mirror/clamav
1
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2026-05-08 23:56:48 -04:00
Code Issues Packages Projects Releases Wiki Activity

Retab cli_checkfp_pe()

Browse Source
This commit is contained in:
Shawn Webb
2014-01-20 14:15:51 -05:00
parent 5417061645
commit 8fdd05d2aa
1 changed files with 86 additions and 77 deletions
Download Patch File Download Diff File Expand all files Collapse all files

163
libclamav/pe.c
View File

@@ -2802,8 +2802,8 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1) {
uint32_t e_lfanew; /* address of new exe header */
struct pe_image_file_hdr file_hdr;
union {
struct pe_image_optional_hdr64 opt64;
struct pe_image_optional_hdr32 opt32;
struct pe_image_optional_hdr64 opt64;
struct pe_image_optional_hdr32 opt32;
} pe_opt;
const struct pe_image_section_hdr *section_hdr;
ssize_t at;
@@ -2816,65 +2816,69 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1) {
SHA1Context sha1;
if(!(DCONF & PE_CONF_CATALOG))
return CL_EFORMAT;
return CL_EFORMAT;
if(fmap_readn(map, &e_magic, 0, sizeof(e_magic)) != sizeof(e_magic))
return CL_EFORMAT;
return CL_EFORMAT;
if(EC16(e_magic) != PE_IMAGE_DOS_SIGNATURE && EC16(e_magic) != PE_IMAGE_DOS_SIGNATURE_OLD)
return CL_EFORMAT;
return CL_EFORMAT;
if(fmap_readn(map, &e_lfanew, 58 + sizeof(e_magic), sizeof(e_lfanew)) != sizeof(e_lfanew))
return CL_EFORMAT;
return CL_EFORMAT;
e_lfanew = EC32(e_lfanew);
if(!e_lfanew)
return CL_EFORMAT;
return CL_EFORMAT;
if(fmap_readn(map, &file_hdr, e_lfanew, sizeof(struct pe_image_file_hdr)) != sizeof(struct pe_image_file_hdr))
return CL_EFORMAT;
return CL_EFORMAT;
if(EC32(file_hdr.Magic) != PE_IMAGE_NT_SIGNATURE)
return CL_EFORMAT;
return CL_EFORMAT;
nsections = EC16(file_hdr.NumberOfSections);
if(nsections < 1 || nsections > 96)
return CL_EFORMAT;
return CL_EFORMAT;
if(EC16(file_hdr.SizeOfOptionalHeader) < sizeof(struct pe_image_optional_hdr32))
return CL_EFORMAT;
return CL_EFORMAT;
at = e_lfanew + sizeof(struct pe_image_file_hdr);
if(fmap_readn(map, &optional_hdr32, at, sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr32))
return CL_EFORMAT;
return CL_EFORMAT;
at += sizeof(struct pe_image_optional_hdr32);
/* This will be a chicken and egg problem until we drop 9x */
if(EC16(optional_hdr64.Magic)==PE32P_SIGNATURE) {
if(EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr64))
return CL_EFORMAT;
pe_plus = 1;
return CL_EFORMAT;
pe_plus = 1;
}
if(!pe_plus) { /* PE */
if (EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr32)) {
/* Seek to the end of the long header */
at += EC16(file_hdr.SizeOfOptionalHeader)-sizeof(struct pe_image_optional_hdr32);
}
if (EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr32)) {
/* Seek to the end of the long header */
at += EC16(file_hdr.SizeOfOptionalHeader)-sizeof(struct pe_image_optional_hdr32);
}
hdr_size = EC32(optional_hdr32.SizeOfHeaders);
dirs = optional_hdr32.DataDirectory;
hdr_size = EC32(optional_hdr32.SizeOfHeaders);
dirs = optional_hdr32.DataDirectory;
} else { /* PE+ */
size_t readlen = sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32);
/* read the remaining part of the header */
if(fmap_readn(map, &optional_hdr32 + 1, at, sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32))
return CL_EFORMAT;
at += sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32);
hdr_size = EC32(optional_hdr64.SizeOfHeaders);
dirs = optional_hdr64.DataDirectory;
if(fmap_readn(map, &optional_hdr32 + 1, at, readlen) != readlen)
return CL_EFORMAT;
at += sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32);
hdr_size = EC32(optional_hdr64.SizeOfHeaders);
dirs = optional_hdr64.DataDirectory;
}
if(!cli_hm_have_size(ctx->engine->hm_fp, CLI_HASH_SHA1, 2) && dirs[4].Size < 8)
return CL_BREAK;
return CL_BREAK;
fsize = map->len;
@@ -2883,57 +2887,58 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1) {
section_hdr = fmap_need_off_once(map, at, sizeof(*section_hdr) * nsections);
if(!section_hdr)
return CL_EFORMAT;
return CL_EFORMAT;
at += sizeof(*section_hdr) * nsections;
exe_sections = (struct cli_exe_section *) cli_calloc(nsections, sizeof(struct cli_exe_section));
if(!exe_sections)
return CL_EMEM;
return CL_EMEM;
for(i = 0; falign!=0x200 && i<nsections; i++) {
/* file alignment fallback mode - blah */
if (falign && section_hdr[i].SizeOfRawData && EC32(section_hdr[i].PointerToRawData)%falign && !(EC32(section_hdr[i].PointerToRawData)%0x200))
falign = 0x200;
/* file alignment fallback mode - blah */
if (falign && section_hdr[i].SizeOfRawData && EC32(section_hdr[i].PointerToRawData)%falign && !(EC32(section_hdr[i].PointerToRawData)%0x200))
falign = 0x200;
}
hdr_size = PESALIGN(hdr_size, falign); /* Aligned headers virtual size */
for(i = 0; i < nsections; i++) {
exe_sections[i].rva = PEALIGN(EC32(section_hdr[i].VirtualAddress), valign);
exe_sections[i].vsz = PESALIGN(EC32(section_hdr[i].VirtualSize), valign);
exe_sections[i].raw = PEALIGN(EC32(section_hdr[i].PointerToRawData), falign);
exe_sections[i].rsz = PESALIGN(EC32(section_hdr[i].SizeOfRawData), falign);
exe_sections[i].rva = PEALIGN(EC32(section_hdr[i].VirtualAddress), valign);
exe_sections[i].vsz = PESALIGN(EC32(section_hdr[i].VirtualSize), valign);
exe_sections[i].raw = PEALIGN(EC32(section_hdr[i].PointerToRawData), falign);
exe_sections[i].rsz = PESALIGN(EC32(section_hdr[i].SizeOfRawData), falign);
if (!exe_sections[i].vsz && exe_sections[i].rsz)
exe_sections[i].vsz=PESALIGN(exe_sections[i].ursz, valign);
if (!exe_sections[i].vsz && exe_sections[i].rsz)
exe_sections[i].vsz=PESALIGN(exe_sections[i].ursz, valign);
if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz))
exe_sections[i].rsz = fsize - exe_sections[i].raw;
if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz))
exe_sections[i].rsz = fsize - exe_sections[i].raw;
if (exe_sections[i].rsz && exe_sections[i].raw >= fsize) {
free(exe_sections);
return CL_EFORMAT;
}
if (exe_sections[i].rsz && exe_sections[i].raw >= fsize) {
free(exe_sections);
return CL_EFORMAT;
}
if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {
free(exe_sections);
return CL_EFORMAT;
}
if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {
free(exe_sections);
return CL_EFORMAT;
}
}
cli_qsort(exe_sections, nsections, sizeof(*exe_sections), sort_sects);
SHA1Init(&sha1);
#define hash_chunk(where, size) \
do { \
const uint8_t *hptr; \
if(!(size)) break; \
if(!(hptr = fmap_need_off_once(map, where, size))){ \
free(exe_sections); \
return CL_EFORMAT; \
} \
SHA1Update(&sha1, hptr, size); \
#define hash_chunk(where, size) \
do { \
const uint8_t *hptr; \
if(!(size)) break; \
if(!(hptr = fmap_need_off_once(map, where, size))){ \
free(exe_sections); \
return CL_EFORMAT; \
} \
SHA1Update(&sha1, hptr, size); \
} while(0)
/* MZ to checksum */
@@ -2944,15 +2949,15 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1) {
/* Checksum to security */
if(pe_plus)
hlen = offsetof(struct pe_image_optional_hdr64, DataDirectory[4]) - offsetof(struct pe_image_optional_hdr64, CheckSum) - 4;
hlen = offsetof(struct pe_image_optional_hdr64, DataDirectory[4]) - offsetof(struct pe_image_optional_hdr64, CheckSum) - 4;
else
hlen = offsetof(struct pe_image_optional_hdr32, DataDirectory[4]) - offsetof(struct pe_image_optional_hdr32, CheckSum) - 4;
hlen = offsetof(struct pe_image_optional_hdr32, DataDirectory[4]) - offsetof(struct pe_image_optional_hdr32, CheckSum) - 4;
hash_chunk(at, hlen);
at += hlen + 8;
if(at > hdr_size) {
free(exe_sections);
return CL_EFORMAT;
free(exe_sections);
return CL_EFORMAT;
}
/* Security to End of header */
@@ -2962,36 +2967,40 @@ int cli_checkfp_pe(cli_ctx *ctx, uint8_t *authsha1) {
/* Sections */
at = hdr_size;
for(i = 0; i < nsections; i++) {
if(!exe_sections[i].rsz)
continue;
hash_chunk(exe_sections[i].raw, exe_sections[i].rsz);
at += exe_sections[i].rsz;
if(!exe_sections[i].rsz)
continue;
hash_chunk(exe_sections[i].raw, exe_sections[i].rsz);
at += exe_sections[i].rsz;
}
if(at < fsize) {
hlen = fsize - at;
if(dirs[4].Size > hlen) {
free(exe_sections);
return CL_EFORMAT;
}
hlen -= dirs[4].Size;
hash_chunk(at, hlen);
at += hlen;
hlen = fsize - at;
if(dirs[4].Size > hlen) {
free(exe_sections);
return CL_EFORMAT;
}
hlen -= dirs[4].Size;
hash_chunk(at, hlen);
at += hlen;
}
free(exe_sections);
SHA1Final(&sha1, authsha1);
if(cli_debug_flag) {
char shatxt[SHA1_HASH_SIZE*2+1];
for(i=0; i<SHA1_HASH_SIZE; i++)
sprintf(&shatxt[i*2], "%02x", authsha1[i]);
cli_dbgmsg("Authenticode: %s\n", shatxt);
char shatxt[SHA1_HASH_SIZE*2+1];
for(i=0; i<SHA1_HASH_SIZE; i++)
sprintf(&shatxt[i*2], "%02x", authsha1[i]);
cli_dbgmsg("Authenticode: %s\n", shatxt);
}
hlen = dirs[4].Size;
if(hlen < 8)
return CL_VIRUS;
return CL_VIRUS;
hlen -= 8;
return asn1_check_mscat((struct cl_engine *)(ctx->engine), map, at + 8, hlen, authsha1);
}