← Back to branch summary

~ubuntu-branches/ubuntu/dapper/clamav/dapper-updates

« back to all changes in this revision

Viewing changes to libclamav/pe.c

  • Committer: Bazaar Package Importer
  • Author(s): Stephen Gran
  • Date: 2009-07-12 11:02:12 UTC
  • mfrom: (0.11.4 squeeze)
  • mto: (12.1.9 dapper-security)
  • mto: This revision was merged to the branch mainline in revision 22.
  • Revision ID: james.westby@ubuntu.com-20090712110212-vv7k2bsdeyafjobj
Tags: 0.95.2+dfsg-4
Fix the changelog

Show diffs side-by-side

added added

removed removed

Lines of Context:
libclamav/pe.c
357
357
    }*/
358
358
    for (i=0; i<unnamed; i++, entry += 8) {
359
359
        uint32_t id, offs;
 
360
        if (stats->errors >= SWIZZ_MAXERRORS) {
 
361
            cli_dbgmsg("cli_parseres_special: resources broken, ignoring\n");
 
362
            return;
 
363
        }
360
364
        id = cli_readint32(entry)&0x7fffffff;
361
365
        if(level==0) {
362
366
                type = 0;
396
400
                                        cli_dbgmsg("cli_parseres_special: invalid resource table entry: %lu + %lu\n", 
397
401
                                                        (unsigned long)rawaddr, 
398
402
                                                        (unsigned long)isz);
 
403
                                        stats->errors++;
399
404
                                        continue;
400
405
                                }
401
406
                                str = cli_malloc(isz);
467
472
        if(DETECT_BROKEN) {
468
473
            if(ctx->virname)
469
474
                *ctx->virname = "Broken.Executable";
470
 
            return CL_VIRUS;
 
475
            return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
471
476
        }
472
477
        return CL_CLEAN;
473
478
    }
603
608
        if(DETECT_BROKEN) {
604
609
            if(ctx->virname)
605
610
                *ctx->virname = "Broken.Executable";
606
 
            return CL_VIRUS;
 
611
            return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
607
612
        }
608
613
        if(nsections)
609
614
            cli_warnmsg("PE file contains %d sections\n", nsections);
623
628
        if(DETECT_BROKEN) {
624
629
            if(ctx->virname)
625
630
                *ctx->virname = "Broken.Executable";
626
 
            return CL_VIRUS;
 
631
            return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
627
632
        }
628
633
        return CL_CLEAN;
629
634
    }
633
638
        if(DETECT_BROKEN) {
634
639
            if(ctx->virname)
635
640
                *ctx->virname = "Broken.Executable";
636
 
            return CL_VIRUS;
 
641
            return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
637
642
        }
638
643
        return CL_CLEAN;
639
644
    }
646
651
            if(DETECT_BROKEN) {
647
652
                if(ctx->virname)
648
653
                    *ctx->virname = "Broken.Executable";
649
 
                return CL_VIRUS;
 
654
                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
650
655
            }
651
656
            return CL_CLEAN;
652
657
        }
662
667
            if(DETECT_BROKEN) {
663
668
                if(ctx->virname)
664
669
                    *ctx->virname = "Broken.Executable";
665
 
                return CL_VIRUS;
 
670
                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
666
671
            }
667
672
            cli_dbgmsg("9x compatibility mode\n");
668
673
        }
704
709
            if(DETECT_BROKEN) {
705
710
                if(ctx->virname)
706
711
                    *ctx->virname = "Broken.Executable";
707
 
                return CL_VIRUS;
 
712
                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
708
713
            }
709
714
            return CL_CLEAN;
710
715
        }
785
790
        cli_dbgmsg("Bad virtual alignemnt\n");
786
791
        if(ctx->virname)
787
792
            *ctx->virname = "Broken.Executable";
788
 
        return CL_VIRUS;
 
793
        return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
789
794
    }
790
795
 
791
796
    if (DETECT_BROKEN && !native && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
792
797
        cli_dbgmsg("Bad file alignemnt\n");
793
798
        if(ctx->virname)
794
799
            *ctx->virname = "Broken.Executable";
795
 
        return CL_VIRUS;
 
800
        return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
796
801
    }
797
802
 
798
803
    if(fstat(desc, &sb) == -1) {
828
833
        if(DETECT_BROKEN) {
829
834
            if(ctx->virname)
830
835
                *ctx->virname = "Broken.Executable";
831
 
            return CL_VIRUS;
 
836
            return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
832
837
        }
833
838
        return CL_CLEAN;
834
839
    }
897
902
                *ctx->virname = "Broken.Executable";
898
903
            free(section_hdr);
899
904
            free(exe_sections);
900
 
            return CL_VIRUS;
 
905
            return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
901
906
        }
902
907
 
903
908
        if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
908
913
                if(DETECT_BROKEN) {
909
914
                    if(ctx->virname)
910
915
                        *ctx->virname = "Broken.Executable";
911
 
                    return CL_VIRUS;
 
916
                    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
912
917
                }
913
918
                return CL_CLEAN; /* no ninjas to see here! move along! */
914
919
            }
923
928
                    if(md5_sect->soff[j] == exe_sections[i].rsz) {
924
929
                        unsigned char md5_dig[16];
925
930
                        if(cli_md5sect(desc, &exe_sections[i], md5_dig) && cli_bm_scanbuff(md5_dig, 16, ctx->virname, ctx->engine->md5_mdb, 0, 0, -1) == CL_VIRUS) {
926
 
                            /* Since .mdb sigs are not fp-prone, to save
927
 
                             * performance we don't call cli_checkfp() here,
928
 
                             * just give the possibility of whitelisting
929
 
                             * idividual .mdb entries via daily.fp
930
 
                             */
931
931
                            if(cli_bm_scanbuff(md5_dig, 16, NULL, ctx->engine->md5_fp, 0, 0, -1) != CL_VIRUS) {
932
932
 
933
933
                                free(section_hdr);
934
934
                                free(exe_sections);
935
 
                                return CL_VIRUS;
 
935
                                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
936
936
                            }
937
937
                        }
938
938
                        break;
948
948
            if(DETECT_BROKEN) {
949
949
                if(ctx->virname)
950
950
                    *ctx->virname = "Broken.Executable";
951
 
                return CL_VIRUS;
 
951
                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
952
952
            }
953
953
            return CL_CLEAN;
954
954
        }
960
960
                    *ctx->virname = "Broken.Executable";
961
961
                free(section_hdr);
962
962
                free(exe_sections);
963
 
                return CL_VIRUS;
 
963
                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
964
964
            }
965
965
            min = exe_sections[i].rva;
966
966
            max = exe_sections[i].rva + exe_sections[i].rsz;
971
971
                    *ctx->virname = "Broken.Executable";
972
972
                free(section_hdr);
973
973
                free(exe_sections);
974
 
                return CL_VIRUS;
 
974
                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
975
975
            }
976
976
            if(exe_sections[i].rva < min)
977
977
                min = exe_sections[i].rva;
989
989
        if(DETECT_BROKEN) {
990
990
            if(ctx->virname)
991
991
                *ctx->virname = "Broken.Executable";
992
 
            return CL_VIRUS;
 
992
            return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
993
993
        }
994
994
        return CL_CLEAN;
995
995
    }
1026
1026
            if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
1027
1027
                *ctx->virname = "W32.Parite.B";
1028
1028
                free(exe_sections);
1029
 
                return CL_VIRUS;
 
1029
                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
1030
1030
            }
1031
1031
        }
1032
1032
    }
1109
1109
                if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
1110
1110
                    *ctx->virname = "W32.Kriz";
1111
1111
                    free(exe_sections);
1112
 
                    return CL_VIRUS;
 
1112
                    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
1113
1113
                }
1114
1114
                cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");
1115
1115
                kzstate++;
1136
1136
                if(cli_memstr(buff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
1137
1137
                    *ctx->virname = dam ? "W32.Magistr.A.dam" : "W32.Magistr.A";
1138
1138
                    free(exe_sections);
1139
 
                    return CL_VIRUS;
 
1139
                    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
1140
1140
                } 
1141
1141
            }
1142
1142
 
1148
1148
                if(cli_memstr(buff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
1149
1149
                    *ctx->virname = dam ? "W32.Magistr.B.dam" : "W32.Magistr.B";
1150
1150
                    free(exe_sections);
1151
 
                    return CL_VIRUS;
 
1151
                    return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
1152
1152
                } 
1153
1153
            }
1154
1154
        }
1206
1206
                *ctx->virname = "W32.Polipos.A";
1207
1207
                free(jumps);
1208
1208
                free(exe_sections);
1209
 
                return CL_VIRUS;
 
1209
                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
1210
1210
            }
1211
1211
        }
1212
1212
        free(jumps);
1231
1231
                    }
1232
1232
                    if (ret != CL_CLEAN) {
1233
1233
                            free(exe_sections);
 
1234
                            if(ret == CL_VIRUS)
 
1235
                                return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
1234
1236
                            return ret;
1235
1237
                    }
1236
1238
            }