mirror of
https://github.com/Cisco-Talos/clamav.git
synced 2025-10-19 10:23:17 +00:00
db013a2bfd
Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │ └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │ └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | | └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │ └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │ └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │ └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │ └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │ └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │ └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │ └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | | └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │ └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │ └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | | └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
628 lines
21 KiB
C
628 lines
21 KiB
C
/*
|
|
* Copyright (C) 2013-2021 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
|
* Copyright (C) 2009-2013 Sourcefire, Inc.
|
|
*
|
|
* Authors: Tomasz Kojm <tkojm@clamav.net>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
* MA 02110-1301, USA.
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#ifdef HAVE_UNISTD_H
|
|
#include <unistd.h>
|
|
#endif
|
|
#include <stdlib.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <fcntl.h>
|
|
|
|
#include "clamav.h"
|
|
#include "others.h"
|
|
#include "macho.h"
|
|
#include "execs.h"
|
|
#include "scanners.h"
|
|
|
|
#define CLI_TMPUNLK() \
|
|
if (!ctx->engine->keeptmp) { \
|
|
if (cli_unlink(tempfile)) { \
|
|
free(tempfile); \
|
|
return CL_EUNLINK; \
|
|
} \
|
|
}
|
|
|
|
#define EC32(v, conv) (conv ? cbswap32(v) : v)
|
|
#define EC64(v, conv) (conv ? cbswap64(v) : v)
|
|
|
|
struct macho_hdr {
|
|
uint32_t magic;
|
|
uint32_t cpu_type;
|
|
uint32_t cpu_subtype;
|
|
uint32_t filetype;
|
|
uint32_t ncmds;
|
|
uint32_t sizeofcmds;
|
|
uint32_t flags;
|
|
};
|
|
|
|
struct macho_load_cmd {
|
|
uint32_t cmd;
|
|
uint32_t cmdsize;
|
|
};
|
|
|
|
struct macho_segment_cmd {
|
|
char segname[16];
|
|
uint32_t vmaddr;
|
|
uint32_t vmsize;
|
|
uint32_t fileoff;
|
|
uint32_t filesize;
|
|
uint32_t maxprot;
|
|
uint32_t initprot;
|
|
uint32_t nsects;
|
|
uint32_t flags;
|
|
};
|
|
|
|
struct macho_segment_cmd64 {
|
|
char segname[16];
|
|
uint64_t vmaddr;
|
|
uint64_t vmsize;
|
|
uint64_t fileoff;
|
|
uint64_t filesize;
|
|
uint32_t maxprot;
|
|
uint32_t initprot;
|
|
uint32_t nsects;
|
|
uint32_t flags;
|
|
};
|
|
|
|
struct macho_section {
|
|
char sectname[16];
|
|
char segname[16];
|
|
uint32_t addr;
|
|
uint32_t size;
|
|
uint32_t offset;
|
|
uint32_t align;
|
|
uint32_t reloff;
|
|
uint32_t nreloc;
|
|
uint32_t flags;
|
|
uint32_t res1;
|
|
uint32_t res2;
|
|
};
|
|
|
|
struct macho_section64 {
|
|
char sectname[16];
|
|
char segname[16];
|
|
uint64_t addr;
|
|
uint64_t size;
|
|
uint32_t offset;
|
|
uint32_t align;
|
|
uint32_t reloff;
|
|
uint32_t nreloc;
|
|
uint32_t flags;
|
|
uint32_t res1;
|
|
uint32_t res2;
|
|
};
|
|
|
|
struct macho_thread_state_ppc {
|
|
uint32_t srr0; /* PC */
|
|
uint32_t srr1;
|
|
uint32_t reg[32];
|
|
uint32_t cr;
|
|
uint32_t xer;
|
|
uint32_t lr;
|
|
uint32_t ctr;
|
|
uint32_t mq;
|
|
uint32_t vrsave;
|
|
};
|
|
|
|
struct macho_thread_state_ppc64 {
|
|
uint64_t srr0; /* PC */
|
|
uint64_t srr1;
|
|
uint64_t reg[32];
|
|
uint32_t cr;
|
|
uint64_t xer;
|
|
uint64_t lr;
|
|
uint64_t ctr;
|
|
uint32_t vrsave;
|
|
};
|
|
|
|
struct macho_thread_state_x86 {
|
|
uint32_t eax;
|
|
uint32_t ebx;
|
|
uint32_t ecx;
|
|
uint32_t edx;
|
|
uint32_t edi;
|
|
uint32_t esi;
|
|
uint32_t ebp;
|
|
uint32_t esp;
|
|
uint32_t ss;
|
|
uint32_t eflags;
|
|
uint32_t eip;
|
|
uint32_t cs;
|
|
uint32_t ds;
|
|
uint32_t es;
|
|
uint32_t fs;
|
|
uint32_t gs;
|
|
};
|
|
|
|
struct macho_fat_header {
|
|
uint32_t magic;
|
|
uint32_t nfats;
|
|
};
|
|
|
|
struct macho_fat_arch {
|
|
uint32_t cputype;
|
|
uint32_t cpusubtype;
|
|
uint32_t offset;
|
|
uint32_t size;
|
|
uint32_t align;
|
|
};
|
|
|
|
#define RETURN_BROKEN \
|
|
if (matcher) \
|
|
return -1; \
|
|
if (SCAN_HEURISTIC_BROKEN) { \
|
|
if (CL_VIRUS == cli_append_virus(ctx, "Heuristics.Broken.Executable")) \
|
|
return CL_VIRUS; \
|
|
} \
|
|
return CL_EFORMAT
|
|
|
|
static uint32_t cli_rawaddr(uint32_t vaddr, struct cli_exe_section *sects, uint16_t nsects, unsigned int *err)
|
|
{
|
|
unsigned int i, found = 0;
|
|
|
|
for (i = 0; i < nsects; i++) {
|
|
if (sects[i].rva <= vaddr && sects[i].rva + sects[i].vsz > vaddr) {
|
|
found = 1;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!found) {
|
|
*err = 1;
|
|
return 0;
|
|
}
|
|
|
|
*err = 0;
|
|
return vaddr - sects[i].rva + sects[i].raw;
|
|
}
|
|
|
|
int cli_scanmacho(cli_ctx *ctx, struct cli_exe_info *fileinfo)
|
|
{
|
|
struct macho_hdr hdr;
|
|
struct macho_load_cmd load_cmd;
|
|
struct macho_segment_cmd segment_cmd;
|
|
struct macho_segment_cmd64 segment_cmd64;
|
|
struct macho_section section;
|
|
struct macho_section64 section64;
|
|
unsigned int i, j, sect = 0, conv, m64, nsects, matcher = 0;
|
|
unsigned int arch = 0, ep = 0, err;
|
|
struct cli_exe_section *sections = NULL;
|
|
char name[16];
|
|
fmap_t *map = ctx->fmap;
|
|
ssize_t at;
|
|
|
|
if (fileinfo) {
|
|
matcher = 1;
|
|
|
|
// TODO This code assumes fileinfo->offset == 0, which might not always
|
|
// be the case. For now just print this debug message and continue on
|
|
if (0 != fileinfo->offset) {
|
|
cli_dbgmsg("cli_scanmacho: Assumption Violated: fileinfo->offset != 0\n");
|
|
}
|
|
}
|
|
|
|
if (fmap_readn(map, &hdr, 0, sizeof(hdr)) != sizeof(hdr)) {
|
|
cli_dbgmsg("cli_scanmacho: Can't read header\n");
|
|
return matcher ? -1 : CL_EFORMAT;
|
|
}
|
|
at = sizeof(hdr);
|
|
|
|
if (hdr.magic == 0xfeedface) {
|
|
conv = 0;
|
|
m64 = 0;
|
|
} else if (hdr.magic == 0xcefaedfe) {
|
|
conv = 1;
|
|
m64 = 0;
|
|
} else if (hdr.magic == 0xfeedfacf) {
|
|
conv = 0;
|
|
m64 = 1;
|
|
} else if (hdr.magic == 0xcffaedfe) {
|
|
conv = 1;
|
|
m64 = 1;
|
|
} else {
|
|
cli_dbgmsg("cli_scanmacho: Incorrect magic\n");
|
|
return matcher ? -1 : CL_EFORMAT;
|
|
}
|
|
|
|
switch (EC32(hdr.cpu_type, conv)) {
|
|
case 7:
|
|
if (!matcher)
|
|
cli_dbgmsg("MACHO: CPU Type: Intel 32-bit\n");
|
|
arch = 1;
|
|
break;
|
|
case 7 | 0x1000000:
|
|
if (!matcher)
|
|
cli_dbgmsg("MACHO: CPU Type: Intel 64-bit\n");
|
|
break;
|
|
case 12:
|
|
if (!matcher)
|
|
cli_dbgmsg("MACHO: CPU Type: ARM\n");
|
|
break;
|
|
case 14:
|
|
if (!matcher)
|
|
cli_dbgmsg("MACHO: CPU Type: SPARC\n");
|
|
break;
|
|
case 18:
|
|
if (!matcher)
|
|
cli_dbgmsg("MACHO: CPU Type: POWERPC 32-bit\n");
|
|
arch = 2;
|
|
break;
|
|
case 18 | 0x1000000:
|
|
if (!matcher)
|
|
cli_dbgmsg("MACHO: CPU Type: POWERPC 64-bit\n");
|
|
arch = 3;
|
|
break;
|
|
default:
|
|
if (!matcher)
|
|
cli_dbgmsg("MACHO: CPU Type: ** UNKNOWN ** (%u)\n", EC32(hdr.cpu_type, conv));
|
|
break;
|
|
}
|
|
|
|
if (!matcher) switch (EC32(hdr.filetype, conv)) {
|
|
case 0x1: /* MH_OBJECT */
|
|
cli_dbgmsg("MACHO: Filetype: Relocatable object file\n");
|
|
break;
|
|
case 0x2: /* MH_EXECUTE */
|
|
cli_dbgmsg("MACHO: Filetype: Executable\n");
|
|
break;
|
|
case 0x3: /* MH_FVMLIB */
|
|
cli_dbgmsg("MACHO: Filetype: Fixed VM shared library file\n");
|
|
break;
|
|
case 0x4: /* MH_CORE */
|
|
cli_dbgmsg("MACHO: Filetype: Core file\n");
|
|
break;
|
|
case 0x5: /* MH_PRELOAD */
|
|
cli_dbgmsg("MACHO: Filetype: Preloaded executable file\n");
|
|
break;
|
|
case 0x6: /* MH_DYLIB */
|
|
cli_dbgmsg("MACHO: Filetype: Dynamically bound shared library\n");
|
|
break;
|
|
case 0x7: /* MH_DYLINKER */
|
|
cli_dbgmsg("MACHO: Filetype: Dynamic link editor\n");
|
|
break;
|
|
case 0x8: /* MH_BUNDLE */
|
|
cli_dbgmsg("MACHO: Filetype: Dynamically bound bundle file\n");
|
|
break;
|
|
case 0x9: /* MH_DYLIB_STUB */
|
|
cli_dbgmsg("MACHO: Filetype: Shared library stub for static\n");
|
|
break;
|
|
default:
|
|
cli_dbgmsg("MACHO: Filetype: ** UNKNOWN ** (0x%x)\n", EC32(hdr.filetype, conv));
|
|
}
|
|
|
|
if (!matcher) {
|
|
cli_dbgmsg("MACHO: Number of load commands: %u\n", EC32(hdr.ncmds, conv));
|
|
cli_dbgmsg("MACHO: Size of load commands: %u\n", EC32(hdr.sizeofcmds, conv));
|
|
}
|
|
|
|
if (m64)
|
|
at += 4;
|
|
|
|
hdr.ncmds = EC32(hdr.ncmds, conv);
|
|
if (!hdr.ncmds || hdr.ncmds > 1024) {
|
|
cli_dbgmsg("cli_scanmacho: Invalid number of load commands (%u)\n", hdr.ncmds);
|
|
RETURN_BROKEN;
|
|
}
|
|
|
|
for (i = 0; i < hdr.ncmds; i++) {
|
|
if (fmap_readn(map, &load_cmd, at, sizeof(load_cmd)) != sizeof(load_cmd)) {
|
|
cli_dbgmsg("cli_scanmacho: Can't read load command\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
at += sizeof(load_cmd);
|
|
/*
|
|
if((m64 && EC32(load_cmd.cmdsize, conv) % 8) || (!m64 && EC32(load_cmd.cmdsize, conv) % 4)) {
|
|
cli_dbgmsg("cli_scanmacho: Invalid command size (%u)\n", EC32(load_cmd.cmdsize, conv));
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
*/
|
|
load_cmd.cmd = EC32(load_cmd.cmd, conv);
|
|
if ((m64 && load_cmd.cmd == 0x19) || (!m64 && load_cmd.cmd == 0x01)) { /* LC_SEGMENT */
|
|
if (m64) {
|
|
if (fmap_readn(map, &segment_cmd64, at, sizeof(segment_cmd64)) != sizeof(segment_cmd64)) {
|
|
cli_dbgmsg("cli_scanmacho: Can't read segment command\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
at += sizeof(segment_cmd64);
|
|
nsects = EC32(segment_cmd64.nsects, conv);
|
|
strncpy(name, segment_cmd64.segname, sizeof(name));
|
|
name[sizeof(name) - 1] = '\0';
|
|
} else {
|
|
if (fmap_readn(map, &segment_cmd, at, sizeof(segment_cmd)) != sizeof(segment_cmd)) {
|
|
cli_dbgmsg("cli_scanmacho: Can't read segment command\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
at += sizeof(segment_cmd);
|
|
nsects = EC32(segment_cmd.nsects, conv);
|
|
strncpy(name, segment_cmd.segname, sizeof(name));
|
|
name[sizeof(name) - 1] = '\0';
|
|
}
|
|
if (!matcher) {
|
|
cli_dbgmsg("MACHO: Segment name: %s\n", name);
|
|
cli_dbgmsg("MACHO: Number of sections: %u\n", nsects);
|
|
}
|
|
if (nsects > 255) {
|
|
cli_dbgmsg("cli_scanmacho: Invalid number of sections\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
if (!nsects) {
|
|
if (!matcher)
|
|
cli_dbgmsg("MACHO: ------------------\n");
|
|
continue;
|
|
}
|
|
sections = (struct cli_exe_section *)cli_realloc2(sections, (sect + nsects) * sizeof(struct cli_exe_section));
|
|
if (!sections) {
|
|
cli_errmsg("cli_scanmacho: Can't allocate memory for 'sections'\n");
|
|
return matcher ? -1 : CL_EMEM;
|
|
}
|
|
|
|
for (j = 0; j < nsects; j++) {
|
|
if (m64) {
|
|
if (fmap_readn(map, §ion64, at, sizeof(section64)) != sizeof(section64)) {
|
|
cli_dbgmsg("cli_scanmacho: Can't read section\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
at += sizeof(section64);
|
|
sections[sect].rva = EC64(section64.addr, conv);
|
|
sections[sect].vsz = EC64(section64.size, conv);
|
|
sections[sect].raw = EC32(section64.offset, conv);
|
|
section64.align = 1 << EC32(section64.align, conv);
|
|
sections[sect].rsz = sections[sect].vsz + (section64.align - (sections[sect].vsz % section64.align)) % section64.align; /* most likely we can assume it's the same as .vsz */
|
|
strncpy(name, section64.sectname, sizeof(name));
|
|
name[sizeof(name) - 1] = '\0';
|
|
} else {
|
|
if (fmap_readn(map, §ion, at, sizeof(section)) != sizeof(section)) {
|
|
cli_dbgmsg("cli_scanmacho: Can't read section\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
at += sizeof(section);
|
|
sections[sect].rva = EC32(section.addr, conv);
|
|
sections[sect].vsz = EC32(section.size, conv);
|
|
sections[sect].raw = EC32(section.offset, conv);
|
|
if (EC32(section.align, conv) >= 32) {
|
|
cli_dbgmsg("cli_scanmacho: Section aligned is malformed\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
section.align = 1 << EC32(section.align, conv);
|
|
sections[sect].rsz = sections[sect].vsz + (section.align - (sections[sect].vsz % section.align)) % section.align;
|
|
strncpy(name, section.sectname, sizeof(name));
|
|
name[sizeof(name) - 1] = '\0';
|
|
}
|
|
if (!matcher) {
|
|
cli_dbgmsg("MACHO: --- Section %u ---\n", sect);
|
|
cli_dbgmsg("MACHO: Name: %s\n", name);
|
|
cli_dbgmsg("MACHO: Virtual address: 0x%x\n", (unsigned int)sections[sect].rva);
|
|
cli_dbgmsg("MACHO: Virtual size: %u\n", (unsigned int)sections[sect].vsz);
|
|
cli_dbgmsg("MACHO: Raw size: %u\n", (unsigned int)sections[sect].rsz);
|
|
if (sections[sect].raw)
|
|
cli_dbgmsg("MACHO: File offset: %u\n", (unsigned int)sections[sect].raw);
|
|
}
|
|
sect++;
|
|
}
|
|
if (!matcher)
|
|
cli_dbgmsg("MACHO: ------------------\n");
|
|
|
|
} else if (arch && (load_cmd.cmd == 0x4 || load_cmd.cmd == 0x5)) { /* LC_(UNIX)THREAD */
|
|
at += 8;
|
|
switch (arch) {
|
|
case 1: /* x86 */
|
|
{
|
|
struct macho_thread_state_x86 thread_state_x86;
|
|
|
|
if (fmap_readn(map, &thread_state_x86, at, sizeof(thread_state_x86)) != sizeof(thread_state_x86)) {
|
|
cli_dbgmsg("cli_scanmacho: Can't read thread_state_x86\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
at += sizeof(thread_state_x86);
|
|
break;
|
|
}
|
|
|
|
case 2: /* PPC */
|
|
{
|
|
struct macho_thread_state_ppc thread_state_ppc;
|
|
|
|
if (fmap_readn(map, &thread_state_ppc, at, sizeof(thread_state_ppc)) != sizeof(thread_state_ppc)) {
|
|
cli_dbgmsg("cli_scanmacho: Can't read thread_state_ppc\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
at += sizeof(thread_state_ppc);
|
|
ep = EC32(thread_state_ppc.srr0, conv);
|
|
break;
|
|
}
|
|
|
|
case 3: /* PPC64 */
|
|
{
|
|
struct macho_thread_state_ppc64 thread_state_ppc64;
|
|
|
|
if (fmap_readn(map, &thread_state_ppc64, at, sizeof(thread_state_ppc64)) != sizeof(thread_state_ppc64)) {
|
|
cli_dbgmsg("cli_scanmacho: Can't read thread_state_ppc64\n");
|
|
free(sections);
|
|
RETURN_BROKEN;
|
|
}
|
|
at += sizeof(thread_state_ppc64);
|
|
ep = EC64(thread_state_ppc64.srr0, conv);
|
|
break;
|
|
}
|
|
default:
|
|
cli_errmsg("cli_scanmacho: Invalid arch setting!\n");
|
|
free(sections);
|
|
return matcher ? -1 : CL_EARG;
|
|
}
|
|
} else {
|
|
if (EC32(load_cmd.cmdsize, conv) > sizeof(load_cmd))
|
|
at += EC32(load_cmd.cmdsize, conv) - sizeof(load_cmd);
|
|
}
|
|
}
|
|
|
|
if (ep) {
|
|
if (!matcher)
|
|
cli_dbgmsg("Entry Point: 0x%x\n", ep);
|
|
if (sections) {
|
|
ep = cli_rawaddr(ep, sections, sect, &err);
|
|
if (err) {
|
|
cli_dbgmsg("cli_scanmacho: Can't calculate EP offset\n");
|
|
free(sections);
|
|
return matcher ? -1 : CL_EFORMAT;
|
|
}
|
|
if (!matcher)
|
|
cli_dbgmsg("Entry Point file offset: %u\n", ep);
|
|
}
|
|
}
|
|
|
|
if (matcher) {
|
|
fileinfo->ep = ep;
|
|
fileinfo->nsections = sect;
|
|
fileinfo->sections = sections;
|
|
return 0;
|
|
} else {
|
|
free(sections);
|
|
return CL_SUCCESS;
|
|
}
|
|
}
|
|
|
|
int cli_machoheader(cli_ctx *ctx, struct cli_exe_info *fileinfo)
|
|
{
|
|
return cli_scanmacho(ctx, fileinfo);
|
|
}
|
|
|
|
int cli_scanmacho_unibin(cli_ctx *ctx)
|
|
{
|
|
struct macho_fat_header fat_header;
|
|
struct macho_fat_arch fat_arch;
|
|
unsigned int conv, i, matcher = 0;
|
|
int ret = CL_CLEAN;
|
|
fmap_t *map = ctx->fmap;
|
|
ssize_t at;
|
|
|
|
if (fmap_readn(map, &fat_header, 0, sizeof(fat_header)) != sizeof(fat_header)) {
|
|
cli_dbgmsg("cli_scanmacho_unibin: Can't read fat_header\n");
|
|
return CL_EFORMAT;
|
|
}
|
|
at = sizeof(fat_header);
|
|
|
|
if (fat_header.magic == 0xcafebabe) {
|
|
conv = 0;
|
|
} else if (fat_header.magic == 0xbebafeca) {
|
|
conv = 1;
|
|
} else {
|
|
cli_dbgmsg("cli_scanmacho_unibin: Incorrect magic\n");
|
|
return CL_EFORMAT;
|
|
}
|
|
|
|
fat_header.nfats = EC32(fat_header.nfats, conv);
|
|
if ((fat_header.nfats & 0xffff) >= 39) /* Java Bytecode */
|
|
return CL_CLEAN;
|
|
|
|
if (fat_header.nfats > 32) {
|
|
cli_dbgmsg("cli_scanmacho_unibin: Invalid number of architectures\n");
|
|
return CL_EFORMAT;
|
|
}
|
|
cli_dbgmsg("UNIBIN: Number of architectures: %u\n", (unsigned int)fat_header.nfats);
|
|
for (i = 0; i < fat_header.nfats; i++) {
|
|
if (fmap_readn(map, &fat_arch, at, sizeof(fat_arch)) != sizeof(fat_arch)) {
|
|
cli_dbgmsg("cli_scanmacho_unibin: Can't read fat_arch\n");
|
|
RETURN_BROKEN;
|
|
}
|
|
at += sizeof(fat_arch);
|
|
fat_arch.offset = EC32(fat_arch.offset, conv);
|
|
fat_arch.size = EC32(fat_arch.size, conv);
|
|
cli_dbgmsg("UNIBIN: Binary %u of %u\n", i + 1, fat_header.nfats);
|
|
cli_dbgmsg("UNIBIN: File offset: %u\n", fat_arch.offset);
|
|
cli_dbgmsg("UNIBIN: File size: %u\n", fat_arch.size);
|
|
|
|
/* The offset must be greater than the location of the header or we risk
|
|
re-scanning the same data over and over again. The scan recursion max
|
|
will save us, but it will still cause other problems and waste CPU. */
|
|
if (fat_arch.offset < at) {
|
|
cli_dbgmsg("Invalid fat offset: %d\n", fat_arch.offset);
|
|
RETURN_BROKEN;
|
|
}
|
|
|
|
ret = cli_magic_scan_nested_fmap_type(map, fat_arch.offset, fat_arch.size, ctx, CL_TYPE_ANY, NULL);
|
|
if (ret == CL_VIRUS)
|
|
break;
|
|
}
|
|
|
|
return ret; /* result from the last binary */
|
|
}
|
|
|
|
int cli_unpackmacho(cli_ctx *ctx)
|
|
{
|
|
char *tempfile;
|
|
int ndesc;
|
|
struct cli_bc_ctx *bc_ctx;
|
|
int ret;
|
|
|
|
/* Bytecode BC_MACHO_UNPACKER hook */
|
|
bc_ctx = cli_bytecode_context_alloc();
|
|
if (!bc_ctx) {
|
|
cli_errmsg("cli_scanelf: can't allocate memory for bc_ctx\n");
|
|
return CL_EMEM;
|
|
}
|
|
|
|
cli_bytecode_context_setctx(bc_ctx, ctx);
|
|
|
|
ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_MACHO_UNPACKER, ctx->fmap);
|
|
switch (ret) {
|
|
case CL_VIRUS:
|
|
cli_bytecode_context_destroy(bc_ctx);
|
|
return CL_VIRUS;
|
|
case CL_SUCCESS:
|
|
ndesc = cli_bytecode_context_getresult_file(bc_ctx, &tempfile);
|
|
cli_bytecode_context_destroy(bc_ctx);
|
|
if (ndesc != -1 && tempfile) {
|
|
if (ctx->engine->keeptmp)
|
|
cli_dbgmsg("cli_scanmacho: Unpacked and rebuilt executable saved in %s\n", tempfile);
|
|
else
|
|
cli_dbgmsg("cli_scanmacho: Unpacked and rebuilt executable\n");
|
|
lseek(ndesc, 0, SEEK_SET);
|
|
cli_dbgmsg("***** Scanning rebuilt Mach-O file *****\n");
|
|
if (cli_magic_scan_desc(ndesc, tempfile, ctx, NULL) == CL_VIRUS) {
|
|
close(ndesc);
|
|
CLI_TMPUNLK();
|
|
free(tempfile);
|
|
return CL_VIRUS;
|
|
}
|
|
close(ndesc);
|
|
CLI_TMPUNLK();
|
|
free(tempfile);
|
|
return CL_SUCCESS;
|
|
}
|
|
break;
|
|
default:
|
|
cli_bytecode_context_destroy(bc_ctx);
|
|
}
|
|
|
|
return CL_CLEAN;
|
|
}
|