2018-03-05 16:34:35 -05:00
/*
 * Author: 웃 Sebastian Andrzej Siewior
 * Summary: Glue code for libmspack handling.
2022-02-16 00:13:55 +01:00
 *
 * Acknowledgements: ClamAV uses Stuart Caie's libmspack to parse a number of
2018-03-05 16:34:35 -05:00
 * Microsoft file formats.
 * ✉ sebastian @ breakpoint ̣cc
 */
2016-03-24 12:26:04 -04:00
#ifndef __LIBMSPACK_H__
#define __LIBMSPACK_H__
Reduce unnecessary scanning of embedded file FPs (#1571)
When embedded file type recognition finds a possible embedded file, it
is being scanned as a new embedded file even if it turns out it was a
false positive and parsing fails. My solution is to pre-parse the file
headers as little as possible to determine if it is valid. If possible,
also determine the file size based on the headers. That will make it so
we don't have to scan additional data when the embedded file is not at
the very end.
This commit adds header checks prior to embedded ZIP, ARJ, and CAB
scanning. For these types I was also able to use the header checks to
determine the object size so as to prevent excessive pattern matching.
TODO: Add the same for RAR, EGG, 7Z, NULSFT, AUTOIT, IShield, and PDF.
This commit also removes duplicate matching for embedded MSEXE.
The embedded MSEXE detection and scanning logic was accidentally
creating an extra duplicate layer in between scanning and detection
because of the logic within the `cli_scanembpe()` function.
That function was effectively doing the header check which this commit
adds for ZIP, ARJ, and CAB but minus the size check.
Note: It is unfortunately not possible to get an accurate size from PE
file headers.
The `cli_scanembpe()` function also used to dump to a temp file for no
reason since FMAPs were extended to support windows into other FMAPs.
So this commit removes the intermediate layer as well as dropping a temp
file for each embedded PE file.
Further, this commit adds configuration and DCONF safeguards around all
embedded file type scanning.
Finally, this commit adds a set of tests to validate proper extraction
of embedded ZIP, ARJ, CAB, and MSEXE files.
CLAM-2862
Co-authored-by: TheRaynMan <draynor@sourcefire.com>
2025-09-23 15:57:28 -04:00
/**
 * @brief Check the CAB header for validity.
 *
 * Pre-parses only the CAB header, so that a false-positive embedded-file
 * match can be rejected, and its extent bounded, before any extraction.
 *
 * @param ctx Scan context; the CAB file is read from the current fmap.
 * @param offset Offset of the start of a CAB file within the current fmap.
 * @param[out] size On success, the size of the CAB file as determined from its header.
 * @return cl_error_t CL_SUCCESS if the header is valid, or an error code otherwise.
 */
cl_error_t cli_mscab_header_check(cli_ctx *ctx, size_t offset, size_t *size);
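What such a header pre-check does in practice, as an added example that is not ClamAV's own code: it validates a CAB CFHEADER (the layout from Microsoft's cabinet format specification) found at an offset in a plain byte buffer and reports the scan window from cbCabinet, clamped to the bytes actually present, which is the role the `size` out-parameter above plays for the embedded-file scanner. The buffer-based signature, the names `cab_status`, `cab_header_check`, `check_sample`, `sample_size` and `tamper_kind`, and the constructed sample cabinet are this example's own assumptions, not ClamAV identifiers.

```c
/* Added example, not ClamAV's code: a stand-alone CFHEADER pre-check in the
 * spirit of cli_mscab_header_check(). Assumes a plain byte buffer instead of a
 * cli_ctx/fmap; cab_status, cab_header_check and the sample helpers are invented names. */
#include <stdint.h>
#include <string.h>

#define CFHEADER_FIXED_SIZE   36u     /* fixed part of CFHEADER              */
#define CFFOLDER_MIN_SIZE     8u      /* CFFOLDER without per-folder reserve */
#define CFHDR_RESERVE_PRESENT 0x0004u /* flags bit: reserve fields present   */

/* CAB_TRUNCATED: too few bytes; CAB_BAD_SIGNATURE: no "MSCF"; CAB_BAD_HEADER: inconsistent fields */
typedef enum { CAB_OK = 0, CAB_TRUNCATED, CAB_BAD_SIGNATURE, CAB_BAD_HEADER } cab_status;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Validate the CFHEADER at buf+offset without parsing folders or files. On CAB_OK,
 * *size (if non-NULL) is cbCabinet clamped to the bytes available: the window to scan. */
cab_status cab_header_check(const uint8_t *buf, size_t buflen, size_t offset, size_t *size)
{
    const uint8_t *h;
    size_t avail, hdr_len, folders_end;
    uint32_t cb_cabinet, coff_files;
    uint16_t c_folders, c_files, flags;

    if (offset >= buflen || buflen - offset < CFHEADER_FIXED_SIZE)
        return CAB_TRUNCATED;
    avail = buflen - offset;
    h     = buf + offset;
    if (memcmp(h, "MSCF", 4) != 0)
        return CAB_BAD_SIGNATURE;

    cb_cabinet = rd32le(h + 8);  /* cbCabinet: total cabinet size  */
    coff_files = rd32le(h + 16); /* coffFiles: first CFFILE offset */
    c_folders  = rd16le(h + 26);
    c_files    = rd16le(h + 28);
    flags      = rd16le(h + 30);
    if (h[24] != 3 || h[25] != 1) /* versionMinor.versionMajor must be 1.3 */
        return CAB_BAD_HEADER;

    hdr_len = CFHEADER_FIXED_SIZE;
    if (flags & CFHDR_RESERVE_PRESENT) {
        /* cbCFHeader(u16), cbCFFolder(u8), cbCFData(u8), then abReserve */
        if (avail < hdr_len + 4)
            return CAB_TRUNCATED;
        hdr_len += 4 + rd16le(h + 36);
    }

    /* Folders follow the header and files follow the folders, all inside
     * cbCabinet; an empty cabinet is not worth scanning as one. */
    folders_end = hdr_len + (size_t)c_folders * CFFOLDER_MIN_SIZE;
    if (c_folders == 0 || c_files == 0 || coff_files < folders_end || coff_files >= cb_cabinet)
        return CAB_BAD_HEADER;

    if (size)
        *size = (cb_cabinet <= avail) ? (size_t)cb_cabinet : avail;
    return CAB_OK;
}

/* Constructed sample input: 5 junk bytes, a CFHEADER claiming cbCabinet = 100 and
 * coffFiles = 44 with one folder and one file, then padding. TAMPER_* corrupt one field. */
#define SAMPLE_OFFSET  5u
#define SAMPLE_CAB_LEN 100u
typedef enum { TAMPER_NONE, TAMPER_MAGIC, TAMPER_NO_FILES, TAMPER_COFF_PAST_END } tamper_kind;

cab_status check_sample(tamper_kind t, size_t buflen, size_t *size)
{
    uint8_t buf[SAMPLE_OFFSET + SAMPLE_CAB_LEN];
    uint8_t *h = buf + SAMPLE_OFFSET;

    memset(buf, 0xAA, sizeof buf);
    memset(h, 0, CFHEADER_FIXED_SIZE);
    memcpy(h, "MSCF", 4);
    wr32le(h + 8, SAMPLE_CAB_LEN);
    wr32le(h + 16, CFHEADER_FIXED_SIZE + CFFOLDER_MIN_SIZE);
    h[24] = 3; h[25] = 1; /* version 1.3 */
    h[26] = 1; h[28] = 1; /* cFolders = 1, cFiles = 1 (little-endian) */
    if (t == TAMPER_MAGIC)         h[0] = 'X';
    if (t == TAMPER_NO_FILES)      h[28] = 0;
    if (t == TAMPER_COFF_PAST_END) wr32le(h + 16, SAMPLE_CAB_LEN + 1);

    if (buflen > sizeof buf) /* a smaller buflen simulates a map cut off early */
        buflen = sizeof buf;
    return cab_header_check(buf, buflen, SAMPLE_OFFSET, size);
}

/* Scan window the check reports for the sample, or 0 when it is rejected. */
size_t sample_size(tamper_kind t, size_t buflen)
{ size_t s = 0; check_sample(t, buflen, &s); return s; }
```

The check is deliberately cheap: signature, version, folder and file counts and the file-table offset, with every read bounded before it happens, so a false-positive match costs a few dozen bytes of parsing rather than a full extraction attempt. The clamp on cbCabinet matters because that field is attacker-controlled: taking it at face value would either over-read the map or let a header claiming a multi-gigabyte cabinet defeat the purpose of bounding the scan.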
/**
 * @brief Open and extract a Microsoft CAB file, scanning each extracted file.
 *
 * @param ctx Scan context
 * @param sfx_offset Offset of the start of a CAB file within the current fmap.
 * @return cl_error_t CL_SUCCESS on success, or an error code on failure.
 */
cl_error_t cli_scanmscab(cli_ctx *ctx, size_t sfx_offset);
/**
 * @brief Open and extract a Microsoft CHM file, scanning each extracted file.
 *
 * @param ctx Scan context
 * @return cl_error_t CL_SUCCESS on success, or an error code on failure.
 */
cl_error_t cli_scanmschm(cli_ctx *ctx);
2016-03-24 12:26:04 -04:00
#endif