/* Name prefix for every detection this bytecode reports; the engine combines it
 * with the name passed to foundVirus() in entrypoint ("EmbedPE" below). */
VIRUSNAME_PREFIX("SUBMIT.contains")
/* Every name entrypoint may hand to foundVirus() must be declared here. */
VIRUSNAMES("EmbedPE")

/* Target type is 13, internal JSON properties */
TARGET(13)

/* JSON API call will require FUNC_LEVEL_098_5 = 78 */
FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_5)

/* Declaration of the pattern(s) logical_trigger() consults via Signatures.<name>. */
SIGNATURES_DECL_BEGIN
DECLARE_SIGNATURE(sig1)
SIGNATURES_DECL_END

SIGNATURES_DEF_BEGIN
/* search @offset 0 : '{ "Magic": "CLAMJSON' */
/* this can be readjusted for specific filetypes */
/* Hex body is the ASCII of the string above, anchored at offset 0 by the "0:" prefix. */
DEFINE_SIGNATURE(sig1, "0:7b20224d61676963223a2022434c414d4a534f4e")
SIGNATURES_END
					
						
/* Logical trigger: entrypoint runs only when sig1 (the CLAMJSON magic at
 * offset 0) matched during the scan. */
bool logical_trigger(void)
{
    bool magic_seen = matches(Signatures.sig1);
    return magic_seen;
}
					
						
							|  |  |  | 
/* Size of the scratch buffer entrypoint copies a contained object's "FileType"
 * string into; the requested length (NUL included) is clamped to this value. */
#define STR_MAXLEN 256
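/*
 * Bytecode entry point, run once logical_trigger() has fired.
 *
 * Walks the "ContainedObjects" array of the scan's internal JSON properties
 * and inspects each element's "FileType" string; reports "EmbedPE" as soon
 * as one element is typed "CL_TYPE_MSEXE".
 *
 * Returns 0 on normal completion (whether or not a detection was reported)
 * and -1 when the JSON API is inactive or "ContainedObjects" is not an array.
 */
int entrypoint(void)
{
    int32_t type, objarr, arrlen;
    char str[STR_MAXLEN];
    /* Comparison target; sizeof counts the NUL, matching the +1 applied to
     * the JSON string length below. */
    const char msexe[] = "CL_TYPE_MSEXE";

    /* JSON properties are optional: bail out rather than alert when inactive. */
    if (!json_is_active()) {
        return -1;
    }

    /* Array of objects the engine found embedded in the scanned file. */
    objarr = json_get_object("ContainedObjects", sizeof("ContainedObjects") - 1, 0);
    type   = json_get_type(objarr);
    /* debug_print_uint emits the raw value, with no '\n' or prepended message. */
    debug_print_uint(type);

    if (type != JSON_TYPE_ARRAY) {
        return -1;
    }

    arrlen = json_get_array_length(objarr);
    for (int32_t i = 0; i < arrlen; ++i) {
        int32_t objit, obj, slen;

        /* Element @ index i of the array; non-positive handles are skipped. */
        objit = json_get_array_idx(i, objarr);
        if (objit <= 0) {
            continue;
        }

        /* "FileType" member of that element. */
        obj = json_get_object("FileType", sizeof("FileType") - 1, objit);
        if (obj <= 0) {
            continue;
        }

        if (json_get_type(obj) != JSON_TYPE_STRING) {
            continue;
        }

        /* +1 reserves room for the NUL terminator. */
        slen = json_get_string_length(obj) + 1;
        /* NOTE(review): assumes a negative length signals an API error — skip
         * rather than pass a zero/negative size to json_get_string; confirm
         * against the JSON API. */
        if (slen <= 0) {
            continue;
        }
        /* Clamp to the buffer: an over-long FileType is truncated, never
         * written past str.  Whether a truncated copy is NUL-terminated is up
         * to json_get_string; nothing below relies on it, because
         * debug_print_str takes the length and the memcmp is gated on
         * slen == sizeof msexe. */
        if (slen > STR_MAXLEN) {
            slen = STR_MAXLEN;
        }
        /* Copy the string data; slen includes the NUL terminator. */
        if (!json_get_string(str, slen, obj)) {
            continue;
        }
        /* debug_print_str appends '\n' and a prepended message. */
        debug_print_str(str, slen);

        /* Exact-length compare: 13 characters plus the NUL. */
        if (slen == (int32_t)sizeof msexe && !memcmp(str, msexe, sizeof msexe)) {
            /* Alert for submission. */
            foundVirus("EmbedPE");
            return 0;
        }
    }

    return 0;
}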