mirror of
https://github.com/Cisco-Talos/clamav.git
synced 2025-10-19 10:23:17 +00:00
92088f91f1
Instead of checking the Authenticode header as an FP prevention mechanism, we now check it in the beginning if it exists. Also, we can now do actual blacklisting with .crb rules (previously, a blacklist rule just let you override a whitelist rule).
107 lines
4.5 KiB
C
107 lines
4.5 KiB
C
/*
|
|
* Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
|
* Copyright (C) 2007-2013 Sourcefire, Inc.
|
|
*
|
|
* Authors: Alberto Wu, Tomasz Kojm, Andrew Williams
|
|
*
|
|
* Acknowledgements: The header structures were based upon a PE format
|
|
* analysis by B. Luevelsmeyer.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
* MA 02110-1301, USA.
|
|
*/
|
|
|
|
#ifndef __PE_H
|
|
#define __PE_H
|
|
|
|
#include "clamav.h"
|
|
#include "others.h"
|
|
#include "fmap.h"
|
|
#include "bcfeatures.h"
|
|
#include "pe_structs.h"
|
|
#include "execs.h"
|
|
|
|
/** Data for the bytecode PE hook
|
|
\group_pe
|
|
*
|
|
* NOTE: This structure must stay in-sync with the ones defined within the
|
|
* clamav-bytecode-compiler source at:
|
|
* - clang/lib/Headers/bytecode_pe.h
|
|
* - llvm/tools/clang/lib/Headers/bytecode_pe.h
|
|
* We allocate space for this, populate the values via cli_peheader, and pass
|
|
* it to the bytecode sig runtime for use.
|
|
*
|
|
* TODO Next time we are making changes to the clamav-bytecode-compiler
|
|
* source, update pe_image_optional_hdr32 and pe_image_optional_hdr64 to
|
|
* remove DataDirectory from both (like with the definitions here). Then,
|
|
* remove opt32_dirs and opt64_dirs below. There's no need to have these
|
|
* bytes in 3 places! Also, consider using a union to hold opt32 and opt64,
|
|
* since you never need more than one at a time.
|
|
*/
|
|
struct cli_pe_hook_data {
|
|
uint32_t offset;
|
|
uint32_t ep; /**< EntryPoint as file offset */
|
|
uint16_t nsections; /**< Number of sections */
|
|
uint16_t dummy; /* align */
|
|
struct pe_image_file_hdr file_hdr; /**< Header for this PE file */
|
|
struct pe_image_optional_hdr32 opt32; /**< 32-bit PE optional header */
|
|
/** Our opt32 no longer includes DataDirectory[16], but the one in the
|
|
* bytecode compiler source still does. Add this here as a placeholder (and
|
|
* it gets used, so we need to populate it also */
|
|
struct pe_image_data_dir opt32_dirs[16];
|
|
uint32_t dummy2; /* align */
|
|
struct pe_image_optional_hdr64 opt64; /**< 64-bit PE optional header */
|
|
struct pe_image_data_dir opt64_dirs[16]; /** See note about opt32_dirs */
|
|
struct pe_image_data_dir dirs[16]; /**< PE data directory header */
|
|
uint32_t e_lfanew; /**< address of new exe header */
|
|
uint32_t overlays; /**< number of overlays */
|
|
int32_t overlays_sz; /**< size of overlays */
|
|
uint32_t hdr_size; /**< internally needed by rawaddr */
|
|
};
|
|
|
|
int cli_scanpe(cli_ctx *ctx);
|
|
|
|
#define CL_CHECKFP_PE_FLAG_NONE 0x00000000
|
|
#define CL_CHECKFP_PE_FLAG_STATS 0x00000001
|
|
#define CL_CHECKFP_PE_FLAG_AUTHENTICODE 0x00000002
|
|
|
|
enum {
|
|
CL_GENHASH_PE_CLASS_SECTION,
|
|
CL_GENHASH_PE_CLASS_IMPTBL,
|
|
/* place new class types above this line */
|
|
CL_GENHASH_PE_CLASS_LAST
|
|
};
|
|
|
|
// For info about these, see the cli_peheader definition in pe.c
|
|
#define CLI_PEHEADER_OPT_NONE 0x0
|
|
#define CLI_PEHEADER_OPT_COLLECT_JSON 0x1
|
|
#define CLI_PEHEADER_OPT_DBG_PRINT_INFO 0x2
|
|
#define CLI_PEHEADER_OPT_EXTRACT_VINFO 0x4
|
|
#define CLI_PEHEADER_OPT_STRICT_ON_PE_ERRORS 0x8
|
|
|
|
#define CLI_PEHEADER_RET_SUCCESS 0
|
|
#define CLI_PEHEADER_RET_GENERIC_ERROR -1
|
|
#define CLI_PEHEADER_RET_BROKEN_PE -2
|
|
#define CLI_PEHEADER_RET_JSON_TIMEOUT -3
|
|
|
|
int cli_pe_targetinfo(fmap_t *map, struct cli_exe_info *peinfo);
|
|
int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo, uint32_t opts, cli_ctx *ctx);
|
|
|
|
cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo, char **certname);
|
|
int cli_genhash_pe(cli_ctx *ctx, unsigned int class, int type, stats_section_t *hashes);
|
|
|
|
uint32_t cli_rawaddr(uint32_t, const struct cli_exe_section *, uint16_t, unsigned int *, size_t, uint32_t);
|
|
void findres(uint32_t, uint32_t, fmap_t *map, struct cli_exe_info *, int (*)(void *, uint32_t, uint32_t, uint32_t, uint32_t), void *);
|
|
|
|
#endif
|