("dmg_stripe_inflate: failed write to output file\n");
inflateEnd(&strm);
return CL_EWRITE;
}
size_so_far += written;
strm.next_out = (Bytef *)obuf;
strm.avail_out = sizeof(obuf);
}
continue;
case Z_STREAM_END:
default:
written = sizeof(obuf) - strm.avail_out;
if (written) {
if ((cli_writen(fd, obuf, written))!=written) {
cli_errmsg("dmg_stripe_inflate: failed write to output file\n");
inflateEnd(&strm);
return CL_EWRITE;
}
size_so_far += written;
strm.next_out = (Bytef *)obuf;
strm.avail_out = sizeof(obuf);
if (zstat == Z_STREAM_END)
break;
}
if(strm.msg)
cli_dbgmsg("dmg_stripe_inflate: after writing " STDu64 " bytes, "
"got error \"%s\" inflating stripe " STDu32 "\n",
size_so_far, strm.msg, index);
else
cli_dbgmsg("dmg_stripe_inflate: after writing " STDu64 " bytes, "
"got error %d inflating stripe " STDu32 "\n",
size_so_far, zstat, index);
inflateEnd(&strm);
return CL_EFORMAT;
}
break;
}
if(strm.avail_out != sizeof(obuf)) {
if(cli_writen(fd, obuf, sizeof(obuf) - strm.avail_out) < 0) {
cli_errmsg("dmg_stripe_inflate: failed write to output file\n");
inflateEnd(&strm);
return CL_EWRITE;
}
}
inflateEnd(&strm);
return CL_CLEAN;
}
int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres, unsigned char *refhash)
{
const unsigned char *buff;
int ret = CL_CLEAN, type = CL_CLEAN, bytes, compute_hash[CLI_HASH_AVAIL_TYPES];
unsigned int i = 0, j = 0, bm_offmode = 0;
uint32_t maxpatlen, offset = 0;
struct cli_ac_data gdata, tdata;
struct cli_bm_off toff;
unsigned char digest[CLI_HASH_AVAIL_TYPES][32];
struct cli_matcher *groot = NULL, *troot = NULL;
struct cli_target_info info;
fmap_t *map = *ctx->fmap;
struct cli_matcher *hdb, *fp;
const char *virname = NULL;
uint32_t viroffset = 0;
uint32_t viruses_found = 0;
void *md5ctx, *sha1ctx, *sha256ctx;
if(!ctx->engine) {
cli_errmsg("cli_scandesc: engine == NULL\n");
return CL_ENULLARG;
}
md5ctx = cl_hash_init("md5");
if (!(md5ctx))
return CL_EMEM;
sha1ctx = cl_hash_init("sha1");
if (!(sha1ctx)) {
cl_hash_destroy(md5ctx);
return CL_EMEM;
}
sha256ctx = cl_hash_init("sha256");
if (!(sha256ctx)) {
cl_hash_destroy(md5ctx);
cl_hash_destroy(sha1ctx);
return CL_EMEM;
}
if(!ftonly)
groot = ctx->engine->root[0]; /* generic signatures */
if(ftype) {
for(i = 1; i < CLI_MTARGETS; i++) {
for (j = 0; j < cli_mtargets[i].target_count; ++j) {
if(cli_mtargets[i].target[j] == ftype) {
troot = ctx->engine->root[i];
break;
}
}
if (troot) break;
}
}
if(ftonly) {
if(!troot) {
cl_hash_destroy(md5ctx);
cl_hash_destroy(sha1ctx);
cl_hash_destroy(sha256ctx);
return CL_CLEAN;
}
maxpatlen = troot->maxpatlen;
} else {
if(troot)
maxpatlen = MAX(troot->maxpatlen, groot->maxpatlen);
else
maxpatlen = groot->maxpatlen;
}
cli_targetinfo(&info, i, map);
if(!ftonly) {
if((ret = cli_ac_initdata(&gdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) || (ret = cli_ac_caloff(groot, &gdata, &info))) {
if(info.exeinfo.section)
free(info.exeinfo.section);
cli_hashset_destroy(&info.exeinfo.vinfo);
cl_hash_destroy(md5ctx);
cl_hash_destroy(sha1ctx);
cl_hash_destroy(sha256ctx);
return ret;
}
}
if(troot) {
if((ret = cli_ac_initdata(&tdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)) || (ret = cli_ac_caloff(troot, &tdata, &info))) {
if(!ftonly)
cli_ac_freedata(&gdata);
if(info.exeinfo.section)
free(info.exeinfo.section);
cli_hashset_destroy(&info.exeinfo.vinfo);
cl_hash_destroy(md5ctx);
cl_hash_destroy(sha1ctx);
cl_hash_destroy(sha256ctx);
return ret;
}
if(troot->bm_offmode) {
if(map->len >= CLI_DEFAULT_BM_OFFMODE_FSIZE) {
if((ret = cli_bm_initoff(troot, &toff, &info))) {
if(!ftonly)
cli_ac_freedata(&gdata);
cli_ac_freedata(&tdata);
if(info.exeinfo.section)
free(info.exeinfo.section);
cli_hashset_destroy(&info.exeinfo.vinfo);
cl_hash_destroy(md5ctx);
cl_hash_destroy(sha1ctx);
cl_hash_destroy(sha256ctx);
return ret;
}
bm_offmode = 1;
}
}
}
hdb = ctx->engine->hm_hdb;
fp = ctx->engine->hm_fp;
if(!ftonly && hdb) {
if(!refhash) {
if(cli_hm_have_size(hdb, CLI_HASH_MD5, map->len) || cli_hm_have_size(fp, CLI_HASH_MD5, map->len)) {
compute_hash[CLI_HASH_MD5] = 1;
} else {
compute_hash[CLI_HASH_MD5] = 0;
}
} else {
compute_hash[CLI_HASH_MD5] = 0;
memcpy(digest[CLI_HASH_MD5], refhash, 16);
}
if(cli_hm_have_size(hdb, CLI_HASH_SHA1, map->len) || cli_hm_have_wild(hdb, CLI_HASH_SHA1)
|| cli_hm_have_size(fp, CLI_HASH_SHA1, map->len) || cli_hm_have_wild(fp, CLI_HASH_SHA1) ) {
compute_hash[CLI_HASH_SHA1] = 1;
} else {
compute_hash[CLI_HASH_SHA1] = 0;
}
if(cli_hm_have_size(hdb, CLI_HASH_SHA256, map->len) || cli_hm_have_wild(hdb, CLI_HASH_SHA256)
|| cli_hm_have_size(fp, CLI_HASH_SHA256, map->len) || cli_hm_have_wild(fp, CLI_HASH_SHA256)) {
compute_hash[CLI_HASH_SHA256] = 1;
} else {
compute_hash[CLI_HASH_SHA256] = 0;
}
}
while(offset < map->len) {
bytes = MIN(map->len - offset, SCANBUFF);
if(!(buff = fmap_need_off_once(map, offset, bytes)))
break;
if(ctx->scanned)
*ctx->scanned += bytes / CL_COUNT_PRECISION;
if(troot) {
virname = NULL;
viroffset = 0;
ret = matcher_run(troot, buff, bytes, &virname, &tdata, offset, &info, ftype, ftoffset, acmode, acres, map, bm_offmode ? &toff : NULL, &viroffset, ctx);
if (virname) {
/* virname already appended by matcher_run */
viruses_found = 1;
}
if((ret == CL_VIRUS && !SCAN_ALL) || ret == CL_EMEM) {
if(!ftonly)
cli_ac_freedata(&gdata);
cli_ac_freedata(&tdata);
if(bm_offmode)
cli_bm_freeoff(&toff);
if(info.exeinfo.section)
free(info.exeinfo.section);
cli_hashset_destroy(&info.exeinfo.vinfo);
cl_hash_destroy(md5ctx);
cl_hash_destroy(sha1ctx);
cl_hash_destroy(sha256ctx);
return ret;
}
}
if(!ftonly) {
virname = NULL;
viroffset = 0;
ret = matcher_run(groot, buff, bytes, &virname, &gdata, offset, &info, ftype, ftoffset, acmode, acres, map, NULL, &viroffset, ctx);
if (virname) {
/* virname already appended by matcher_run */
viruses_found = 1;
}
if((ret == CL_VIRUS && !SCAN_ALL) || ret == CL_EMEM) {
cli_ac_freedata(&gdata);
if(troot) {
cli_ac_freedata(&tdata);
if(bm_offmode)
cli_bm_freeoff(&toff);
}
if(info.exeinfo.section)
free(info.exeinfo.section);
cli_hashset_destroy(&info.exeinfo.vinfo);
cl_hash_destroy(md5ctx);
cl_hash_destroy(sha1ctx);
cl_hash_destroy(sha256ctx);
return ret;
} else if((acmode & AC_SCAN_FT) && ret >= CL_TYPENO) {
if(ret > type)
type = ret;
}
if(hdb) {
const void *data = buff + maxpatlen * (offset!=0);
uint32_t data_len = bytes - maxpatlen * (offset!=0);
if(compute_hash[CLI_HASH_MD5])
cl_update_hash(md5ctx, (void *)data, data_len);
if(compute_hash[CLI_HASH_SHA1])
cl_update_hash(sha1ctx, (void *)data, data_len);
if(compute_hash[CLI_HASH_SHA256])
cl_update_hash(sha256ctx, (void *)data, data_len);
}
}
if(SCAN_ALL && viroffset) {
offset = viroffset;
continue;
}
if(bytes < SCANBUFF)
break;
offset += bytes - maxpatlen;
}
if(!ftonly && hdb) {
enum CLI_HASH_TYPE hashtype, hashtype2;
if(compute_hash[CLI_HASH_MD5]) {
cl_finish_hash(md5ctx, digest[CLI_HASH_MD5]);
md5ctx = NULL;
}
if(refhash)
compute_hash[CLI_HASH_MD5] = 1;
if(compute_hash[CLI_HASH_SHA1]) {
cl_finish_hash(sha1ctx, digest[CLI_HASH_SHA1]);
sha1ctx = NULL;
}
if(compute_hash[CLI_HASH_SHA256]) {
cl_finish_hash(sha256ctx, digest[CLI_HASH_SHA256]);
sha256ctx = NULL;
}
virname = NULL;
for(hashtype = CLI_HASH_MD5; hashtype < CLI_HASH_AVAIL_TYPES; hashtype++) {
const char * virname_w = NULL;
int found = 0;
/* If no hash, skip to next type */
if(!compute_hash[hashtype])
continue;
/* Do hash scan */
if((ret = cli_hm_scan(digest[hashtype], map->len, &virname, hdb, hashtype)) == CL_VIRUS) {
found += 1;
}
if(!found || SCAN_ALL) {
if ((ret = cli_hm_scan_wild(digest[hashtype], &virname_w, hdb, hashtype)) == CL_VIRUS)
found += 2;
}
/* If found, do immediate hash-only FP check */
if (found && fp) {
for(hashtype2 = CLI_HASH_MD5; hashtype2 < CLI_HASH_AVAIL_TYPES; hashtype2++) {
if(!compute_hash[hashtype2])
continue;
if(cli_hm_scan(digest[hashtype2], map->len, NULL, fp, hashtype2) == CL_VIRUS) {
found = 0;
ret = CL_CLEAN;
break;
}
else if(cli_hm_scan_wild(digest[hashtype2], NULL, fp, hashtype2) == CL_VIRUS) {
found = 0;
ret = CL_CLEAN;
break;
}
}
}
/* If matched size-based hash ... */
if (found % 2) {
viruses_found = 1;
cli_append_virus(ctx, virname);
if (!SCAN_ALL)
break;
virname = NULL;
}
/* If matched size-agnostic hash ... */
if (found > 1) {
viruses_found = 1;
cli_append_virus(ctx, virname_w);
if (!SCAN_ALL)
break;
}
}
}
cl_hash_destroy(md5ctx);
cl_hash_destroy(sha1ctx);
cl_hash_destroy(sha256ctx);
if(troot) {
if(ret != CL_VIRUS || SCAN_ALL)
ret = cli_lsig_eval(ctx, troot, &tdata, &info, (const char *)refhash);
if (ret == CL_VIRUS)
viruses_found++;
cli_ac_freedata(&tdata);
if(bm_offmode)
cli_bm_freeoff(&toff);
}
if(groot) {
if(ret != CL_VIRUS || SCAN_ALL)
ret = cli_lsig_eval(ctx, groot, &gdata, &info, (const char *)refhash);
cli_ac_freedata(&gdata);
}
if(info.exeinfo.section)
free(info.exeinfo.section);
cli_hashset_destroy(&info.exeinfo.vinfo);
if (SCAN_ALL && viruses_found)
return CL_VIRUS;
if(ret == CL_VIRUS)
return CL_VIRUS;
return (acmode & AC_SCAN_FT) ? type : CL_CLEAN;
}
/* Given mish data, reconstruct the partition details */
static int dmg_handle_mish(cli_ctx *ctx, unsigned int mishblocknum, char *dir,
uint64_t xmlOffset, struct dmg_mish_with_stripes *mish_set)
{
struct dmg_block_data *blocklist = mish_set->stripes;
uint64_t totalSectors = 0;
uint32_t i;
unsigned long projected_size;
int ret = CL_CLEAN, ofd;
uint8_t sorted = 1, writeable_data = 0;
char outfile[NAME_MAX + 1];
/* First loop, fix endian-ness and check if already sorted */
for (i = 0; i < mish_set->mish->blockDataCount; i++) {
blocklist[i].type = be32_to_host(blocklist[i].type);
// blocklist[i].reserved = be32_to_host(blocklist[i].reserved);
blocklist[i].startSector = be64_to_host(blocklist[i].startSector);
blocklist[i].sectorCount = be64_to_host(blocklist[i].sectorCount);
blocklist[i].dataOffset = be64_to_host(blocklist[i].dataOffset);
blocklist[i].dataLength = be64_to_host(blocklist[i].dataLength);
cli_dbgmsg("mish %u stripe " STDu32 " type " STDx32 " start " STDu64
" count " STDu64 " source " STDu64 " length " STDu64 "\n",
mishblocknum, i, blocklist[i].type, blocklist[i].startSector, blocklist[i].sectorCount,
blocklist[i].dataOffset, blocklist[i].dataLength);
if ((blocklist[i].dataOffset > xmlOffset) ||
(blocklist[i].dataOffset + blocklist[i].dataLength > xmlOffset)) {
cli_dbgmsg("dmg_handle_mish: invalid stripe offset and/or length\n");
return CL_EFORMAT;
}
if ((i > 0) && sorted && (blocklist[i].startSector < blocklist[i-1].startSector)) {
cli_dbgmsg("dmg_handle_mish: stripes not in order, will have to sort\n");
sorted = 0;
}
if (dmg_track_sectors(&totalSectors, &writeable_data, i, blocklist[i].type, blocklist[i].sectorCount)) {
/* reason was logged from dmg_track_sector_count */
return CL_EFORMAT;
}
}
if (!sorted) {
cli_qsort(blocklist, mish_set->mish->blockDataCount, sizeof(struct dmg_block_data), cmp_mish_stripes);
}
cli_dbgmsg("dmg_handle_mish: stripes in order!\n");
/* Size checks */
if ((writeable_data == 0) || (totalSectors == 0)) {
cli_dbgmsg("dmg_handle_mish: no data to output\n");
return CL_CLEAN;
}
else if (totalSectors > (ULONG_MAX / DMG_SECTOR_SIZE)) {
/* cli_checklimits only takes unsigned long for now */
cli_warnmsg("dmg_handle_mish: mish block %u too big to handle (for now)", mishblocknum);
return CL_CLEAN;
}
projected_size = (unsigned long)(totalSectors * DMG_SECTOR_SIZE);
ret = cli_checklimits("cli_scandmg", ctx, projected_size, 0, 0);
if (ret != CL_CLEAN) {
/* limits exceeded */
cli_dbgmsg("dmg_handle_mish: skipping block %u, limits exceeded\n", mishblocknum);
return ret;
}
/* Prepare for file */
snprintf(outfile, sizeof(outfile)-1, "%s"PATHSEP"dmg%02u", dir, mishblocknum);
outfile[sizeof(outfile)-1] = '\0';
ofd = open(outfile, O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_BINARY, 0600);
if (ofd < 0) {
char err[128];
cli_errmsg("cli_scandmg: Can't create temporary file %s: %s\n",
outfile, cli_strerror(errno, err, sizeof(err)));
return CL_ETMPFILE;
}
cli_dbgmsg("dmg_handle_mish: extracting block %u to %s\n", mishblocknum, outfile);
/* Push data, stripe by stripe */
for(i=0; i < mish_set->mish->blockDataCount && ret == CL_CLEAN; i++) {
switch (blocklist[i].type) {
case DMG_STRIPE_EMPTY:
case DMG_STRIPE_ZEROES:
ret = dmg_stripe_zeroes(ctx, ofd, i, mish_set);
break;
case DMG_STRIPE_STORED:
ret = dmg_stripe_store(ctx, ofd, i, mish_set);
break;
case DMG_STRIPE_ADC:
ret = dmg_stripe_adc(ctx, ofd, i, mish_set);
break;
case DMG_STRIPE_DEFLATE:
ret = dmg_stripe_inflate(ctx, ofd, i, mish_set);
break;
case DMG_STRIPE_BZ:
ret = dmg_stripe_bzip(ctx, ofd, i, mish_set);
break;
case DMG_STRIPE_SKIP:
case DMG_STRIPE_END:
default:
cli_dbgmsg("dmg_handle_mish: stripe " STDu32 ", skipped\n", i);
break;
}
}
/* If okay so far, scan rebuilt partition */
if (ret == CL_CLEAN) {
ret = cli_partition_scandesc(ofd, ctx);
}
close(ofd);
if (!ctx->engine->keeptmp)
if (cli_unlink(outfile)) return CL_EUNLINK;
return ret;
}
int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
{
char md5[33];
unsigned int i;
const char *virname=NULL;
fmap_t *map;
const char *ptr;
uint8_t shash1[SHA1_HASH_SIZE*2+1];
uint8_t shash256[SHA256_HASH_SIZE*2+1];
int have_sha1, have_sha256, do_dsig_check = 1;
stats_section_t sections;
if(cli_hm_scan(digest, size, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) {
cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: %d\n", virname, (int)size);
return CL_CLEAN;
}
else if(cli_hm_scan_wild(digest, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) {
cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s), size: *\n", virname);
return CL_CLEAN;
}
if(cli_debug_flag || ctx->engine->cb_hash) {
for(i = 0; i < 16; i++)
sprintf(md5 + i * 2, "%02x", digest[i]);
md5[32] = 0;
cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) size,
cli_get_last_virus(ctx) ? cli_get_last_virus(ctx) : "Name");
}
if(cli_get_last_virus(ctx))
do_dsig_check = strncmp("W32S.", cli_get_last_virus(ctx), 5);
map = *ctx->fmap;
have_sha1 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, size)
|| cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA1)
|| (cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 1) && do_dsig_check);
have_sha256 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA256, size)
|| cli_hm_have_wild(ctx->engine->hm_fp, CLI_HASH_SHA256);
if(have_sha1 || have_sha256) {
if((ptr = fmap_need_off_once(map, 0, size))) {
if(have_sha1) {
cl_sha1(ptr, size, &shash1[SHA1_HASH_SIZE], NULL);
if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
return CL_CLEAN;
}
if(cli_hm_scan_wild(&shash1[SHA1_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
return CL_CLEAN;
}
if(do_dsig_check && cli_hm_scan(&shash1[SHA1_HASH_SIZE], 1, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection via catalog file\n");
return CL_CLEAN;
}
}
if(have_sha256) {
cl_sha256(ptr, size, &shash256[SHA256_HASH_SIZE], NULL);
if(cli_hm_scan(&shash256[SHA256_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
return CL_CLEAN;
}
if(cli_hm_scan_wild(&shash256[SHA256_HASH_SIZE], &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS) {
cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
return CL_CLEAN;
}
}
}
}
#ifdef HAVE__INTERNAL__SHA_COLLECT
if((ctx->options & CL_SCAN_INTERNAL_COLLECT_SHA) && ctx->sha_collect>0) {
if((ptr = fmap_need_off_once(map, 0, size))) {
if(!have_sha256)
cl_sha256(ptr, size, shash256+SHA256_HASH_SIZE, NULL);
for(i=0; i<SHA256_HASH_SIZE; i++)
sprintf((char *)shash256+i*2, "%02x", shash256[SHA256_HASH_SIZE+i]);
if(!have_sha1)
cl_sha1(ptr, size, shash1+SHA1_HASH_SIZE);
for(i=0; i<SHA1_HASH_SIZE; i++)
sprintf((char *)shash1+i*2, "%02x", shash1[SHA1_HASH_SIZE+i]);
cli_errmsg("COLLECT:%s:%s:%u:%s:%s\n", shash256, shash1, size, cli_get_last_virus(ctx), ctx->entry_filename);
} else
cli_errmsg("can't compute sha\n!");
ctx->sha_collect = -1;
}
#endif
memset(§ions, 0x00, sizeof(stats_section_t));
if(do_dsig_check || ctx->engine->cb_stats_add_sample) {
uint32_t flags = (do_dsig_check ? CL_CHECKFP_PE_FLAG_AUTHENTICODE : 0);
if (!(ctx->engine->engine_options & ENGINE_OPTIONS_DISABLE_PE_STATS) && !(ctx->engine->dconf->stats & (DCONF_STATS_DISABLED | DCONF_STATS_PE_SECTION_DISABLED)))
flags |= CL_CHECKFP_PE_FLAG_STATS;
switch(cli_checkfp_pe(ctx, shash1, §ions, flags)) {
case CL_CLEAN:
cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid embedded digital signature\n");
return CL_CLEAN;
case CL_VIRUS:
if(cli_hm_scan(shash1, 2, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
cli_dbgmsg("cli_checkfp(pe): PE file whitelisted by catalog file\n");
return CL_CLEAN;
}
}
}
if (ctx->engine->cb_hash)
ctx->engine->cb_hash(fmap_fd(*ctx->fmap), size, (const unsigned char *)md5, cli_get_last_virus(ctx), ctx->cb_ctx);
if (ctx->engine->cb_stats_add_sample)
ctx->engine->cb_stats_add_sample(cli_get_last_virus(ctx), digest, size, §ions, ctx->engine->stats_data);
if (sections.sections)
free(sections.sections);
return CL_VIRUS;
}
/*
* offdata[0]: type
* offdata[1]: offset value
* offdata[2]: max shift
* offdata[3]: section number
*/
int cli_caloff(const char *offstr, const struct cli_target_info *info, unsigned int target, uint32_t *offdata, uint32_t *offset_min, uint32_t *offset_max)
{
char offcpy[65];
unsigned int n, val;
char *pt;
if(!info) { /* decode offset string */
if(!offstr) {
cli_errmsg("cli_caloff: offstr == NULL\n");
return CL_ENULLARG;
}
if(!strcmp(offstr, "*")) {
offdata[0] = *offset_max = *offset_min = CLI_OFF_ANY;
return CL_SUCCESS;
}
if(strlen(offstr) > 64) {
cli_errmsg("cli_caloff: Offset string too long\n");
return CL_EMALFDB;
}
strcpy(offcpy, offstr);
if((pt = strchr(offcpy, ','))) {
if(!cli_isnumber(pt + 1)) {
cli_errmsg("cli_caloff: Invalid offset shift value\n");
return CL_EMALFDB;
}
offdata[2] = atoi(pt + 1);
*pt = 0;
} else {
offdata[2] = 0;
}
*offset_max = *offset_min = CLI_OFF_NONE;
if(!strncmp(offcpy, "EP+", 3) || !strncmp(offcpy, "EP-", 3)) {
if(offcpy[2] == '+')
offdata[0] = CLI_OFF_EP_PLUS;
else
offdata[0] = CLI_OFF_EP_MINUS;
if(!cli_isnumber(&offcpy[3])) {
cli_errmsg("cli_caloff: Invalid offset value\n");
return CL_EMALFDB;
}
offdata[1] = atoi(&offcpy[3]);
} else if(offcpy[0] == 'S') {
if(offcpy[1] == 'E') {
if(!cli_isnumber(&offcpy[2])) {
cli_errmsg("cli_caloff: Invalid section number\n");
return CL_EMALFDB;
}
offdata[0] = CLI_OFF_SE;
offdata[3] = atoi(&offcpy[2]);
} else if(!strncmp(offstr, "SL+", 3)) {
offdata[0] = CLI_OFF_SL_PLUS;
if(!cli_isnumber(&offcpy[3])) {
cli_errmsg("cli_caloff: Invalid offset value\n");
return CL_EMALFDB;
}
offdata[1] = atoi(&offcpy[3]);
} else if(sscanf(offcpy, "S%u+%u", &n, &val) == 2) {
offdata[0] = CLI_OFF_SX_PLUS;
offdata[1] = val;
offdata[3] = n;
} else {
cli_errmsg("cli_caloff: Invalid offset string\n");
return CL_EMALFDB;
}
} else if(!strncmp(offcpy, "EOF-", 4)) {
offdata[0] = CLI_OFF_EOF_MINUS;
if(!cli_isnumber(&offcpy[4])) {
cli_errmsg("cli_caloff: Invalid offset value\n");
return CL_EMALFDB;
}
offdata[1] = atoi(&offcpy[4]);
} else if(!strncmp(offcpy, "VI", 2)) {
/* versioninfo */
offdata[0] = CLI_OFF_VERSION;
} else if (strchr(offcpy, '$')) {
if (sscanf(offcpy, "$%u$", &n) != 1) {
cli_errmsg("cli_caloff: Invalid macro($) in offset: %s\n", offcpy);
return CL_EMALFDB;
}
if (n >= 32) {
cli_errmsg("cli_caloff: at most 32 macro groups supported\n");
return CL_EMALFDB;
}
offdata[0] = CLI_OFF_MACRO;
offdata[1] = n;
} else {
offdata[0] = CLI_OFF_ABSOLUTE;
if(!cli_isnumber(offcpy)) {
cli_errmsg("cli_caloff: Invalid offset value\n");
return CL_EMALFDB;
}
*offset_min = offdata[1] = atoi(offcpy);
*offset_max = *offset_min + offdata[2];
}
if(offdata[0] != CLI_OFF_ANY && offdata[0] != CLI_OFF_ABSOLUTE &&
offdata[0] != CLI_OFF_EOF_MINUS && offdata[0] != CLI_OFF_MACRO) {
if(target != 1 && target != 6 && target != 9) {
cli_errmsg("cli_caloff: Invalid offset type for target %u\n", target);
return CL_EMALFDB;
}
}
} else {
/* calculate relative offsets */
*offset_min = CLI_OFF_NONE;
if(offset_max)
*offset_max = CLI_OFF_NONE;
if(info->status == -1)
return CL_SUCCESS;
switch(offdata[0]) {
case CLI_OFF_EOF_MINUS:
*offset_min = info->fsize - offdata[1];
break;
case CLI_OFF_EP_PLUS:
*offset_min = info->exeinfo.ep + offdata[1];
break;
case CLI_OFF_EP_MINUS:
*offset_min = info->exeinfo.ep - offdata[1];
break;
case CLI_OFF_SL_PLUS:
*offset_min = info->exeinfo.section[info->exeinfo.nsections - 1].raw + offdata[1];
break;
case CLI_OFF_SX_PLUS:
if(offdata[3] >= info->exeinfo.nsections)
*offset_min = CLI_OFF_NONE;
else
*offset_min = info->exeinfo.section[offdata[3]].raw + offdata[1];
break;
case CLI_OFF_SE:
if(offdata[3] >= info->exeinfo.nsections) {
*offset_min = CLI_OFF_NONE;
} else {
*offset_min = info->exeinfo.section[offdata[3]].raw;
if (offset_max)
*offset_max = *offset_min + info->exeinfo.section[offdata[3]].rsz + offdata[2];
}
break;
case CLI_OFF_VERSION:
if (offset_max)
*offset_min = *offset_max = CLI_OFF_ANY;
break;
default:
cli_errmsg("cli_caloff: Not a relative offset (type: %u)\n", offdata[0]);
return CL_EARG;
}
if(offset_max && *offset_max == CLI_OFF_NONE && *offset_min != CLI_OFF_NONE)
*offset_max = *offset_min + offdata[2];
}
return CL_SUCCESS;
}
int cli_scanbuff(const unsigned char *buffer, uint32_t length, uint32_t offset, cli_ctx *ctx, cli_file_t ftype, struct cli_ac_data **acdata)
{
int ret = CL_CLEAN;
unsigned int i = 0, j = 0, viruses_found = 0;
struct cli_ac_data mdata;
struct cli_matcher *groot, *troot = NULL;
const char *virname = NULL;
const struct cl_engine *engine=ctx->engine;
if(!engine) {
cli_errmsg("cli_scanbuff: engine == NULL\n");
return CL_ENULLARG;
}
groot = engine->root[0]; /* generic signatures */
if(ftype) {
for(i = 1; i < CLI_MTARGETS; i++) {
for (j = 0; j < cli_mtargets[i].target_count; ++j) {
if(cli_mtargets[i].target[j] == ftype) {
troot = ctx->engine->root[i];
break;
}
}
if (troot) break;
}
}
if(troot) {
if(!acdata && (ret = cli_ac_initdata(&mdata, troot->ac_partsigs, troot->ac_lsigs, troot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)))
return ret;
ret = matcher_run(troot, buffer, length, &virname, acdata ? (acdata[0]): (&mdata), offset, NULL, ftype, NULL, AC_SCAN_VIR, NULL, *ctx->fmap, NULL, NULL, ctx);
if(!acdata)
cli_ac_freedata(&mdata);
if(ret == CL_EMEM)
return ret;
if(ret == CL_VIRUS) {
viruses_found = 1;
if(ctx && !SCAN_ALL) {
return ret;
}
}
}
virname = NULL;
if(!acdata && (ret = cli_ac_initdata(&mdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN)))
return ret;
ret = matcher_run(groot, buffer, length, &virname, acdata ? (acdata[1]): (&mdata), offset, NULL, ftype, NULL, AC_SCAN_VIR, NULL, *ctx->fmap, NULL, NULL, ctx);
if(!acdata)
cli_ac_freedata(&mdata);
if(viruses_found)
return CL_VIRUS;
return ret;
}
static int ooxml_basic_json(int fd, cli_ctx *ctx, const char *key)
{
int ret = CL_SUCCESS;
const xmlChar *stack[OOXML_JSON_RECLEVEL];
json_object *summary, *wrkptr;
int type, rlvl = 0;
int32_t val2;
const xmlChar *name, *value;
xmlTextReaderPtr reader = NULL;
cli_dbgmsg("in ooxml_basic_json\n");
reader = xmlReaderForFd(fd, "properties.xml", NULL, 0);
if (reader == NULL) {
cli_dbgmsg("ooxml_basic_json: xmlReaderForFd error for %s\n", key);
return CL_SUCCESS; // libxml2 failed!
}
summary = json_object_new_object();
if (NULL == summary) {
cli_errmsg("ooxml_basic_json: no memory for json object.\n");
ret = CL_EFORMAT;
goto ooxml_basic_exit;
}
while (xmlTextReaderRead(reader) == 1) {
name = xmlTextReaderConstLocalName(reader);
value = xmlTextReaderConstValue(reader);
type = xmlTextReaderNodeType(reader);
cli_dbgmsg("%s [%i]: %s\n", name, type, value);
switch (type) {
case XML_READER_TYPE_ELEMENT:
stack[rlvl] = name;
rlvl++;
break;
case XML_READER_TYPE_TEXT:
{
wrkptr = summary;
if (rlvl > 2) { /* 0 is root xml object */
int i;
for (i = 1; i < rlvl-1; ++i) {
json_object *newptr = json_object_object_get(wrkptr, stack[i]);
if (!newptr) {
newptr = json_object_new_object();
if (NULL == newptr) {
cli_errmsg("ooxml_basic_json: no memory for json object.\n");
ret = CL_EMEM;
goto ooxml_basic_exit;
}
json_object_object_add(wrkptr, stack[i], newptr);
}
else {
/* object already exists */
if (!json_object_is_type(newptr, json_type_object)) {
cli_warnmsg("ooxml_content_cb: json object already exists as not an object\n");
ret = CL_EFORMAT;
goto ooxml_basic_exit;
}
}
wrkptr = newptr;
cli_dbgmsg("stack %d: %s\n", i, stack[i]);
}
}
if (ooxml_is_int(value, xmlStrlen(value), &val2)) {
ret = cli_jsonint(wrkptr, stack[rlvl-1], val2);
}
else if (!xmlStrcmp(value, "true")) {
ret = cli_jsonbool(wrkptr, stack[rlvl-1], 1);
}
else if (!xmlStrcmp(value, "false")) {
ret = cli_jsonbool(wrkptr, stack[rlvl-1], 0);
}
else {
ret = cli_jsonstr(wrkptr, stack[rlvl-1], value);
}
if (ret != CL_SUCCESS)
goto ooxml_basic_exit;
}
break;
case XML_READER_TYPE_END_ELEMENT:
rlvl--;
break;
default:
cli_dbgmsg("ooxml_content_cb: unhandled xml node %s [%i]: %s\n", name, type, value);
ret = CL_EFORMAT;
goto ooxml_basic_exit;
}
}
json_object_object_add(ctx->wrkproperty, key, summary);
if (rlvl != 0) {
cli_warnmsg("ooxml_basic_json: office property file has unbalanced tags\n");
/* FAIL */
}
ooxml_basic_exit:
xmlTextReaderClose(reader);
xmlFreeTextReader(reader);
return ret;
}
static int ooxml_parse_element(xmlTextReaderPtr reader, json_object *wrkptr, int rlvl, int skip)
{
const char *element_tag = NULL, *end_tag = NULL;
const xmlChar *node_name = NULL, *node_value = NULL;
json_object *njptr;
int node_type, ret = CL_SUCCESS;
int32_t val2;
cli_dbgmsg("in ooxml_parse_element @ layer %d\n", rlvl);
/* check recursion level */
if (rlvl >= OOXML_JSON_RECLEVEL_MAX) {
return CL_EMAXREC;
}
if (wrkptr == NULL) {
skip = 1;
}
/* acquire element type */
node_type = xmlTextReaderNodeType(reader);
if (node_type != XML_READER_TYPE_ELEMENT) {
cli_dbgmsg("ooxml_parse_element: first node typed %d, not %d\n", node_type, XML_READER_TYPE_ELEMENT);
return CL_EPARSE; /* first type is not an element */
}
/* acquire element tag */
node_name = xmlTextReaderConstLocalName(reader);
if (!node_name) {
cli_dbgmsg("ooxml_parse_element: element tag node nameless\n");
return CL_EPARSE; /* no name, nameless */
}
element_tag = ooxml_check_key(node_name, xmlStrlen(node_name));
if (!element_tag) {
cli_dbgmsg("ooxml_parse_element: invalid element tag [%s]\n", node_name);
skip = 1; /* skipping element */
//return CL_EFORMAT; /* REMOVE */
}
/* handle attributes if you want */
/* loop across all element contents */
while (xmlTextReaderRead(reader) == 1) {
node_type = xmlTextReaderNodeType(reader);
switch (node_type) {
case XML_READER_TYPE_ELEMENT:
if (!skip) {
njptr = json_object_object_get(wrkptr, element_tag);
if (!njptr) {
njptr = json_object_new_object();
if (NULL == njptr) {
cli_errmsg("ooxml_basic_json: no memory for json object.\n");
return CL_EMEM;
}
cli_dbgmsg("ooxml_basic_json: added json object [%s]\n", element_tag);
json_object_object_add(wrkptr, element_tag, njptr);
}
else {
if (!json_object_is_type(njptr, json_type_object)) {
cli_warnmsg("ooxml_content_cb: json object [%s] already exists as not an object\n", element_tag);
return CL_EFORMAT;
}
}
}
else {
njptr = NULL;
}
ret = ooxml_parse_element(reader, njptr, rlvl+1, skip);
if (ret != CL_SUCCESS) {
return ret;
}
break;
case XML_READER_TYPE_END_ELEMENT:
cli_dbgmsg("in ooxml_parse_element @ layer %d closed\n", rlvl);
node_name = xmlTextReaderConstLocalName(reader);
if (!node_name) {
cli_dbgmsg("ooxml_parse_element: element end tag node nameless\n");
return CL_EPARSE; /* no name, nameless */
}
if (!skip) {
end_tag = ooxml_check_key(node_name, xmlStrlen(node_name));
if (!end_tag) {
cli_dbgmsg("ooxml_parse_element: invalid element end tag [%s]\n", node_name);
return CL_EFORMAT; /* unrecognized element tag */
}
if (strncmp(element_tag, end_tag, strlen(element_tag))) {
cli_dbgmsg("ooxml_parse_element: element tag does not match end tag\n");
return CL_EFORMAT;
}
}
return CL_SUCCESS;
case XML_READER_TYPE_TEXT:
if (!skip) {
node_value = xmlTextReaderConstValue(reader);
njptr = json_object_object_get(wrkptr, element_tag);
if (njptr) {
cli_warnmsg("ooxml_parse_element: json object [%s] already exists\n", element_tag);
}
if (ooxml_is_int(node_value, xmlStrlen(node_value), &val2)) {
ret = cli_jsonint(wrkptr, element_tag, val2);
}
else if (!xmlStrcmp(node_value, "true")) {
ret = cli_jsonbool(wrkptr, element_tag, 1);
}
else if (!xmlStrcmp(node_value, "false")) {
ret = cli_jsonbool(wrkptr, element_tag, 0);
}
else {
ret = cli_jsonstr(wrkptr, element_tag, node_value);
}
if (ret != CL_SUCCESS)
return ret;
cli_dbgmsg("ooxml_basic_json: added json value [%s: %s]\n", element_tag, node_value);
}
else {
node_name = xmlTextReaderConstLocalName(reader);
node_value = xmlTextReaderConstValue(reader);
cli_dbgmsg("ooxml_parse_element: not adding xml node %s [%d]: %s\n", node_name, node_type, node_value);
}
break;
default:
node_name = xmlTextReaderConstLocalName(reader);
node_value = xmlTextReaderConstValue(reader);
cli_dbgmsg("ooxml_parse_element: unhandled xml node %s [%d]: %s\n", node_name, node_type, node_value);
return CL_EPARSE;
}
}
return CL_SUCCESS;
}
