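/*
 * Recursively walk dirname.  Each regular file is opened and passed to
 * cli_ole2_extract(), which unpacks it into a freshly created private
 * (mode 0700) temporary directory; that directory is then handed to
 * sigtool_vba_scandir() and removed again.
 *
 * Returns 0 once every entry has been processed, CL_EOPEN if dirname cannot
 * be opened, CL_ETMPDIR if the temporary directory cannot be created, 1 if a
 * file cannot be opened, the cli_ole2_extract() error code if extraction
 * fails, CL_VIRUS if a recursive call returns anything non-zero, and -1 on
 * allocation failure.
 *
 * Every exit taken after opendir() succeeds goes through the single cleanup
 * label, so the directory handle, the path buffer, the file descriptor and
 * the temporary directory are released on error paths as well.
 */
static int sigtool_scandir (const char *dirname, int hex_output)
{
    DIR *dd;
    struct dirent *dent;
    struct stat statbuf;
    char *fname = NULL;
    char *dir = NULL;
    const char *tmpdir;
    size_t fname_len;
    int desc = -1;
    int dir_created = 0;
    int ret;
    int rc = 0;

    if ((dd = opendir (dirname)) == NULL) {
        cli_errmsg ("Can't open directory %s.\n", dirname);
        return CL_EOPEN;
    }

    while ((dent = readdir (dd))) {
        if (!dent->d_ino)
            continue;
        if (!strcmp (dent->d_name, ".") || !strcmp (dent->d_name, ".."))
            continue;

        /* build the full name: dirname + '/' + entry + NUL */
        fname_len = strlen (dirname) + strlen (dent->d_name) + 2;
        fname = (char *) cli_calloc (fname_len, sizeof (char));
        if (!fname) {
            rc = -1;
            goto done;
        }
        snprintf (fname, fname_len, "%s/%s", dirname, dent->d_name);

        /*
         * stat the file without following a symlink.
         * NOTE(review): lstat() and the later open() are separate path
         * lookups, so the entry can change in between; if the scanned tree
         * may be writable by someone else, re-check with fstat() on the
         * opened descriptor.
         */
        if (lstat (fname, &statbuf) == -1) {
            free (fname);
            fname = NULL;
            continue;
        }

        if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode)) {
            /* any non-zero result from the subtree is reported as CL_VIRUS */
            if (sigtool_scandir (fname, hex_output)) {
                rc = CL_VIRUS;
                goto done;
            }
        } else if (S_ISREG (statbuf.st_mode)) {
            tmpdir = getenv ("TMPDIR");
            if (tmpdir == NULL) {
#ifdef P_tmpdir
                tmpdir = P_tmpdir;
#else
                tmpdir = "/tmp";
#endif
            }

            /* generate the temporary directory */
            dir = cli_gentemp (tmpdir);
            if (!dir) {
                printf ("cli_gentemp() failed\n");
                rc = -1;
                goto done;
            }
            if (mkdir (dir, 0700)) {
                /* not ours (e.g. it already exists): never remove it */
                printf ("Can't create temporary directory %s\n", dir);
                rc = CL_ETMPDIR;
                goto done;
            }
            dir_created = 1;

            if ((desc = open (fname, O_RDONLY)) == -1) {
                printf ("Can't open file %s\n", fname);
                rc = 1;
                goto done;
            }

            if ((ret = cli_ole2_extract (desc, dir, NULL))) {
                printf ("ERROR %s\n", cl_strerror (ret));
                rc = ret;
                goto done;
            }

            sigtool_vba_scandir (dir, hex_output);

            /*
             * NOTE(review): assumes cli_ole2_extract() leaves ownership of
             * desc with the caller; without this close one descriptor is
             * lost per scanned file.
             */
            close (desc);
            desc = -1;
            cli_rmdirs (dir);
            dir_created = 0;
            free (dir);
            dir = NULL;
        }

        free (fname);
        fname = NULL;
    }

done:
    if (desc != -1)
        close (desc);
    if (dir) {
        /* only remove a directory this call actually created */
        if (dir_created)
            cli_rmdirs (dir);
        free (dir);
    }
    free (fname);
    closedir (dd);
    return rc;
}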
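/*
 * Dump the macro code found in an extracted OLE2 tree rooted at dirname.
 *
 * U is the set of stream names recorded during extraction.  Three kinds of
 * streams are looked up in it: "_vba_project" (VBA projects, inflated with
 * cli_vba_inflate()), "powerpoint document" (unpacked by cli_ppt_vba_read()
 * and scanned again with sigtool_scandir()) and "worddocument" (Word macros,
 * decrypted with cli_wm_decrypt_macro()).  Afterwards every subdirectory of
 * dirname is visited recursively.
 *
 * Returns CL_CLEAN, CL_EOPEN if dirname cannot be opened, or -1 if a path
 * buffer cannot be allocated during the directory walk.
 *
 * Lengths and stream names originate from the parsed document, so path
 * formatting is checked for truncation and the length reported by the
 * decoders is validated before it is used as an index.
 */
int sigtool_vba_scandir (const char *dirname, int hex_output, struct uniq *U)
{
    int ret = CL_CLEAN, i, j, fd, data_len, n;
    vba_project_t *vba_project;
    DIR *dd;
    struct dirent *dent;
    STATBUF statbuf;
    char *fullname, vbaname[1024], *hash;
    unsigned char *data, *grown;
    size_t fullname_len;
    uint32_t hashcnt;

    /* --- VBA projects --- */
    hashcnt = uniq_get (U, "_vba_project", 12, NULL);
    while (hashcnt--) {
        if (!(vba_project = (vba_project_t *) cli_vba_readdir (dirname, U, hashcnt)))
            continue;

        for (i = 0; i < vba_project->count; i++) {
            for (j = 0; j < vba_project->colls[i]; j++) {
                n = snprintf (vbaname, sizeof (vbaname), "%s" PATHSEP "%s_%u",
                              vba_project->dir, vba_project->name[i], (unsigned int) j);
                /* a truncated name would refer to a different file: skip it */
                if (n < 0 || (size_t) n >= sizeof (vbaname))
                    continue;

                fd = open (vbaname, O_RDONLY | O_BINARY);
                if (fd == -1)
                    continue;
                data = (unsigned char *) cli_vba_inflate (fd, vba_project->offset[i], &data_len);
                close (fd);

                if (data) {
                    /*
                     * Grow by one byte for the terminator.  realloc() goes
                     * through a temporary so that a failure neither leaks the
                     * buffer nor leads to a write through NULL, and a negative
                     * length is rejected instead of being used as an index.
                     */
                    grown = NULL;
                    if (data_len >= 0)
                        grown = (unsigned char *) realloc (data, (size_t) data_len + 1);
                    if (grown) {
                        data = grown;
                        data[data_len] = '\0';
                        /* macro text comes from the document and is printed as-is */
                        printf ("-------------- start of code ------------------\n%s\n-------------- end of code ------------------\n", data);
                    }
                    free (data);
                }
            }
        }

        free (vba_project->name);
        free (vba_project->colls);
        free (vba_project->dir);
        free (vba_project->offset);
        free (vba_project);
    }

    /* --- PowerPoint documents --- */
    if ((hashcnt = uniq_get (U, "powerpoint document", 19, &hash))) {
        while (hashcnt--) {
            n = snprintf (vbaname, sizeof (vbaname), "%s" PATHSEP "%s_%u",
                          dirname, hash, (unsigned int) hashcnt);
            if (n < 0 || (size_t) n >= sizeof (vbaname))
                continue;

            fd = open (vbaname, O_RDONLY | O_BINARY);
            if (fd == -1)
                continue;
            if ((fullname = cli_ppt_vba_read (fd, NULL))) {
                sigtool_scandir (fullname, hex_output);
                cli_rmdirs (fullname);
                free (fullname);
            }
            close (fd);
        }
    }

    /* --- Word macros --- */
    if ((hashcnt = uniq_get (U, "worddocument", 12, &hash))) {
        while (hashcnt--) {
            n = snprintf (vbaname, sizeof (vbaname), "%s" PATHSEP "%s_%u",
                          dirname, hash, (unsigned int) hashcnt);
            if (n < 0 || (size_t) n >= sizeof (vbaname))
                continue;

            fd = open (vbaname, O_RDONLY | O_BINARY);
            if (fd == -1)
                continue;

            if (!(vba_project = (vba_project_t *) cli_wm_readdir (fd))) {
                close (fd);
                continue;
            }

            for (i = 0; i < vba_project->count; i++) {
                data_len = vba_project->length[i];
                data = (unsigned char *) cli_wm_decrypt_macro (fd, vba_project->offset[i], data_len, vba_project->key[i]);
                if (data) {
                    /* same checked grow-and-terminate as for VBA projects */
                    grown = NULL;
                    if (data_len >= 0)
                        grown = (unsigned char *) realloc (data, (size_t) data_len + 1);
                    if (grown) {
                        data = grown;
                        data[data_len] = '\0';
                        printf ("-------------- start of code ------------------\n%s\n-------------- end of code ------------------\n", data);
                    }
                    free (data);
                }
            }

            close (fd);
            free (vba_project->name);
            free (vba_project->colls);
            free (vba_project->dir);
            free (vba_project->offset);
            free (vba_project->key);
            free (vba_project->length);
            free (vba_project);
        }
    }

    /* --- recurse into subdirectories --- */
    if ((dd = opendir (dirname)) == NULL) {
        logg ("!ScanDir -> Can't open directory %s.\n", dirname);
        return CL_EOPEN;
    }

    while ((dent = readdir (dd))) {
        if (!dent->d_ino)
            continue;
        if (!strcmp (dent->d_name, ".") || !strcmp (dent->d_name, ".."))
            continue;

        /* build the full name: dirname + separator + entry + NUL */
        fullname_len = strlen (dirname) + strlen (dent->d_name) + 2;
        fullname = calloc (fullname_len, sizeof (char));
        if (!fullname) {
            ret = -1;
            break;
        }
        snprintf (fullname, fullname_len, "%s" PATHSEP "%s", dirname, dent->d_name);

        /* stat without following symlinks; only real directories are entered */
        if (LSTAT (fullname, &statbuf) != -1) {
            if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode))
                sigtool_vba_scandir (fullname, hex_output, U);
        }
        free (fullname);
    }

    closedir (dd);
    return ret;
}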
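/*
 * Dump the macro code found in an extracted OLE2 directory.
 *
 * dirname is tried, in order, as a VBA project directory (vba56_dir_read),
 * as a PowerPoint document (ppt_vba_read, whose output directory is scanned
 * with sigtool_scandir and then removed) and as a Word macro directory
 * (wm_dir_read).  Afterwards every subdirectory of dirname is visited
 * recursively.
 *
 * Returns CL_CLEAN, CL_VIRUS if the PowerPoint sub-scan reported it, CL_EOPEN
 * if dirname or one of the project streams cannot be opened, or -1 if a path
 * buffer cannot be allocated.
 *
 * Names, offsets and lengths come from the parsed document, so allocations
 * are checked before use and the decompressed length is validated before it
 * is used as an index.
 */
int sigtool_vba_scandir (const char *dirname, int hex_output)
{
    int ret = CL_CLEAN, i, fd, data_len;
    vba_project_t *vba_project;
    DIR *dd;
    struct dirent *dent;
    struct stat statbuf;
    char *fname, *fullname;
    unsigned char *data, *grown;
    size_t path_len;

    cli_dbgmsg ("VBA scan dir: %s\n", dirname);

    if ((vba_project = (vba_project_t *) vba56_dir_read (dirname))) {
        for (i = 0; i < vba_project->count; i++) {
            path_len = strlen (vba_project->dir) + strlen (vba_project->name[i]) + 2;
            fullname = (char *) malloc (path_len);
            if (!fullname) {
                ret = -1;
                break;
            }
            snprintf (fullname, path_len, "%s/%s", vba_project->dir, vba_project->name[i]);

            fd = open (fullname, O_RDONLY);
            if (fd == -1) {
                cli_errmsg ("Scan->OLE2 -> Can't open file %s\n", fullname);
                free (fullname);
                ret = CL_EOPEN;
                break;
            }
            free (fullname);

            cli_dbgmsg ("decompress VBA project '%s'\n", vba_project->name[i]);
            printf ("-------------- start of %s ------------------\n", vba_project->name[i]);
            data = (unsigned char *) vba_decompress (fd, vba_project->offset[i], &data_len);
            close (fd);

            if (!data) {
                cli_dbgmsg ("WARNING: VBA project '%s' decompressed to NULL\n", vba_project->name[i]);
            } else {
                /*
                 * Grow by one byte for the terminator.  realloc() goes
                 * through a temporary so that a failure neither leaks the
                 * buffer nor leads to a write through NULL, and a negative
                 * length is rejected instead of being used as an index.
                 */
                grown = NULL;
                if (data_len >= 0)
                    grown = (unsigned char *) realloc (data, (size_t) data_len + 1);
                if (grown) {
                    data = grown;
                    data[data_len] = '\0';
                    /* macro text comes from the document and is printed as-is */
                    printf ("%s", data);
                }
                free (data);
            }
            printf ("-------------- end of %s ------------------\n", vba_project->name[i]);
        }

        for (i = 0; i < vba_project->count; i++)
            free (vba_project->name[i]);
        free (vba_project->name);
        free (vba_project->dir);
        free (vba_project->offset);
        free (vba_project);
    } else if ((fullname = ppt_vba_read (dirname))) {
        if (sigtool_scandir (fullname, hex_output) == CL_VIRUS) {
            ret = CL_VIRUS;
        }
        cli_rmdirs (fullname);
        free (fullname);
    } else if ((vba_project = (vba_project_t *) wm_dir_read (dirname))) {
        for (i = 0; i < vba_project->count; i++) {
            path_len = strlen (vba_project->dir) + strlen (vba_project->name[i]) + 2;
            fullname = (char *) malloc (path_len);
            if (!fullname) {
                ret = -1;
                break;
            }
            snprintf (fullname, path_len, "%s/%s", vba_project->dir, vba_project->name[i]);

            fd = open (fullname, O_RDONLY);
            if (fd == -1) {
                cli_errmsg ("Scan->OLE2 -> Can't open file %s\n", fullname);
                free (fullname);
                ret = CL_EOPEN;
                break;
            }
            free (fullname);

            cli_dbgmsg ("decompress WM project '%s' macro %d\n", vba_project->name[i], i);
            printf ("\n\n-------------- start of macro:%d key:%d length:%d ------------------\n", i, vba_project->key[i], vba_project->length[i]);
            data = (unsigned char *) wm_decrypt_macro (fd, vba_project->offset[i], vba_project->length[i], vba_project->key[i]);
            close (fd);

            if (!data) {
                cli_dbgmsg ("WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i);
            } else {
                wm_decode_macro (data, vba_project->length[i], hex_output);
                free (data);
            }
            printf ("\n-------------- end of macro %d ------------------\n\n", i);
        }

        for (i = 0; i < vba_project->count; i++)
            free (vba_project->name[i]);
        free (vba_project->key);
        free (vba_project->length);
        free (vba_project->offset);
        free (vba_project->name);
        free (vba_project->dir);
        free (vba_project);
    }

    /* recurse into subdirectories */
    if ((dd = opendir (dirname)) == NULL) {
        cli_errmsg ("ScanDir -> Can't open directory %s.\n", dirname);
        return CL_EOPEN;
    }

    while ((dent = readdir (dd))) {
        if (!dent->d_ino)
            continue;
        if (!strcmp (dent->d_name, ".") || !strcmp (dent->d_name, ".."))
            continue;

        /* build the full name: dirname + '/' + entry + NUL */
        path_len = strlen (dirname) + strlen (dent->d_name) + 2;
        fname = calloc (path_len, sizeof (char));
        if (!fname) {
            ret = -1;
            break;
        }
        snprintf (fname, path_len, "%s/%s", dirname, dent->d_name);

        /* stat without following symlinks; only real directories are entered */
        if (lstat (fname, &statbuf) != -1) {
            if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode))
                sigtool_vba_scandir (fname, hex_output);
        }
        free (fname);
    }

    closedir (dd);
    return ret;
}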
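/*
 * Recursively walk dirname.  Each regular file is opened, wrapped in a
 * context by convenience_ctx() and passed to cli_ole2_extract(), which
 * unpacks it into a freshly created private (mode 0700) temporary directory.
 * When extraction reports a stream-name set, the directory is handed to
 * sigtool_vba_scandir(); it is removed afterwards in every case.
 *
 * Returns 0 once every entry has been processed, CL_EOPEN if dirname cannot
 * be opened, CL_ETMPDIR if the temporary directory cannot be created, 1 if a
 * file cannot be opened or no context can be built for it, the
 * cli_ole2_extract() error code if extraction fails, CL_VIRUS if a recursive
 * call returns anything non-zero, and -1 on allocation failure.
 *
 * Every exit taken after opendir() succeeds goes through the single cleanup
 * label.  This also removes the temporary directory when open() or
 * convenience_ctx() fails after mkdir() has succeeded, so those paths no
 * longer leave an empty directory behind.
 */
static int sigtool_scandir (const char *dirname, int hex_output)
{
    DIR *dd;
    struct dirent *dent;
    STATBUF statbuf;
    char *fname = NULL;
    char *dir = NULL;
    const char *tmpdir;
    size_t fname_len;
    int desc = -1;
    int dir_created = 0;
    int ret;
    int rc = 0;
    cli_ctx *ctx = NULL;

    if ((dd = opendir (dirname)) == NULL) {
        logg ("!Can't open directory %s.\n", dirname);
        return CL_EOPEN;
    }

    while ((dent = readdir (dd))) {
        if (!dent->d_ino)
            continue;
        if (!strcmp (dent->d_name, ".") || !strcmp (dent->d_name, ".."))
            continue;

        /* build the full name: dirname + separator + entry + NUL */
        fname_len = strlen (dirname) + strlen (dent->d_name) + 2;
        fname = (char *) cli_calloc (fname_len, sizeof (char));
        if (!fname) {
            rc = -1;
            goto done;
        }
        snprintf (fname, fname_len, "%s" PATHSEP "%s", dirname, dent->d_name);

        /*
         * stat the file without following a symlink.
         * NOTE(review): LSTAT() and the later open() are separate path
         * lookups, so the entry can change in between; if the scanned tree
         * may be writable by someone else, re-check on the opened
         * descriptor.
         */
        if (LSTAT (fname, &statbuf) == -1) {
            free (fname);
            fname = NULL;
            continue;
        }

        if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode)) {
            /* any non-zero result from the subtree is reported as CL_VIRUS */
            if (sigtool_scandir (fname, hex_output)) {
                rc = CL_VIRUS;
                goto done;
            }
        } else if (S_ISREG (statbuf.st_mode)) {
            /* NOTE(review): nothing here releases *vba; confirm who owns it */
            struct uniq *vba = NULL;

            tmpdir = cli_gettmpdir ();

            /* generate the temporary directory */
            dir = cli_gentemp (tmpdir);
            if (!dir) {
                printf ("cli_gentemp() failed\n");
                rc = -1;
                goto done;
            }
            if (mkdir (dir, 0700)) {
                /* not ours (e.g. it already exists): never remove it */
                printf ("Can't create temporary directory %s\n", dir);
                rc = CL_ETMPDIR;
                goto done;
            }
            dir_created = 1;

            if ((desc = open (fname, O_RDONLY | O_BINARY)) == -1) {
                printf ("Can't open file %s\n", fname);
                rc = 1;
                goto done;
            }

            if (!(ctx = convenience_ctx (desc))) {
                rc = 1;
                goto done;
            }

            if ((ret = cli_ole2_extract (dir, ctx, &vba))) {
                printf ("ERROR %s\n", cl_strerror (ret));
                rc = ret;
                goto done;
            }

            if (vba)
                sigtool_vba_scandir (dir, hex_output, vba);

            /* destroy_ctx() is given the descriptor together with the context */
            destroy_ctx (desc, ctx);
            ctx = NULL;
            desc = -1;
            cli_rmdirs (dir);
            dir_created = 0;
            free (dir);
            dir = NULL;
        }

        free (fname);
        fname = NULL;
    }

done:
    if (ctx)
        destroy_ctx (desc, ctx);
    else if (desc != -1)
        close (desc);
    if (dir) {
        /* only remove a directory this call actually created */
        if (dir_created)
            cli_rmdirs (dir);
        free (dir);
    }
    free (fname);
    closedir (dd);
    return rc;
}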