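/*
 * Bytecode entry point: raise the "EmbedPE" alert when any element of the
 * "ContainedObjects" JSON array carries a "FileType" string equal to
 * "CL_TYPE_MSEXE".
 *
 * Returns -1 when the JSON API is inactive or "ContainedObjects" is not an
 * array, and 0 otherwise (whether or not the alert was raised).
 *
 * NOTE(review): the JSON values are presumably derived from the file being
 * scanned, so every length is treated as untrusted and bounded before use.
 */
int entrypoint ()
{
    int i;
    int32_t type, obj, objarr, objit, arrlen;

    /* nothing to inspect unless the JSON API is available for this scan */
    if (!json_is_active()) {
        return -1;
    }

    /* look up the array of contained objects (16 = key length, parent id 0) */
    objarr = json_get_object("ContainedObjects", 16, 0);
    type = json_get_type(objarr);
    /* debug print uint (no '\n' or prepended message) */
    debug_print_uint(type);
    if (type != JSON_TYPE_ARRAY) {
        return -1;
    }

    arrlen = json_get_array_length(objarr);
    for (i = 0; i < arrlen; ++i) {
        int32_t len, need;

        /* element at index i; non-positive ids are skipped as failed lookups */
        objit = json_get_array_idx(i, objarr);
        if (objit <= 0)
            continue;

        /* the element's FileType member (8 = key length) */
        obj = json_get_object("FileType", 8, objit);
        if (obj <= 0)
            continue;

        if (json_get_type(obj) != JSON_TYPE_STRING)
            continue;

        /*
         * Reject a negative length before adding the terminator: it would
         * otherwise become a zero or wrapped buffer size.
         */
        len = json_get_string_length(obj);
        if (len < 0)
            continue;

        /* bytes to request: string plus NUL, clamped so str is never overrun */
        need = (len >= STR_MAXLEN) ? STR_MAXLEN : len + 1;

        /*
         * Zero-filled for every element so the comparison below can never
         * read indeterminate or stale bytes if fewer bytes than requested
         * were written.
         */
        char str[STR_MAXLEN] = {0};
        if (!json_get_string(str, need, obj))
            continue;

        /* debug print str (with '\n' and prepended message) */
        debug_print_str(str, need);

        /*
         * "CL_TYPE_MSEXE" is 13 characters, 14 with its NUL.  The untruncated
         * length is checked as well as the clamped one: with a 14-byte buffer
         * a longer value that merely starts with "CL_TYPE_MSEXE" would be
         * truncated into an apparent exact match and raise a false alert.
         * need == 14 also keeps memcmp inside str when STR_MAXLEN is smaller
         * than 14 (in which case this signature can never fire).
         */
        if (len == 13 && need == 14 && !memcmp(str, "CL_TYPE_MSEXE", 14)) {
            /* alert for submission */
            foundVirus("EmbedPE");
            return 0;
        }
    }

    return 0;
}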
/*
 * Emit "0x" followed by exactly eight characters taken from the digits table,
 * one per 4-bit group of val, highest group first.  Only the low 32 bits of
 * val are covered.
 *
 * NOTE(review): digits is presumably a 16-entry hex character table; the mask
 * below keeps every index in the range 0..15.
 * NOTE(review): debug_print_str is called with a single argument here;
 * confirm this matches the declaration in use.
 */
void debug_print_hex (unsigned int val)
{
    int shift = 28;

    debug_print_str ("0x");
    while (shift >= 0) {
        unsigned int nibble = (val >> shift) & 0xf;

        debug_print_chr (digits[nibble]);
        shift -= 4;
    }
}