2
* Copyright (C) 2004 - 2005 Tomasz Kojm <tkojm@clamav.net>
4
* With additions from aCaB <acab@clamav.net>
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* (at your option) any later version.
11
* This program is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22
#include "clamav-config.h"
27
#include <sys/types.h>
42
#include "rebuildpe.h"
45
#define IMAGE_DOS_SIGNATURE 0x5a4d /* MZ */
46
#define IMAGE_DOS_SIGNATURE_OLD 0x4d5a /* ZM */
47
#define IMAGE_NT_SIGNATURE 0x00004550
48
#define IMAGE_OPTIONAL_SIGNATURE 0x010b
50
#define DETECT_BROKEN (options & CL_SCAN_BLOCKBROKEN)
52
#define UPX_NRV2B "\x11\xdb\x11\xc9\x01\xdb\x75\x07\x8b\x1e\x83\xee\xfc\x11\xdb\x11\xc9\x11\xc9\x75\x20\x41\x01\xdb"
53
#define UPX_NRV2D "\x83\xf0\xff\x74\x78\xd1\xf8\x89\xc5\xeb\x0b\x01\xdb\x75\x07\x8b\x1e\x83\xee\xfc\x11\xdb\x11\xc9"
54
#define UPX_NRV2E "\xeb\x52\x31\xc9\x83\xe8\x03\x72\x11\xc1\xe0\x08\x8a\x06\x46\x83\xf0\xff\x74\x75\xd1\xf8\x89\xc5"
56
#if WORDS_BIGENDIAN == 0
60
static inline uint16_t EC16(uint16_t v)
62
return ((v >> 8) + (v << 8));
65
static inline uint32_t EC32(uint32_t v)
67
return ((v >> 24) | ((v & 0x00FF0000) >> 8) | ((v & 0x0000FF00) << 8) | (v << 24));
71
extern short cli_leavetemps_flag;
73
static uint32_t cli_rawaddr(uint32_t rva, struct pe_image_section_hdr *shp, uint16_t nos, unsigned int *err)
78
for(i = 0; i < nos; i++) {
79
if(EC32(shp[i].VirtualAddress) <= rva && EC32(shp[i].VirtualAddress) + EC32(shp[i].SizeOfRawData) > rva) {
86
cli_dbgmsg("Can't calculate raw address from RVA 0x%x\n", rva);
92
return rva - EC32(shp[i].VirtualAddress) + EC32(shp[i].PointerToRawData);
96
static int cli_ddump(int desc, int offset, int size, const char *file)
98
int pos, ndesc, bread, sum = 0;
102
cli_dbgmsg("in ddump()\n");
104
if((pos = lseek(desc, 0, SEEK_CUR)) == -1) {
105
cli_dbgmsg("Invalid descriptor\n");
109
if(lseek(desc, offset, SEEK_SET) == -1) {
110
cli_dbgmsg("lseek() failed\n");
111
lseek(desc, pos, SEEK_SET);
115
if((ndesc = open(file, O_WRONLY|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {
116
cli_dbgmsg("Can't create file %s\n", file);
117
lseek(desc, pos, SEEK_SET);
121
while((bread = read(desc, buff, FILEBUFF)) > 0) {
122
if(sum + bread >= size) {
123
if(write(ndesc, buff, size - sum) == -1) {
124
cli_dbgmsg("Can't write to file\n");
125
lseek(desc, pos, SEEK_SET);
132
if(write(ndesc, buff, bread) == -1) {
133
cli_dbgmsg("Can't write to file\n");
134
lseek(desc, pos, SEEK_SET);
144
lseek(desc, pos, SEEK_SET);
149
int cli_scanpe(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec)
151
uint16_t e_magic; /* DOS signature ("MZ") */
153
uint32_t e_lfanew; /* address of new exe header */
154
uint32_t ep; /* entry point (raw) */
156
struct pe_image_file_hdr file_hdr;
157
struct pe_image_optional_hdr optional_hdr;
158
struct pe_image_section_hdr *section_hdr;
160
char sname[9], buff[4096], *tempfile;
161
unsigned int i, found, upx_success = 0, min = 0, max = 0, err, broken = 0;
162
unsigned int ssize = 0, dsize = 0, dll = 0;
163
int (*upxfn)(char *, int , char *, int *, uint32_t, uint32_t, uint32_t) = NULL;
164
char *src = NULL, *dest = NULL;
168
if(read(desc, &e_magic, sizeof(e_magic)) != sizeof(e_magic)) {
169
cli_dbgmsg("Can't read DOS signature\n");
173
if(EC16(e_magic) != IMAGE_DOS_SIGNATURE && EC16(e_magic) != IMAGE_DOS_SIGNATURE_OLD) {
174
cli_dbgmsg("Invalid DOS signature\n");
178
lseek(desc, 58, SEEK_CUR); /* skip to the end of the DOS header */
180
if(read(desc, &e_lfanew, sizeof(e_lfanew)) != sizeof(e_lfanew)) {
181
cli_dbgmsg("Can't read new header address\n");
182
/* truncated header? */
185
*virname = "Broken.Executable";
191
e_lfanew = EC32(e_lfanew);
192
cli_dbgmsg("e_lfanew == %d\n", e_lfanew);
194
cli_dbgmsg("Not a PE file\n");
198
if(lseek(desc, e_lfanew, SEEK_SET) < 0) {
199
/* probably not a PE file */
200
cli_dbgmsg("Can't lseek to e_lfanew\n");
204
if(read(desc, &file_hdr, sizeof(struct pe_image_file_hdr)) != sizeof(struct pe_image_file_hdr)) {
205
/* bad information in e_lfanew - probably not a PE file */
206
cli_dbgmsg("Can't read file header\n");
210
if(EC32(file_hdr.Magic) != IMAGE_NT_SIGNATURE) {
211
cli_dbgmsg("Invalid PE signature (probably NE file)\n");
215
if(EC16(file_hdr.Characteristics) & 0x2000) {
216
cli_dbgmsg("File type: DLL\n");
218
} else if(EC16(file_hdr.Characteristics) & 0x01) {
219
cli_dbgmsg("File type: Executable\n");
222
switch(EC16(file_hdr.Machine)) {
224
cli_dbgmsg("Machine type: Unknown\n");
226
cli_dbgmsg("Machine type: 80386\n");
229
cli_dbgmsg("Machine type: 80486\n");
232
cli_dbgmsg("Machine type: 80586\n");
235
cli_dbgmsg("Machine type: R30000 (big-endian)\n");
238
cli_dbgmsg("Machine type: R3000\n");
241
cli_dbgmsg("Machine type: R4000\n");
244
cli_dbgmsg("Machine type: R10000\n");
247
cli_dbgmsg("Machine type: DEC Alpha AXP\n");
250
cli_dbgmsg("Machine type: DEC Alpha AXP 64bit\n");
253
cli_dbgmsg("Machine type: PowerPC\n");
256
cli_dbgmsg("Machine type: IA64\n");
259
cli_dbgmsg("Machine type: M68k\n");
262
cli_dbgmsg("Machine type: MIPS16\n");
265
cli_dbgmsg("Machine type: MIPS+FPU\n");
268
cli_dbgmsg("Machine type: MIPS16+FPU\n");
271
cli_dbgmsg("Machine type: Hitachi SH3\n");
274
cli_dbgmsg("Machine type: Hitachi SH3-DSP\n");
277
cli_dbgmsg("Machine type: Hitachi SH3-E\n");
280
cli_dbgmsg("Machine type: Hitachi SH4\n");
283
cli_dbgmsg("Machine type: Hitachi SH5\n");
286
cli_dbgmsg("Machine type: ARM\n");
289
cli_dbgmsg("Machine type: THUMB\n");
292
cli_dbgmsg("Machine type: AM33\n");
295
cli_dbgmsg("Machine type: Infineon TriCore\n");
298
cli_dbgmsg("Machine type: CEF\n");
301
cli_dbgmsg("Machine type: EFI Byte Code\n");
304
cli_dbgmsg("Machine type: M32R\n");
307
cli_dbgmsg("Machine type: CEE\n");
310
cli_dbgmsg("Machine type: AMD64\n");
313
cli_warnmsg("Unknown machine type in PE header (0x%x)\n", EC16(file_hdr.Machine));
316
nsections = EC16(file_hdr.NumberOfSections);
320
*virname = "Broken.Executable";
323
cli_warnmsg("PE file contains no sections\n");
327
cli_dbgmsg("NumberOfSections: %d\n", nsections);
329
timestamp = (time_t) EC32(file_hdr.TimeDateStamp);
330
cli_dbgmsg("TimeDateStamp: %s", ctime(×tamp));
332
cli_dbgmsg("SizeOfOptionalHeader: %d\n", EC16(file_hdr.SizeOfOptionalHeader));
334
if(EC16(file_hdr.SizeOfOptionalHeader) != sizeof(struct pe_image_optional_hdr)) {
335
cli_warnmsg("Broken PE header detected.\n");
338
*virname = "Broken.Executable";
344
if(read(desc, &optional_hdr, sizeof(struct pe_image_optional_hdr)) != sizeof(struct pe_image_optional_hdr)) {
345
cli_dbgmsg("Can't optional file header\n");
348
*virname = "Broken.Executable";
354
cli_dbgmsg("MajorLinkerVersion: %d\n", optional_hdr.MajorLinkerVersion);
355
cli_dbgmsg("MinorLinkerVersion: %d\n", optional_hdr.MinorLinkerVersion);
356
cli_dbgmsg("SizeOfCode: %d\n", EC32(optional_hdr.SizeOfCode));
357
cli_dbgmsg("SizeOfInitializedData: %d\n", EC32(optional_hdr.SizeOfInitializedData));
358
cli_dbgmsg("SizeOfUninitializedData: %d\n", EC32(optional_hdr.SizeOfUninitializedData));
359
cli_dbgmsg("AddressOfEntryPoint: 0x%x\n", EC32(optional_hdr.AddressOfEntryPoint));
360
cli_dbgmsg("SectionAlignment: %d\n", EC32(optional_hdr.SectionAlignment));
361
cli_dbgmsg("FileAlignment: %d\n", EC32(optional_hdr.FileAlignment));
362
cli_dbgmsg("MajorSubsystemVersion: %d\n", EC16(optional_hdr.MajorSubsystemVersion));
363
cli_dbgmsg("MinorSubsystemVersion: %d\n", EC16(optional_hdr.MinorSubsystemVersion));
364
cli_dbgmsg("SizeOfImage: %d\n", EC32(optional_hdr.SizeOfImage));
365
cli_dbgmsg("SizeOfHeaders: %d\n", EC32(optional_hdr.SizeOfHeaders));
367
switch(EC16(optional_hdr.Subsystem)) {
369
cli_dbgmsg("Subsystem: Unknown\n");
372
cli_dbgmsg("Subsystem: Native (a driver ?)\n");
375
cli_dbgmsg("Subsystem: Win32 GUI\n");
378
cli_dbgmsg("Subsystem: Win32 console\n");
381
cli_dbgmsg("Subsystem: OS/2 console\n");
384
cli_dbgmsg("Subsystem: POSIX console\n");
387
cli_dbgmsg("Subsystem: Native Win9x driver\n");
390
cli_dbgmsg("Subsystem: WinCE GUI\n");
393
cli_dbgmsg("Subsystem: EFI application\n");
396
cli_dbgmsg("Subsystem: EFI driver\n");
399
cli_dbgmsg("Subsystem: EFI runtime driver\n");
402
cli_warnmsg("Unknown subsystem in PE header (0x%x)\n", EC16(optional_hdr.Subsystem));
405
cli_dbgmsg("NumberOfRvaAndSizes: %d\n", EC32(optional_hdr.NumberOfRvaAndSizes));
406
cli_dbgmsg("------------------------------------\n");
408
if(fstat(desc, &sb) == -1) {
409
cli_dbgmsg("fstat failed\n");
413
section_hdr = (struct pe_image_section_hdr *) cli_calloc(nsections, sizeof(struct pe_image_section_hdr));
416
cli_dbgmsg("Can't allocate memory for section headers\n");
420
for(i = 0; i < nsections; i++) {
422
if(read(desc, §ion_hdr[i], sizeof(struct pe_image_section_hdr)) != sizeof(struct pe_image_section_hdr)) {
423
cli_dbgmsg("Can't read section header\n");
424
cli_dbgmsg("Possibly broken PE file\n");
428
*virname = "Broken.Executable";
434
strncpy(sname, section_hdr[i].Name, 8);
436
cli_dbgmsg("Section %d\n", i);
437
cli_dbgmsg("Section name: %s\n", sname);
438
cli_dbgmsg("VirtualSize: %d\n", EC32(section_hdr[i].VirtualSize));
439
cli_dbgmsg("VirtualAddress: 0x%x\n", EC32(section_hdr[i].VirtualAddress));
440
cli_dbgmsg("SizeOfRawData: %d\n", EC32(section_hdr[i].SizeOfRawData));
441
cli_dbgmsg("PointerToRawData: 0x%x (%d)\n", EC32(section_hdr[i].PointerToRawData), EC32(section_hdr[i].PointerToRawData));
443
if(EC32(section_hdr[i].Characteristics) & 0x20) {
444
cli_dbgmsg("Section contains executable code\n");
446
if(EC32(section_hdr[i].VirtualSize) < EC32(section_hdr[i].SizeOfRawData)) {
447
cli_dbgmsg("Section contains free space\n");
449
cli_dbgmsg("Dumping %d bytes\n", section_hdr.SizeOfRawData - section_hdr.VirtualSize);
450
ddump(desc, section_hdr.PointerToRawData + section_hdr.VirtualSize, section_hdr.SizeOfRawData - section_hdr.VirtualSize, cli_gentemp(NULL));
456
if(EC32(section_hdr[i].Characteristics) & 0x20000000)
457
cli_dbgmsg("Section's memory is executable\n");
459
if(EC32(section_hdr[i].Characteristics) & 0x80000000)
460
cli_dbgmsg("Section's memory is writeable\n");
462
cli_dbgmsg("------------------------------------\n");
464
if(EC32(section_hdr[i].PointerToRawData) + EC32(section_hdr[i].SizeOfRawData) > (unsigned long int) sb.st_size) {
465
cli_dbgmsg("Possibly broken PE file - Section %d out of file (Offset@ %d, Rsize %d, Total filesize %d)\n", i, EC32(section_hdr[i].PointerToRawData), EC32(section_hdr[i].SizeOfRawData), sb.st_size);
468
*virname = "Broken.Executable";
476
min = EC32(section_hdr[i].VirtualAddress);
477
max = EC32(section_hdr[i].VirtualAddress) + EC32(section_hdr[i].SizeOfRawData);
479
if(EC32(section_hdr[i].VirtualAddress) < min)
480
min = EC32(section_hdr[i].VirtualAddress);
482
if(EC32(section_hdr[i].VirtualAddress) + EC32(section_hdr[i].SizeOfRawData) > max)
483
max = EC32(section_hdr[i].VirtualAddress) + EC32(section_hdr[i].SizeOfRawData);
488
if((ep = EC32(optional_hdr.AddressOfEntryPoint)) >= min && !(ep = cli_rawaddr(EC32(optional_hdr.AddressOfEntryPoint), section_hdr, nsections, &err)) && err) {
489
cli_dbgmsg("Possibly broken PE file\n");
493
*virname = "Broken.Executable";
499
cli_dbgmsg("EntryPoint offset: 0x%x (%d)\n", ep, ep);
501
/* Attempt to detect some popular polymorphic viruses */
504
if(!dll && ep == EC32(section_hdr[nsections - 1].PointerToRawData)) {
505
lseek(desc, ep, SEEK_SET);
506
if(read(desc, buff, 4096) == 4096) {
507
const char *pt = cli_memstr(buff, 4040, "\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00", 15);
512
if(((dw1 = cli_readint32(pt)) ^ (dw2 = cli_readint32(pt + 4))) == 0x505a4f && ((dw1 = cli_readint32(pt + 8)) ^ (dw2 = cli_readint32(pt + 12))) == 0xffffb && ((dw1 = cli_readint32(pt + 16)) ^ (dw2 = cli_readint32(pt + 20))) == 0xb8) {
513
*virname = "W32.Parite.B";
521
/* W32.Magistr.A/B */
522
if(!dll && (EC32(section_hdr[nsections - 1].Characteristics) & 0x80000000)) {
523
uint32_t rsize, vsize;
525
rsize = EC32(section_hdr[nsections - 1].SizeOfRawData);
526
vsize = EC32(section_hdr[nsections - 1].VirtualSize);
528
if(rsize >= 0x612c && vsize >= 0x612c && ((vsize & 0xff) == 0xec)) {
529
int bw = rsize < 0x7000 ? rsize : 0x7000;
531
lseek(desc, EC32(section_hdr[nsections - 1].PointerToRawData) + rsize - bw, SEEK_SET);
532
if(read(desc, buff, 4096) == 4096) {
533
if(cli_memstr(buff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
534
*virname = "W32.Magistr.A";
540
} else if(rsize >= 0x7000 && vsize >= 0x7000 && ((vsize & 0xff) == 0xed)) {
541
int bw = rsize < 0x8000 ? rsize : 0x8000;
543
lseek(desc, EC32(section_hdr[nsections - 1].PointerToRawData) + rsize - bw, SEEK_SET);
544
if(read(desc, buff, 4096) == 4096) {
545
if(cli_memstr(buff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
546
*virname = "W32.Magistr.B";
559
/* UPX & FSG support */
561
/* try to find the first section with physical size == 0 */
563
for(i = 0; i < (unsigned int) nsections - 1; i++) {
564
if(!section_hdr[i].SizeOfRawData && section_hdr[i].VirtualSize && section_hdr[i + 1].SizeOfRawData && section_hdr[i + 1].VirtualSize) {
566
cli_dbgmsg("UPX/FSG: empty section found - assuming compression\n");
573
/* Check EP for UPX vs. FSG */
574
if(lseek(desc, ep, SEEK_SET) == -1) {
575
cli_dbgmsg("UPX/FSG: lseek() failed\n");
580
if(read(desc, buff, 168) != 168) {
581
cli_dbgmsg("UPX/FSG: Can't read 168 bytes at 0x%x (%d)\n", ep, ep);
582
cli_dbgmsg("UPX/FSG: Broken or not UPX/FSG compressed file\n");
587
if(buff[0] == '\x87' && buff[1] == '\x25') {
589
/* FSG v2.0 support - thanks to aCaB ! */
591
ssize = EC32(section_hdr[i + 1].SizeOfRawData);
592
dsize = EC32(section_hdr[i].VirtualSize);
595
uint32_t newesi, newedi, newebx, newedx;
597
if(limits && limits->maxfilesize && (ssize > limits->maxfilesize || dsize > limits->maxfilesize)) {
598
cli_dbgmsg("FSG: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize , limits->maxfilesize);
603
if(ssize <= 0x19 || dsize <= ssize) {
604
cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
609
if((newedx = cli_readint32(buff + 2) - EC32(optional_hdr.ImageBase)) < EC32(section_hdr[i + 1].VirtualAddress) || newedx >= EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData) - 4) {
610
cli_dbgmsg("FSG: xchg out of bounds (%x), giving up\n", newedx);
614
if((src = (char *) cli_malloc(ssize)) == NULL) {
619
lseek(desc, EC32(section_hdr[i + 1].PointerToRawData), SEEK_SET);
620
if((unsigned int) read(desc, src, ssize) != ssize) {
621
cli_dbgmsg("Can't read raw data of section %d\n", i);
627
if(newedx < EC32(section_hdr[i + 1].VirtualAddress) || ((dest = src + newedx - EC32(section_hdr[i + 1].VirtualAddress)) < src && dest >= src + EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData) - 4)) {
628
cli_dbgmsg("FSG: New ESP out of bounds\n");
633
if((newedx = cli_readint32(dest) - EC32(optional_hdr.ImageBase)) <= EC32(section_hdr[i + 1].VirtualAddress) || newedx >= EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData) - 4) {
634
cli_dbgmsg("FSG: New ESP (%x) is wrong\n", newedx);
639
if((dest = src + newedx - EC32(section_hdr[i + 1].VirtualAddress)) < src || dest >= src + EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData) - 32) {
640
cli_dbgmsg("FSG: New stack out of bounds\n");
645
newedi = cli_readint32(dest) - EC32(optional_hdr.ImageBase);
646
newesi = cli_readint32(dest + 4) - EC32(optional_hdr.ImageBase);
647
newebx = cli_readint32(dest + 16) - EC32(optional_hdr.ImageBase);
648
newedx = cli_readint32(dest + 20);
650
if(newedi != EC32(section_hdr[i].VirtualAddress)) {
651
cli_dbgmsg("FSG: Bad destination buffer (edi is %x should be %x)\n", newedi, EC32(section_hdr[i].VirtualAddress));
656
if(newesi < EC32(section_hdr[i + 1].VirtualAddress) || newesi >= EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData)) {
657
cli_dbgmsg("FSG: Source buffer out of section bounds\n");
662
if(newebx < EC32(section_hdr[i + 1].VirtualAddress) || newebx >= EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData) - 16) {
663
cli_dbgmsg("FSG: Array of functions out of bounds\n");
668
/* FIXME: unused atm, needed for pe rebuilding */
669
cli_dbgmsg("FSG: found old EP @%x\n", cli_readint32(newebx + 12 - EC32(section_hdr[i + 1].VirtualAddress) + src) - EC32(optional_hdr.ImageBase));
671
if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
677
if(unfsg_200(newesi - EC32(section_hdr[i + 1].VirtualAddress) + src, dest, ssize + EC32(section_hdr[i + 1].VirtualAddress) - newesi, dsize) == -1) {
678
cli_dbgmsg("FSG: Unpacking failed\n");
686
cli_dbgmsg("FSG: Successfully decompressed\n");
690
if(found && buff[0] == '\xbe' && cli_readint32(buff + 1) - EC32(optional_hdr.ImageBase) < min) {
692
/* FSG support - v. 1.33 (thx trog for the many samples) */
694
ssize = EC32(section_hdr[i + 1].SizeOfRawData);
695
dsize = EC32(section_hdr[i].VirtualSize);
698
int gp, t, sectcnt = 0;
700
uint32_t newesi, newedi, newebx, oldep;
701
struct SECTION *sections;
704
if(limits && limits->maxfilesize && (ssize > limits->maxfilesize || dsize > limits->maxfilesize)) {
705
cli_dbgmsg("FSG: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize, limits->maxfilesize);
710
if(ssize <= 0x19 || dsize <= ssize) {
711
cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
716
if((gp = cli_readint32(buff + 1) - EC32(optional_hdr.ImageBase)) >= (int) EC32(section_hdr[i + 1].PointerToRawData) || gp < 0) {
717
cli_dbgmsg("FSG: Support data out of padding area (vaddr: %d)\n", EC32(section_hdr[i].VirtualAddress));
721
lseek(desc, gp, SEEK_SET);
722
gp = EC32(section_hdr[i + 1].PointerToRawData) - gp;
724
if(limits && limits->maxfilesize && (unsigned int) gp > limits->maxfilesize) {
725
cli_dbgmsg("FSG: Buffer size exceeded (size: %d, max: %lu)\n", gp, limits->maxfilesize);
730
if((support = (char *) cli_malloc(gp)) == NULL) {
735
if(read(desc, support, gp) != gp) {
736
cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
742
newebx = cli_readint32(support) - EC32(optional_hdr.ImageBase); /* Unused */
743
newedi = cli_readint32(support + 4) - EC32(optional_hdr.ImageBase); /* 1st dest */
744
newesi = cli_readint32(support + 8) - EC32(optional_hdr.ImageBase); /* Source */
746
if(newesi < EC32(section_hdr[i + 1].VirtualAddress) || newesi >= EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData)) {
747
cli_dbgmsg("FSG: Source buffer out of section bounds\n");
752
if(newedi != EC32(section_hdr[i].VirtualAddress)) {
753
cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, EC32(section_hdr[i].VirtualAddress));
758
/* Counting original sections */
759
for(t = 12; t < gp - 4; t += 4) {
760
uint32_t rva = cli_readint32(support+t);
765
rva -= EC32(optional_hdr.ImageBase)+1;
769
/* FIXME: really need to bother? */
770
cli_dbgmsg("FSG: Original section %d is misaligned\n", sectcnt);
772
if(rva < EC32(section_hdr[i].VirtualAddress) || rva >= EC32(section_hdr[i].VirtualAddress)+EC32(section_hdr[i].VirtualSize)) {
773
cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
778
if(t >= gp - 4 || cli_readint32(support + t)) {
783
if((sections = (struct SECTION *) cli_malloc((sectcnt + 1) * sizeof(struct SECTION))) == NULL) {
789
sections[0].rva = newedi;
790
for(t = 1; t <= sectcnt; t++)
791
sections[t].rva = cli_readint32(support + 8 + t * 4) - 1 -EC32(optional_hdr.ImageBase);
795
if((src = (char *) cli_malloc(ssize)) == NULL) {
801
lseek(desc, EC32(section_hdr[i + 1].PointerToRawData), SEEK_SET);
802
if((unsigned int) read(desc, src, ssize) != ssize) {
803
cli_dbgmsg("Can't read raw data of section %d\n", i);
810
if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
817
oldep = EC32(optional_hdr.AddressOfEntryPoint) + 161 + 6 + cli_readint32(buff+163);
818
cli_dbgmsg("FSG: found old EP @%x\n", oldep);
820
tempfile = cli_gentemp(NULL);
821
if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {
822
cli_dbgmsg("FSG: Can't create file %s\n", tempfile);
831
switch(unfsg_133(src + newesi - EC32(section_hdr[i + 1].VirtualAddress), dest, ssize + EC32(section_hdr[i + 1].VirtualAddress) - newesi, dsize, sections, sectcnt, EC32(optional_hdr.ImageBase), oldep, ndesc)) {
832
case 1: /* Everything OK */
833
cli_dbgmsg("FSG: Unpacked and rebuilt executable saved in %s\n", tempfile);
838
lseek(ndesc, 0, SEEK_SET);
840
cli_dbgmsg("***** Scanning rebuilt PE file *****\n");
841
if(cli_magic_scandesc(ndesc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
844
if(!cli_leavetemps_flag)
851
if(!cli_leavetemps_flag)
857
case 0: /* We've got an unpacked buffer, no exe though */
858
cli_dbgmsg("FSG: FSG: Successfully decompressed\n");
865
break; /* Go and scan the buffer! */
867
default: /* Everything gone wrong */
868
cli_dbgmsg("FSG: Unpacking failed\n");
870
unlink(tempfile); // It's empty anyway
878
break; /* were done with 1.33 */
882
/* FIXME: easy 2 hack */
883
if(found && buff[0] == '\xbb' && cli_readint32(buff + 1) - EC32(optional_hdr.ImageBase) < min && buff[5] == '\xbf' && buff[10] == '\xbe') {
885
/* FSG support - v. 1.31 */
887
ssize = EC32(section_hdr[i + 1].SizeOfRawData);
888
dsize = EC32(section_hdr[i].VirtualSize);
891
int gp = cli_readint32(buff+1) - EC32(optional_hdr.ImageBase), t, sectcnt = 0;
893
uint32_t newesi = cli_readint32(buff+11) - EC32(optional_hdr.ImageBase);
894
uint32_t newedi = cli_readint32(buff+6) - EC32(optional_hdr.ImageBase);
895
uint32_t oldep = EC32(optional_hdr.AddressOfEntryPoint);
896
struct SECTION *sections;
898
if (oldep <= EC32(section_hdr[i + 1].VirtualAddress) || oldep > EC32(section_hdr[i + 1].VirtualAddress)+EC32(section_hdr[i + 1].SizeOfRawData) - 0xe0) {
899
cli_dbgmsg("FSG: EP not in section %d\n", i+1);
902
oldep -= EC32(section_hdr[i + 1].VirtualAddress);
904
if(newesi < EC32(section_hdr[i + 1].VirtualAddress) || newesi >= EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData)) {
905
cli_dbgmsg("FSG: Source buffer out of section bounds\n");
909
if(newedi != EC32(section_hdr[i].VirtualAddress)) {
910
cli_dbgmsg("FSG: Bad destination (is %x should be %x)\n", newedi, EC32(section_hdr[i].VirtualAddress));
914
if(limits && limits->maxfilesize && (ssize > limits->maxfilesize || dsize > limits->maxfilesize)) {
915
cli_dbgmsg("FSG: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize, limits->maxfilesize);
920
if(ssize <= 0x19 || dsize <= ssize) {
921
cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
926
if(gp >= (int) EC32(section_hdr[i + 1].PointerToRawData) || gp < 0) {
927
cli_dbgmsg("FSG: Support data out of padding area (newedi: %d, vaddr: %d)\n", newedi, EC32(section_hdr[i].VirtualAddress));
931
lseek(desc, gp, SEEK_SET);
932
gp = EC32(section_hdr[i + 1].PointerToRawData) - gp;
934
if(limits && limits->maxfilesize && (unsigned int) gp > limits->maxfilesize) {
935
cli_dbgmsg("FSG: Buffer size exceeded (size: %d, max: %lu)\n", gp, limits->maxfilesize);
940
if((support = (char *) cli_malloc(gp)) == NULL) {
945
if(read(desc, support, gp) != gp) {
946
cli_dbgmsg("Can't read %d bytes from padding area\n", gp);
952
/* Counting original sections */
953
for(t = 0; t < gp - 2; t += 2) {
954
uint32_t rva = support[t]+256*support[t+1];
956
if (rva == 2 || rva == 1)
959
rva = ((rva-2)<<12) - EC32(optional_hdr.ImageBase);
962
if(rva < EC32(section_hdr[i].VirtualAddress) || rva >= EC32(section_hdr[i].VirtualAddress)+EC32(section_hdr[i].VirtualSize)) {
963
cli_dbgmsg("FSG: Original section %d is out of bounds\n", sectcnt);
968
if(t >= gp-10 || cli_readint32(support + t + 6) != 2) {
973
if((sections = (struct SECTION *) cli_malloc((sectcnt + 1) * sizeof(struct SECTION))) == NULL) {
979
sections[0].rva = newedi;
980
for(t = 0; t <= sectcnt - 1; t++) {
981
sections[t+1].rva = (((support[t*2]+256*support[t*2+1])-2)<<12)-EC32(optional_hdr.ImageBase);
986
if((src = (char *) cli_malloc(ssize)) == NULL) {
992
lseek(desc, EC32(section_hdr[i + 1].PointerToRawData), SEEK_SET);
993
if((unsigned int) read(desc, src, ssize) != ssize) {
994
cli_dbgmsg("Can't read raw data of section %d\n", i);
1001
if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
1008
/* Better not increasing buff size any further, let's go the hard way */
1009
gp = 0xda + 6*(buff[16]=='\xe8');
1010
oldep = EC32(optional_hdr.AddressOfEntryPoint) + gp + 6 + cli_readint32(src+gp+2+oldep);
1011
cli_dbgmsg("FSG: found old EP @%x\n", oldep);
1013
tempfile = cli_gentemp(NULL);
1014
if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {
1015
cli_dbgmsg("FSG: Can't create file %s\n", tempfile);
1024
switch(unfsg_133(src + newesi - EC32(section_hdr[i + 1].VirtualAddress), dest, ssize + EC32(section_hdr[i + 1].VirtualAddress) - newesi, dsize, sections, sectcnt, EC32(optional_hdr.ImageBase), oldep, ndesc)) {
1025
case 1: /* Everything OK */
1026
cli_dbgmsg("FSG: Unpacked and rebuilt executable saved in %s\n", tempfile);
1031
lseek(ndesc, 0, SEEK_SET);
1033
cli_dbgmsg("***** Scanning rebuilt PE file *****\n");
1034
if(cli_magic_scandesc(ndesc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
1037
if(!cli_leavetemps_flag)
1044
if(!cli_leavetemps_flag)
1050
case 0: /* We've got an unpacked buffer, no exe though */
1051
cli_dbgmsg("FSG: FSG: Successfully decompressed\n");
1058
break; /* Go and scan the buffer! */
1060
default: /* Everything gone wrong */
1061
cli_dbgmsg("FSG: Unpacking failed\n");
1063
unlink(tempfile); // It's empty anyway
1071
break; /* were done with 1.31 */
1080
strncpy(sname, section_hdr[i].Name, 8);
1082
cli_dbgmsg("UPX: Section %d name: %s\n", i, sname);
1083
strncpy(sname, section_hdr[i + 1].Name, 8);
1085
cli_dbgmsg("UPX: Section %d name: %s\n", i + 1, sname);
1087
if(strncmp(section_hdr[i].Name, "UPX0", 4) || strncmp(section_hdr[i + 1].Name, "UPX1", 4))
1088
cli_dbgmsg("UPX: Possibly hacked UPX section headers\n");
1090
/* we assume (i + 1) is UPX1 */
1091
ssize = EC32(section_hdr[i + 1].SizeOfRawData);
1092
dsize = EC32(section_hdr[i].VirtualSize) + EC32(section_hdr[i + 1].VirtualSize);
1094
if(limits && limits->maxfilesize && (ssize > limits->maxfilesize || dsize > limits->maxfilesize)) {
1095
cli_dbgmsg("UPX: Sizes exceeded (ssize: %d, dsize: %d, max: %lu)\n", ssize, dsize , limits->maxfilesize);
1100
if(ssize <= 0x19 || dsize <= ssize) { /* FIXME: What are reasonable values? */
1101
cli_dbgmsg("UPX: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);
1106
/* FIXME: use file operations in case of big files */
1107
if((src = (char *) cli_malloc(ssize)) == NULL) {
1112
if((dest = (char *) cli_calloc(dsize + 1024 + nsections * 40, sizeof(char))) == NULL) {
1118
lseek(desc, EC32(section_hdr[i + 1].PointerToRawData), SEEK_SET);
1119
if((unsigned int) read(desc, src, ssize) != ssize) {
1120
cli_dbgmsg("Can't read raw data of section %d\n", i);
1127
/* try to detect UPX code */
1129
if(lseek(desc, ep, SEEK_SET) == -1) {
1130
cli_dbgmsg("lseek() failed\n");
1137
if(read(desc, buff, 126) != 126) { /* i.e. 0x69 + 13 + 8 */
1138
cli_dbgmsg("UPX: Can't read 126 bytes at 0x%x (%d)\n", ep, ep);
1139
cli_dbgmsg("UPX/FSG: Broken or not UPX/FSG compressed file\n");
1145
if(cli_memstr(UPX_NRV2B, 24, buff + 0x69, 13) || cli_memstr(UPX_NRV2B, 24, buff + 0x69 + 8, 13)) {
1146
cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n");
1147
upxfn = upx_inflate2b;
1148
} else if(cli_memstr(UPX_NRV2D, 24, buff + 0x69, 13) || cli_memstr(UPX_NRV2D, 24, buff + 0x69 + 8, 13)) {
1149
cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n");
1150
upxfn = upx_inflate2d;
1151
} else if(cli_memstr(UPX_NRV2E, 24, buff + 0x69, 13) || cli_memstr(UPX_NRV2E, 24, buff + 0x69 + 8, 13)) {
1152
cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n");
1153
upxfn = upx_inflate2e;
1158
int skew = cli_readint32(buff + 2) - EC32(optional_hdr.ImageBase) - EC32(section_hdr[i + 1].VirtualAddress);
1160
if(buff[1] != '\xbe' || skew <= 0 || skew > 0xfff) { /* FIXME: legit skews?? */
1162
if(upxfn(src, ssize, dest, &dsize, EC32(section_hdr[i].VirtualAddress), EC32(section_hdr[i + 1].VirtualAddress), EC32(optional_hdr.AddressOfEntryPoint)) >= 0)
1166
cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew);
1167
if(upxfn(src + skew, ssize - skew, dest, &dsize, EC32(section_hdr[i].VirtualAddress), EC32(section_hdr[i + 1].VirtualAddress), EC32(optional_hdr.AddressOfEntryPoint)-skew) >= 0 || upxfn(src, ssize, dest, &dsize, EC32(section_hdr[i].VirtualAddress), EC32(section_hdr[i + 1].VirtualAddress), EC32(optional_hdr.AddressOfEntryPoint)) >= 0)
1172
cli_dbgmsg("UPX: Successfully decompressed\n");
1174
cli_dbgmsg("UPX: Prefered decompressor failed\n");
1177
if(!upx_success && upxfn != upx_inflate2b) {
1178
if(upx_inflate2b(src, ssize, dest, &dsize, EC32(section_hdr[i].VirtualAddress), EC32(section_hdr[i + 1].VirtualAddress), EC32(optional_hdr.AddressOfEntryPoint)) == -1 && upx_inflate2b(src + 0x15, ssize - 0x15, dest, &dsize, EC32(section_hdr[i].VirtualAddress), EC32(section_hdr[i + 1].VirtualAddress), EC32(optional_hdr.AddressOfEntryPoint) - 0x15) == -1) {
1180
cli_dbgmsg("UPX: NRV2B decompressor failed\n");
1183
cli_dbgmsg("UPX: Successfully decompressed with NRV2B\n");
1187
if(!upx_success && upxfn != upx_inflate2d) {
1188
if(upx_inflate2d(src, ssize, dest, &dsize, EC32(section_hdr[i].VirtualAddress), EC32(section_hdr[i + 1].VirtualAddress), EC32(optional_hdr.AddressOfEntryPoint)) == -1 && upx_inflate2d(src + 0x15, ssize - 0x15, dest, &dsize, EC32(section_hdr[i].VirtualAddress), EC32(section_hdr[i + 1].VirtualAddress), EC32(optional_hdr.AddressOfEntryPoint) - 0x15) == -1) {
1190
cli_dbgmsg("UPX: NRV2D decompressor failed\n");
1193
cli_dbgmsg("UPX: Successfully decompressed with NRV2D\n");
1197
if(!upx_success && upxfn != upx_inflate2e) {
1198
if(upx_inflate2e(src, ssize, dest, &dsize, EC32(section_hdr[i].VirtualAddress), EC32(section_hdr[i + 1].VirtualAddress), EC32(optional_hdr.AddressOfEntryPoint)) == -1 && upx_inflate2e(src + 0x15, ssize - 0x15, dest, &dsize, EC32(section_hdr[i].VirtualAddress), EC32(section_hdr[i + 1].VirtualAddress), EC32(optional_hdr.AddressOfEntryPoint) - 0x15) == -1) {
1199
cli_dbgmsg("UPX: NRV2E decompressor failed\n");
1202
cli_dbgmsg("UPX: Successfully decompressed with NRV2E\n");
1207
cli_dbgmsg("UPX: All decompressors failed\n");
1217
tempfile = cli_gentemp(NULL);
1218
if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {
1219
cli_dbgmsg("UPX/FSG: Can't create file %s\n", tempfile);
1225
if((unsigned int) write(ndesc, dest, dsize) != dsize) {
1226
cli_dbgmsg("UPX/FSG: Can't write %d bytes\n", dsize);
1235
lseek(ndesc, 0, SEEK_SET);
1237
if(cli_leavetemps_flag)
1238
cli_dbgmsg("UPX/FSG: Decompressed data saved in %s\n", tempfile);
1240
cli_dbgmsg("***** Scanning decompressed data *****\n");
1241
if((ret = cli_magic_scandesc(ndesc, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS) {
1243
if(!cli_leavetemps_flag)
1250
if(!cli_leavetemps_flag)
1261
lseek(desc, ep, SEEK_SET);
1262
if(read(desc, buff, 200) != 200) {
1263
cli_dbgmsg("Can't read 200 bytes\n");
1268
if(buff[0] != '\xb8' || (uint32_t) cli_readint32(buff + 1) != EC32(section_hdr[nsections - 1].VirtualAddress) + EC32(optional_hdr.ImageBase)) {
1269
if(nsections < 2 || buff[0] != '\xb8' || (uint32_t) cli_readint32(buff + 1) != EC32(section_hdr[nsections - 2].VirtualAddress) + EC32(optional_hdr.ImageBase))
1276
cli_dbgmsg("Petite: v2.%d compression detected\n", found);
1278
if(cli_readint32(buff + 0x80) == 0x163c988d) {
1279
cli_dbgmsg("Petite: level zero compression is not supported yet\n");
1283
if(limits && limits->maxfilesize && dsize > limits->maxfilesize) {
1284
cli_dbgmsg("Petite: Size exceeded (dsize: %d, max: %lu)\n", dsize, limits->maxfilesize);
1289
if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
1290
cli_dbgmsg("Petite: Can't allocate %d bytes\n", dsize);
1295
for(i = 0 ; i < nsections; i++) {
1296
if(section_hdr[i].SizeOfRawData) {
1297
uint32_t offset = cli_rawaddr(EC32(section_hdr[i].VirtualAddress), section_hdr, nsections, &err);
1299
if(err || lseek(desc, offset, SEEK_SET) == -1 || (unsigned int) read(desc, dest + EC32(section_hdr[i].VirtualAddress) - min, EC32(section_hdr[i].SizeOfRawData)) != EC32(section_hdr[i].SizeOfRawData)) {
1307
tempfile = cli_gentemp(NULL);
1308
if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {
1309
cli_dbgmsg("Petite: Can't create file %s\n", tempfile);
1316
/* aCaB: Fixed to allow petite v2.1 unpacking (last section is a ghost) */
1317
switch(petite_inflate2x_1to9(dest, min, max - min, section_hdr,
1318
nsections - (found == 1 ? 1 : 0), EC32(optional_hdr.ImageBase),
1319
EC32(optional_hdr.AddressOfEntryPoint), ndesc,
1320
found, EC32(optional_hdr.DataDirectory[2].VirtualAddress),
1321
EC32(optional_hdr.DataDirectory[2].Size))) {
1323
cli_dbgmsg("Petite: Unpacked and rebuilt executable saved in %s\n", tempfile);
1324
cli_dbgmsg("***** Scanning rebuilt PE file *****\n");
1328
cli_dbgmsg("Petite: Unpacked data saved in %s\n", tempfile);
1332
cli_dbgmsg("Petite: Unpacking failed\n");
1337
lseek(ndesc, 0, SEEK_SET);
1339
if(cli_magic_scandesc(ndesc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
1342
if(!cli_leavetemps_flag) {
1353
if(!cli_leavetemps_flag) {
1362
/* to be continued ... */
1368
int cli_peheader(int desc, struct cli_pe_info *peinfo)
1370
uint16_t e_magic; /* DOS signature ("MZ") */
1371
uint32_t e_lfanew; /* address of new exe header */
1373
struct pe_image_file_hdr file_hdr;
1374
struct pe_image_optional_hdr optional_hdr;
1375
struct pe_image_section_hdr *section_hdr;
1381
cli_dbgmsg("in cli_peheader\n");
1383
if(read(desc, &e_magic, sizeof(e_magic)) != sizeof(e_magic)) {
1384
cli_dbgmsg("Can't read DOS signature\n");
1388
if(EC16(e_magic) != IMAGE_DOS_SIGNATURE && EC16(e_magic) != IMAGE_DOS_SIGNATURE_OLD) {
1389
cli_dbgmsg("Invalid DOS signature\n");
1393
lseek(desc, 58, SEEK_CUR); /* skip to the end of the DOS header */
1395
if(read(desc, &e_lfanew, sizeof(e_lfanew)) != sizeof(e_lfanew)) {
1396
cli_dbgmsg("Can't read new header address\n");
1397
/* truncated header? */
1401
e_lfanew = EC32(e_lfanew);
1403
cli_dbgmsg("Not a PE file\n");
1407
if(lseek(desc, e_lfanew, SEEK_SET) < 0) {
1408
/* probably not a PE file */
1409
cli_dbgmsg("Can't lseek to e_lfanew\n");
1413
if(read(desc, &file_hdr, sizeof(struct pe_image_file_hdr)) != sizeof(struct pe_image_file_hdr)) {
1414
/* bad information in e_lfanew - probably not a PE file */
1415
cli_dbgmsg("Can't read file header\n");
1419
if(EC32(file_hdr.Magic) != IMAGE_NT_SIGNATURE) {
1420
cli_dbgmsg("Invalid PE signature (probably NE file)\n");
1424
if(EC16(file_hdr.SizeOfOptionalHeader) != sizeof(struct pe_image_optional_hdr)) {
1425
cli_warnmsg("Broken PE header detected.\n");
1429
peinfo->nsections = EC16(file_hdr.NumberOfSections);
1431
if(read(desc, &optional_hdr, sizeof(struct pe_image_optional_hdr)) != sizeof(struct pe_image_optional_hdr)) {
1432
cli_dbgmsg("Can't optional file header\n");
1436
peinfo->section = (struct SECTION *) cli_calloc(peinfo->nsections, sizeof(struct SECTION));
1438
if(!peinfo->section) {
1439
cli_dbgmsg("Can't allocate memory for section headers\n");
1443
if(fstat(desc, &sb) == -1) {
1444
cli_dbgmsg("fstat failed\n");
1445
free(peinfo->section);
1449
section_hdr = (struct pe_image_section_hdr *) cli_calloc(peinfo->nsections, sizeof(struct pe_image_section_hdr));
1452
cli_dbgmsg("Can't allocate memory for section headers\n");
1453
free(peinfo->section);
1457
for(i = 0; i < peinfo->nsections; i++) {
1459
if(read(desc, §ion_hdr[i], sizeof(struct pe_image_section_hdr)) != sizeof(struct pe_image_section_hdr)) {
1460
cli_dbgmsg("Can't read section header\n");
1461
cli_dbgmsg("Possibly broken PE file\n");
1463
free(peinfo->section);
1467
peinfo->section[i].rva = EC32(section_hdr[i].VirtualAddress);
1468
peinfo->section[i].vsz = EC32(section_hdr[i].VirtualSize);
1469
peinfo->section[i].raw = EC32(section_hdr[i].PointerToRawData);
1470
peinfo->section[i].rsz = EC32(section_hdr[i].SizeOfRawData);
1473
min = EC32(section_hdr[i].VirtualAddress);
1474
max = EC32(section_hdr[i].VirtualAddress) + EC32(section_hdr[i].SizeOfRawData);
1476
if(EC32(section_hdr[i].VirtualAddress) < min)
1477
min = EC32(section_hdr[i].VirtualAddress);
1479
if(EC32(section_hdr[i].VirtualAddress) + EC32(section_hdr[i].SizeOfRawData) > max)
1480
max = EC32(section_hdr[i].VirtualAddress) + EC32(section_hdr[i].SizeOfRawData);
1484
if((peinfo->ep = EC32(optional_hdr.AddressOfEntryPoint)) >= min && !(peinfo->ep = cli_rawaddr(EC32(optional_hdr.AddressOfEntryPoint), section_hdr, peinfo->nsections, &err)) && err) {
1485
cli_dbgmsg("Possibly broken PE file\n");
1487
free(peinfo->section);