enable catalog based and embedded authenticode checking

libclamav/asn1.c

@@ -1435,12 +1435,12 @@ int asn1_check_mscat(fmap_t *map, size_t offset, unsigned int size, uint8_t *com
     if(crtmgr_add_roots(&certs)) {
 	/* FIXME: do smthng here */
 	crtmgr_free(&certs);
-	return CL_CLEAN;
+	return CL_VIRUS;
     }
     ret = asn1_parse_mscat(map, offset, size, &certs, 1, &content, &content_size);
     crtmgr_free(&certs);
     if(ret)
-	return CL_VIRUS; /* FIXME */
+	return CL_VIRUS;
 
     if(asn1_expect_objtype(map, content, &content_size, &c, 0x30))
 	return CL_VIRUS;

libclamav/matcher.c

@@ -412,7 +412,7 @@ int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
     cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) size, *ctx->virname ? *ctx->virname : "Name");
 
     map = *ctx->fmap;
-    have_sha1 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, size);
+    have_sha1 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, size) | cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 1);
     have_sha256 = cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA256, size);
     if(have_sha1 || have_sha256) {
 	if((ptr = fmap_need_off_once(map, 0, size))) {
@@ -424,6 +424,10 @@ int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
 		    cli_dbgmsg("cli_checkfp(sha1): Found false positive detection (fp sig: %s)\n", virname);
 		    return CL_CLEAN;
 		}
+		if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], 1, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS){
+		    cli_dbgmsg("cli_checkfp(sha1): Found false positive detection via catalog file\n");
+		    return CL_CLEAN;
+		}
 	    }
 	    if(have_sha256) {
 		sha256_init(&sha256);
@@ -436,6 +440,7 @@ int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
 	    }
 	}
     }
+
 #ifdef HAVE__INTERNAL__SHA_COLLECT
     if((ctx->options & CL_SCAN_INTERNAL_COLLECT_SHA) && ctx->sha_collect>0) {
         if((ptr = fmap_need_off_once(map, 0, size))) {
@@ -462,6 +467,16 @@ int cli_checkfp(unsigned char *digest, size_t size, cli_ctx *ctx)
     }
 #endif
 
+    switch(cli_checkfp_pe(ctx, shash1)) {
+    case CL_CLEAN:
+	cli_dbgmsg("cli_checkfp(pe): PE file whitelisted due to valid embedded digital signature\n");
+	return CL_CLEAN;
+    case CL_VIRUS:
+	if(cli_hm_scan(&shash1[SHA1_HASH_SIZE], 2, &virname, ctx->engine->hm_fp, CLI_HASH_SHA1) == CL_VIRUS) {
+	    cli_dbgmsg("cli_checkfp(pe): PE file whitelisted by catalog file\n");
+	    return CL_CLEAN;
+	}
+    }
     if (ctx->engine->cb_hash)
 	ctx->engine->cb_hash(fmap_fd(*ctx->fmap), size, md5, ctx->virname ? *ctx->virname : NULL, ctx->cb_ctx);
 

libclamav/pe.c

@@ -2666,7 +2666,7 @@ static int sort_sects(const void *first, const void *second) {
     return (a->raw - b->raw);
 }
 
-int cli_checkfp_pe(cli_ctx *ctx, uint8_t authsha1[SHA1_HASH_SIZE]) {
+int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1) {
     uint16_t e_magic; /* DOS signature ("MZ") */
     uint16_t nsections;
     uint32_t e_lfanew; /* address of new exe header */
@@ -2833,7 +2833,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t authsha1[SHA1_HASH_SIZE]) {
     }
 
     if(at < fsize) {
-	hlen = at - fsize;
+	hlen = fsize - at;
 	if(dirs[4].Size > hlen) {
 	    free(exe_sections);
 	    return CL_EFORMAT;
@@ -2848,7 +2848,7 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t authsha1[SHA1_HASH_SIZE]) {
 
     if(cli_debug_flag) {
 	char shatxt[SHA1_HASH_SIZE*2+1];
-	for(i=0; i<sizeof(authsha1); i++)
+	for(i=0; i<SHA1_HASH_SIZE; i++)
 	    sprintf(&shatxt[i*2], "%02x", authsha1[i]);
 	cli_errmsg("Autheticode: %s\n", shatxt);
     }
@@ -2860,8 +2860,5 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t authsha1[SHA1_HASH_SIZE]) {
     if(hlen < 12)
 	return CL_VIRUS;
     hlen -= 12;
-    asn1_check_mscat(map, at, hlen, authsha1);
-
-    /* FIXME */
-    return CL_EFORMAT;
+    return asn1_check_mscat(map, at + 8, hlen, authsha1);
 }

libclamav/pe.h

@@ -161,6 +161,7 @@ struct cli_pe_hook_data {
 int cli_scanpe(cli_ctx *ctx);
 
 int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo);
+int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1);
 
 uint32_t cli_rawaddr(uint32_t, const struct cli_exe_section *, uint16_t, unsigned int *, size_t, uint32_t);
 void findres(uint32_t, uint32_t, uint32_t, fmap_t *map, struct cli_exe_section *, uint16_t, uint32_t, int (*)(void *, uint32_t, uint32_t, uint32_t, uint32_t), void *);