~ubuntu-branches/ubuntu/feisty/clamav/feisty

static int cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hexsig, int sigid, int parts, int partno, unsigned short type, unsigned int mindist, unsigned int maxdist, const char *offset, unsigned short target)

{

char *newname, *pt;

if(!virname)

return NULL;

if((pt = strstr(virname, " (Clam)")))

*pt='\0';

if(!virname[0]) {

cli_errmsg("cli_virname: Empty virus name\n");

return NULL;

}

100

if(official)

101

return cli_strdup(virname);

102

103

newname = (char *) cli_malloc(strlen(virname) + 11 + 1);

104

if(!newname) {

105

cli_errmsg("cli_virname: Can't allocate memory for newname\n");

106

return NULL;

107

}

108

sprintf(newname, "%s.UNOFFICIAL", virname);

109

return newname;

struct cli_ac_patt *new;

char *pt, *hex;

int virlen, ret, error = 0;

unsigned int i, j, wprefix = 0;

#define FREE_ALT \

if(new->alt) { \

free(new->altn); \

for(i = 0; i < new->alt; i++) \

free(new->altc[i]); \

free(new->altc); \

free(hex); \

}

if((new = (struct cli_ac_patt *) cli_calloc(1, sizeof(struct cli_ac_patt))) == NULL)

return CL_EMEM;

new->type = type;

new->sigid = sigid;

100

new->parts = parts;

101

new->partno = partno;

102

new->mindist = mindist;

103

new->maxdist = maxdist;

104

new->target = target;

105

if(offset) {

106

new->offset = cli_strdup(offset);

107

if(!new->offset)

108

return CL_EMEM;

109

}

110

111

if(strchr(hexsig, '(')) {

112

char *hexcpy, *hexnew, *start, *h, *c;

113

114

if(!(hexcpy = cli_strdup(hexsig))) {

115

if(new->offset)

116

free(new->offset);

117

free(new);

118

return CL_EMEM;

119

}

120

121

if(!(hexnew = (char *) cli_calloc(strlen(hexsig) + 1, 1))) {

122

free(hexcpy);

123

if(new->offset)

124

free(new->offset);

125

free(new);

126

return CL_EMEM;

127

}

128

129

start = pt = hexcpy;

130

while((pt = strchr(start, '('))) {

131

*pt++ = 0;

132

133

if(!start) {

134

error = 1;

135

break;

136

}

137

138

strcat(hexnew, start);

139

strcat(hexnew, "@@");

140

141

if(!(start = strchr(pt, ')'))) {

142

error = 1;

143

break;

144

}

145

*start++ = 0;

146

147

new->alt++;

148

new->altn = (unsigned short int *) cli_realloc(new->altn, new->alt * sizeof(unsigned short int));

149

new->altn[new->alt - 1] = 0;

150

new->altc = (unsigned char **) cli_realloc(new->altc, new->alt * sizeof(char *));

151

new->altc[new->alt - 1] = NULL;

152

153

for(i = 0; i < strlen(pt); i++)

154

if(pt[i] == '|')

155

new->altn[new->alt - 1]++;

156

157

if(!new->altn[new->alt - 1]) {

158

error = 1;

159

break;

160

} else

161

new->altn[new->alt - 1]++;

162

163

if(!(new->altc[new->alt - 1] = (unsigned char *) cli_calloc(new->altn[new->alt - 1], 1))) {

164

error = 1;

165

break;

166

}

167

168

for(i = 0; i < new->altn[new->alt - 1]; i++) {

169

if((h = cli_strtok(pt, i, "|")) == NULL) {

170

error = 1;

171

break;

172

}

173

174

if((c = cli_hex2str(h)) == NULL) {

175

free(h);

176

error = 1;

177

break;

178

}

179

180

new->altc[new->alt - 1][i] = *c;

181

free(c);

182

free(h);

183

}

184

185

if(error)

186

break;

187

}

188

189

if(start)

190

strcat(hexnew, start);

191

192

hex = hexnew;

193

free(hexcpy);

194

195

if(error) {

196

FREE_ALT;

197

if(new->offset)

198

free(new->offset);

199

free(new);

200

return CL_EMALFDB;

201

}

202

203

} else

204

hex = (char *) hexsig;

205

206

if((new->pattern = cli_hex2si(hex)) == NULL) {

207

FREE_ALT;

208

if(new->offset)

209

free(new->offset);

210

free(new);

211

return CL_EMALFDB;

212

}

213

214

new->length = strlen(hex) / 2;

215

216

for(i = 0; i < AC_DEFAULT_DEPTH; i++) {

217

if(new->pattern[i] == CLI_IGN || new->pattern[i] == CLI_ALT) {

218

wprefix = 1;

219

break;

220

}

221

}

222

223

if(wprefix) {

224

for(; i < new->length - AC_DEFAULT_DEPTH + 1; i++) {

225

wprefix = 0;

226

for(j = i; j < i + AC_DEFAULT_DEPTH; j++) {

227

if(new->pattern[j] == CLI_IGN || new->pattern[j] == CLI_ALT) {

228

wprefix = 1;

229

break;

230

}

231

}

232

if(!wprefix)

233

break;

234

}

235

236

if(wprefix) {

237

FREE_ALT;

238

if(new->offset)

239

free(new->offset);

240

free(new->pattern);

241

free(new);

242

return CL_EMALFDB;

243

}

244

245

new->prefix = new->pattern;

246

new->prefix_length = i;

247

new->pattern = &new->prefix[i];

248

new->length -= i;

249

250

for(i = 0; i < new->prefix_length; i++)

251

if(new->prefix[i] == CLI_ALT)

252

new->alt_pattern++;

253

}

254

255

if(new->length > root->maxpatlen)

256

root->maxpatlen = new->length;

257

258

if((pt = strstr(virname, "(Clam)")))

259

virlen = strlen(virname) - strlen(pt) - 1;

260

else

261

virlen = strlen(virname);

262

263

if(virlen <= 0) {

264

if(new->prefix)

265

free(new->prefix);

266

else

267

free(new->pattern);

268

FREE_ALT;

269

if(new->offset)

270

free(new->offset);

271

free(new);

272

return CL_EMALFDB;

273

}

274

275

if((new->virname = cli_calloc(virlen + 1, sizeof(char))) == NULL) {

276

if(new->prefix)

277

free(new->prefix);

278

else

279

free(new->pattern);

280

FREE_ALT;

281

if(new->offset)

282

free(new->offset);

283

free(new);

284

return CL_EMEM;

285

}

286

287

strncpy(new->virname, virname, virlen);

288

289

if((ret = cli_ac_addpatt(root, new))) {

290

if(new->prefix)

291

free(new->prefix);

292

else

293

free(new->pattern);

294

free(new->virname);

295

FREE_ALT;

296

if(new->offset)

297

free(new->offset);

298

free(new);

299

return ret;

300

}

301

302

if(new->alt)

303

free(hex);

304

305

return CL_SUCCESS;

110

306

}

111

307

112

int cli_parse_add(struct cli_matcher *root, const char *virname, const char *hexsig, uint16_t rtype, uint16_t type, const char *offset, uint8_t target, const uint32_t *lsigid, unsigned int options)

308

int cli_parse_add(struct cli_matcher *root, const char *virname, const char *hexsig, unsigned short type, const char *offset, unsigned short target)

113

309

{

114

310

struct cli_bm_patt *bm_new;

115

311

char *pt, *hexcpy, *start, *n;

116

int ret, asterisk = 0;

117

unsigned int i, j, hexlen, parts = 0;

312

int ret, virlen, asterisk = 0;

313

unsigned int i, j, len, parts = 0;

118

314

int mindist = 0, maxdist = 0, error = 0;

119

315

120

316

121

hexlen = strlen(hexsig);

122

if (hexsig[0] == '$') {

123

/* macro */

124

unsigned smin, smax, tid;

125

struct cli_ac_patt *patt;

126

if (hexsig[hexlen-1] != '$') {

127

cli_errmsg("cli_parseadd(): missing terminator $\n");

128

return CL_EMALFDB;

129

}

130

if (!lsigid) {

131

cli_errmsg("cli_parseadd(): macro signatures only valid inside logical signatures\n");

132

return CL_EMALFDB;

133

}

134

if (sscanf(hexsig,"${%u-%u}%u$",

135

&smin, &smax, &tid) != 3) {

136

cli_errmsg("cli_parseadd(): invalid macro signature format\n");

137

return CL_EMALFDB;

138

}

139

if (tid >= 32) {

140

cli_errmsg("cli_parseadd(): only 32 macro groups are supported\n");

141

return CL_EMALFDB;

142

}

143

patt = mpool_calloc(root->mempool, 1, sizeof(*patt));

144

if (!patt)

145

return CL_EMEM;

146

/* this is not a pattern that will be matched by AC itself, rather it is a

147

* pattern checked by the lsig code */

148

patt->ch_mindist[0] = smin;

149

patt->ch_maxdist[0] = smax;

150

patt->sigid = tid;

151

patt->length = root->ac_mindepth;

152

/* dummy */

153

patt->pattern = mpool_calloc(root->mempool, patt->length, sizeof(*patt->pattern));

154

if (patt->pattern) {

155

free(patt);

156

return CL_EMEM;

157

}

158

if ((ret = cli_ac_addpatt(root, patt))) {

159

mpool_free(root->mempool, patt->pattern);

160

free(patt);

161

return ret;

162

}

163

return CL_SUCCESS;

164

}

165

317

if(strchr(hexsig, '{')) {

166

318

167

319

root->ac_partsigs++;

169

321

if(!(hexcpy = cli_strdup(hexsig)))

170

322

return CL_EMEM;

171

323

172

for(i = 0; i < hexlen; i++)

324

len = strlen(hexsig);

325

for(i = 0; i < len; i++)

173

326

if(hexsig[i] == '{' || hexsig[i] == '*')

174

327

parts++;

175

328

195

348

*pt++ = 0;

196

349

}

197

350

198

if((ret = cli_ac_addsig(root, virname, start, root->ac_partsigs, parts, i, rtype, type, mindist, maxdist, offset, lsigid, options))) {

351

if((ret = cli_ac_addsig(root, virname, start, root->ac_partsigs, parts, i, type, mindist, maxdist, offset, target))) {

199

352

cli_errmsg("cli_parse_add(): Problem adding signature (1).\n");

200

353

error = 1;

201

354

break;

223

376

}

224

377

225

378

if(!strchr(pt, '-')) {

226

if(!cli_isnumber(pt) || (mindist = maxdist = atoi(pt)) < 0) {

379

if((mindist = maxdist = atoi(pt)) < 0) {

227

380

error = 1;

228

381

break;

229

382

}

230

383

} else {

231

384

if((n = cli_strtok(pt, 0, "-"))) {

232

if(!cli_isnumber(n) || (mindist = atoi(n)) < 0) {

385

if((mindist = atoi(n)) < 0) {

233

386

error = 1;

234

387

free(n);

235

388

break;

238

391

}

239

392

240

393

if((n = cli_strtok(pt, 1, "-"))) {

241

if(!cli_isnumber(n) || (maxdist = atoi(n)) < 0) {

394

if((maxdist = atoi(n)) < 0) {

242

395

error = 1;

243

396

free(n);

244

397

break;

245

398

}

246

399

free(n);

247

400

}

248

249

if((n = cli_strtok(pt, 2, "-"))) { /* strict check */

250

error = 1;

251

free(n);

252

break;

253

}

254

401

}

255

402

}

256

403

261

408

} else if(strchr(hexsig, '*')) {

262

409

root->ac_partsigs++;

263

410

264

for(i = 0; i < hexlen; i++)

411

len = strlen(hexsig);

412

for(i = 0; i < len; i++)

265

413

if(hexsig[i] == '*')

266

414

parts++;

267

415

274

422

return CL_EMALFDB;

275

423

}

276

424

277

if((ret = cli_ac_addsig(root, virname, pt, root->ac_partsigs, parts, i, rtype, type, 0, 0, offset, lsigid, options))) {

425

if((ret = cli_ac_addsig(root, virname, pt, root->ac_partsigs, parts, i, type, 0, 0, offset, target))) {

278

426

cli_errmsg("cli_parse_add(): Problem adding signature (2).\n");

279

427

free(pt);

280

428

return ret;

283

431

free(pt);

284

432

}

285

433

286

} else if(root->ac_only || type || lsigid || strpbrk(hexsig, "?([") || (root->bm_offmode && (!strcmp(offset, "*") || strchr(offset, ','))) || strstr(offset, "VI") || strchr(offset, '$')) {

287

if((ret = cli_ac_addsig(root, virname, hexsig, 0, 0, 0, rtype, type, 0, 0, offset, lsigid, options))) {

434

} else if(root->ac_only || strpbrk(hexsig, "?(") || type) {

435

if((ret = cli_ac_addsig(root, virname, hexsig, 0, 0, 0, type, 0, 0, offset, target))) {

288

436

cli_errmsg("cli_parse_add(): Problem adding signature (3).\n");

289

437

return ret;

290

438

}

291

439

292

440

} else {

293

bm_new = (struct cli_bm_patt *) mpool_calloc(root->mempool, 1, sizeof(struct cli_bm_patt));

441

bm_new = (struct cli_bm_patt *) cli_calloc(1, sizeof(struct cli_bm_patt));

294

442

if(!bm_new)

295

443

return CL_EMEM;

296

bm_new->pattern = (unsigned char *) cli_mpool_hex2str(root->mempool, hexsig);

297

if(!bm_new->pattern) {

298

mpool_free(root->mempool, bm_new);

299

return CL_EMALFDB;

300

}

301

bm_new->length = hexlen / 2;

302

303

bm_new->virname = cli_mpool_virname(root->mempool, virname, options & CL_DB_OFFICIAL);

304

if(!bm_new->virname) {

305

mpool_free(root->mempool, bm_new->pattern);

306

mpool_free(root->mempool, bm_new);

444

445

if(!(bm_new->pattern = (unsigned char *) cli_hex2str(hexsig))) {

446

free(bm_new);

447

return CL_EMALFDB;

448

}

449

450

bm_new->length = strlen(hexsig) / 2;

451

452

if((pt = strstr(virname, "(Clam)")))

453

virlen = strlen(virname) - strlen(pt) - 1;

454

else

455

virlen = strlen(virname);

456

457

if(virlen <= 0) {

458

free(bm_new->pattern);

459

free(bm_new);

460

return CL_EMALFDB;

461

}

462

463

if((bm_new->virname = cli_calloc(virlen + 1, sizeof(char))) == NULL) {

464

free(bm_new->pattern);

465

free(bm_new);

307

466

return CL_EMEM;

308

467

}

309

468

310

if(bm_new->length > root->maxpatlen) {

469

strncpy(bm_new->virname, virname, virlen);

470

471

if(offset) {

472

bm_new->offset = cli_strdup(offset);

473

if(!bm_new->offset) {

474

free(bm_new->pattern);

475

free(bm_new->virname);

476

free(bm_new);

477

return CL_EMEM;

478

}

479

}

480

481

bm_new->target = target;

482

483

if(bm_new->length > root->maxpatlen)

311

484

root->maxpatlen = bm_new->length;

312

}

313

485

314

if((ret = cli_bm_addpatt(root, bm_new, offset))) {

486

if((ret = cli_bm_addpatt(root, bm_new))) {

315

487

cli_errmsg("cli_parse_add(): Problem adding signature (4).\n");

316

mpool_free(root->mempool, bm_new->pattern);

317

mpool_free(root->mempool, bm_new->virname);

318

mpool_free(root->mempool, bm_new);

319

return ret;

320

}

321

}

322

323

return CL_SUCCESS;

324

}

325

326

int cli_initroots(struct cl_engine *engine, unsigned int options)

488

free(bm_new->pattern);

489

free(bm_new->virname);

490

free(bm_new);

491

return ret;

492

}

493

}

494

495

return CL_SUCCESS;

496

}

497

498

int cli_initengine(struct cl_engine **engine, unsigned int options)

499

{

500

#ifdef CL_EXPERIMENTAL

501

int ret;

502

#endif

503

504

505

if(!*engine) {

506

cli_dbgmsg("Initializing the engine structure\n");

507

508

*engine = (struct cl_engine *) cli_calloc(1, sizeof(struct cl_engine));

509

if(!*engine) {

510

cli_errmsg("Can't allocate memory for the engine structure!\n");

511

return CL_EMEM;

512

}

513

514

(*engine)->refcount = 1;

515

516

(*engine)->root = (struct cli_matcher **) cli_calloc(CL_TARGET_TABLE_SIZE, sizeof(struct cli_matcher *));

517

if(!(*engine)->root) {

518

/* no need to free previously allocated memory here */

519

cli_errmsg("Can't allocate memory for roots!\n");

520

return CL_EMEM;

521

}

522

523

(*engine)->dconf = cli_dconf_init();

524

if(!(*engine)->dconf) {

525

cli_errmsg("Can't initialize dynamic configuration\n");

526

return CL_EMEM;

527

}

528

}

529

530

#ifdef CL_EXPERIMENTAL

531

if(options & CL_DB_PHISHING_URLS)

532

if((ret = phishing_init(*engine)))

533

return ret;

534

#endif

535

536

return CL_SUCCESS;

537

}

538

539

static int cli_initroots(struct cl_engine *engine, unsigned int options)

327

540

{

328

541

int i, ret;

329

542

struct cli_matcher *root;

330

543

331

544

332

for(i = 0; i < CLI_MTARGETS; i++) {

545

for(i = 0; i < CL_TARGET_TABLE_SIZE; i++) {

333

546

if(!engine->root[i]) {

334

547

cli_dbgmsg("Initializing engine->root[%d]\n", i);

335

root = engine->root[i] = (struct cli_matcher *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_matcher));

548

root = engine->root[i] = (struct cli_matcher *) cli_calloc(1, sizeof(struct cli_matcher));

336

549

if(!root) {

337

cli_errmsg("cli_initroots: Can't allocate memory for cli_matcher\n");

550

cli_errmsg("Can't initialise AC pattern matcher\n");

338

551

return CL_EMEM;

339

552

}

340

#ifdef USE_MPOOL

341

root->mempool = engine->mempool;

342

#endif

343

root->type = i;

344

if(cli_mtargets[i].ac_only || engine->ac_only)

553

554

if(options & CL_DB_ACONLY) {

555

cli_dbgmsg("Only using AC pattern matcher.\n");

345

556

root->ac_only = 1;

557

}

346

558

347

559

cli_dbgmsg("Initialising AC pattern matcher of root[%d]\n", i);

348

if((ret = cli_ac_init(root, engine->ac_mindepth, engine->ac_maxdepth, engine->dconf->other&OTHER_CONF_PREFILTERING))) {

560

root->ac_root = (struct cli_ac_node *) cli_calloc(1, sizeof(struct cli_ac_node));

561

if(!root->ac_root) {

349

562

/* no need to free previously allocated memory here */

350

cli_errmsg("cli_initroots: Can't initialise AC pattern matcher\n");

351

return ret;

563

cli_errmsg("Can't initialise AC pattern matcher\n");

564

return CL_EMEM;

352

565

}

353

566

354

567

if(!root->ac_only) {

355

cli_dbgmsg("cli_initroots: Initializing BM tables of root[%d]\n", i);

568

cli_dbgmsg("Initializing BM tables of root[%d]\n", i);

356

569

if((ret = cli_bm_init(root))) {

357

cli_errmsg("cli_initroots: Can't initialise BM pattern matcher\n");

570

cli_errmsg("Can't initialise BM pattern matcher\n");

358

571

return ret;

359

572

}

360

573

}

361

574

}

362

575

}

363

engine->root[1]->bm_offmode = 1; /* BM offset mode for PE files */

576

364

577

return CL_SUCCESS;

365

578

}

366

579

367

char *cli_dbgets(char *buff, unsigned int size, FILE *fs, struct cli_dbio *dbio)

368

{

369

if(fs)

370

return fgets(buff, size, fs);

371

372

if(dbio->usebuf) {

373

int bread;

374

char *nl;

375

376

while(1) {

377

if(!dbio->bufpt) {

378

if(!dbio->size)

379

return NULL;

380

381

if(dbio->gzs) {

382

bread = gzread(dbio->gzs, dbio->readpt, dbio->readsize);

383

if(bread == -1) {

384

cli_errmsg("cli_dbgets: gzread() failed\n");

385

return NULL;

386

}

387

} else {

388

bread = fread(dbio->readpt, 1, dbio->readsize, dbio->fs);

389

if(!bread && ferror(dbio->fs)) {

390

cli_errmsg("cli_dbgets: gzread() failed\n");

391

return NULL;

392

}

393

}

394

if(!bread)

395

return NULL;

396

dbio->readpt[bread] = 0;

397

dbio->bufpt = dbio->buf;

398

dbio->size -= bread;

399

dbio->bread += bread;

400

sha256_update(&dbio->sha256ctx, dbio->readpt, bread);

401

}

402

if(dbio->chkonly && dbio->bufpt) {

403

dbio->bufpt = NULL;

404

dbio->readsize = dbio->size < dbio->bufsize ? dbio->size : dbio->bufsize - 1;

405

continue;

406

}

407

nl = strchr(dbio->bufpt, '\n');

408

if(nl) {

409

if(nl - dbio->bufpt >= size) {

410

cli_errmsg("cli_dbgets: Line too long for provided buffer\n");

411

return NULL;

412

}

413

strncpy(buff, dbio->bufpt, nl - dbio->bufpt);

414

buff[nl - dbio->bufpt] = 0;

415

if(nl < dbio->buf + dbio->bufsize) {

416

dbio->bufpt = ++nl;

417

} else {

418

dbio->bufpt = NULL;

419

dbio->readpt = dbio->buf;

420

dbio->readsize = dbio->size < dbio->bufsize ? dbio->size : dbio->bufsize - 1;

421

}

422

return buff;

423

} else {

424

unsigned int remain = dbio->buf + dbio->bufsize - 1 - dbio->bufpt;

425

426

if(dbio->bufpt == dbio->buf) {

427

cli_errmsg("cli_dbgets: Invalid data or internal buffer too small\n");

428

return NULL;

429

}

430

memmove(dbio->buf, dbio->bufpt, remain);

431

dbio->readpt = dbio->buf + remain;

432

dbio->readsize = dbio->bufsize - remain;

433

dbio->readsize = dbio->size < dbio->bufsize - remain ? dbio->size : dbio->bufsize - remain - 1;

434

dbio->bufpt = NULL;

435

}

436

}

437

} else { /* use gzgets/fgets */

438

char *pt;

439

unsigned int bs;

440

441

if(!dbio->size)

442

return NULL;

443

444

bs = dbio->size < size ? dbio->size + 1 : size;

445

if(dbio->gzs)

446

pt = gzgets(dbio->gzs, buff, bs);

447

else

448

pt = fgets(buff, bs, dbio->fs);

449

450

if(!pt) {

451

cli_errmsg("cli_dbgets: Preliminary end of data\n");

452

return pt;

453

}

454

bs = strlen(buff);

455

dbio->size -= bs;

456

dbio->bread += bs;

457

sha256_update(&dbio->sha256ctx, buff, bs);

458

return pt;

459

}

460

}

461

462

static int cli_chkign(const struct cli_matcher *ignored, const char *signame, const char *entry)

463

{

464

const char *md5_expected = NULL;

465

cli_md5_ctx md5ctx;

466

unsigned char digest[16];

467

468

if(!ignored || !signame || !entry)

469

return 0;

470

471

if(cli_bm_scanbuff((const unsigned char *) signame, strlen(signame), &md5_expected, NULL, ignored, 0, NULL, NULL) == CL_VIRUS) {

472

if(md5_expected) {

473

cli_md5_init(&md5ctx);

474

cli_md5_update(&md5ctx, entry, strlen(entry));

475

cli_md5_final(digest, &md5ctx);

476

if(memcmp(digest, (const unsigned char *) md5_expected, 16))

477

return 0;

478

}

479

cli_dbgmsg("Ignoring signature %s\n", signame);

480

return 1;

481

}

482

483

return 0;

484

}

485

486

static int cli_chkpua(const char *signame, const char *pua_cats, unsigned int options)

487

{

488

char cat[32], *pt;

489

const char *sig;

490

int ret;

491

492

if(strncmp(signame, "PUA.", 4)) {

493

cli_dbgmsg("Skipping signature %s - no PUA prefix\n", signame);

494

return 1;

495

}

496

sig = signame + 3;

497

if(!(pt = strchr(sig + 1, '.'))) {

498

cli_dbgmsg("Skipping signature %s - bad syntax\n", signame);

499

return 1;

500

}

501

502

if((unsigned int) (pt - sig + 2) > sizeof(cat)) {

503

cli_dbgmsg("Skipping signature %s - too long category name\n", signame);

504

return 1;

505

}

506

507

strncpy(cat, sig, pt - signame + 1);

508

cat[pt - sig + 1] = 0;

509

pt = strstr(pua_cats, cat);

510

511

if(options & CL_DB_PUA_INCLUDE)

512

ret = pt ? 0 : 1;

513

else

514

ret = pt ? 1 : 0;

515

516

if(ret)

517

cli_dbgmsg("Skipping PUA signature %s - excluded category\n", signame);

518

519

return ret;

520

}

521

522

static int cli_loaddb(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio, const char *dbname)

523

{

524

char buffer[FILEBUFF], *buffer_cpy = NULL, *pt, *start;

525

unsigned int line = 0, sigs = 0;

526

int ret = 0;

580

static int cli_loaddb(FILE *fd, struct cl_engine **engine, unsigned int *signo, unsigned int options)

581

{

582

char buffer[FILEBUFF], *pt, *start;

583

int line = 0, ret = 0;

527

584

struct cli_matcher *root;

528

585

529

586

530

if((ret = cli_initroots(engine, options)))

531

return ret;

532

533

root = engine->root[0];

534

535

if(engine->ignored)

536

if(!(buffer_cpy = cli_malloc(FILEBUFF)))

537

return CL_EMEM;

538

539

while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

587

if((ret = cli_initengine(engine, options))) {

588

cl_free(*engine);

589

return ret;

590

}

591

592

if((ret = cli_initroots(*engine, options))) {

593

cl_free(*engine);

594

return ret;

595

}

596

597

root = (*engine)->root[0];

598

599

while(fgets(buffer, FILEBUFF, fd)) {

540

600

line++;

541

601

cli_chomp(buffer);

542

if(engine->ignored)

543

strcpy(buffer_cpy, buffer);

544

602

545

603

pt = strchr(buffer, '=');

546

604

if(!pt) {

552

610

start = buffer;

553

611

*pt++ = 0;

554

612

555

if(engine->ignored && cli_chkign(engine->ignored, start, buffer_cpy))

556

continue;

557

558

if(engine->cb_sigload && engine->cb_sigload("db", start, engine->cb_sigload_ctx)) {

559

cli_dbgmsg("cli_loaddb: skipping %s due to callback\n", start);

560

continue;

561

}

562

563

613

if(*pt == '=') continue;

564

614

565

if((ret = cli_parse_add(root, start, pt, 0, 0, "*", 0, NULL, options))) {

615

if((ret = cli_parse_add(root, start, pt, 0, NULL, 0))) {

616

cli_errmsg("Problem parsing signature at line %d\n", line);

566

617

ret = CL_EMALFDB;

567

618

break;

568

619

}

569

sigs++;

570

620

}

571

621

572

if(engine->ignored)

573

free(buffer_cpy);

574

575

622

if(!line) {

576

623

cli_errmsg("Empty database file\n");

624

cl_free(*engine);

577

625

return CL_EMALFDB;

578

626

}

579

627

580

628

if(ret) {

581

629

cli_errmsg("Problem parsing database at line %d\n", line);

582

return ret;

583

}

584

585

if(signo)

586

*signo += sigs;

587

588

return CL_SUCCESS;

589

}

590

591

#define ICO_TOKENS 4

592

static int cli_loadidb(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio)

593

{

594

const char *tokens[ICO_TOKENS + 1];

595

char buffer[FILEBUFF], *buffer_cpy = NULL;

596

uint8_t *hash;

597

int ret = CL_SUCCESS;

598

unsigned int line = 0, sigs = 0, tokens_count, i, size, enginesize;

599

struct icomtr *metric;

600

struct icon_matcher *matcher;

601

602

603

if(!(matcher = (struct icon_matcher *)mpool_calloc(engine->mempool, sizeof(*matcher),1)))

604

return CL_EMEM;

605

606

if(engine->ignored)

607

if(!(buffer_cpy = cli_malloc(FILEBUFF))) {

608

mpool_free(engine->mempool, matcher);

609

return CL_EMEM;

610

}

611

612

while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

613

line++;

614

if(buffer[0] == '#')

615

continue;

616

617

cli_chomp(buffer);

618

if(engine->ignored)

619

strcpy(buffer_cpy, buffer);

620

621

tokens_count = cli_strtokenize(buffer, ':', ICO_TOKENS + 1, tokens);

622

if(tokens_count != ICO_TOKENS) {

623

cli_errmsg("cli_loadidb: Malformed hash at line %u (wrong token count)\n", line);

624

ret = CL_EMALFDB;

625

break;

626

}

627

628

if(strlen(tokens[3]) != 124) {

629

cli_errmsg("cli_loadidb: Malformed hash at line %u (wrong length)\n", line);

630

ret = CL_EMALFDB;

631

break;

632

}

633

634

if(engine->ignored && cli_chkign(engine->ignored, tokens[0], buffer_cpy))

635

continue;

636

637

if(engine->cb_sigload && engine->cb_sigload("idb", tokens[0], engine->cb_sigload_ctx)) {

638

cli_dbgmsg("cli_loadidb: skipping %s due to callback\n", tokens[0]);

639

continue;

640

}

641

642

hash = (uint8_t *)tokens[3];

643

if(cli_hexnibbles((char *)hash, 124)) {

644

cli_errmsg("cli_loadidb: Malformed hash at line %u (bad chars)\n", line);

645

ret = CL_EMALFDB;

646

break;

647

}

648

size = (hash[0] << 4) + hash[1];

649

if(size != 32 && size != 24 && size != 16) {

650

cli_errmsg("cli_loadidb: Malformed hash at line %u (bad size)\n", line);

651

ret = CL_EMALFDB;

652

break;

653

}

654

enginesize = (size >> 3) - 2;

655

hash+=2;

656

657

metric = (struct icomtr *)mpool_realloc(engine->mempool, matcher->icons[enginesize], sizeof(struct icomtr) * (matcher->icon_counts[enginesize] + 1));

658

if(!metric) {

659

ret = CL_EMEM;

660

break;

661

}

662

663

matcher->icons[enginesize] = metric;

664

metric += matcher->icon_counts[enginesize];

665

matcher->icon_counts[enginesize]++;

666

667

for(i=0; i<3; i++) {

668

if((metric->color_avg[i] = (hash[0] << 8) | (hash[1] << 4) | hash[2]) > 4072)

669

break;

670

if((metric->color_x[i] = (hash[3] << 4) | hash[4]) > size - size / 8)

671

break;

672

if((metric->color_y[i] = (hash[5] << 4) | hash[6]) > size - size / 8)

673

break;

674

hash += 7;

675

}

676

if(i!=3) {

677

cli_errmsg("cli_loadidb: Malformed hash at line %u (bad color data)\n", line);

678

ret = CL_EMALFDB;

679

break;

680

}

681

682

for(i=0; i<3; i++) {

683

if((metric->gray_avg[i] = (hash[0] << 8) | (hash[1] << 4) | hash[2]) > 4072)

684

break;

685

if((metric->gray_x[i] = (hash[3] << 4) | hash[4]) > size - size / 8)

686

break;

687

if((metric->gray_y[i] = (hash[5] << 4) | hash[6]) > size - size / 8)

688

break;

689

hash += 7;

690

}

691

if(i!=3) {

692

cli_errmsg("cli_loadidb: Malformed hash at line %u (bad gray data)\n", line);

693

ret = CL_EMALFDB;

694

break;

695

}

696

697

for(i=0; i<3; i++) {

698

metric->bright_avg[i] = (hash[0] << 4) | hash[1];

699

if((metric->bright_x[i] = (hash[2] << 4) | hash[3]) > size - size / 8)

700

break;

701

if((metric->bright_y[i] = (hash[4] << 4) | hash[5]) > size - size / 8)

702

break;

703

hash += 6;

704

}

705

if(i!=3) {

706

cli_errmsg("cli_loadidb: Malformed hash at line %u (bad bright data)\n", line);

707

ret = CL_EMALFDB;

708

break;

709

}

710

711

for(i=0; i<3; i++) {

712

metric->dark_avg[i] = (hash[0] << 4) | hash[1];

713

if((metric->dark_x[i] = (hash[2] << 4) | hash[3]) > size - size / 8)

714

break;

715

if((metric->dark_y[i] = (hash[4] << 4) | hash[5]) > size - size / 8)

716

break;

717

hash += 6;

718

}

719

if(i!=3) {

720

cli_errmsg("cli_loadidb: Malformed hash at line %u (bad dark data)\n", line);

721

ret = CL_EMALFDB;

722

break;

723

}

724

725

for(i=0; i<3; i++) {

726

metric->edge_avg[i] = (hash[0] << 4) | hash[1];

727

if((metric->edge_x[i] = (hash[2] << 4) | hash[3]) > size - size / 8)

728

break;

729

if((metric->edge_y[i] = (hash[4] << 4) | hash[5]) > size - size / 8)

730

break;

731

hash += 6;

732

}

733

if(i!=3) {

734

cli_errmsg("cli_loadidb: Malformed hash at line %u (bad edge data)\n", line);

735

ret = CL_EMALFDB;

736

break;

737

}

738

739

for(i=0; i<3; i++) {

740

metric->noedge_avg[i] = (hash[0] << 4) | hash[1];

741

if((metric->noedge_x[i] = (hash[2] << 4) | hash[3]) > size - size / 8)

742

break;

743

if((metric->noedge_y[i] = (hash[4] << 4) | hash[5]) > size - size / 8)

744

break;

745

hash += 6;

746

}

747

if(i!=3) {

748

cli_errmsg("cli_loadidb: Malformed hash at line %u (bad noedge data)\n", line);

749

ret = CL_EMALFDB;

750

break;

751

}

752

753

metric->rsum = (hash[0] << 4) | hash[1];

754

metric->gsum = (hash[2] << 4) | hash[3];

755

metric->bsum = (hash[4] << 4) | hash[5];

756

metric->ccount = (hash[6] << 4) | hash[7];

757

if(metric->rsum + metric->gsum + metric->bsum > 103 || metric->ccount > 100) {

758

cli_errmsg("cli_loadidb: Malformed hash at line %u (bad spread data)\n", line);

759

ret = CL_EMALFDB;

760

break;

761

}

762

763

if(!(metric->name = cli_mpool_strdup(engine->mempool, tokens[0]))) {

764

ret = CL_EMEM;

765

break;

766

}

767

768

for(i=0; i<matcher->group_counts[0]; i++) {

769

if(!strcmp(tokens[1], matcher->group_names[0][i]))

770

break;

771

}

772

if(i==matcher->group_counts[0]) {

773

if(!(matcher->group_names[0] = mpool_realloc(engine->mempool, matcher->group_names[0], sizeof(char *) * (i + 1))) ||

774

!(matcher->group_names[0][i] = cli_mpool_strdup(engine->mempool, tokens[1]))) {

775

ret = CL_EMEM;

776

break;

777

}

778

matcher->group_counts[0]++;

779

}

780

metric->group[0] = i;

781

782

for(i=0; i<matcher->group_counts[1]; i++) {

783

if(!strcmp(tokens[2], matcher->group_names[1][i]))

784

break;

785

}

786

if(i==matcher->group_counts[1]) {

787

if(!(matcher->group_names[1] = mpool_realloc(engine->mempool, matcher->group_names[1], sizeof(char *) * (i + 1))) ||

788

!(matcher->group_names[1][i] = cli_mpool_strdup(engine->mempool, tokens[2]))) {

789

ret = CL_EMEM;

790

break;

791

}

792

matcher->group_counts[1]++;

793

}

794

metric->group[1] = i;

795

796

if(matcher->group_counts[0] > 256 || matcher->group_counts[1] > 256) {

797

cli_errmsg("cli_loadidb: too many icon groups!\n");

798

ret = CL_EMALFDB;

799

break;

800

}

801

802

sigs++;

803

}

804

if(engine->ignored)

805

free(buffer_cpy);

806

807

if(!line) {

808

cli_errmsg("cli_loadidb: Empty database file\n");

809

return CL_EMALFDB;

810

}

811

812

if(ret) {

813

cli_errmsg("cli_loadidb: Problem parsing database at line %u\n", line);

814

return ret;

815

}

816

817

if(signo)

818

*signo += sigs;

819

820

engine->iconcheck = matcher;

821

return CL_SUCCESS;

822

}

823

824

static int cli_loadwdb(FILE *fs, struct cl_engine *engine, unsigned int options, struct cli_dbio *dbio)

825

{

826

int ret = 0;

827

828

829

if(!(engine->dconf->phishing & PHISHING_CONF_ENGINE))

830

return CL_SUCCESS;

831

832

if(!engine->whitelist_matcher) {

833

if((ret = init_whitelist(engine))) {

834

return ret;

835

}

836

}

837

838

if((ret = load_regex_matcher(engine, engine->whitelist_matcher, fs, NULL, options, 1, dbio, engine->dconf->other&OTHER_CONF_PREFILTERING))) {

839

return ret;

840

}

841

842

return CL_SUCCESS;

843

}

844

845

static int cli_loadpdb(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio)

846

{

847

int ret = 0;

848

849

850

if(!(engine->dconf->phishing & PHISHING_CONF_ENGINE))

851

return CL_SUCCESS;

852

853

if(!engine->domainlist_matcher) {

854

if((ret = init_domainlist(engine))) {

855

return ret;

856

}

857

}

858

859

if((ret = load_regex_matcher(engine, engine->domainlist_matcher, fs, signo, options, 0, dbio, engine->dconf->other&OTHER_CONF_PREFILTERING))) {

860

return ret;

861

}

862

863

return CL_SUCCESS;

864

}

865

866

#define NDB_TOKENS 6

867

static int cli_loadndb(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned short sdb, unsigned int options, struct cli_dbio *dbio, const char *dbname)

868

{

869

const char *tokens[NDB_TOKENS + 1];

870

char buffer[FILEBUFF], *buffer_cpy = NULL;

871

const char *sig, *virname, *offset, *pt;

630

cl_free(*engine);

631

return ret;

632

}

633

634

if(signo)

635

*signo += line;

636

637

return CL_SUCCESS;

638

}

639

640

#ifdef CL_EXPERIMENTAL

641

static int cli_loadwdb(FILE *fd, struct cl_engine **engine, unsigned int options)

642

{

643

int ret = 0;

644

645

646

if((ret = cli_initengine(engine, options))) {

647

cl_free(*engine);

648

return ret;

649

}

650

651

if(!(*engine)->whitelist_matcher) {

652

if((ret = init_whitelist(*engine))) {

653

phishing_done(*engine);

654

cl_free(*engine);

655

return ret;

656

}

657

}

658

659

if((ret = load_regex_matcher((*engine)->whitelist_matcher, fd, options, 1))) {

660

phishing_done(*engine);

661

cl_free(*engine);

662

return ret;

663

}

664

665

return CL_SUCCESS;

666

}

667

668

static int cli_loadpdb(FILE *fd, struct cl_engine **engine, unsigned int options)

669

{

670

int ret = 0;

671

672

673

if((ret = cli_initengine(engine, options))) {

674

cl_free(*engine);

675

return ret;

676

}

677

678

if(!(*engine)->domainlist_matcher) {

679

if((ret = init_domainlist(*engine))) {

680

phishing_done(*engine);

681

cl_free(*engine);

682

return ret;

683

}

684

}

685

686

if((ret = load_regex_matcher((*engine)->domainlist_matcher, fd, options, 0))) {

687

phishing_done(*engine);

688

cl_free(*engine);

689

return ret;

690

}

691

692

return CL_SUCCESS;

693

}

694

#endif

695

696

static int cli_loadndb(FILE *fd, struct cl_engine **engine, unsigned int *signo, unsigned short sdb, unsigned int options)

697

{

698

char buffer[FILEBUFF], *sig, *virname, *offset, *pt;

872

699

struct cli_matcher *root;

873

int line = 0, sigs = 0, ret = 0, tokens_count;

700

int line = 0, sigs = 0, ret = 0;

874

701

unsigned short target;

875

702

unsigned int phish = options & CL_DB_PHISHING;

876

703

877

704

878

if((ret = cli_initroots(engine, options)))

879

return ret;

880

881

if(engine->ignored)

882

if(!(buffer_cpy = cli_malloc(FILEBUFF)))

883

return CL_EMEM;

884

885

while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

705

if((ret = cli_initengine(engine, options))) {

706

cl_free(*engine);

707

return ret;

708

}

709

710

if((ret = cli_initroots(*engine, options))) {

711

cl_free(*engine);

712

return ret;

713

}

714

715

while(fgets(buffer, FILEBUFF, fd)) {

886

716

line++;

887

717

718

if(!strncmp(buffer, "Exploit.JPEG.Comment", 20)) /* temporary */

719

continue;

720

888

721

if(!phish)

889

722

if(!strncmp(buffer, "HTML.Phishing", 13) || !strncmp(buffer, "Email.Phishing", 14))

890

723

continue;

891

724

725

sigs++;

892

726

cli_chomp(buffer);

893

if(engine->ignored)

894

strcpy(buffer_cpy, buffer);

895

727

896

tokens_count = cli_strtokenize(buffer, ':', NDB_TOKENS + 1, tokens);

897

if(tokens_count < 4 || tokens_count > 6) {

728

if(!(virname = cli_strtok(buffer, 0, ":"))) {

898

729

ret = CL_EMALFDB;

899

730

break;

900

731

}

901

732

902

virname = tokens[0];

903

904

if(engine->pua_cats && (options & CL_DB_PUA_MODE) && (options & (CL_DB_PUA_INCLUDE | CL_DB_PUA_EXCLUDE)))

905

if(cli_chkpua(virname, engine->pua_cats, options))

906

continue;

907

908

if(engine->ignored && cli_chkign(engine->ignored, virname, buffer_cpy))

909

continue;

910

911

if(!sdb && engine->cb_sigload && engine->cb_sigload("ndb", virname, engine->cb_sigload_ctx)) {

912

cli_dbgmsg("cli_loadndb: skipping %s due to callback\n", virname);

913

continue;

914

}

915

916

if(tokens_count > 4) { /* min version */

917

pt = tokens[4];

918

919

if(!cli_isnumber(pt)) {

733

if((pt = cli_strtok(buffer, 4, ":"))) { /* min version */

734

if(!isdigit(*pt)) {

735

free(virname);

736

free(pt);

920

737

ret = CL_EMALFDB;

921

738

break;

922

739

}

923

740

924

741

if((unsigned int) atoi(pt) > cl_retflevel()) {

925

742

cli_dbgmsg("Signature for %s not loaded (required f-level: %d)\n", virname, atoi(pt));

743

sigs--;

744

free(virname);

745

free(pt);

926

746

continue;

927

747

}

928

748

929

if(tokens_count == 6) { /* max version */

930

pt = tokens[5];

931

if(!cli_isnumber(pt)) {

749

free(pt);

750

751

if((pt = cli_strtok(buffer, 5, ":"))) { /* max version */

752

if(!isdigit(*pt)) {

753

free(virname);

754

free(pt);

932

755

ret = CL_EMALFDB;

933

756

break;

934

757

}

935

758

936

759

if((unsigned int) atoi(pt) < cl_retflevel()) {

760

sigs--;

761

free(virname);

762

free(pt);

937

763

continue;

938

764

}

765

766

free(pt);

939

767

}

940

768

}

941

769

942

if(!(pt = tokens[1]) || (strcmp(pt, "*") && !cli_isnumber(pt))) {

770

if(!(pt = cli_strtok(buffer, 1, ":")) || !isdigit(*pt)) {

771

free(virname);

772

if(pt)

773

free(pt);

943

774

ret = CL_EMALFDB;

944

775

break;

945

776

}

946

777

target = (unsigned short) atoi(pt);

778

free(pt);

947

779

948

if(target >= CLI_MTARGETS) {

780

if(target >= CL_TARGET_TABLE_SIZE) {

949

781

cli_dbgmsg("Not supported target type in signature for %s\n", virname);

782

sigs--;

783

free(virname);

950

784

continue;

951

785

}

952

786

953

root = engine->root[target];

954

955

offset = tokens[2];

956

sig = tokens[3];

957

958

if((ret = cli_parse_add(root, virname, sig, 0, 0, offset, target, NULL, options))) {

959

ret = CL_EMALFDB;

960

break;

961

}

962

sigs++;

787

root = (*engine)->root[target];

788

789

if(!(offset = cli_strtok(buffer, 2, ":"))) {

790

free(virname);

791

ret = CL_EMALFDB;

792

break;

793

} else if(!strcmp(offset, "*")) {

794

free(offset);

795

offset = NULL;

796

}

797

798

if(!(sig = cli_strtok(buffer, 3, ":"))) {

799

free(virname);

800

free(offset);

801

ret = CL_EMALFDB;

802

break;

803

}

804

805

if((ret = cli_parse_add(root, virname, sig, 0, offset, target))) {

806

cli_errmsg("Problem parsing signature at line %d\n", line);

807

free(virname);

808

free(offset);

809

free(sig);

810

ret = CL_EMALFDB;

811

break;

812

}

813

814

free(virname);

815

free(offset);

816

free(sig);

963

817

}

964

if(engine->ignored)

965

free(buffer_cpy);

966

818

967

819

if(!line) {

968

820

cli_errmsg("Empty database file\n");

821

cl_free(*engine);

969

822

return CL_EMALFDB;

970

823

}

971

824

972

825

if(ret) {

973

826

cli_errmsg("Problem parsing database at line %d\n", line);

827

cl_free(*engine);

974

828

return ret;

975

829

}

976

830

977

831

if(signo)

978

832

*signo += sigs;

979

833

980

if(sdb && sigs && !engine->sdb) {

981

engine->sdb = 1;

834

if(sdb && sigs && !(*engine)->sdb) {

835

(*engine)->sdb = 1;

982

836

cli_dbgmsg("*** Self protection mechanism activated.\n");

983

837

}

984

838

985

839

return CL_SUCCESS;

986

840

}

987

841

988

struct lsig_attrib {

989

const char *name;

990

unsigned int type;

991

void **pt;

992

};

993

994

/* TODO: rework this */

995

static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)

996

{

997

struct lsig_attrib attrtab[] = {

998

#define ATTRIB_TOKENS 9

999

{ "Target", CLI_TDB_UINT, (void **) &tdb->target },

1000

{ "Engine", CLI_TDB_RANGE, (void **) &tdb->engine },

1001

1002

{ "FileSize", CLI_TDB_RANGE, (void **) &tdb->filesize },

1003

{ "EntryPoint", CLI_TDB_RANGE, (void **) &tdb->ep },

1004

{ "NumberOfSections", CLI_TDB_RANGE, (void **) &tdb->nos },

1005

1006

{ "IconGroup1", CLI_TDB_STR, (void **) &tdb->icongrp1 },

1007

{ "IconGroup2", CLI_TDB_STR, (void **) &tdb->icongrp2 },

1008

1009

{ "Container", CLI_TDB_FTYPE, (void **) &tdb->container },

1010

{ "HandlerType", CLI_TDB_FTYPE, (void **) &tdb->handlertype },

1011

1012

{ "SectOff", CLI_TDB_RANGE2, (void **) &tdb->sectoff },

1013

{ "SectRVA", CLI_TDB_RANGE2, (void **) &tdb->sectrva },

1014

{ "SectVSZ", CLI_TDB_RANGE2, (void **) &tdb->sectvsz },

1015

{ "SectRAW", CLI_TDB_RANGE2, (void **) &tdb->sectraw },

1016

{ "SectRSZ", CLI_TDB_RANGE2, (void **) &tdb->sectrsz },

1017

{ "SectURVA", CLI_TDB_RANGE2, (void **) &tdb->secturva },

1018

{ "SectUVSZ", CLI_TDB_RANGE2, (void **) &tdb->sectuvsz },

1019

{ "SectURAW", CLI_TDB_RANGE2, (void **) &tdb->secturaw },

1020

{ "SectURSZ", CLI_TDB_RANGE2, (void **) &tdb->sectursz },

1021

1022

{ NULL, 0, NULL, }

1023

};

1024

struct lsig_attrib *apt;

1025

char *tokens[ATTRIB_TOKENS], *pt, *pt2;

1026

unsigned int v1, v2, v3, i, j, tokens_count, have_newext = 0;

1027

uint32_t cnt, off[ATTRIB_TOKENS];

1028

1029

1030

tokens_count = cli_strtokenize(attribs, ',', ATTRIB_TOKENS, (const char **) tokens);

1031

1032

for(i = 0; i < tokens_count; i++) {

1033

if(!(pt = strchr(tokens[i], ':'))) {

1034

cli_errmsg("lsigattribs: Incorrect format of attribute '%s'\n", tokens[i]);

1035

return -1;

1036

}

1037

*pt++ = 0;

1038

1039

apt = NULL;

1040

for(j = 0; attrtab[j].name; j++) {

1041

if(!strcmp(attrtab[j].name, tokens[i])) {

1042

apt = &attrtab[j];

1043

break;

1044

}

1045

}

1046

1047

if(!apt) {

1048

cli_dbgmsg("lsigattribs: Unknown attribute name '%s'\n", tokens[i]);

1049

return 1;

1050

}

1051

1052

if(!strcmp(apt->name, "Engine")) {

1053

if(i) {

1054

cli_errmsg("lsigattribs: For backward compatibility the Engine attribute must be on the first position\n");

1055

return -1;

1056

}

1057

} else if(strcmp(apt->name, "Target"))

1058

have_newext = 1;

1059

1060

switch(apt->type) {

1061

case CLI_TDB_UINT:

1062

if(!cli_isnumber(pt)) {

1063

cli_errmsg("lsigattribs: Invalid argument for %s\n", tokens[i]);

1064

return -1;

1065

}

1066

off[i] = cnt = tdb->cnt[CLI_TDB_UINT]++;

1067

tdb->val = (uint32_t *) mpool_realloc2(tdb->mempool, tdb->val, tdb->cnt[CLI_TDB_UINT] * sizeof(uint32_t));

1068

if(!tdb->val) {

1069

tdb->cnt[CLI_TDB_UINT] = 0;

1070

return -1;

1071

}

1072

tdb->val[cnt] = atoi(pt);

1073

break;

1074

1075

case CLI_TDB_FTYPE:

1076

if((v1 = cli_ftcode(pt)) == CL_TYPE_ERROR) {

1077

cli_dbgmsg("lsigattribs: Unknown file type in %s\n", tokens[i]);

1078

return 1; /* skip */

1079

}

1080

off[i] = cnt = tdb->cnt[CLI_TDB_UINT]++;

1081

tdb->val = (uint32_t *) mpool_realloc2(tdb->mempool, tdb->val, tdb->cnt[CLI_TDB_UINT] * sizeof(uint32_t));

1082

if(!tdb->val) {

1083

tdb->cnt[CLI_TDB_UINT] = 0;

1084

return -1;

1085

}

1086

tdb->val[cnt] = v1;

1087

break;

1088

1089

case CLI_TDB_RANGE:

1090

if(!(pt2 = strchr(pt, '-'))) {

1091

cli_errmsg("lsigattribs: Incorrect parameters in '%s'\n", tokens[i]);

1092

return -1;

1093

}

1094

*pt2++ = 0;

1095

off[i] = cnt = tdb->cnt[CLI_TDB_RANGE];

1096

tdb->cnt[CLI_TDB_RANGE] += 2;

1097

tdb->range = (uint32_t *) mpool_realloc2(tdb->mempool, tdb->range, tdb->cnt[CLI_TDB_RANGE] * sizeof(uint32_t));

1098

if(!tdb->range) {

1099

tdb->cnt[CLI_TDB_RANGE] = 0;

1100

return -1;

1101

}

1102

if(!cli_isnumber(pt) || !cli_isnumber(pt2)) {

1103

cli_errmsg("lsigattribs: Invalid argument for %s\n", tokens[i]);

1104

return -1;

1105

}

1106

tdb->range[cnt] = atoi(pt);

1107

tdb->range[cnt + 1] = atoi(pt2);

1108

break;

1109

1110

case CLI_TDB_RANGE2:

1111

if(!strchr(pt, '-') || !strchr(pt, '.')) {

1112

cli_errmsg("lsigattribs: Incorrect parameters in '%s'\n", tokens[i]);

1113

return -1;

1114

}

1115

off[i] = cnt = tdb->cnt[CLI_TDB_RANGE];

1116

tdb->cnt[CLI_TDB_RANGE] += 3;

1117

tdb->range = (uint32_t *) mpool_realloc2(tdb->mempool, tdb->range, tdb->cnt[CLI_TDB_RANGE] * sizeof(uint32_t));

1118

if(!tdb->range) {

1119

tdb->cnt[CLI_TDB_RANGE] = 0;

1120

return -1;

1121

}

1122

if(sscanf(pt, "%u.%u-%u", &v1, &v2, &v3) != 3) {

1123

cli_errmsg("lsigattribs: Can't parse parameters in '%s'\n", tokens[i]);

1124

return -1;

1125

}

1126

tdb->range[cnt] = (uint32_t) v1;

1127

tdb->range[cnt + 1] = (uint32_t) v2;

1128

tdb->range[cnt + 2] = (uint32_t) v3;

1129

break;

1130

1131

case CLI_TDB_STR:

1132

off[i] = cnt = tdb->cnt[CLI_TDB_STR];

1133

tdb->cnt[CLI_TDB_STR] += strlen(pt) + 1;

1134

tdb->str = (char *) mpool_realloc2(tdb->mempool, tdb->str, tdb->cnt[CLI_TDB_STR] * sizeof(char));

1135

if(!tdb->str) {

1136

cli_errmsg("lsigattribs: Can't allocate memory for tdb->str\n");

1137

return -1;

1138

}

1139

memcpy(&tdb->str[cnt], pt, strlen(pt));

1140

tdb->str[tdb->cnt[CLI_TDB_STR] - 1] = 0;

1141

break;

1142

}

1143

}

1144

1145

if(!i) {

1146

cli_errmsg("lsigattribs: Empty TDB\n");

1147

return -1;

1148

}

1149

1150

for(i = 0; i < tokens_count; i++) {

1151

for(j = 0; attrtab[j].name; j++) {

1152

if(!strcmp(attrtab[j].name, tokens[i])) {

1153

apt = &attrtab[j];

1154

break;

1155

}

1156

}

1157

if(!apt)

1158

continue;

1159

switch(apt->type) {

1160

case CLI_TDB_UINT:

1161

case CLI_TDB_FTYPE:

1162

*apt->pt = (uint32_t *) &tdb->val[off[i]];

1163

break;

1164

1165

case CLI_TDB_RANGE:

1166

case CLI_TDB_RANGE2:

1167

*apt->pt = (uint32_t *) &tdb->range[off[i]];

1168

break;

1169

1170

case CLI_TDB_STR:

1171

*apt->pt = (char *) &tdb->str[off[i]];

1172

break;

1173

}

1174

}

1175

1176

if(have_newext && (!tdb->engine || tdb->engine[0] < 51)) {

1177

cli_errmsg("lsigattribs: For backward compatibility all signatures using new attributes must have the Engine attribute present and set to min_level of at least 51 (0.96)\n");

1178

return -1;

1179

}

1180

return 0;

1181

}

1182

1183

#define FREE_TDB(x) do { \

1184

if(x.cnt[CLI_TDB_UINT]) \

1185

mpool_free(x.mempool, x.val); \

1186

if(x.cnt[CLI_TDB_RANGE]) \

1187

mpool_free(x.mempool, x.range); \

1188

if(x.cnt[CLI_TDB_STR]) \

1189

mpool_free(x.mempool, x.str); \

1190

if(x.macro_ptids)\

1191

mpool_free(x.mempool, x.macro_ptids);\

1192

} while(0);

1193

1194

#define LDB_TOKENS 67

1195

static int load_oneldb(char *buffer, int chkpua, int chkign, struct cl_engine *engine, unsigned int options, const char *dbname, unsigned int line, unsigned int *sigs, unsigned bc_idx, const char *buffer_cpy)

1196

{

1197

const char *sig, *virname, *offset, *logic;

1198

struct cli_ac_lsig **newtable, *lsig;

1199

char *tokens[LDB_TOKENS+1], *pt;

1200

int i, subsigs, tokens_count;

1201

unsigned short target = 0;

1202

struct cli_matcher *root;

1203

struct cli_lsig_tdb tdb;

1204

uint32_t lsigid[2];

1205

int ret;

1206

1207

tokens_count = cli_strtokenize(buffer, ';', LDB_TOKENS + 1, (const char **) tokens);

1208

if(tokens_count < 4) {

1209

return CL_EMALFDB;

1210

}

1211

virname = tokens[0];

1212

logic = tokens[2];

1213

1214

if (chkpua && cli_chkpua(virname, engine->pua_cats, options))

1215

return CL_SUCCESS;

1216

1217

if (chkign && cli_chkign(engine->ignored, virname, buffer_cpy))

1218

return CL_SUCCESS;

1219

1220

if(engine->cb_sigload && engine->cb_sigload("ldb", virname, engine->cb_sigload_ctx)) {

1221

cli_dbgmsg("cli_loadldb: skipping %s due to callback\n", virname);

1222

(*sigs)--;

1223

return CL_SUCCESS;

1224

}

1225

1226

subsigs = cli_ac_chklsig(logic, logic + strlen(logic), NULL, NULL, NULL, 1);

1227

if(subsigs == -1) {

1228

return CL_EMALFDB;

1229

}

1230

subsigs++;

1231

if(subsigs > 64) {

1232

cli_errmsg("cli_loadldb: Broken logical expression or too many subsignatures\n");

1233

return CL_EMALFDB;

1234

}

1235

if (!line) {

1236

/* This is a logical signature from the bytecode, we need all

1237

* subsignatures, even if not referenced from the logical expression */

1238

if (subsigs > tokens_count-3) {

1239

cli_errmsg("load_oneldb: Too many subsignatures: %u (max %u)\n",

1240

subsigs, tokens_count-3);

1241

return CL_EMALFDB;

1242

}

1243

subsigs = tokens_count-3;

1244

} else if(subsigs != tokens_count - 3) {

1245

cli_errmsg("cli_loadldb: The number of subsignatures (== %u) doesn't match the IDs in the logical expression (== %u)\n", tokens_count - 3, subsigs);

1246

return CL_EMALFDB;

1247

}

1248

1249

/* TDB */

1250

memset(&tdb, 0, sizeof(tdb));

1251

#ifdef USE_MPOOL

1252

tdb.mempool = engine->mempool;

1253

#endif

1254

if((ret = lsigattribs(tokens[1], &tdb))) {

1255

FREE_TDB(tdb);

1256

if(ret == 1) {

1257

cli_dbgmsg("cli_loadldb: Not supported attribute(s) in logical signature for %s, skipping\n", virname);

1258

(*sigs)--;

1259

return CL_SUCCESS;

1260

}

1261

return CL_EMALFDB;

1262

}

1263

1264

if(tdb.engine) {

1265

if(tdb.engine[0] > cl_retflevel()) {

1266

cli_dbgmsg("cli_loadldb: Signature for %s not loaded (required f-level: %u)\n", virname, tdb.engine[0]);

1267

FREE_TDB(tdb);

1268

(*sigs)--;

1269

return CL_SUCCESS;

1270

} else if(tdb.engine[1] < cl_retflevel()) {

1271

FREE_TDB(tdb);

1272

(*sigs)--;

1273

return CL_SUCCESS;

1274

}

1275

}

1276

1277

if(!tdb.target) {

1278

cli_errmsg("cli_loadldb: No target specified in TDB\n");

1279

FREE_TDB(tdb);

1280

return CL_EMALFDB;

1281

} else if(tdb.target[0] >= CLI_MTARGETS) {

1282

cli_dbgmsg("cli_loadldb: Not supported target type in logical signature for %s, skipping\n", virname);

1283

FREE_TDB(tdb);

1284

(*sigs)--;

1285

return CL_SUCCESS;

1286

}

1287

1288

if((tdb.icongrp1 || tdb.icongrp2) && tdb.target[0] != 1) {

1289

cli_errmsg("cli_loadldb: IconGroup is only supported in PE (target 1) signatures\n");

1290

FREE_TDB(tdb);

1291

return CL_EMALFDB;

1292

}

1293

1294

if((tdb.ep || tdb.nos) && tdb.target[0] != 1 && tdb.target[0] != 6 && tdb.target[0] != 9) {

1295

cli_errmsg("cli_loadldb: EntryPoint/NumberOfSections is only supported in PE/ELF/Mach-O signatures\n");

1296

FREE_TDB(tdb);

1297

return CL_EMALFDB;

1298

}

1299

1300

root = engine->root[tdb.target[0]];

1301

1302

lsig = (struct cli_ac_lsig *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_ac_lsig));

1303

if(!lsig) {

1304

cli_errmsg("cli_loadldb: Can't allocate memory for lsig\n");

1305

FREE_TDB(tdb);

1306

return CL_EMEM;

1307

}

1308

1309

lsig->logic = cli_mpool_strdup(engine->mempool, logic);

1310

if(!lsig->logic) {

1311

cli_errmsg("cli_loadldb: Can't allocate memory for lsig->logic\n");

1312

FREE_TDB(tdb);

1313

mpool_free(engine->mempool, lsig);

1314

return CL_EMEM;

1315

}

1316

1317

lsigid[0] = lsig->id = root->ac_lsigs;

1318

1319

root->ac_lsigs++;

1320

newtable = (struct cli_ac_lsig **) mpool_realloc(engine->mempool, root->ac_lsigtable, root->ac_lsigs * sizeof(struct cli_ac_lsig *));

1321

if(!newtable) {

1322

root->ac_lsigs--;

1323

cli_errmsg("cli_loadldb: Can't realloc root->ac_lsigtable\n");

1324

FREE_TDB(tdb);

1325

mpool_free(engine->mempool, lsig);

1326

return CL_EMEM;

1327

}

1328

/* 0 marks no bc, we can't use a pointer to bc, since that is

1329

* realloced/moved during load */

1330

lsig->bc_idx = bc_idx;

1331

newtable[root->ac_lsigs - 1] = lsig;

1332

root->ac_lsigtable = newtable;

1333

tdb.subsigs = subsigs;

1334

1335

for(i = 0; i < subsigs; i++) {

1336

lsigid[1] = i;

1337

sig = tokens[3 + i];

1338

1339

if((pt = strchr(tokens[3 + i], ':'))) {

1340

*pt = 0;

1341

sig = ++pt;

1342

offset = tokens[3 + i];

1343

} else {

1344

offset = "*";

1345

sig = tokens[3 + i];

1346

}

1347

1348

if((ret = cli_parse_add(root, virname, sig, 0, 0, offset, target, lsigid, options)))

1349

return ret;

1350

if(sig[0] == '$' && i) {

1351

/* allow mapping from lsig back to pattern for macros */

1352

if (!tdb.macro_ptids)

1353

tdb.macro_ptids = mpool_calloc(root->mempool, subsigs, sizeof(*tdb.macro_ptids));

1354

if (!tdb.macro_ptids)

1355

return CL_EMEM;

1356

tdb.macro_ptids[i-1] = root->ac_patterns-1;

1357

}

1358

}

1359

memcpy(&lsig->tdb, &tdb, sizeof(tdb));

1360

return CL_SUCCESS;

1361

}

1362

1363

static int cli_loadldb(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio, const char *dbname)

1364

{

1365

char buffer[CLI_DEFAULT_LSIG_BUFSIZE + 1], *buffer_cpy = NULL;

1366

unsigned int line = 0, sigs = 0;

1367

int ret;

1368

1369

1370

if((ret = cli_initroots(engine, options)))

842

static int cli_loadhdb(FILE *fd, struct cl_engine **engine, unsigned int *signo, unsigned short mode, unsigned int options)

843

{

844

char buffer[FILEBUFF], *pt;

845

int line = 0, ret = 0;

846

unsigned int md5f = 0, sizef = 1;

847

struct cli_md5_node *new, *mpt, *last;

848

849

850

if((ret = cli_initengine(engine, options))) {

851

cl_free(*engine);

1371

852

return ret;

1372

1373

if(engine->ignored)

1374

if(!(buffer_cpy = cli_malloc(sizeof(buffer))))

1375

return CL_EMEM;

1376

while(cli_dbgets(buffer, sizeof(buffer), fs, dbio)) {

853

}

854

855

if(mode == 2) {

856

md5f = 1;

857

sizef = 0;

858

}

859

860

while(fgets(buffer, FILEBUFF, fd)) {

1377

861

line++;

1378

sigs++;

1379

862

cli_chomp(buffer);

1380

863

1381

if(engine->ignored)

1382

strcpy(buffer_cpy, buffer);

1383

ret = load_oneldb(buffer,

1384

engine->pua_cats && (options & CL_DB_PUA_MODE) && (options & (CL_DB_PUA_INCLUDE | CL_DB_PUA_EXCLUDE)),

1385

!!engine->ignored,

1386

engine, options, dbname, line, &sigs, 0, buffer_cpy);

1387

if (ret)

1388

break;

1389

}

1390

if(engine->ignored)

1391

free(buffer_cpy);

1392

1393

if(!line) {

1394

cli_errmsg("Empty database file\n");

1395

return CL_EMALFDB;

1396

}

1397

1398

if(ret) {

1399

cli_errmsg("Problem parsing database at line %u\n", line);

1400

return ret;

1401

}

1402

1403

if(signo)

1404

*signo += sigs;

1405

1406

return CL_SUCCESS;

1407

}

1408

1409

static int cli_loadcbc(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio, const char *dbname)

1410

{

1411

char buf[4096];

1412

int rc;

1413

struct cli_all_bc *bcs = &engine->bcs;

1414

struct cli_bc *bc;

1415

unsigned sigs = 0;

1416

unsigned security_trust = 0;

1417

unsigned i;

1418

1419

1420

/* TODO: virusname have a common prefix, and whitelist by that */

1421

if((rc = cli_initroots(engine, options)))

1422

return rc;

1423

1424

if(!(engine->dconf->bytecode & BYTECODE_ENGINE_MASK)) {

1425

return CL_SUCCESS;

1426

}

1427

1428

if(engine->cb_sigload && engine->cb_sigload("cbc", dbname, engine->cb_sigload_ctx)) {

1429

cli_dbgmsg("cli_loadcbc: skipping %s due to callback\n", dbname);

1430

return CL_SUCCESS;

1431

}

1432

1433

#ifndef CL_BCUNSIGNED

1434

if (!(options & CL_DB_SIGNED)) {

1435

cli_warnmsg("Only loading signed bytecode, skipping load of unsigned bytecode!\n");

1436

cli_warnmsg("Build with ./configure --enable-unsigned-bytecode to enable loading of unsigned bytecode\n");

1437

return CL_SUCCESS;

1438

}

1439

#endif

1440

bcs->all_bcs = cli_realloc2(bcs->all_bcs, sizeof(*bcs->all_bcs)*(bcs->count+1));

1441

if (!bcs->all_bcs) {

1442

cli_errmsg("cli_loadcbc: Can't allocate memory for bytecode entry\n");

1443

return CL_EMEM;

1444

}

1445

bcs->count++;

1446

bc = &bcs->all_bcs[bcs->count-1];

1447

1448

switch (engine->bytecode_security) {

1449

case CL_BYTECODE_TRUST_ALL:

1450

security_trust = 1;

1451

cli_dbgmsg("bytecode: trusting all bytecode!\n");

1452

break;

1453

case CL_BYTECODE_TRUST_SIGNED:

1454

security_trust = !!(options & CL_DB_SIGNED);

1455

break;

1456

default:

1457

security_trust = 0;

1458

}

1459

1460

rc = cli_bytecode_load(bc, fs, dbio, security_trust);

1461

/* read remainder of DB, needed because cvd.c checks that we read the entire

1462

* file */

1463

while (cli_dbgets(buf, sizeof(buf), fs, dbio)) {}

1464

1465

if (rc != CL_SUCCESS) {

1466

cli_bytecode_destroy(bc);

1467

cli_errmsg("Unable to load %s bytecode: %s\n", dbname, cl_strerror(rc));

1468

return rc;

1469

}

1470

if (bc->state == bc_skip) {

1471

cli_bytecode_destroy(bc);

1472

bcs->count--;

1473

return CL_SUCCESS;

1474

}

1475

bc->id = bcs->count;/* must set after _load, since load zeroes */

1476

if (engine->bytecode_mode == CL_BYTECODE_MODE_TEST)

1477

cli_infomsg(NULL, "bytecode %u -> %s\n", bc->id, dbname);

1478

sigs++;

1479

if (bc->kind == BC_LOGICAL || bc->lsig) {

1480

unsigned oldsigs = sigs;

1481

if (!bc->lsig) {

1482

cli_errmsg("Bytecode %s has logical kind, but missing logical signature!\n", dbname);

1483

return CL_EMALFDB;

1484

}

1485

cli_dbgmsg("Bytecode %s(%u) has logical signature: %s\n", dbname, bc->id, bc->lsig);

1486

rc = load_oneldb(bc->lsig, 0, 0, engine, options, dbname, 0, &sigs, bcs->count, NULL);

1487

if (rc != CL_SUCCESS) {

1488

cli_errmsg("Problem parsing logical signature %s for bytecode %s: %s\n",

1489

bc->lsig, dbname, cl_strerror(rc));

1490

return rc;

1491

}

1492

if (sigs != oldsigs) {

1493

/* compiler ensures Engine field in lsig matches the one in bytecode,

1494

* so this should never happen. */

1495

cli_errmsg("Bytecode logical signature skipped, but bytecode itself not?");

1496

return CL_EMALFDB;

1497

}

1498

}

1499

if (bc->kind != BC_LOGICAL) {

1500

if (bc->lsig) {

1501

/* runlsig will only flip a status bit, not report a match,

1502

* when the hooks are executed we only execute the hook if its

1503

* status bit is on */

1504

bc->hook_lsig_id = ++engine->hook_lsig_ids;

1505

}

1506

if (bc->kind >= _BC_START_HOOKS && bc->kind < _BC_LAST_HOOK) {

1507

unsigned hook = bc->kind - _BC_START_HOOKS;

1508

unsigned cnt = ++engine->hooks_cnt[hook];

1509

engine->hooks[hook] = cli_realloc2(engine->hooks[hook],

1510

sizeof(*engine->hooks[0])*cnt);

1511

if (!engine->hooks[hook]) {

1512

cli_errmsg("Out of memory allocating memory for hook %u", hook);

1513

return CL_EMEM;

1514

}

1515

engine->hooks[hook][cnt-1] = bcs->count-1;

1516

} else switch (bc->kind) {

1517

case BC_STARTUP:

1518

for (i=0;i<bcs->count-1;i++)

1519

if (bcs->all_bcs[i].kind == BC_STARTUP) {

1520

struct cli_bc *bc0 = &bcs->all_bcs[i];

1521

cli_errmsg("Can only load 1 BC_STARTUP bytecode, attempted to load 2nd!\n");

1522

cli_warnmsg("Previous BC_STARTUP: %d %d by %s\n",

1523

bc0->id, (uint32_t)bc0->metadata.timestamp,

1524

bc0->metadata.sigmaker ? bc0->metadata.sigmaker : "N/A");

1525

cli_warnmsg("Conflicting BC_STARTUP: %d %d by %s\n",

1526

bc->id, (uint32_t)bc->metadata.timestamp,

1527

bc->metadata.sigmaker ? bc->metadata.sigmaker : "N/A");

1528

return CL_EMALFDB;

864

new = (struct cli_md5_node *) cli_calloc(1, sizeof(struct cli_md5_node));

865

if(!new) {

866

ret = CL_EMEM;

867

break;

868

}

869

870

if(mode == 1) /* fp */

871

new->fp = 1;

872

873

if(!(pt = cli_strtok(buffer, md5f, ":"))) {

874

free(new);

875

ret = CL_EMALFDB;

876

break;

877

}

878

879

if(!(new->md5 = (unsigned char *) cli_hex2str(pt))) {

880

cli_errmsg("Malformed MD5 string at line %d\n", line);

881

free(pt);

882

free(new);

883

ret = CL_EMALFDB;

884

break;

885

}

886

free(pt);

887

888

if(!(pt = cli_strtok(buffer, sizef, ":"))) {

889

free(new->md5);

890

free(new);

891

ret = CL_EMALFDB;

892

break;

893

}

894

new->size = atoi(pt);

895

free(pt);

896

897

if(!(new->virname = cli_strtok(buffer, 2, ":"))) {

898

free(new->md5);

899

free(new);

900

ret = CL_EMALFDB;

901

break;

902

}

903

904

new->viralias = cli_strtok(buffer, 3, ":"); /* aliases are optional */

905

906

if(mode == 2) { /* section MD5 */

907

if(!(*engine)->md5_sect) {

908

(*engine)->md5_sect = new;

909

} else {

910

if(new->size <= (*engine)->md5_sect->size) {

911

new->next = (*engine)->md5_sect;

912

(*engine)->md5_sect = new;

913

} else {

914

mpt = (*engine)->md5_sect;

915

while(mpt) {

916

last = mpt;

917

if(!mpt->next || new->size <= mpt->next->size)

918

break;

919

mpt = mpt->next;

1529

920

}

1530

break;

1531

default:

1532

cli_errmsg("Bytecode: unhandled bytecode kind %u\n", bc->kind);

1533

return CL_EMALFDB;

1534

}

1535

}

1536

if (signo)

1537

*signo += sigs;

1538

return CL_SUCCESS;

1539

}

1540

1541

#define FTM_TOKENS 8

1542

static int cli_loadftm(FILE *fs, struct cl_engine *engine, unsigned int options, unsigned int internal, struct cli_dbio *dbio)

1543

{

1544

const char *tokens[FTM_TOKENS + 1], *pt;

1545

char buffer[FILEBUFF];

1546

unsigned int line = 0, sigs = 0, tokens_count;

1547

struct cli_ftype *new;

1548

cli_file_t rtype, type;

1549

int ret;

1550

1551

1552

if((ret = cli_initroots(engine, options)))

1553

return ret;

1554

1555

while(1) {

1556

if(internal) {

1557

options |= CL_DB_OFFICIAL;

1558

if(!ftypes_int[line])

1559

break;

1560

strncpy(buffer, ftypes_int[line], sizeof(buffer));

1561

buffer[sizeof(buffer)-1]='\0';

1562

} else {

1563

if(!cli_dbgets(buffer, FILEBUFF, fs, dbio))

1564

break;

1565

cli_chomp(buffer);

1566

}

1567

line++;

1568

tokens_count = cli_strtokenize(buffer, ':', FTM_TOKENS + 1, tokens);

1569

1570

if(tokens_count < 6 || tokens_count > 8) {

1571

ret = CL_EMALFDB;

1572

break;

1573

}

1574

1575

if(tokens_count > 6) { /* min version */

1576

pt = tokens[6];

1577

if(!cli_isnumber(pt)) {

1578

ret = CL_EMALFDB;

1579

break;

1580

}

1581

if((unsigned int) atoi(pt) > cl_retflevel()) {

1582

cli_dbgmsg("cli_loadftm: File type signature for %s not loaded (required f-level: %u)\n", tokens[3], atoi(pt));

1583

continue;

1584

}

1585

if(tokens_count == 8) { /* max version */

1586

pt = tokens[7];

1587

if(!cli_isnumber(pt)) {

1588

ret = CL_EMALFDB;

1589

break;

1590

}

1591

if((unsigned int) atoi(pt) < cl_retflevel())

1592

continue;

1593

}

1594

}

1595

1596

rtype = cli_ftcode(tokens[4]);

1597

type = cli_ftcode(tokens[5]);

1598

if(rtype == CL_TYPE_ERROR || type == CL_TYPE_ERROR) {

1599

ret = CL_EMALFDB;

1600

break;

1601

}

1602

1603

if(!cli_isnumber(tokens[0])) {

1604

cli_errmsg("cli_loadftm: Invalid value for the first field\n");

1605

ret = CL_EMALFDB;

1606

break;

1607

}

1608

1609

if(atoi(tokens[0]) == 1) { /* A-C */

1610

if((ret = cli_parse_add(engine->root[0], tokens[3], tokens[2], rtype, type, tokens[1], 0, NULL, options)))

1611

break;

1612

1613

} else if(atoi(tokens[0]) == 0) { /* memcmp() */

1614

if(!cli_isnumber(tokens[1])) {

1615

cli_errmsg("cli_loadftm: Invalid offset\n");

1616

ret = CL_EMALFDB;

1617

break;

1618

}

1619

new = (struct cli_ftype *) mpool_malloc(engine->mempool, sizeof(struct cli_ftype));

1620

if(!new) {

1621

ret = CL_EMEM;

1622

break;

1623

}

1624

new->type = type;

1625

new->offset = atoi(tokens[1]);

1626

new->magic = (unsigned char *) cli_mpool_hex2str(engine->mempool, tokens[2]);

1627

if(!new->magic) {

1628

cli_errmsg("cli_loadftm: Can't decode the hex string\n");

1629

ret = CL_EMALFDB;

1630

mpool_free(engine->mempool, new);

1631

break;

1632

}

1633

new->length = strlen(tokens[2]) / 2;

1634

new->tname = cli_mpool_strdup(engine->mempool, tokens[3]);

1635

if(!new->tname) {

1636

mpool_free(engine->mempool, new->magic);

1637

mpool_free(engine->mempool, new);

1638

ret = CL_EMEM;

1639

break;

1640

}

1641

new->next = engine->ftypes;

1642

engine->ftypes = new;

1643

1644

} else {

1645

cli_dbgmsg("cli_loadftm: Unsupported mode %u\n", atoi(tokens[0]));

1646

continue;

1647

}

1648

sigs++;

1649

}

1650

1651

if(ret) {

1652

cli_errmsg("Problem parsing %s filetype database at line %u\n", internal ? "built-in" : "external", line);

1653

return ret;

1654

}

1655

1656

if(!sigs) {

1657

cli_errmsg("Empty %s filetype database\n", internal ? "built-in" : "external");

1658

return CL_EMALFDB;

1659

}

1660

1661

cli_dbgmsg("Loaded %u filetype definitions\n", sigs);

1662

return CL_SUCCESS;

1663

}

1664

1665

#define INFO_NSTR "11088894983048545473659556106627194923928941791795047620591658697413581043322715912172496806525381055880964520618400224333320534660299233983755341740679502866829909679955734391392668378361221524205396631090105151641270857277080310734320951653700508941717419168723942507890702904702707587451621691050754307850383399865346487203798464178537392211402786481359824461197231102895415093770394216666324484593935762408468516826633192140826667923494822045805347809932848454845886971706424360558667862775876072059437703365380209101697738577515476935085469455279994113145977994084618328482151013142393373316337519977244732747977"

1666

#define INFO_ESTR "100002049"

1667

#define INFO_TOKENS 3

1668

static int cli_loadinfo(FILE *fs, struct cl_engine *engine, unsigned int options, struct cli_dbio *dbio)

1669

{

1670

const char *tokens[INFO_TOKENS + 1];

1671

char buffer[FILEBUFF];

1672

unsigned int line = 0, tokens_count, len;

1673

unsigned char hash[32];

1674

struct cli_dbinfo *last = NULL, *new;

1675

int ret = CL_SUCCESS, dsig = 0;

1676

SHA256_CTX ctx;

1677

1678

1679

if(!dbio) {

1680

cli_errmsg("cli_loadinfo: .info files can only be loaded from within database container files\n");

1681

return CL_EMALFDB;

1682

}

1683

sha256_init(&ctx);

1684

while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

1685

line++;

1686

if(!strncmp(buffer, "DSIG:", 5)) {

1687

dsig = 1;

1688

sha256_final(&ctx, hash);

1689

if(cli_versig2(hash, buffer + 5, INFO_NSTR, INFO_ESTR) != CL_SUCCESS) {

1690

cli_errmsg("cli_loadinfo: Incorrect digital signature\n");

1691

ret = CL_EMALFDB;

1692

}

1693

break;

1694

}

1695

len = strlen(buffer);

1696

if(dbio->usebuf && buffer[len - 1] != '\n' && len + 1 < FILEBUFF) {

1697

/* cli_dbgets in buffered mode strips \n */

1698

buffer[len] = '\n';

1699

buffer[len + 1] = 0;

1700

}

1701

sha256_update(&ctx, buffer, strlen(buffer));

1702

cli_chomp(buffer);

1703

if(!strncmp("ClamAV-VDB:", buffer, 11)) {

1704

if(engine->dbinfo) { /* shouldn't be initialized at this point */

1705

cli_errmsg("cli_loadinfo: engine->dbinfo already initialized\n");

1706

ret = CL_EMALFDB;

1707

break;

1708

}

1709

last = engine->dbinfo = (struct cli_dbinfo *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_bm_patt));

1710

if(!engine->dbinfo) {

1711

ret = CL_EMEM;

1712

break;

1713

}

1714

engine->dbinfo->cvd = cl_cvdparse(buffer);

1715

if(!engine->dbinfo->cvd) {

1716

cli_errmsg("cli_loadinfo: Can't parse header entry\n");

1717

ret = CL_EMALFDB;

1718

break;

1719

}

1720

continue;

1721

}

1722

1723

if(!last) {

1724

cli_errmsg("cli_loadinfo: Incorrect file format\n");

1725

ret = CL_EMALFDB;

1726

break;

1727

}

1728

tokens_count = cli_strtokenize(buffer, ':', INFO_TOKENS + 1, tokens);

1729

if(tokens_count != INFO_TOKENS) {

1730

ret = CL_EMALFDB;

1731

break;

1732

}

1733

new = (struct cli_dbinfo *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_dbinfo));

1734

if(!new) {

1735

ret = CL_EMEM;

1736

break;

1737

}

1738

new->name = cli_mpool_strdup(engine->mempool, tokens[0]);

1739

if(!new->name) {

1740

mpool_free(engine->mempool, new);

1741

ret = CL_EMEM;

1742

break;

1743

}

1744

1745

if(!cli_isnumber(tokens[1])) {

1746

cli_errmsg("cli_loadinfo: Invalid value in the size field\n");

1747

mpool_free(engine->mempool, new->name);

1748

mpool_free(engine->mempool, new);

1749

ret = CL_EMALFDB;

1750

break;

1751

}

1752

new->size = atoi(tokens[1]);

1753

1754

if(strlen(tokens[2]) != 64 || !(new->hash = cli_mpool_hex2str(engine->mempool, tokens[2]))) {

1755

cli_errmsg("cli_loadinfo: Malformed SHA256 string at line %u\n", line);

1756

mpool_free(engine->mempool, new->name);

1757

mpool_free(engine->mempool, new);

1758

ret = CL_EMALFDB;

1759

break;

1760

}

1761

last->next = new;

1762

last = new;

1763

}

1764

1765

if(!dsig) {

1766

cli_errmsg("cli_loadinfo: Digital signature not found\n");

1767

return CL_EMALFDB;

1768

}

1769

1770

if(ret) {

1771

cli_errmsg("cli_loadinfo: Problem parsing database at line %u\n", line);

1772

return ret;

1773

}

1774

1775

return CL_SUCCESS;

1776

}

1777

1778

#define IGN_MAX_TOKENS 3

1779

static int cli_loadign(FILE *fs, struct cl_engine *engine, unsigned int options, struct cli_dbio *dbio)

1780

{

1781

const char *tokens[IGN_MAX_TOKENS + 1], *signame, *hash = NULL;

1782

char buffer[FILEBUFF];

1783

unsigned int line = 0, tokens_count, len;

1784

struct cli_bm_patt *new;

1785

int ret = CL_SUCCESS;

1786

1787

if(!engine->ignored) {

1788

engine->ignored = (struct cli_matcher *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_matcher));

1789

if(!engine->ignored)

1790

return CL_EMEM;

1791

#ifdef USE_MPOOL

1792

engine->ignored->mempool = engine->mempool;

1793

#endif

1794

if((ret = cli_bm_init(engine->ignored))) {

1795

cli_errmsg("cli_loadign: Can't initialise AC pattern matcher\n");

1796

return ret;

1797

}

1798

}

1799

1800

while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

1801

line++;

1802

cli_chomp(buffer);

1803

1804

tokens_count = cli_strtokenize(buffer, ':', IGN_MAX_TOKENS + 1, tokens);

1805

if(tokens_count > IGN_MAX_TOKENS) {

1806

ret = CL_EMALFDB;

1807

break;

1808

}

1809

1810

if(tokens_count == 1) {

1811

signame = buffer;

1812

} else if(tokens_count == 2) {

1813

signame = tokens[0];

1814

hash = tokens[1];

1815

} else { /* old mode */

1816

signame = tokens[2];

1817

}

1818

if(!(len = strlen(signame))) {

1819

cli_errmsg("cli_loadign: No signature name provided\n");

1820

ret = CL_EMALFDB;

1821

break;

1822

}

1823

1824

new = (struct cli_bm_patt *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_bm_patt));

1825

if(!new) {

1826

ret = CL_EMEM;

1827

break;

1828

}

1829

new->pattern = (unsigned char *) cli_mpool_strdup(engine->mempool, signame);

1830

if(!new->pattern) {

1831

mpool_free(engine->mempool, new);

1832

ret = CL_EMEM;

1833

break;

1834

}

1835

if(hash) {

1836

if(strlen(hash) != 32 || !(new->virname = (char *) cli_mpool_hex2str(engine->mempool, hash))) {

1837

cli_errmsg("cli_loadign: Malformed MD5 string at line %u\n", line);

1838

mpool_free(engine->mempool, new->pattern);

1839

mpool_free(engine->mempool, new);

1840

ret = CL_EMALFDB;

1841

break;

1842

}

1843

}

1844

new->length = len;

1845

new->boundary |= BM_BOUNDARY_EOL;

1846

1847

if((ret = cli_bm_addpatt(engine->ignored, new, "0"))) {

1848

if(hash)

1849

mpool_free(engine->mempool, new->virname);

1850

mpool_free(engine->mempool, new->pattern);

1851

mpool_free(engine->mempool, new);

1852

break;

1853

}

1854

}

1855

1856

if(ret) {

1857

cli_errmsg("cli_loadign: Problem parsing database at line %u\n", line);

1858

return ret;

1859

}

1860

1861

return CL_SUCCESS;

1862

}

1863

1864

#define MD5_HDB 0

1865

#define MD5_MDB 1

1866

#define MD5_FP 2

1867

1868

#define MD5_TOKENS 5

1869

static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int mode, unsigned int options, struct cli_dbio *dbio, const char *dbname)

1870

{

1871

const char *tokens[MD5_TOKENS + 1];

1872

char buffer[FILEBUFF], *buffer_cpy = NULL;

1873

const char *pt, *virname;

1874

int ret = CL_SUCCESS;

1875

unsigned int size_field = 1, md5_field = 0, line = 0, sigs = 0, tokens_count;

1876

struct cli_matcher *db = NULL;

1877

unsigned long size;

1878

1879

1880

if(mode == MD5_MDB) {

1881

size_field = 0;

1882

md5_field = 1;

1883

}

1884

1885

if(engine->ignored)

1886

if(!(buffer_cpy = cli_malloc(FILEBUFF)))

1887

return CL_EMEM;

1888

1889

while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

1890

line++;

1891

cli_chomp(buffer);

1892

if(engine->ignored)

1893

strcpy(buffer_cpy, buffer);

1894

1895

tokens_count = cli_strtokenize(buffer, ':', MD5_TOKENS + 1, tokens);

1896

if(tokens_count < 3) {

1897

ret = CL_EMALFDB;

1898

break;

1899

}

1900

if(tokens_count > MD5_TOKENS - 2) {

1901

unsigned int req_fl = atoi(tokens[MD5_TOKENS - 2]);

1902

1903

if(tokens_count > MD5_TOKENS) {

1904

ret = CL_EMALFDB;

1905

break;

1906

}

1907

1908

if(cl_retflevel() < req_fl)

1909

continue;

1910

if(tokens_count == MD5_TOKENS) {

1911

req_fl = atoi(tokens[MD5_TOKENS - 1]);

1912

if(cl_retflevel() > req_fl)

1913

continue;

1914

}

1915

}

1916

1917

size = strtol(tokens[size_field], (char **)&pt, 10);

1918

if(*pt || !size || size >= 0xffffffff) {

1919

cli_errmsg("cli_loadhash: Invalid value for the size field\n");

1920

ret = CL_EMALFDB;

1921

break;

1922

}

1923

1924

pt = tokens[2]; /* virname */

1925

if(engine->pua_cats && (options & CL_DB_PUA_MODE) && (options & (CL_DB_PUA_INCLUDE | CL_DB_PUA_EXCLUDE)))

1926

if(cli_chkpua(pt, engine->pua_cats, options))

1927

continue;

1928

1929

if(engine->ignored && cli_chkign(engine->ignored, pt, buffer_cpy))

1930

continue;

1931

1932

if(engine->cb_sigload) {

1933

const char *dot = strchr(dbname, '.');

1934

if(!dot)

1935

dot = dbname;

1936

else

1937

dot++;

1938

if(engine->cb_sigload(dot, pt, engine->cb_sigload_ctx)) {

1939

cli_dbgmsg("cli_loadhash: skipping %s (%s) due to callback\n", pt, dot);

1940

continue;

1941

}

1942

}

1943

1944

virname = cli_mpool_virname(engine->mempool, pt, options & CL_DB_OFFICIAL);

1945

if(!virname) {

1946

ret = CL_EMALFDB;

1947

break;

1948

}

1949

1950

if(mode == MD5_HDB)

1951

db = engine->hm_hdb;

1952

else if(mode == MD5_MDB)

1953

db = engine->hm_mdb;

1954

else

1955

db = engine->hm_fp;

1956

1957

if(!db) {

1958

if(!(db = mpool_calloc(engine->mempool, 1, sizeof(*db)))) {

1959

ret = CL_EMEM;

1960

break;

1961

}

1962

#ifdef USE_MPOOL

1963

db->mempool = engine->mempool;

1964

#endif

1965

if(mode == MD5_HDB)

1966

engine->hm_hdb = db;

1967

else if(mode == MD5_MDB)

1968

engine->hm_mdb = db;

1969

else

1970

engine->hm_fp = db;

1971

}

1972

1973

if((ret = hm_addhash(db, tokens[md5_field], size, virname))) {

1974

cli_errmsg("cli_loadhash: Malformed MD5 string at line %u\n", line);

1975

mpool_free(engine->mempool, (void *)virname);

1976

break;

1977

}

1978

1979

sigs++;

1980

}

1981

if(engine->ignored)

1982

free(buffer_cpy);

1983

1984

if(!line) {

1985

cli_errmsg("cli_loadhash: Empty database file\n");

1986

return CL_EMALFDB;

1987

}

1988

1989

if(ret) {

1990

cli_errmsg("cli_loadhash: Problem parsing database at line %u\n", line);

1991

return ret;

1992

}

1993

1994

if(signo)

1995

*signo += sigs;

1996

1997

return CL_SUCCESS;

1998

}

1999

2000

#define MD_TOKENS 9

2001

static int cli_loadmd(FILE *fs, struct cl_engine *engine, unsigned int *signo, int type, unsigned int options, struct cli_dbio *dbio, const char *dbname)

2002

{

2003

const char *tokens[MD_TOKENS + 1];

2004

char buffer[FILEBUFF], *buffer_cpy = NULL;

2005

unsigned int line = 0, sigs = 0, tokens_count;

2006

int ret = CL_SUCCESS;

2007

struct cli_cdb *new;

2008

2009

2010

if(engine->ignored)

2011

if(!(buffer_cpy = cli_malloc(FILEBUFF)))

2012

return CL_EMEM;

2013

2014

while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

2015

line++;

2016

if(buffer[0] == '#')

2017

continue;

2018

2019

cli_chomp(buffer);

2020

if(engine->ignored)

2021

strcpy(buffer_cpy, buffer);

2022

2023

tokens_count = cli_strtokenize(buffer, ':', MD_TOKENS + 1, tokens);

2024

if(tokens_count != MD_TOKENS) {

2025

ret = CL_EMALFDB;

2026

break;

2027

}

2028

2029

if(strcmp(tokens[1], "*") && !cli_isnumber(tokens[1])) {

2030

cli_errmsg("cli_loadmd: Invalid value for the 'encrypted' field\n");

2031

ret = CL_EMALFDB;

2032

break;

2033

}

2034

if(strcmp(tokens[3], "*") && !cli_isnumber(tokens[3])) {

2035

cli_errmsg("cli_loadmd: Invalid value for the 'original size' field\n");

2036

ret = CL_EMALFDB;

2037

break;

2038

}

2039

if(strcmp(tokens[4], "*") && !cli_isnumber(tokens[4])) {

2040

cli_errmsg("cli_loadmd: Invalid value for the 'compressed size' field\n");

2041

ret = CL_EMALFDB;

2042

break;

2043

}

2044

if(strcmp(tokens[6], "*") && !cli_isnumber(tokens[6])) {

2045

cli_errmsg("cli_loadmd: Invalid value for the 'compression method' field\n");

2046

ret = CL_EMALFDB;

2047

break;

2048

}

2049

if(strcmp(tokens[7], "*") && !cli_isnumber(tokens[7])) {

2050

cli_errmsg("cli_loadmd: Invalid value for the 'file number' field\n");

2051

ret = CL_EMALFDB;

2052

break;

2053

}

2054

if(strcmp(tokens[8], "*") && !cli_isnumber(tokens[8])) {

2055

cli_errmsg("cli_loadmd: Invalid value for the 'max depth' field\n");

2056

ret = CL_EMALFDB;

2057

break;

2058

}

2059

2060

new = (struct cli_cdb *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_cdb));

2061

if(!new) {

2062

ret = CL_EMEM;

2063

break;

2064

}

2065

2066

new->virname = cli_mpool_virname(engine->mempool, tokens[0], options & CL_DB_OFFICIAL);

2067

if(!new->virname) {

2068

mpool_free(engine->mempool, new);

2069

ret = CL_EMEM;

2070

break;

2071

}

2072

new->ctype = (type == 1) ? CL_TYPE_ZIP : CL_TYPE_RAR;

2073

2074

if(engine->ignored && cli_chkign(engine->ignored, new->virname, buffer/*_cpy*/)) {

2075

mpool_free(engine->mempool, new->virname);

2076

mpool_free(engine->mempool, new);

2077

continue;

2078

}

2079

2080

if(engine->cb_sigload && engine->cb_sigload("md", new->virname, engine->cb_sigload_ctx)) {

2081

cli_dbgmsg("cli_loadmd: skipping %s due to callback\n", new->virname);

2082

mpool_free(engine->mempool, new->virname);

2083

mpool_free(engine->mempool, new);

2084

continue;

2085

}

2086

2087

new->encrypted = strcmp(tokens[1], "*") ? atoi(tokens[1]) : 2;

2088

2089

if(strcmp(tokens[2], "*") && cli_regcomp(&new->name, tokens[2], REG_EXTENDED | REG_NOSUB)) {

2090

cli_errmsg("cli_loadmd: Can't compile regular expression %s in signature for %s\n", tokens[2], tokens[0]);

2091

mpool_free(engine->mempool, new->virname);

2092

mpool_free(engine->mempool, new);

2093

ret = CL_EMEM;

2094

break;

2095

}

2096

new->csize[0] = new->csize[1] = CLI_OFF_ANY;

2097

2098

if(!strcmp(tokens[3], "*"))

2099

new->fsizer[0] = new->fsizer[1] = CLI_OFF_ANY;

2100

else

2101

new->fsizer[0] = new->fsizer[1] = atoi(tokens[3]);

2102

2103

if(!strcmp(tokens[4], "*"))

2104

new->fsizec[0] = new->fsizec[1] = CLI_OFF_ANY;

2105

else

2106

new->fsizec[0] = new->fsizec[1] = atoi(tokens[4]);

2107

2108

if(strcmp(tokens[5], "*")) {

2109

new->res1 = cli_hex2num(tokens[5]);

2110

if(new->res1 == -1) {

2111

mpool_free(engine->mempool, new->virname);

2112

mpool_free(engine->mempool, new);

2113

if(new->name.re_magic)

2114

cli_regfree(&new->name);

2115

ret = CL_EMALFDB;

2116

break;

2117

}

2118

}

2119

2120

/* tokens[6] - not used */

2121

2122

new->filepos[0] = new->filepos[1] = strcmp(tokens[7], "*") ? atoi(tokens[7]) : (int) CLI_OFF_ANY;

2123

2124

/* tokens[8] - not used */

2125

2126

new->next = engine->cdb;

2127

engine->cdb = new;

2128

sigs++;

2129

}

2130

if(engine->ignored)

2131

free(buffer_cpy);

2132

2133

if(!line) {

2134

cli_errmsg("Empty database file\n");

2135

return CL_EMALFDB;

2136

}

2137

2138

if(ret) {

2139

cli_errmsg("Problem parsing database at line %d\n", line);

2140

return ret;

2141

}

2142

2143

if(signo)

2144

*signo += sigs;

2145

2146

return CL_SUCCESS;

2147

}

2148

2149

/* 0 1 2 3 4 5 6 7 8 9 10 11

2150

* VirusName:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:FileSizeReal:IsEncrypted:FilePos:Res1:Res2[:MinFL[:MaxFL]]

2151

2152

2153

#define CDB_TOKENS 12

2154

static int cli_loadcdb(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio)

2155

{

2156

const char *tokens[CDB_TOKENS + 1];

2157

char buffer[FILEBUFF], *buffer_cpy = NULL;

2158

unsigned int line = 0, sigs = 0, tokens_count, n0, n1;

2159

int ret = CL_SUCCESS;

2160

struct cli_cdb *new;

2161

2162

2163

if(engine->ignored)

2164

if(!(buffer_cpy = cli_malloc(FILEBUFF)))

2165

return CL_EMEM;

2166

2167

while(cli_dbgets(buffer, FILEBUFF, fs, dbio)) {

2168

line++;

2169

if(buffer[0] == '#')

2170

continue;

2171

2172

cli_chomp(buffer);

2173

if(engine->ignored)

2174

strcpy(buffer_cpy, buffer);

2175

2176

tokens_count = cli_strtokenize(buffer, ':', CDB_TOKENS + 1, tokens);

2177

if(tokens_count > CDB_TOKENS || tokens_count < CDB_TOKENS - 2) {

2178

ret = CL_EMALFDB;

2179

break;

2180

}

2181

2182

if(tokens_count > 10) { /* min version */

2183

if(!cli_isnumber(tokens[10])) {

2184

ret = CL_EMALFDB;

2185

break;

2186

}

2187

if((unsigned int) atoi(tokens[10]) > cl_retflevel()) {

2188

cli_dbgmsg("cli_loadcdb: Container signature for %s not loaded (required f-level: %u)\n", tokens[0], atoi(tokens[10]));

2189

continue;

2190

}

2191

if(tokens_count == CDB_TOKENS) { /* max version */

2192

if(!cli_isnumber(tokens[11])) {

2193

ret = CL_EMALFDB;

2194

break;

2195

}

2196

if((unsigned int) atoi(tokens[11]) < cl_retflevel())

2197

continue;

2198

}

2199

}

2200

2201

new = (struct cli_cdb *) mpool_calloc(engine->mempool, 1, sizeof(struct cli_cdb));

2202

if(!new) {

2203

ret = CL_EMEM;

2204

break;

2205

}

2206

2207

new->virname = cli_mpool_virname(engine->mempool, tokens[0], options & CL_DB_OFFICIAL);

2208

if(!new->virname) {

2209

mpool_free(engine->mempool, new);

2210

ret = CL_EMEM;

2211

break;

2212

}

2213

2214

if(engine->ignored && cli_chkign(engine->ignored, new->virname, buffer/*_cpy*/)) {

2215

mpool_free(engine->mempool, new->virname);

2216

mpool_free(engine->mempool, new);

2217

continue;

2218

}

2219

2220

if(engine->cb_sigload && engine->cb_sigload("cdb", new->virname, engine->cb_sigload_ctx)) {

2221

cli_dbgmsg("cli_loadcdb: skipping %s due to callback\n", new->virname);

2222

mpool_free(engine->mempool, new->virname);

2223

mpool_free(engine->mempool, new);

2224

continue;

2225

}

2226

2227

if(!strcmp(tokens[1], "*")) {

2228

new->ctype = CL_TYPE_ANY;

2229

} else if((new->ctype = cli_ftcode(tokens[1])) == CL_TYPE_ERROR) {

2230

cli_dbgmsg("cli_loadcdb: Unknown container type %s in signature for %s, skipping\n", tokens[1], tokens[0]);

2231

mpool_free(engine->mempool, new->virname);

2232

mpool_free(engine->mempool, new);

2233

continue;

2234

}

2235

2236

if(strcmp(tokens[3], "*") && cli_regcomp(&new->name, tokens[3], REG_EXTENDED | REG_NOSUB)) {

2237

cli_errmsg("cli_loadcdb: Can't compile regular expression %s in signature for %s\n", tokens[3], tokens[0]);

2238

mpool_free(engine->mempool, new->virname);

2239

mpool_free(engine->mempool, new);

2240

ret = CL_EMEM;

2241

break;

2242

}

2243

2244

#define CDBRANGE(token_str, dest) \

2245

if(strcmp(token_str, "*")) { \

2246

if(strchr(token_str, '-')) { \

2247

if(sscanf(token_str, "%u-%u", &n0, &n1) != 2) { \

2248

ret = CL_EMALFDB; \

2249

} else { \

2250

dest[0] = n0; \

2251

dest[1] = n1; \

2252

} \

2253

} else { \

2254

if(!cli_isnumber(token_str)) \

2255

ret = CL_EMALFDB; \

2256

else \

2257

dest[0] = dest[1] = atoi(token_str); \

2258

} \

2259

if(ret != CL_SUCCESS) { \

2260

cli_errmsg("cli_loadcdb: Invalid value %s in signature for %s\n",\

2261

token_str, tokens[0]); \

2262

if(new->name.re_magic) \

2263

cli_regfree(&new->name); \

2264

mpool_free(engine->mempool, new->virname); \

2265

mpool_free(engine->mempool, new); \

2266

ret = CL_EMEM; \

2267

break; \

2268

} \

2269

} else { \

2270

dest[0] = dest[1] = CLI_OFF_ANY; \

2271

}

2272

2273

CDBRANGE(tokens[2], new->csize);

2274

CDBRANGE(tokens[4], new->fsizec);

2275

CDBRANGE(tokens[5], new->fsizer);

2276

CDBRANGE(tokens[7], new->filepos);

2277

2278

if(!strcmp(tokens[6], "*")) {

2279

new->encrypted = 2;

2280

} else {

2281

if(strcmp(tokens[6], "0") && strcmp(tokens[6], "1")) {

2282

cli_errmsg("cli_loadcdb: Invalid encryption flag value in signature for %s\n", tokens[0]);

2283

if(new->name.re_magic)

2284

cli_regfree(&new->name);

2285

mpool_free(engine->mempool, new->virname);

2286

mpool_free(engine->mempool, new);

2287

ret = CL_EMEM;

2288

break;

2289

}

2290

new->encrypted = *tokens[6] - 0x30;

2291

}

2292

2293

if(strcmp(tokens[9], "*")) {

2294

new->res2 = cli_mpool_strdup(engine->mempool, tokens[9]);

2295

if(!new->res2) {

2296

cli_errmsg("cli_loadcdb: Can't allocate memory for res2 in signature for %s\n", tokens[0]);

2297

if(new->name.re_magic)

2298

cli_regfree(&new->name);

2299

mpool_free(engine->mempool, new->virname);

2300

mpool_free(engine->mempool, new);

2301

ret = CL_EMEM;

2302

break;

2303

}

2304

}

2305

2306

new->next = engine->cdb;

2307

engine->cdb = new;

2308

sigs++;

2309

}

2310

if(engine->ignored)

2311

free(buffer_cpy);

2312

2313

if(!line) {

2314

cli_errmsg("Empty database file\n");

2315

return CL_EMALFDB;

2316

}

2317

2318

if(ret) {

2319

cli_errmsg("Problem parsing database at line %u\n", line);

2320

return ret;

2321

}

2322

2323

if(signo)

2324

*signo += sigs;

2325

2326

return CL_SUCCESS;

2327

}

2328

2329

static int cli_loaddbdir(const char *dirname, struct cl_engine *engine, unsigned int *signo, unsigned int options);

2330

2331

int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo, unsigned int options, struct cli_dbio *dbio)

2332

{

2333

FILE *fs = NULL;

921

new->next = last->next;

922

last->next = new;

923

}

924

}

925

} else {

926

if(!(*engine)->md5_hlist) {

927

cli_dbgmsg("Initializing md5 list structure\n");

928

(*engine)->md5_hlist = (struct cli_md5_node **) cli_calloc(256, sizeof(struct cli_md5_node *));

929

if(!(*engine)->md5_hlist) {

930

ret = CL_EMEM;

931

break;

932

}

933

}

934

935

new->next = (*engine)->md5_hlist[new->md5[0] & 0xff];

936

(*engine)->md5_hlist[new->md5[0] & 0xff] = new;

937

}

938

}

939

940

if(!line) {

941

cli_errmsg("Empty database file\n");

942

cl_free(*engine);

943

return CL_EMALFDB;

944

}

945

946

if(ret) {

947

cli_errmsg("Problem parsing database at line %d\n", line);

948

cl_free(*engine);

949

return ret;

950

}

951

952

if(signo)

953

*signo += line;

954

955

return CL_SUCCESS;

956

}

957

958

static int cli_loadmd(FILE *fd, struct cl_engine **engine, unsigned int *signo, int type, unsigned int options)

959

{

960

char buffer[FILEBUFF], *pt;

961

int line = 0, comments = 0, ret = 0, crc32;

962

struct cli_meta_node *new;

963

964

965

if((ret = cli_initengine(engine, options))) {

966

cl_free(*engine);

967

return ret;

968

}

969

970

while(fgets(buffer, FILEBUFF, fd)) {

971

line++;

972

if(buffer[0] == '#') {

973

comments++;

974

continue;

975

}

976

977

cli_chomp(buffer);

978

979

new = (struct cli_meta_node *) cli_calloc(1, sizeof(struct cli_meta_node));

980

if(!new) {

981

ret = CL_EMEM;

982

break;

983

}

984

985

if(!(new->virname = cli_strtok(buffer, 0, ":"))) {

986

free(new);

987

ret = CL_EMALFDB;

988

break;

989

}

990

991

if(!(pt = cli_strtok(buffer, 1, ":"))) {

992

free(new->virname);

993

free(new);

994

ret = CL_EMALFDB;

995

break;

996

} else {

997

new->encrypted = atoi(pt);

998

free(pt);

999

}

1000

1001

if(!(new->filename = cli_strtok(buffer, 2, ":"))) {

1002

free(new->virname);

1003

free(new);

1004

ret = CL_EMALFDB;

1005

break;

1006

} else {

1007

if(!strcmp(new->filename, "*")) {

1008

free(new->filename);

1009

new->filename = NULL;

1010

}

1011

}

1012

1013

if(!(pt = cli_strtok(buffer, 3, ":"))) {

1014

free(new->filename);

1015

free(new->virname);

1016

free(new);

1017

ret = CL_EMALFDB;

1018

break;

1019

} else {

1020

if(!strcmp(pt, "*"))

1021

new->size = -1;

1022

else

1023

new->size = atoi(pt);

1024

free(pt);

1025

}

1026

1027

if(!(pt = cli_strtok(buffer, 4, ":"))) {

1028

free(new->filename);

1029

free(new->virname);

1030

free(new);

1031

ret = CL_EMALFDB;

1032

break;

1033

} else {

1034

if(!strcmp(pt, "*"))

1035

new->csize = -1;

1036

else

1037

new->csize = atoi(pt);

1038

free(pt);

1039

}

1040

1041

if(!(pt = cli_strtok(buffer, 5, ":"))) {

1042

free(new->filename);

1043

free(new->virname);

1044

free(new);

1045

ret = CL_EMALFDB;

1046

break;

1047

} else {

1048

if(!strcmp(pt, "*")) {

1049

new->crc32 = 0;

1050

} else {

1051

crc32 = cli_hex2num(pt);

1052

if(crc32 == -1) {

1053

ret = CL_EMALFDB;

1054

break;

1055

}

1056

new->crc32 = (unsigned int) crc32;

1057

}

1058

free(pt);

1059

}

1060

1061

if(!(pt = cli_strtok(buffer, 6, ":"))) {

1062

free(new->filename);

1063

free(new->virname);

1064

free(new);

1065

ret = CL_EMALFDB;

1066

break;

1067

} else {

1068

if(!strcmp(pt, "*"))

1069

new->method = -1;

1070

else

1071

new->method = atoi(pt);

1072

free(pt);

1073

}

1074

1075

if(!(pt = cli_strtok(buffer, 7, ":"))) {

1076

free(new->filename);

1077

free(new->virname);

1078

free(new);

1079

ret = CL_EMALFDB;

1080

break;

1081

} else {

1082

if(!strcmp(pt, "*"))

1083

new->fileno = 0;

1084

else

1085

new->fileno = atoi(pt);

1086

free(pt);

1087

}

1088

1089

if(!(pt = cli_strtok(buffer, 8, ":"))) {

1090

free(new->filename);

1091

free(new->virname);

1092

free(new);

1093

ret = CL_EMALFDB;

1094

break;

1095

} else {

1096

if(!strcmp(pt, "*"))

1097

new->maxdepth = 0;

1098

else

1099

new->maxdepth = atoi(pt);

1100

free(pt);

1101

}

1102

1103

if(type == 1) {

1104

new->next = (*engine)->zip_mlist;

1105

(*engine)->zip_mlist = new;

1106

} else {

1107

new->next = (*engine)->rar_mlist;

1108

(*engine)->rar_mlist = new;

1109

}

1110

}

1111

1112

if(!line) {

1113

cli_errmsg("Empty database file\n");

1114

cl_free(*engine);

1115

return CL_EMALFDB;

1116

}

1117

1118

if(ret) {

1119

cli_errmsg("Problem parsing database at line %d\n", line);

1120

cl_free(*engine);

1121

return ret;

1122

}

1123

1124

if(signo)

1125

*signo += (line - comments);

1126

1127

return CL_SUCCESS;

1128

}

1129

1130

static int cli_loaddbdir(const char *dirname, struct cl_engine **engine, unsigned int *signo, unsigned int options);

1131

1132

static int cli_load(const char *filename, struct cl_engine **engine, unsigned int *signo, unsigned int options)

1133

{

1134

FILE *fd;

2334

1135

int ret = CL_SUCCESS;

2335

1136

uint8_t skipped = 0;

2336

const char *dbname;

2337

char buff[FILEBUFF];

2338

2339

2340

if(dbio && dbio->chkonly) {

2341

while(cli_dbgets(buff, FILEBUFF, NULL, dbio));

2342

return CL_SUCCESS;

2343

}

2344

2345

if(!dbio && (fs = fopen(filename, "rb")) == NULL) {

2346

if(options & CL_DB_DIRECTORY) { /* bb#1624 */

2347

if(access(filename, R_OK)) {

2348

if(errno == ENOENT) {

2349

cli_dbgmsg("Detected race condition, ignoring old file %s\n", filename);

2350

return CL_SUCCESS;

2351

}

2352

}

2353

}

1137

1138

1139

if(cli_strbcasestr(filename, ".inc"))

1140

return cli_loaddbdir(filename, engine, signo, options);

1141

1142

if((fd = fopen(filename, "rb")) == NULL) {

2354

1143

cli_errmsg("cli_load(): Can't open file %s\n", filename);

2355

1144

return CL_EOPEN;

2356

1145

}

2357

1146

2358

if((dbname = strrchr(filename, *PATHSEP)))

2359

dbname++;

2360

else

2361

dbname = filename;

2362

2363

if(cli_strbcasestr(dbname, ".db")) {

2364

ret = cli_loaddb(fs, engine, signo, options, dbio, dbname);

2365

2366

} else if(cli_strbcasestr(dbname, ".cvd")) {

2367

ret = cli_cvdload(fs, engine, signo, options, 0, filename, 0);

2368

2369

} else if(cli_strbcasestr(dbname, ".cld")) {

2370

ret = cli_cvdload(fs, engine, signo, options, 1, filename, 0);

2371

2372

} else if(cli_strbcasestr(dbname, ".hdb") || cli_strbcasestr(dbname, ".hsb")) {

2373

ret = cli_loadhash(fs, engine, signo, MD5_HDB, options, dbio, dbname);

2374

} else if(cli_strbcasestr(dbname, ".hdu") || cli_strbcasestr(dbname, ".hsu")) {

2375

if(options & CL_DB_PUA)

2376

ret = cli_loadhash(fs, engine, signo, MD5_HDB, options | CL_DB_PUA_MODE, dbio, dbname);

2377

else

2378

skipped = 1;

2379

2380

} else if(cli_strbcasestr(dbname, ".fp") || cli_strbcasestr(dbname, ".sfp")) {

2381

ret = cli_loadhash(fs, engine, signo, MD5_FP, options, dbio, dbname);

2382

} else if(cli_strbcasestr(dbname, ".mdb") || cli_strbcasestr(dbname, ".msb")) {

2383

ret = cli_loadhash(fs, engine, signo, MD5_MDB, options, dbio, dbname);

2384

2385

} else if(cli_strbcasestr(dbname, ".mdu") || cli_strbcasestr(dbname, ".msu")) {

2386

if(options & CL_DB_PUA)

2387

ret = cli_loadhash(fs, engine, signo, MD5_MDB, options | CL_DB_PUA_MODE, dbio, dbname);

2388

else

2389

skipped = 1;

2390

2391

} else if(cli_strbcasestr(dbname, ".ndb")) {

2392

ret = cli_loadndb(fs, engine, signo, 0, options, dbio, dbname);

2393

2394

} else if(cli_strbcasestr(dbname, ".ndu")) {

2395

if(!(options & CL_DB_PUA))

2396

skipped = 1;

2397

else

2398

ret = cli_loadndb(fs, engine, signo, 0, options | CL_DB_PUA_MODE, dbio, dbname);

2399

2400

} else if(cli_strbcasestr(filename, ".ldb")) {

2401

ret = cli_loadldb(fs, engine, signo, options, dbio, dbname);

2402

2403

} else if(cli_strbcasestr(filename, ".ldu")) {

2404

if(options & CL_DB_PUA)

2405

ret = cli_loadldb(fs, engine, signo, options | CL_DB_PUA_MODE, dbio, dbname);

2406

else

2407

skipped = 1;

2408

} else if(cli_strbcasestr(filename, ".cbc")) {

2409

if(options & CL_DB_BYTECODE)

2410

ret = cli_loadcbc(fs, engine, signo, options, dbio, dbname);

2411

else

2412

skipped = 1;

2413

} else if(cli_strbcasestr(dbname, ".sdb")) {

2414

ret = cli_loadndb(fs, engine, signo, 1, options, dbio, dbname);

2415

2416

} else if(cli_strbcasestr(dbname, ".zmd")) {

2417

ret = cli_loadmd(fs, engine, signo, 1, options, dbio, dbname);

2418

2419

} else if(cli_strbcasestr(dbname, ".rmd")) {

2420

ret = cli_loadmd(fs, engine, signo, 2, options, dbio, dbname);

2421

2422

} else if(cli_strbcasestr(dbname, ".cfg")) {

2423

ret = cli_dconf_load(fs, engine, options, dbio);

2424

2425

} else if(cli_strbcasestr(dbname, ".info")) {

2426

ret = cli_loadinfo(fs, engine, options, dbio);

2427

2428

} else if(cli_strbcasestr(dbname, ".wdb")) {

2429

if(options & CL_DB_PHISHING_URLS) {

2430

ret = cli_loadwdb(fs, engine, options, dbio);

2431

} else

2432

skipped = 1;

2433

} else if(cli_strbcasestr(dbname, ".pdb") || cli_strbcasestr(dbname, ".gdb")) {

2434

if(options & CL_DB_PHISHING_URLS) {

2435

ret = cli_loadpdb(fs, engine, signo, options, dbio);

2436

} else

2437

skipped = 1;

2438

} else if(cli_strbcasestr(dbname, ".ftm")) {

2439

ret = cli_loadftm(fs, engine, options, 0, dbio);

2440

2441

} else if(cli_strbcasestr(dbname, ".ign") || cli_strbcasestr(dbname, ".ign2")) {

2442

ret = cli_loadign(fs, engine, options, dbio);

2443

2444

} else if(cli_strbcasestr(dbname, ".idb")) {

2445

ret = cli_loadidb(fs, engine, signo, options, dbio);

2446

2447

} else if(cli_strbcasestr(dbname, ".cdb")) {

2448

ret = cli_loadcdb(fs, engine, signo, options, dbio);

1147

if(cli_strbcasestr(filename, ".db")) {

1148

if(options & CL_DB_NCORE)

1149

skipped = 1;

1150

else

1151

ret = cli_loaddb(fd, engine, signo, options);

1152

1153

} else if(cli_strbcasestr(filename, ".cvd")) {

1154

int warn = 0;

1155

1156

if(strstr(filename, "daily.cvd"))

1157

warn = 1;

1158

1159

ret = cli_cvdload(fd, engine, signo, warn, options);

1160

1161

} else if(cli_strbcasestr(filename, ".hdb")) {

1162

ret = cli_loadhdb(fd, engine, signo, 0, options);

1163

1164

} else if(cli_strbcasestr(filename, ".fp")) {

1165

ret = cli_loadhdb(fd, engine, signo, 1, options);

1166

1167

} else if(cli_strbcasestr(filename, ".mdb")) {

1168

ret = cli_loadhdb(fd, engine, signo, 2, options);

1169

1170

} else if(cli_strbcasestr(filename, ".ndb")) {

1171

if(options & CL_DB_NCORE)

1172

skipped = 1;

1173

else

1174

ret = cli_loadndb(fd, engine, signo, 0, options);

1175

1176

} else if(cli_strbcasestr(filename, ".sdb")) {

1177

/* FIXME: Add support in ncore mode */

1178

if(options & CL_DB_NCORE)

1179

skipped = 1;

1180

else

1181

ret = cli_loadndb(fd, engine, signo, 1, options);

1182

1183

} else if(cli_strbcasestr(filename, ".zmd")) {

1184

ret = cli_loadmd(fd, engine, signo, 1, options);

1185

1186

} else if(cli_strbcasestr(filename, ".rmd")) {

1187

ret = cli_loadmd(fd, engine, signo, 2, options);

1188

1189

} else if(cli_strbcasestr(filename, ".cfg")) {

1190

ret = cli_dconf_load(fd, engine, options);

1191

1192

} else if(cli_strbcasestr(filename, ".ncdb")) {

1193

#ifdef HAVE_NCORE

1194

if(options & CL_DB_NCORE)

1195

ret = cli_ncore_load(filename, engine, signo, options);

1196

else

1197

#endif

1198

skipped = 1;

1199

#ifdef CL_EXPERIMENTAL

1200

} else if(cli_strbcasestr(filename, ".wdb")) {

1201

if(options & CL_DB_PHISHING_URLS)

1202

ret = cli_loadwdb(fd, engine, options);

1203

else

1204

skipped = 1;

1205

} else if(cli_strbcasestr(filename, ".pdb")) {

1206

if(options & CL_DB_PHISHING_URLS)

1207

ret = cli_loadpdb(fd, engine, options);

1208

else

1209

skipped = 1;

1210

#endif

2449

1211

} else {

2450

1212

cli_dbgmsg("cli_load: unknown extension - assuming old database format\n");

2451

ret = cli_loaddb(fs, engine, signo, options, dbio, dbname);

1213

ret = cli_loaddb(fd, engine, signo, options);

2452

1214

}

2453

1215

2454

1216

if(ret) {

2460

1222

cli_dbgmsg("%s loaded\n", filename);

2461

1223

}

2462

1224

2463

if(fs)

2464

fclose(fs);

2465

1225

fclose(fd);

2466

1226

return ret;

2467

1227

}

2468

1228

2469

static int cli_loaddbdir(const char *dirname, struct cl_engine *engine, unsigned int *signo, unsigned int options)

1229

int cl_loaddb(const char *filename, struct cl_engine **engine, unsigned int *signo) {

1230

return cli_load(filename, engine, signo, 0);

1231

}

1232

1233

static int cli_loaddbdir_l(const char *dirname, struct cl_engine **engine, unsigned int *signo, unsigned int options)

2470

1234

{

2471

1235

DIR *dd;

2472

1236

struct dirent *dent;

2477

1241

} result;

2478

1242

#endif

2479

1243

char *dbfile;

2480

int ret = CL_EOPEN, have_cld;

2481

struct cl_cvd *daily_cld, *daily_cvd;

2482

1244

int ret = CL_ESUPPORT;

1245

1246

1247

if((dd = opendir(dirname)) == NULL) {

1248

cli_errmsg("cli_loaddbdir(): Can't open directory %s\n", dirname);

1249

return CL_EOPEN;

1250

}

2483

1251

2484

1252

cli_dbgmsg("Loading databases from %s\n", dirname);

2485

1253

2486

if((dd = opendir(dirname)) == NULL) {

2487

cli_errmsg("cli_loaddbdir(): Can't open directory %s\n", dirname);

2488

return CL_EOPEN;

2489

}

2490

2491

/* first round - load .ign and .ign2 files */

2492

#ifdef HAVE_READDIR_R_3

2493

while(!readdir_r(dd, &result.d, &dent) && dent) {

2494

#elif defined(HAVE_READDIR_R_2)

2495

while((dent = (struct dirent *) readdir_r(dd, &result.d))) {

2496

#else

2497

while((dent = readdir(dd))) {

2498

#endif

2499

if(dent->d_ino)

2500

{

2501

if(cli_strbcasestr(dent->d_name, ".ign") || cli_strbcasestr(dent->d_name, ".ign2")) {

2502

dbfile = (char *) cli_malloc(strlen(dent->d_name) + strlen(dirname) + 2);

2503

if(!dbfile) {

2504

cli_dbgmsg("cli_loaddbdir(): dbfile == NULL\n");

2505

closedir(dd);

2506

return CL_EMEM;

2507

}

2508

sprintf(dbfile, "%s"PATHSEP"%s", dirname, dent->d_name);

2509

ret = cli_load(dbfile, engine, signo, options, NULL);

2510

if(ret) {

2511

cli_dbgmsg("cli_loaddbdir(): error loading database %s\n", dbfile);

2512

free(dbfile);

2513

closedir(dd);

2514

return ret;

2515

}

2516

free(dbfile);

2517

}

2518

}

2519

}

2520

2521

/* the daily db must be loaded before main */

2522

dbfile = (char *) cli_malloc(strlen(dirname) + 20);

2523

if(!dbfile) {

2524

closedir(dd);

2525

return CL_EMEM;

2526

}

2527

2528

sprintf(dbfile, "%s"PATHSEP"daily.cld", dirname);

2529

have_cld = !access(dbfile, R_OK);

2530

if(have_cld) {

2531

daily_cld = cl_cvdhead(dbfile);

2532

if(!daily_cld) {

2533

cli_errmsg("cli_loaddbdir(): error parsing header of %s\n", dbfile);

2534

free(dbfile);

2535

closedir(dd);

2536

return CL_EMALFDB;

2537

}

2538

}

2539

sprintf(dbfile, "%s"PATHSEP"daily.cvd", dirname);

2540

if(!access(dbfile, R_OK)) {

2541

if(have_cld) {

2542

daily_cvd = cl_cvdhead(dbfile);

2543

if(!daily_cvd) {

2544

cli_errmsg("cli_loaddbdir(): error parsing header of %s\n", dbfile);

2545

free(dbfile);

2546

cl_cvdfree(daily_cld);

2547

closedir(dd);

2548

return CL_EMALFDB;

2549

}

2550

if(daily_cld->version > daily_cvd->version)

2551

sprintf(dbfile, "%s"PATHSEP"daily.cld", dirname);

2552

cl_cvdfree(daily_cvd);

2553

}

2554

} else {

2555

sprintf(dbfile, "%s"PATHSEP"daily.cld", dirname);

2556

}

2557

if(have_cld)

2558

cl_cvdfree(daily_cld);

2559

2560

if(!access(dbfile, R_OK) && (ret = cli_load(dbfile, engine, signo, options, NULL))) {

2561

free(dbfile);

2562

closedir(dd);

2563

return ret;

2564

}

2565

2566

/* try to load local.gdb next */

2567

sprintf(dbfile, "%s"PATHSEP"local.gdb", dirname);

2568

if(!access(dbfile, R_OK) && (ret = cli_load(dbfile, engine, signo, options, NULL))) {

2569

free(dbfile);

2570

closedir(dd);

2571

return ret;

2572

}

2573

2574

/* check for and load daily.cfg */

2575

sprintf(dbfile, "%s"PATHSEP"daily.cfg", dirname);

2576

if(!access(dbfile, R_OK) && (ret = cli_load(dbfile, engine, signo, options, NULL))) {

2577

free(dbfile);

2578

closedir(dd);

2579

return ret;

2580

}

2581

free(dbfile);

2582

2583

/* second round - load everything else */

2584

rewinddir(dd);

2585

#ifdef HAVE_READDIR_R_3

2586

while(!readdir_r(dd, &result.d, &dent) && dent) {

2587

#elif defined(HAVE_READDIR_R_2)

2588

while((dent = (struct dirent *) readdir_r(dd, &result.d))) {

2589

#else

2590

while((dent = readdir(dd))) {

2591

#endif

2592

if(dent->d_ino)

2593

{

2594

if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..") && strcmp(dent->d_name, "daily.cvd") && strcmp(dent->d_name, "daily.cld") && strcmp(dent->d_name, "daily.cfg") && CLI_DBEXT(dent->d_name)) {

2595

if((options & CL_DB_OFFICIAL_ONLY) && !strstr(dirname, "clamav-") && !cli_strbcasestr(dent->d_name, ".cld") && !cli_strbcasestr(dent->d_name, ".cvd")) {

2596

cli_dbgmsg("Skipping unofficial database %s\n", dent->d_name);

2597

continue;

2598

}

2599

2600

dbfile = (char *) cli_malloc(strlen(dent->d_name) + strlen(dirname) + 2);

2601

if(!dbfile) {

2602

cli_dbgmsg("cli_loaddbdir(): dbfile == NULL\n");

2603

closedir(dd);

2604

return CL_EMEM;

2605

}

2606

sprintf(dbfile, "%s"PATHSEP"%s", dirname, dent->d_name);

2607

ret = cli_load(dbfile, engine, signo, options, NULL);

2608

if(ret) {

2609

cli_dbgmsg("cli_loaddbdir(): error loading database %s\n", dbfile);

2610

free(dbfile);

2611

closedir(dd);

2612

return ret;

2613

}

2614

free(dbfile);

2615

}

2616

}

2617

}

1254

#ifdef HAVE_READDIR_R_3

1255

while(!readdir_r(dd, &result.d, &dent) && dent) {

1256

#elif defined(HAVE_READDIR_R_2)

1257

while((dent = (struct dirent *) readdir_r(dd, &result.d))) {

1258

#else

1259

while((dent = readdir(dd))) {

1260

#endif

1261

#if (!defined(C_INTERIX)) && (!defined(C_WINDOWS)) && (!defined(C_CYGWIN))

1262

if(dent->d_ino)

1263

#endif

1264

{

1265

if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..") &&

1266

(cli_strbcasestr(dent->d_name, ".db") ||

1267

cli_strbcasestr(dent->d_name, ".db2") ||

1268

cli_strbcasestr(dent->d_name, ".db3") ||

1269

cli_strbcasestr(dent->d_name, ".hdb") ||

1270

cli_strbcasestr(dent->d_name, ".fp") ||

1271

cli_strbcasestr(dent->d_name, ".mdb") ||

1272

cli_strbcasestr(dent->d_name, ".ndb") ||

1273

cli_strbcasestr(dent->d_name, ".sdb") ||

1274

cli_strbcasestr(dent->d_name, ".zmd") ||

1275

cli_strbcasestr(dent->d_name, ".rmd") ||

1276

cli_strbcasestr(dent->d_name, ".cfg") ||

1277

#ifdef CL_EXPERIMENTAL

1278

cli_strbcasestr(dent->d_name, ".pdb") ||

1279

cli_strbcasestr(dent->d_name, ".wdb") ||

1280

#endif

1281

cli_strbcasestr(dent->d_name, ".ncdb") ||

1282

cli_strbcasestr(dent->d_name, ".inc") ||

1283

cli_strbcasestr(dent->d_name, ".cvd"))) {

1284

1285

dbfile = (char *) cli_calloc(strlen(dent->d_name) + strlen(dirname) + 2, sizeof(char));

1286

1287

if(!dbfile) {

1288

cli_dbgmsg("cli_loaddbdir(): dbfile == NULL\n");

1289

closedir(dd);

1290

return CL_EMEM;

1291

}

1292

sprintf(dbfile, "%s/%s", dirname, dent->d_name);

1293

if((ret = cli_load(dbfile, engine, signo, options))) {

1294

cli_dbgmsg("cli_loaddbdir(): error loading database %s\n", dbfile);

1295

free(dbfile);

1296

closedir(dd);

1297

return ret;

1298

}

1299

free(dbfile);

1300

}

1301

}

1302

}

1303

2618

1304

closedir(dd);

2619

if(ret == CL_EOPEN)

1305

if(ret == CL_ESUPPORT)

2620

1306

cli_errmsg("cli_loaddb(): No supported database files found in %s\n", dirname);

2621

1307

2622

1308

return ret;

2623

1309

}

2624

1310

2625

int cl_load(const char *path, struct cl_engine *engine, unsigned int *signo, unsigned int dboptions)

1311

static int cli_loaddbdir(const char *dirname, struct cl_engine **engine, unsigned int *signo, unsigned int options)

1312

{

1313

int ret, try = 0, lock;

1314

1315

1316

cli_dbgmsg("cli_loaddbdir: Acquiring dbdir lock\n");

1317

while((lock = cli_readlockdb(dirname, 0)) == CL_ELOCKDB) {

1318

sleep(5);

1319

if(try++ > 24) {

1320

cli_errmsg("cl_load(): Unable to lock database directory: %s\n", dirname);

1321

return CL_ELOCKDB;

1322

}

1323

}

1324

1325

ret = cli_loaddbdir_l(dirname, engine, signo, options);

1326

if(lock == CL_SUCCESS)

1327

cli_unlockdb(dirname);

1328

1329

return ret;

1330

}

1331

1332

int cl_loaddbdir(const char *dirname, struct cl_engine **engine, unsigned int *signo) {

1333

return cli_loaddbdir(dirname, engine, signo, 0);

1334

}

1335

1336

int cl_load(const char *path, struct cl_engine **engine, unsigned int *signo, unsigned int options)

2626

1337

{

2627

1338

struct stat sb;

2628

1339

int ret;

2629

1340

2630

if(!engine) {

2631

cli_errmsg("cl_load: engine == NULL\n");

2632

return CL_ENULLARG;

2633

}

2634

2635

if(engine->dboptions & CL_DB_COMPILED) {

2636

cli_errmsg("cl_load(): can't load new databases when engine is already compiled\n");

2637

return CL_EARG;

2638

}

2639

1341

2640

1342

if(stat(path, &sb) == -1) {

2641

cli_errmsg("cl_load(): Can't get status of %s\n", path);

2642

return CL_ESTAT;

2643

}

2644

2645

if((dboptions & CL_DB_PHISHING_URLS) && !engine->phishcheck && (engine->dconf->phishing & PHISHING_CONF_ENGINE))

2646

if((ret = phishing_init(engine)))

2647

return ret;

2648

2649

if((dboptions & CL_DB_BYTECODE) && !engine->bcs.inited) {

2650

if((ret = cli_bytecode_init(&engine->bcs)))

2651

return ret;

2652

} else {

2653

cli_dbgmsg("Bytecode engine disabled\n");

2654

}

2655

2656

if(cli_cache_init(engine))

2657

return CL_EMEM;

2658

2659

engine->dboptions |= dboptions;

1343

cli_errmsg("cl_loaddbdir(): Can't get status of %s\n", path);

1344

return CL_EIO;

1345

}

1346

1347

if((ret = cli_initengine(engine, options))) {

1348

cl_free(*engine);

1349

return ret;

1350

}

1351

1352

(*engine)->dboptions = options;

2660

1353

2661

1354

switch(sb.st_mode & S_IFMT) {

2662

case S_IFREG:

2663

ret = cli_load(path, engine, signo, dboptions, NULL);

1355

case S_IFREG:

1356

ret = cli_load(path, engine, signo, options);

2664

1357

break;

2665

1358

2666

1359

case S_IFDIR:

2667

ret = cli_loaddbdir(path, engine, signo, dboptions | CL_DB_DIRECTORY);

1360

ret = cli_loaddbdir(path, engine, signo, options);

2668

1361

break;

2669

1362

2670

1363

default:

2671

1364

cli_errmsg("cl_load(%s): Not supported database file type\n", path);

2672

1365

return CL_EOPEN;

2673

1366

}

1367

1368

if(ret == CL_SUCCESS)

1369

cli_dconf_print((*engine)->dconf);

1370

2674

1371

return ret;

2675

1372

}

2676

1373

2717

1414

#else

2718

1415

while((dent = readdir(dd))) {

2719

1416

#endif

1417

#if (!defined(C_INTERIX)) && (!defined(C_WINDOWS)) && (!defined(C_CYGWIN))

2720

1418

if(dent->d_ino)

1419

#endif

2721

1420

{

2722

if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..") && CLI_DBEXT(dent->d_name)) {

1421

if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..") &&

1422

(cli_strbcasestr(dent->d_name, ".db") ||

1423

cli_strbcasestr(dent->d_name, ".db2") ||

1424

cli_strbcasestr(dent->d_name, ".db3") ||

1425

cli_strbcasestr(dent->d_name, ".hdb") ||

1426

cli_strbcasestr(dent->d_name, ".fp") ||

1427

cli_strbcasestr(dent->d_name, ".mdb") ||

1428

cli_strbcasestr(dent->d_name, ".ndb") ||

1429

cli_strbcasestr(dent->d_name, ".sdb") ||

1430

cli_strbcasestr(dent->d_name, ".zmd") ||

1431

cli_strbcasestr(dent->d_name, ".rmd") ||

1432

cli_strbcasestr(dent->d_name, ".cfg") ||

1433

#ifdef CL_EXPERIMENTAL

1434

cli_strbcasestr(dent->d_name, ".pdb") ||

1435

cli_strbcasestr(dent->d_name, ".wdb") ||

1436

#endif

1437

cli_strbcasestr(dent->d_name, ".ncdb") ||

1438

cli_strbcasestr(dent->d_name, ".inc") ||

1439

cli_strbcasestr(dent->d_name, ".cvd"))) {

1440

2723

1441

dbstat->entries++;

2724

dbstat->stattab = (struct stat *) cli_realloc2(dbstat->stattab, dbstat->entries * sizeof(struct stat));

1442

dbstat->stattab = (struct stat *) cli_realloc(dbstat->stattab, dbstat->entries * sizeof(struct stat));

2725

1443

if(!dbstat->stattab) {

1444

/* FIXME: Minor error path memleak here. Change the

1445

* behaviour of cli_realloc() to free old block on error

1446

* (and review all calls to cli_realloc()).

1447

2726

1448

cl_statfree(dbstat);

2727

1449

closedir(dd);

2728

1450

return CL_EMEM;

2729

1451

}

2730

1452

2731

#ifdef _WIN32

2732

dbstat->statdname = (char **) cli_realloc2(dbstat->statdname, dbstat->entries * sizeof(char *));

1453

#if defined(C_INTERIX) || defined(C_OS2)

1454

dbstat->statdname = (char **) cli_realloc(dbstat->statdname, dbstat->entries * sizeof(char *));

2733

1455

if(!dbstat->statdname) {

2734

1456

cl_statfree(dbstat);

2735

1457

closedir(dd);

2737

1459

}

2738

1460

#endif

2739

1461

2740

fname = cli_malloc(strlen(dirname) + strlen(dent->d_name) + 32);

1462

fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 32, sizeof(char));

2741

1463

if(!fname) {

2742

1464

cl_statfree(dbstat);

2743

1465

closedir(dd);

2744

1466

return CL_EMEM;

2745

1467

}

2746

sprintf(fname, "%s"PATHSEP"%s", dirname, dent->d_name);

2747

#ifdef _WIN32

2748

dbstat->statdname[dbstat->entries - 1] = (char *) cli_malloc(strlen(dent->d_name) + 1);

1468

1469

if(cli_strbcasestr(dent->d_name, ".inc")) {

1470

if(strstr(dent->d_name, "main"))

1471

sprintf(fname, "%s/main.inc/main.info", dirname);

1472

else

1473

sprintf(fname, "%s/daily.inc/daily.info", dirname);

1474

} else {

1475

sprintf(fname, "%s/%s", dirname, dent->d_name);

1476

}

1477

#if defined(C_INTERIX) || defined(C_OS2)

1478

dbstat->statdname[dbstat->entries - 1] = (char *) cli_calloc(strlen(dent->d_name) + 1, sizeof(char));

2749

1479

if(!dbstat->statdname[dbstat->entries - 1]) {

2750

1480

cl_statfree(dbstat);

2751

1481

closedir(dd);

2798

1528

#else

2799

1529

while((dent = readdir(dd))) {

2800

1530

#endif

1531

#if (!defined(C_INTERIX)) && (!defined(C_WINDOWS)) && (!defined(C_CYGWIN))

2801

1532

if(dent->d_ino)

1533

#endif

2802

1534

{

2803

if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..") && CLI_DBEXT(dent->d_name)) {

2804

fname = cli_malloc(strlen(dbstat->dir) + strlen(dent->d_name) + 32);

1535

if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..") &&

1536

(cli_strbcasestr(dent->d_name, ".db") ||

1537

cli_strbcasestr(dent->d_name, ".db2") ||

1538

cli_strbcasestr(dent->d_name, ".db3") ||

1539

cli_strbcasestr(dent->d_name, ".hdb") ||

1540

cli_strbcasestr(dent->d_name, ".fp") ||

1541

cli_strbcasestr(dent->d_name, ".mdb") ||

1542

cli_strbcasestr(dent->d_name, ".ndb") ||

1543

cli_strbcasestr(dent->d_name, ".sdb") ||

1544

cli_strbcasestr(dent->d_name, ".zmd") ||

1545

cli_strbcasestr(dent->d_name, ".rmd") ||

1546

cli_strbcasestr(dent->d_name, ".cfg") ||

1547

#ifdef CL_EXPERIMENTAL

1548

cli_strbcasestr(dent->d_name, ".pdb") ||

1549

cli_strbcasestr(dent->d_name, ".wdb") ||

1550

#endif

1551

cli_strbcasestr(dent->d_name, ".ncdb") ||

1552

cli_strbcasestr(dent->d_name, ".inc") ||

1553

cli_strbcasestr(dent->d_name, ".cvd"))) {

1554

1555

fname = cli_calloc(strlen(dbstat->dir) + strlen(dent->d_name) + 32, sizeof(char));

2805

1556

if(!fname) {

2806

1557

closedir(dd);

2807

1558

return CL_EMEM;

2808

1559

}

2809

1560

2810

sprintf(fname, "%s"PATHSEP"%s", dbstat->dir, dent->d_name);

1561

if(cli_strbcasestr(dent->d_name, ".inc")) {

1562

if(strstr(dent->d_name, "main"))

1563

sprintf(fname, "%s/main.inc/main.info", dbstat->dir);

1564

else

1565

sprintf(fname, "%s/daily.inc/daily.info", dbstat->dir);

1566

} else {

1567

sprintf(fname, "%s/%s", dbstat->dir, dent->d_name);

1568

}

2811

1569

stat(fname, &sb);

2812

1570

free(fname);

2813

1571

2814

1572

found = 0;

2815

1573

for(i = 0; i < dbstat->entries; i++)

2816

#ifdef _WIN32

1574

#if defined(C_INTERIX) || defined(C_OS2)

2817

1575

if(!strcmp(dbstat->statdname[i], dent->d_name)) {

2818

1576

#else

2819

1577

if(dbstat->stattab[i].st_ino == sb.st_ino) {

2842

1600

2843

1601

if(dbstat) {

2844

1602

2845

#ifdef _WIN32

1603

#if defined(C_INTERIX) || defined(C_OS2)

2846

1604

int i;

2847

1605

2848

1606

if(dbstat->statdname) {

2874

1632

return CL_SUCCESS;

2875

1633

}

2876

1634

2877

int cl_engine_free(struct cl_engine *engine)

1635

void cl_free(struct cl_engine *engine)

2878

1636

{

2879

unsigned int i, j;

1637

int i;

1638

struct cli_md5_node *md5pt, *md5h;

1639

struct cli_meta_node *metapt, *metah;

2880

1640

struct cli_matcher *root;

2881

1641

2882

1642

2883

1643

if(!engine) {

2884

1644

cli_errmsg("cl_free: engine == NULL\n");

2885

return CL_ENULLARG;

1645

return;

2886

1646

}

2887

1647

2888

1648

#ifdef CL_THREAD_SAFE

2889

1649

pthread_mutex_lock(&cli_ref_mutex);

2890

1650

#endif

2891

1651

2892

if(engine->refcount)

2893

engine->refcount--;

2894

1652

engine->refcount--;

2895

1653

if(engine->refcount) {

2896

1654

#ifdef CL_THREAD_SAFE

2897

1655

pthread_mutex_unlock(&cli_ref_mutex);

2898

1656

#endif

2899

return CL_SUCCESS;

1657

return;

2900

1658

}

2901

1659

2902

1660

#ifdef CL_THREAD_SAFE

2903

1661

pthread_mutex_unlock(&cli_ref_mutex);

2904

1662

#endif

1663

1664

#ifdef HAVE_NCORE

1665

if(engine->ncore)

1666

cli_ncore_unload(engine);

1667

#endif

1668

2905

1669

if(engine->root) {

2906

for(i = 0; i < CLI_MTARGETS; i++) {

1670

for(i = 0; i < CL_TARGET_TABLE_SIZE; i++) {

2907

1671

if((root = engine->root[i])) {

2908

if(!root->ac_only)

1672

cli_ac_free(root);

1673

if(!engine->root[i]->ac_only)

2909

1674

cli_bm_free(root);

2910

cli_ac_free(root);

2911

if(root->ac_lsigtable) {

2912

for(j = 0; j < root->ac_lsigs; j++) {

2913

mpool_free(engine->mempool, root->ac_lsigtable[j]->logic);

2914

FREE_TDB(root->ac_lsigtable[j]->tdb);

2915

mpool_free(engine->mempool, root->ac_lsigtable[j]);

2916

}

2917

mpool_free(engine->mempool, root->ac_lsigtable);

2918

}

2919

mpool_free(engine->mempool, root);

2920

}

2921

}

2922

mpool_free(engine->mempool, engine->root);

2923

}

2924

2925

if((root = engine->hm_hdb)) {

2926

hm_free(root);

2927

mpool_free(engine->mempool, root);

2928

}

2929

2930

if((root = engine->hm_mdb)) {

2931

hm_free(root);

2932

mpool_free(engine->mempool, root);

2933

}

2934

2935

if((root = engine->hm_fp)) {

2936

hm_free(root);

2937

mpool_free(engine->mempool, root);

2938

}

2939

2940

while(engine->cdb) {

2941

struct cli_cdb *pt = engine->cdb;

2942

engine->cdb = pt->next;

2943

if(pt->name.re_magic)

2944

cli_regfree(&pt->name);

2945

mpool_free(engine->mempool, pt->res2);

2946

mpool_free(engine->mempool, pt->virname);

2947

mpool_free(engine->mempool, pt);

2948

}

2949

2950

while(engine->dbinfo) {

2951

struct cli_dbinfo *pt = engine->dbinfo;

2952

engine->dbinfo = pt->next;

2953

mpool_free(engine->mempool, pt->name);

2954

mpool_free(engine->mempool, pt->hash);

2955

if(pt->cvd)

2956

cl_cvdfree(pt->cvd);

2957

mpool_free(engine->mempool, pt);

2958

}

2959

2960

if(engine->dconf->bytecode & BYTECODE_ENGINE_MASK) {

2961

if (engine->bcs.all_bcs)

2962

for(i=0;i<engine->bcs.count;i++)

2963

cli_bytecode_destroy(&engine->bcs.all_bcs[i]);

2964

cli_bytecode_done(&engine->bcs);

2965

free(engine->bcs.all_bcs);

2966

for (i=0;i<_BC_LAST_HOOK - _BC_START_HOOKS;i++) {

2967

free (engine->hooks[i]);

2968

}

2969

}

2970

if(engine->dconf->phishing & PHISHING_CONF_ENGINE)

2971

phishing_done(engine);

1675

free(root);

1676

}

1677

}

1678

1679

free(engine->root);

1680

}

1681

1682

if(engine->md5_hlist) {

1683

for(i = 0; i < 256; i++) {

1684

md5pt = engine->md5_hlist[i];

1685

while(md5pt) {

1686

md5h = md5pt;

1687

md5pt = md5pt->next;

1688

free(md5h->md5);

1689

free(md5h->virname);

1690

if(md5h->viralias)

1691

free(md5h->viralias);

1692

free(md5h);

1693

}

1694

}

1695

free(engine->md5_hlist);

1696

}

1697

1698

metapt = engine->zip_mlist;

1699

while(metapt) {

1700

metah = metapt;

1701

metapt = metapt->next;

1702

free(metah->virname);

1703

if(metah->filename)

1704

free(metah->filename);

1705

free(metah);

1706

}

1707

1708

metapt = engine->rar_mlist;

1709

while(metapt) {

1710

metah = metapt;

1711

metapt = metapt->next;

1712

free(metah->virname);

1713

if(metah->filename)

1714

free(metah->filename);

1715

free(metah);

1716

}

1717

1718

#ifdef CL_EXPERIMENTAL

1719

phishing_done(engine);

1720

#endif

1721

2972

1722

if(engine->dconf)

2973

mpool_free(engine->mempool, engine->dconf);

2974

2975

if(engine->pua_cats)

2976

mpool_free(engine->mempool, engine->pua_cats);

2977

2978

if(engine->iconcheck) {

2979

struct icon_matcher *iconcheck = engine->iconcheck;

2980

for(i=0; i<3; i++) {

2981

if(iconcheck->icons[i]) {

2982

for (j=0;j<iconcheck->icon_counts[i];j++) {

2983

struct icomtr* metric = iconcheck->icons[i];

2984

mpool_free(engine->mempool, metric[j].name);

2985

}

2986

mpool_free(engine->mempool, iconcheck->icons[i]);

2987

}

2988

}

2989

if(iconcheck->group_names[0]) {

2990

for(i=0; i<iconcheck->group_counts[0]; i++)

2991

mpool_free(engine->mempool, iconcheck->group_names[0][i]);

2992

mpool_free(engine->mempool, iconcheck->group_names[0]);

2993

}

2994

if(iconcheck->group_names[1]) {

2995

for(i=0; i<iconcheck->group_counts[1]; i++)

2996

mpool_free(engine->mempool, iconcheck->group_names[1][i]);

2997

mpool_free(engine->mempool, iconcheck->group_names[1]);

2998

}

2999

mpool_free(engine->mempool, iconcheck);

3000

}

3001

3002

if(engine->tmpdir)

3003

mpool_free(engine->mempool, engine->tmpdir);

3004

3005

if(engine->cache)

3006

cli_cache_destroy(engine);

3007

3008

cli_ftfree(engine);

3009

if(engine->ignored) {

3010

cli_bm_free(engine->ignored);

3011

mpool_free(engine->mempool, engine->ignored);

3012

}

3013

3014

#ifdef USE_MPOOL

3015

if(engine->mempool) mpool_destroy(engine->mempool);

3016

#endif

1723

free(engine->dconf);

1724

1725

cli_freelocks();

3017

1726

free(engine);

3018

return CL_SUCCESS;

3019

1727

}

3020

1728

3021

int cl_engine_compile(struct cl_engine *engine)

1729

int cl_build(struct cl_engine *engine)

3022

1730

{

3023

unsigned int i;

3024

int ret;

1731

int i, ret;

3025

1732

struct cli_matcher *root;

3026

1733

3027

1734

3028

if(!engine)

3029

return CL_ENULLARG;

3030

3031

if(!engine->ftypes)

3032

if((ret = cli_loadftm(NULL, engine, 0, 1, NULL)))

3033

return ret;

3034

3035

for(i = 0; i < CLI_MTARGETS; i++) {

3036

if((root = engine->root[i])) {

3037

if((ret = cli_ac_buildtrie(root)))

3038

return ret;

3039

cli_dbgmsg("Matcher[%u]: %s: AC sigs: %u (reloff: %u, absoff: %u) BM sigs: %u (reloff: %u, absoff: %u) maxpatlen %u %s\n", i, cli_mtargets[i].name, root->ac_patterns, root->ac_reloff_num, root->ac_absoff_num, root->bm_patterns, root->bm_reloff_num, root->bm_absoff_num, root->maxpatlen, root->ac_only ? "(ac_only mode)" : "");

3040

}

3041

}

3042

if(engine->hm_hdb)

3043

hm_flush(engine->hm_hdb);

3044

3045

if(engine->hm_mdb)

3046

hm_flush(engine->hm_mdb);

3047

3048

if(engine->hm_fp)

3049

hm_flush(engine->hm_fp);

3050

3051

if((ret = cli_build_regex_list(engine->whitelist_matcher))) {

3052

return ret;

3053

}

3054

if((ret = cli_build_regex_list(engine->domainlist_matcher))) {

3055

return ret;

3056

}

3057

if(engine->ignored) {

3058

cli_bm_free(engine->ignored);

3059

mpool_free(engine->mempool, engine->ignored);

3060

engine->ignored = NULL;

3061

}

3062

cli_dconf_print(engine->dconf);

3063

mpool_flush(engine->mempool);

3064

3065

/* Compile bytecode */

3066

if((ret = cli_bytecode_prepare2(engine, &engine->bcs, engine->dconf->bytecode))) {

3067

cli_errmsg("Unable to compile/load bytecode: %s\n", cl_strerror(ret));

1735

if((ret = cli_addtypesigs(engine)))

3068

1736

return ret;

3069

}

3070

3071

engine->dboptions |= CL_DB_COMPILED;

1737

1738

for(i = 0; i < CL_TARGET_TABLE_SIZE; i++)

1739

if((root = engine->root[i]))

1740

cli_ac_buildtrie(root);

1741

/* FIXME: check return values of cli_ac_buildtree */

1742

3072

1743

return CL_SUCCESS;

3073

1744

}

3074

1745

3075

int cl_engine_addref(struct cl_engine *engine)

1746

struct cl_engine *cl_dup(struct cl_engine *engine)

3076

1747

{

3077

1748

if(!engine) {

3078

cli_errmsg("cl_engine_addref: engine == NULL\n");

3079

return CL_ENULLARG;

1749

cli_errmsg("cl_dup: engine == NULL\n");

1750

return NULL;

3080

1751

}

3081

1752

3082

1753

#ifdef CL_THREAD_SAFE

3089

1760

pthread_mutex_unlock(&cli_ref_mutex);

3090

1761

#endif

3091

1762

3092

return CL_SUCCESS;

3093

}

3094

3095

static int countentries(const char *dbname, unsigned int *sigs)

3096

{

3097

char buffer[CLI_DEFAULT_LSIG_BUFSIZE + 1];

3098

FILE *fs;

3099

unsigned int entry = 0;

3100

3101

fs = fopen(dbname, "r");

3102

if(!fs) {

3103

cli_errmsg("countentries: Can't open file %s\n", dbname);

3104

return CL_EOPEN;

3105

}

3106

while(fgets(buffer, sizeof(buffer), fs)) {

3107

if(buffer[0] == '#')

3108

continue;

3109

entry++;

3110

}

3111

fclose(fs);

3112

*sigs += entry;

3113

return CL_SUCCESS;

3114

}

3115

3116

static int countsigs(const char *dbname, unsigned int options, unsigned int *sigs)

3117

{

3118

if((cli_strbcasestr(dbname, ".cvd") || cli_strbcasestr(dbname, ".cld"))) {

3119

if(options & CL_COUNTSIGS_OFFICIAL) {

3120

struct cl_cvd *cvd = cl_cvdhead(dbname);

3121

if(!cvd) {

3122

cli_errmsg("countsigs: Can't parse %s\n", dbname);

3123

return CL_ECVD;

3124

}

3125

*sigs += cvd->sigs;

3126

cl_cvdfree(cvd);

3127

}

3128

} else if(cli_strbcasestr(dbname, ".cbc")) {

3129

if(options & CL_COUNTSIGS_UNOFFICIAL)

3130

(*sigs)++;

3131

3132

} else if(cli_strbcasestr(dbname, ".wdb") || cli_strbcasestr(dbname, ".fp") || cli_strbcasestr(dbname, ".ftm") || cli_strbcasestr(dbname, ".cfg")) {

3133

/* ignore */

3134

3135

} else if((options & CL_COUNTSIGS_UNOFFICIAL) && CLI_DBEXT(dbname)) {

3136

return countentries(dbname, sigs);

3137

}

3138

3139

return CL_SUCCESS;

3140

}

3141

3142

int cl_countsigs(const char *path, unsigned int countoptions, unsigned int *sigs)

3143

{

3144

struct stat sb;

3145

char fname[1024];

3146

struct dirent *dent;

3147

#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2)

3148

union {

3149

struct dirent d;

3150

char b[offsetof(struct dirent, d_name) + NAME_MAX + 1];

3151

} result;

3152

#endif

3153

DIR *dd;

3154

int ret;

3155

3156

if(!sigs)

3157

return CL_ENULLARG;

3158

3159

if(stat(path, &sb) == -1) {

3160

cli_errmsg("cl_countsigs: Can't stat %s\n", path);

3161

return CL_ESTAT;

3162

}

3163

3164

if((sb.st_mode & S_IFMT) == S_IFREG) {

3165

return countsigs(path, countoptions, sigs);

3166

3167

} else if((sb.st_mode & S_IFMT) == S_IFDIR) {

3168

if((dd = opendir(path)) == NULL) {

3169

cli_errmsg("cl_countsigs: Can't open directory %s\n", path);

3170

return CL_EOPEN;

3171

}

3172

#ifdef HAVE_READDIR_R_3

3173

while(!readdir_r(dd, &result.d, &dent) && dent) {

3174

#elif defined(HAVE_READDIR_R_2)

3175

while((dent = (struct dirent *) readdir_r(dd, &result.d))) {

3176

#else

3177

while((dent = readdir(dd))) {

3178

#endif

3179

if(dent->d_ino) {

3180

if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..") && CLI_DBEXT(dent->d_name)) {

3181

snprintf(fname, sizeof(fname), "%s"PATHSEP"%s", path, dent->d_name);

3182

fname[sizeof(fname) - 1] = 0;

3183

ret = countsigs(fname, countoptions, sigs);

3184

if(ret != CL_SUCCESS) {

3185

closedir(dd);

3186

return ret;

3187

}

3188

}

3189

}

3190

}

3191

closedir(dd);

3192

} else {

3193

cli_errmsg("cl_countsigs: Unsupported file type\n");

3194

return CL_EARG;

3195

}

3196

3197

return CL_SUCCESS;

1763

return engine;

3198

1764

}

Older »