384
382
const char *virname;
387
uint8_t shash1[SHA1_HASH_SIZE*2+1];
388
uint8_t shash256[SHA256_HASH_SIZE*2+1];
389
int have_sha1, have_sha256;
386
if(ctx->engine->md5_fp && cli_md5m_scan(digest, size, &virname, ctx->engine->md5_fp) == CL_VIRUS) {
387
cli_dbgmsg("cli_checkfp(): Found false positive detection (fp sig: %s)\n", virname);
391
if(cli_hm_scan(digest, size, &virname, ctx->engine->hm_fp, CLI_HASH_MD5) == CL_VIRUS) {
392
cli_dbgmsg("cli_checkfp(md5): Found false positive detection (fp sig: %s)\n", virname);
390
396
for(i = 0; i < 16; i++)
391
397
sprintf(md5 + i * 2, "%02x", digest[i]);
393
399
cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) size, *ctx->virname ? *ctx->virname : "Name");
402
have_sha1 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, size);
403
have_sha256 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA256, size);
404
if(have_sha1 || have_sha256) {
405
if((ptr = fmap_need_off_once(map, 0, size))) {
408
SHA1Update(&sha1, ptr, size);
409
SHA1Final(&sha1, &shash1[SHA1_HASH_SIZE]);
410
if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS){
411
cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
416
sha256_init(&sha256);
417
sha256_update(&sha256, ptr, size);
418
sha256_final(&sha256, &shash256[SHA256_HASH_SIZE]);
419
if(cli_hm_scan(&shash256[SHA256_HASH_SIZE], size, &virname, ctx->engine->hm_fp, CLI_HASH_SHA256) == CL_VIRUS){
420
cli_dbgmsg("cli_checkfp(sha256): Found false positive detection (fp sig: %s)\n", virname);
395
426
#ifdef HAVE__INTERNAL__SHA_COLLECT
396
427
if((ctx->options & CL_SCAN_INTERNAL_COLLECT_SHA) && ctx->sha_collect>0) {
399
fmap_t *map = *ctx->fmap;
401
uint8_t shash1[SHA1_HASH_SIZE*2+1];
402
uint8_t shash256[SHA256_HASH_SIZE*2+1];
404
428
if((ptr = fmap_need_off_once(map, 0, size))) {
405
sha256_init(&sha256);
406
sha256_update(&sha256, ptr, size);
407
sha256_final(&sha256, &shash256[SHA256_HASH_SIZE]);
430
sha256_init(&sha256);
431
sha256_update(&sha256, ptr, size);
432
sha256_final(&sha256, &shash256[SHA256_HASH_SIZE]);
408
434
for(i=0; i<SHA256_HASH_SIZE; i++)
409
435
sprintf((char *)shash256+i*2, "%02x", shash256[SHA256_HASH_SIZE+i]);
412
SHA1Update(&sha1, ptr, size);
413
SHA1Final(&sha1, &shash1[SHA1_HASH_SIZE]);
439
SHA1Update(&sha1, ptr, size);
440
SHA1Final(&sha1, &shash1[SHA1_HASH_SIZE]);
414
442
for(i=0; i<SHA1_HASH_SIZE; i++)
415
443
sprintf((char *)shash1+i*2, "%02x", shash1[SHA1_HASH_SIZE+i]);
530
if(root->ac_lsigtable[i]->tdb.handlertype) {
532
if(cli_magic_scandesc_type(map->fd, ctx, root->ac_lsigtable[i]->tdb.handlertype[0]) == CL_VIRUS) {
558
if(hash && root->ac_lsigtable[i]->tdb.handlertype) {
559
if(memcmp(ctx->handlertype_hash, hash, 16)) {
561
memcpy(ctx->handlertype_hash, hash, 16);
562
if(cli_magic_scandesc_type(map->fd, ctx, root->ac_lsigtable[i]->tdb.handlertype[0]) == CL_VIRUS) {
533
566
ctx->recursion--;
540
571
if(root->ac_lsigtable[i]->tdb.icongrp1 || root->ac_lsigtable[i]->tdb.icongrp2) {
546
577
*ctx->virname = root->ac_lsigtable[i]->virname;
548
} else if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, ctx->virname, acdata->lsigcnt[i], acdata->lsigsuboff[i], map) == CL_VIRUS) {
579
} else if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, ctx->virname, acdata->lsigcnt[i], acdata->lsigsuboff_first[i], map) == CL_VIRUS) {
556
587
*ctx->virname = root->ac_lsigtable[i]->virname;
559
if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, ctx->virname, acdata->lsigcnt[i], acdata->lsigsuboff[i], map) == CL_VIRUS) {
590
if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, ctx->virname, acdata->lsigcnt[i], acdata->lsigsuboff_first[i], map) == CL_VIRUS) {
567
598
int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres, unsigned char *refhash)
569
600
unsigned char *buff;
570
int ret = CL_CLEAN, type = CL_CLEAN, bytes;
601
int ret = CL_CLEAN, type = CL_CLEAN, bytes, compute_hash[CLI_HASH_AVAIL_TYPES];
571
602
unsigned int i = 0, bm_offmode = 0;
572
603
uint32_t maxpatlen, offset = 0;
573
604
struct cli_ac_data gdata, tdata;
574
605
struct cli_bm_off toff;
575
606
cli_md5_ctx md5ctx;
576
unsigned char digest[16];
607
SHA256_CTX sha256ctx;
609
unsigned char digest[CLI_HASH_AVAIL_TYPES][32];
577
610
struct cli_matcher *groot = NULL, *troot = NULL;
578
611
struct cli_target_info info;
579
612
fmap_t *map = *ctx->fmap;
613
struct cli_matcher *hdb, *fp;
581
615
if(!ctx->engine) {
582
616
cli_errmsg("cli_scandesc: engine == NULL\n");
645
if(!refhash && !ftonly && ctx->engine->md5_hdb)
646
cli_md5_init(&md5ctx);
679
hdb = ctx->engine->hm_hdb;
680
fp = ctx->engine->hm_fp;
684
if(cli_hm_have_size(hdb, CLI_HASH_MD5, map->len) || cli_hm_have_size(fp, CLI_HASH_MD5, map->len)) {
685
cli_md5_init(&md5ctx);
686
compute_hash[CLI_HASH_MD5] = 1;
688
compute_hash[CLI_HASH_MD5] = 0;
690
compute_hash[CLI_HASH_MD5] = 0;
691
memcpy(digest[CLI_HASH_MD5], refhash, 16);
694
if(cli_hm_have_size(hdb, CLI_HASH_SHA1, map->len) || cli_hm_have_size(fp, CLI_HASH_SHA1, map->len)) {
696
compute_hash[CLI_HASH_SHA1] = 1;
698
compute_hash[CLI_HASH_SHA1] = 0;
700
if(cli_hm_have_size(hdb, CLI_HASH_SHA256, map->len) || cli_hm_have_size(fp, CLI_HASH_SHA256, map->len)) {
701
sha256_init(&sha256ctx);
702
compute_hash[CLI_HASH_SHA256] = 1;
704
compute_hash[CLI_HASH_SHA256] = 0;
648
707
while(offset < map->len) {
649
708
bytes = MIN(map->len - offset, SCANBUFF);
690
if(!refhash && ctx->engine->md5_hdb)
691
cli_md5_update(&md5ctx, buff + maxpatlen * (offset!=0), bytes - maxpatlen * (offset!=0));
750
void *data = buff + maxpatlen * (offset!=0);
751
uint32_t data_len = bytes - maxpatlen * (offset!=0);
753
if(compute_hash[CLI_HASH_MD5])
754
cli_md5_update(&md5ctx, data, data_len);
755
if(compute_hash[CLI_HASH_SHA1])
756
SHA1Update(&sha1ctx, data, data_len);
757
if(compute_hash[CLI_HASH_SHA256])
758
sha256_update(&sha256ctx, data, data_len);
694
762
if(bytes < SCANBUFF) break;
695
763
offset += bytes - maxpatlen;
767
enum CLI_HASH_TYPE hashtype;
769
if(compute_hash[CLI_HASH_MD5])
770
cli_md5_final(digest[CLI_HASH_MD5], &md5ctx);
772
compute_hash[CLI_HASH_MD5] = 1;
773
if(compute_hash[CLI_HASH_SHA1])
774
SHA1Final(&sha1ctx, digest[CLI_HASH_SHA1]);
775
if(compute_hash[CLI_HASH_SHA256])
776
sha256_final(&sha256ctx, digest[CLI_HASH_SHA256]);
778
for(hashtype = CLI_HASH_MD5; hashtype < CLI_HASH_AVAIL_TYPES; hashtype++) {
779
if(compute_hash[hashtype] && (ret = cli_hm_scan(digest[hashtype], map->len, ctx->virname, hdb, hashtype)) == CL_VIRUS)
783
if(ret == CL_VIRUS && fp) {
784
for(hashtype = CLI_HASH_MD5; hashtype < CLI_HASH_AVAIL_TYPES; hashtype++) {
785
if(compute_hash[hashtype] && cli_hm_scan(digest[hashtype], map->len, ctx->virname, fp, hashtype) == CL_VIRUS) {
699
ret = cli_lsig_eval(ctx, troot, &tdata, &info);
795
ret = cli_lsig_eval(ctx, troot, &tdata, &info, refhash);
700
796
cli_ac_freedata(&tdata);
702
798
cli_bm_freeoff(&toff);
715
811
if(ret == CL_VIRUS)
718
if(!ftonly && ctx->engine->md5_hdb) {
720
cli_md5_final(digest, &md5ctx);
723
if(cli_md5m_scan(refhash, map->len, ctx->virname, ctx->engine->md5_hdb) == CL_VIRUS && cli_md5m_scan(refhash, map->len, NULL, ctx->engine->md5_fp) != CL_VIRUS)
727
814
return (acmode & AC_SCAN_FT) ? type : CL_CLEAN;
730
int cli_matchmeta(cli_ctx *ctx, const char *fname, size_t fsizec, size_t fsizer, int encrypted, int filepos, int res1, void *res2)
817
int cli_matchmeta(cli_ctx *ctx, const char *fname, size_t fsizec, size_t fsizer, int encrypted, unsigned int filepos, int res1, void *res2)
732
819
const struct cli_cdb *cdb;