Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 18:33:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

add 'Intermediates' field to target description block

Browse source 
(allows specification of any number of intermediate containers)
This commit is contained in:
Kevin Lin 2017-01-23 13:11:03 -05:00 committed by Mickey Sola
parent 5828828b53
commit 87b2a1a9e3
3 changed files with 56 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

19
libclamav/matcher.c
View file

@ -703,6 +703,23 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
return ret; return ret;
} }
static int intermediates_eval(cli_ctx *ctx, struct cli_ac_lsig *ac_lsig)
{
uint32_t i, icnt = ac_lsig->tdb.intermediates[0];
int32_t j = -1;
if (ctx->recursion < icnt)
return 0;
for (i = icnt; i > 0; i--) {
if (ac_lsig->tdb.intermediates[i] == CL_TYPE_ANY)
continue;
if (ac_lsig->tdb.intermediates[i] != cli_get_container_type(ctx, j--))
return 0;
}
return 1;
}
static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid) static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *acdata, struct cli_target_info *target_info, const char *hash, uint32_t lsid)
{ {
unsigned evalcnt = 0; unsigned evalcnt = 0;
@ -719,6 +736,8 @@ static int lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data
if (cli_ac_chklsig(exp, exp_end, acdata->lsigcnt[lsid], &evalcnt, &evalids, 0) == 1) { if (cli_ac_chklsig(exp, exp_end, acdata->lsigcnt[lsid], &evalcnt, &evalids, 0) == 1) {
if(ac_lsig->tdb.container && ac_lsig->tdb.container[0] != cli_get_container_type(ctx, -1)) if(ac_lsig->tdb.container && ac_lsig->tdb.container[0] != cli_get_container_type(ctx, -1))
return CL_CLEAN; return CL_CLEAN;
if(ac_lsig->tdb.intermediates && !intermediates_eval(ctx, ac_lsig))
return CL_CLEAN;
if(ac_lsig->tdb.filesize && (ac_lsig->tdb.filesize[0] > map->len || ac_lsig->tdb.filesize[1] < map->len)) if(ac_lsig->tdb.filesize && (ac_lsig->tdb.filesize[0] > map->len || ac_lsig->tdb.filesize[1] < map->len))
return CL_CLEAN; return CL_CLEAN;

2
libclamav/matcher.h
View file

@ -59,6 +59,7 @@ struct cli_lsig_tdb {
#define CLI_TDB_STR 2 #define CLI_TDB_STR 2
#define CLI_TDB_RANGE2 3 #define CLI_TDB_RANGE2 3
#define CLI_TDB_FTYPE 4 #define CLI_TDB_FTYPE 4
#define CLI_TDB_FTYPE_EXPR 5
uint32_t *val, *range; uint32_t *val, *range;
char *str; char *str;
uint32_t cnt[3]; uint32_t cnt[3];
@ -67,6 +68,7 @@ struct cli_lsig_tdb {
const uint32_t *target; const uint32_t *target;
const uint32_t *engine, *nos, *ep, *filesize; const uint32_t *engine, *nos, *ep, *filesize;
const uint32_t *container, *handlertype; const uint32_t *container, *handlertype;
const uint32_t *intermediates;
/* /*
const uint32_t *sectoff, *sectrva, *sectvsz, *sectraw, *sectrsz, const uint32_t *sectoff, *sectrva, *sectvsz, *sectraw, *sectrsz,
*secturva, *sectuvsz, *secturaw, *sectursz; *secturva, *sectuvsz, *secturaw, *sectursz;

32
libclamav/readdb.c
View file

@ -1353,7 +1353,8 @@ struct lsig_attrib {
static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb) static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
{ {
struct lsig_attrib attrtab[] = { struct lsig_attrib attrtab[] = {
#define ATTRIB_TOKENS 9 #define ATTRIB_TOKENS 10
#define EXPR_TOKEN_MAX 16
{ "Target", CLI_TDB_UINT, (void **) &tdb->target }, { "Target", CLI_TDB_UINT, (void **) &tdb->target },
{ "Engine", CLI_TDB_RANGE, (void **) &tdb->engine }, { "Engine", CLI_TDB_RANGE, (void **) &tdb->engine },
@ -1366,6 +1367,7 @@ static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
{ "Container", CLI_TDB_FTYPE, (void **) &tdb->container }, { "Container", CLI_TDB_FTYPE, (void **) &tdb->container },
{ "HandlerType", CLI_TDB_FTYPE, (void **) &tdb->handlertype }, { "HandlerType", CLI_TDB_FTYPE, (void **) &tdb->handlertype },
{ "Intermediates", CLI_TDB_FTYPE_EXPR, (void **) &tdb->intermediates },
/* /*
{ "SectOff", CLI_TDB_RANGE2, (void **) &tdb->sectoff }, { "SectOff", CLI_TDB_RANGE2, (void **) &tdb->sectoff },
{ "SectRVA", CLI_TDB_RANGE2, (void **) &tdb->sectrva }, { "SectRVA", CLI_TDB_RANGE2, (void **) &tdb->sectrva },
@ -1435,7 +1437,7 @@ static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
case CLI_TDB_FTYPE: case CLI_TDB_FTYPE:
if((v1 = cli_ftcode(pt)) == CL_TYPE_ERROR) { if((v1 = cli_ftcode(pt)) == CL_TYPE_ERROR) {
cli_dbgmsg("lsigattribs: Unknown file type in %s\n", tokens[i]); cli_dbgmsg("lsigattribs: Unknown file type '%s' in %s\n", pt, tokens[i]);
return 1; /* skip */ return 1; /* skip */
} }
@ -1449,6 +1451,31 @@ static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
tdb->val[cnt] = v1; tdb->val[cnt] = v1;
break; break;
case CLI_TDB_FTYPE_EXPR:
{
char *ftypes[EXPR_TOKEN_MAX];
unsigned int ftypes_count;
off[i] = cnt = tdb->cnt[CLI_TDB_UINT];
ftypes_count = cli_strtokenize(pt, '>', EXPR_TOKEN_MAX, (const char **) ftypes);
tdb->cnt[CLI_TDB_UINT] += (ftypes_count + 1);
tdb->val = (uint32_t *) mpool_realloc2(tdb->mempool, tdb->val, tdb->cnt[CLI_TDB_UINT] * sizeof(uint32_t));
if(!tdb->val) {
tdb->cnt[CLI_TDB_UINT] = 0;
return -1;
}
tdb->val[cnt++] = ftypes_count;
for(j = 0; j < ftypes_count; j++) {
if((v1 = cli_ftcode(ftypes[j])) == CL_TYPE_ERROR) {
cli_dbgmsg("lsigattribs: Unknown file type '%s' in %s\n", ftypes[j], tokens[i]);
return 1; /* skip */
}
tdb->val[cnt++] = v1;
}
}
break;
case CLI_TDB_RANGE: case CLI_TDB_RANGE:
if(!(pt2 = strchr(pt, '-'))) { if(!(pt2 = strchr(pt, '-'))) {
cli_errmsg("lsigattribs: Incorrect parameters in '%s'\n", tokens[i]); cli_errmsg("lsigattribs: Incorrect parameters in '%s'\n", tokens[i]);
@ -1535,6 +1562,7 @@ static int lsigattribs(char *attribs, struct cli_lsig_tdb *tdb)
switch(apt->type) { switch(apt->type) {
case CLI_TDB_UINT: case CLI_TDB_UINT:
case CLI_TDB_FTYPE: case CLI_TDB_FTYPE:
case CLI_TDB_FTYPE_EXPR:
*apt->pt = (uint32_t *) &tdb->val[off[i]]; *apt->pt = (uint32_t *) &tdb->val[off[i]];
break; break;