这近2000行的代码,要是没有Source Insight,都不知道怎么看下去。跟着跟着来到了PE文件查杀的地方,发现前面都中规中矩地进行PE属性检查,中间一段开始扫描每个区块,然后和特征库的size对比扫描查毒。再后面,加了对一些流行病毒的特定查杀。(这个比较晕。)
代码注释如下(代码过长,可能有些人加载较慢,请耐心等待……):
//传说中的PE文件查杀
int cli_scanpe(int desc, cli_ctx *ctx)
{
uint16_t e_magic; /* DOS signature ("MZ") */
uint16_t nsections;
uint32_t e_lfanew; /* address of new exe header */
uint32_t ep, vep; /* entry point (raw, virtual) */
uint8_t polipos = 0;
time_t timestamp;
struct pe_image_file_hdr file_hdr;
union {
struct pe_image_optional_hdr64 opt64;
struct pe_image_optional_hdr32 opt32;
} pe_opt;
struct pe_image_section_hdr *section_hdr;
struct stat sb;
char sname[9], buff[4096], epbuff[4096], *tempfile;
uint32_t epsize;
ssize_t bytes;
unsigned int i, found, upx_success = 0, min = 0, max = 0, err;
unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0;
int (*upxfn)(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL;
char *src = NULL, *dest = NULL;
int ndesc, ret = CL_CLEAN, upack = 0, native=0;
size_t fsize;
uint32_t valign, falign, hdr_size, j;
struct cli_exe_section *exe_sections;
struct cli_matcher *md5_sect;
char timestr[32];
if(!ctx) {
cli_errmsg("cli_scanpe: ctx == NULL
");
return CL_ENULLARG;
}
//读取DOS头,既是MZ
if(cli_readn(desc, &e_magic, sizeof(e_magic)) != sizeof(e_magic)) {
cli_dbgmsg("Can't read DOS signature
");
return CL_CLEAN;
}
//EC16功能:前后16位数据互换
//因为IMAGE_DOS_SIGNATURE是0x5a4d,既是ZM
if(EC16(e_magic) != IMAGE_DOS_SIGNATURE && EC16(e_magic) != IMAGE_DOS_SIGNATURE_OLD) {
cli_dbgmsg("Invalid DOS signature
");
return CL_CLEAN;
}
//再跳过58bytes就到达0x3c位置,PE头偏移数据
lseek(desc, 58, SEEK_CUR); /* skip to the end of the DOS header */
//读取PE文件头的文件偏移地址
if(cli_readn(desc, &e_lfanew, sizeof(e_lfanew)) != sizeof(e_lfanew)) {
cli_dbgmsg("Can't read new header address
");
/* truncated header? */
//根据设置,判断是否要归类到病毒
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
}
//EC32功能:高低地址翻转
//设置为正常顺序
e_lfanew = EC32(e_lfanew);
cli_dbgmsg("e_lfanew == %d
", e_lfanew);
if(!e_lfanew) {
cli_dbgmsg("Not a PE file
");
return CL_CLEAN;
}
//跳到PE文件头位置
if(lseek(desc, e_lfanew, SEEK_SET) < 0) {
/* probably not a PE file */
cli_dbgmsg("Can't lseek to e_lfanew
");
return CL_CLEAN;
}
//读取PE镜像文件头数据
if(cli_readn(desc, &file_hdr, sizeof(struct pe_image_file_hdr)) != sizeof(struct pe_image_file_hdr)) {
/* bad information in e_lfanew - probably not a PE file */
cli_dbgmsg("Can't read file header
");
return CL_CLEAN;
}
//判断PE签名是否为00EP
if(EC32(file_hdr.Magic) != IMAGE_NT_SIGNATURE) {
cli_dbgmsg("Invalid PE signature (probably NE file)
");
return CL_CLEAN;
}
//文件属性为0x2000既是DLL文件
//文件属性为0x01则是普通EXE文件
if(EC16(file_hdr.Characteristics) & 0x2000) {
cli_dbgmsg("File type: DLL
");
dll = 1;
} else if(EC16(file_hdr.Characteristics) & 0x01) {
cli_dbgmsg("File type: Executable
");
}
//判断该PE文件的目标CPU 类型
switch(EC16(file_hdr.Machine)) {
case 0x0:
cli_dbgmsg("Machine type: Unknown
");
break;
case 0x14c:
cli_dbgmsg("Machine type: 80386
");
break;
case 0x14d:
cli_dbgmsg("Machine type: 80486
");
break;
case 0x14e:
cli_dbgmsg("Machine type: 80586
");
break;
case 0x160:
cli_dbgmsg("Machine type: R30000 (big-endian)
");
break;
case 0x162:
cli_dbgmsg("Machine type: R3000
");
break;
case 0x166:
cli_dbgmsg("Machine type: R4000
");
break;
case 0x168:
cli_dbgmsg("Machine type: R10000
");
break;
case 0x184:
cli_dbgmsg("Machine type: DEC Alpha AXP
");
break;
case 0x284:
cli_dbgmsg("Machine type: DEC Alpha AXP 64bit
");
break;
case 0x1f0:
cli_dbgmsg("Machine type: PowerPC
");
break;
case 0x200:
cli_dbgmsg("Machine type: IA64
");
break;
case 0x268:
cli_dbgmsg("Machine type: M68k
");
break;
case 0x266:
cli_dbgmsg("Machine type: MIPS16
");
break;
case 0x366:
cli_dbgmsg("Machine type: MIPS+FPU
");
break;
case 0x466:
cli_dbgmsg("Machine type: MIPS16+FPU
");
break;
case 0x1a2:
cli_dbgmsg("Machine type: Hitachi SH3
");
break;
case 0x1a3:
cli_dbgmsg("Machine type: Hitachi SH3-DSP
");
break;
case 0x1a4:
cli_dbgmsg("Machine type: Hitachi SH3-E
");
break;
case 0x1a6:
cli_dbgmsg("Machine type: Hitachi SH4
");
break;
case 0x1a8:
cli_dbgmsg("Machine type: Hitachi SH5
");
break;
case 0x1c0:
cli_dbgmsg("Machine type: ARM
");
break;
case 0x1c2:
cli_dbgmsg("Machine type: THUMB
");
break;
case 0x1d3:
cli_dbgmsg("Machine type: AM33
");
break;
case 0x520:
cli_dbgmsg("Machine type: Infineon TriCore
");
break;
case 0xcef:
cli_dbgmsg("Machine type: CEF
");
break;
case 0xebc:
cli_dbgmsg("Machine type: EFI Byte Code
");
break;
case 0x9041:
cli_dbgmsg("Machine type: M32R
");
break;
case 0xc0ee:
cli_dbgmsg("Machine type: CEE
");
break;
case 0x8664:
cli_dbgmsg("Machine type: AMD64
");
break;
default:
cli_warnmsg("Unknown machine type in PE header (0x%x)
", EC16(file_hdr.Machine));
}
//获取块的数目
nsections = EC16(file_hdr.NumberOfSections);
if(nsections < 1 || nsections > 96) {
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
if(nsections)
cli_warnmsg("PE file contains %d sections
", nsections);
else
cli_warnmsg("PE file contains no sections
");
return CL_CLEAN;
}
cli_dbgmsg("NumberOfSections: %d
", nsections);
//获取文件创建时间
//自1970/1/1 用GMT计算的秒数
timestamp = (time_t) EC32(file_hdr.TimeDateStamp);
cli_dbgmsg("TimeDateStamp: %s", cli_ctime(×tamp, timestr, sizeof(timestr)));
//读取可选镜像文件头大小
cli_dbgmsg("SizeOfOptionalHeader: %x
", EC16(file_hdr.SizeOfOptionalHeader));
//可选镜像文件头太小
if (EC16(file_hdr.SizeOfOptionalHeader) < sizeof(struct pe_image_optional_hdr32)) {
cli_dbgmsg("SizeOfOptionalHeader too small
");
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
}
//读取可选镜像文件头数据
if(cli_readn(desc, &optional_hdr32, sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr32)) {
cli_dbgmsg("Can't read optional file header
");
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
}
//读取可选镜像文件头标志,判断是32位还是64位
//ROM映像0x107
//普通可执行的映像0x10b
//PE32+是0x20b
/* This will be a chicken and egg problem until we drop 9x */
if(EC32(optional_hdr64.Magic)==PE32P_SIGNATURE) {
//再判断读取可选镜像文件头大小是否正确
if(EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr64)) {
/* FIXME: need to play around a bit more with xp64 */
cli_dbgmsg("Incorrect SizeOfOptionalHeader for PE32+
");
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
}
pe_plus = 1;
} else {
/*
either it's got a PE32_SIGNATURE or
we enable win9x compatibility in that we don't honor magic (see bb#119)
either way it's a 32bit thingy
*/
if(EC16(optional_hdr32.Magic) != PE32_SIGNATURE) {
cli_warnmsg("Incorrect magic number in optional header
");
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
cli_dbgmsg("9x compatibility mode
");
}
}
//非64位,既是32位
if(!pe_plus) { /* PE */
if (EC16(file_hdr.SizeOfOptionalHeader)!=sizeof(struct pe_image_optional_hdr32)) {
/* Seek to the end of the long header */
//略过多余部分数据
lseek(desc, (EC16(file_hdr.SizeOfOptionalHeader)-sizeof(struct pe_image_optional_hdr32)), SEEK_CUR);
}
//判断PE是否需要脱壳?
if(DCONF & PE_CONF_UPACK)
upack = (EC16(file_hdr.SizeOfOptionalHeader)==0x148);
//获取入口RVA
vep = EC32(optional_hdr32.AddressOfEntryPoint);
//获取MS-DOS头、PE文件头、区块表的组合大小
//域值四舍五入到文件对齐的倍数
hdr_size = EC32(optional_hdr32.SizeOfHeaders);
cli_dbgmsg("File format: PE
");
cli_dbgmsg("MajorLinkerVersion: %d
", optional_hdr32.MajorLinkerVersion);
cli_dbgmsg("MinorLinkerVersion: %d
", optional_hdr32.MinorLinkerVersion);
cli_dbgmsg("SizeOfCode: 0x%x
", EC32(optional_hdr32.SizeOfCode));
cli_dbgmsg("SizeOfInitializedData: 0x%x
", EC32(optional_hdr32.SizeOfInitializedData));
cli_dbgmsg("SizeOfUninitializedData: 0x%x
", EC32(optional_hdr32.SizeOfUninitializedData));
cli_dbgmsg("AddressOfEntryPoint: 0x%x
", vep);
cli_dbgmsg("BaseOfCode: 0x%x
", EC32(optional_hdr32.BaseOfCode));
cli_dbgmsg("SectionAlignment: 0x%x
", EC32(optional_hdr32.SectionAlignment));
cli_dbgmsg("FileAlignment: 0x%x
", EC32(optional_hdr32.FileAlignment));
cli_dbgmsg("MajorSubsystemVersion: %d
", EC16(optional_hdr32.MajorSubsystemVersion));
cli_dbgmsg("MinorSubsystemVersion: %d
", EC16(optional_hdr32.MinorSubsystemVersion));
cli_dbgmsg("SizeOfImage: 0x%x
", EC32(optional_hdr32.SizeOfImage));
cli_dbgmsg("SizeOfHeaders: 0x%x
", hdr_size);
cli_dbgmsg("NumberOfRvaAndSizes: %d
", EC32(optional_hdr32.NumberOfRvaAndSizes));
} else { /* PE+ */
//64位
/* read the remaining part of the header */
if(cli_readn(desc, &optional_hdr32 + 1, sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) != sizeof(struct pe_image_optional_hdr64) - sizeof(struct pe_image_optional_hdr32)) {
cli_dbgmsg("Can't read optional file header
");
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
}
vep = EC32(optional_hdr64.AddressOfEntryPoint);
hdr_size = EC32(optional_hdr64.SizeOfHeaders);
cli_dbgmsg("File format: PE32+
");
cli_dbgmsg("MajorLinkerVersion: %d
", optional_hdr64.MajorLinkerVersion);
cli_dbgmsg("MinorLinkerVersion: %d
", optional_hdr64.MinorLinkerVersion);
cli_dbgmsg("SizeOfCode: 0x%x
", EC32(optional_hdr64.SizeOfCode));
cli_dbgmsg("SizeOfInitializedData: 0x%x
", EC32(optional_hdr64.SizeOfInitializedData));
cli_dbgmsg("SizeOfUninitializedData: 0x%x
", EC32(optional_hdr64.SizeOfUninitializedData));
cli_dbgmsg("AddressOfEntryPoint: 0x%x
", vep);
cli_dbgmsg("BaseOfCode: 0x%x
", EC32(optional_hdr64.BaseOfCode));
cli_dbgmsg("SectionAlignment: 0x%x
", EC32(optional_hdr64.SectionAlignment));
cli_dbgmsg("FileAlignment: 0x%x
", EC32(optional_hdr64.FileAlignment));
cli_dbgmsg("MajorSubsystemVersion: %d
", EC16(optional_hdr64.MajorSubsystemVersion));
cli_dbgmsg("MinorSubsystemVersion: %d
", EC16(optional_hdr64.MinorSubsystemVersion));
cli_dbgmsg("SizeOfImage: 0x%x
", EC32(optional_hdr64.SizeOfImage));
cli_dbgmsg("SizeOfHeaders: 0x%x
", hdr_size);
cli_dbgmsg("NumberOfRvaAndSizes: %d
", EC32(optional_hdr64.NumberOfRvaAndSizes));
}
//判断该执行文件所期待的子系统(用户界面类型)的枚举值
switch(pe_plus ? EC16(optional_hdr64.Subsystem) : EC16(optional_hdr32.Subsystem)) {
case 0:
cli_dbgmsg("Subsystem: Unknown
");
break;
case 1:
cli_dbgmsg("Subsystem: Native (svc)
");
native = 1;
break;
case 2:
cli_dbgmsg("Subsystem: Win32 GUI
");
break;
case 3:
cli_dbgmsg("Subsystem: Win32 console
");
break;
case 5:
cli_dbgmsg("Subsystem: OS/2 console
");
break;
case 7:
cli_dbgmsg("Subsystem: POSIX console
");
break;
case 8:
cli_dbgmsg("Subsystem: Native Win9x driver
");
break;
case 9:
cli_dbgmsg("Subsystem: WinCE GUI
");
break;
case 10:
cli_dbgmsg("Subsystem: EFI application
");
break;
case 11:
cli_dbgmsg("Subsystem: EFI driver
");
break;
case 12:
cli_dbgmsg("Subsystem: EFI runtime driver
");
break;
default:
cli_warnmsg("Unknown subsystem in PE header (0x%x)
", pe_plus ? EC16(optional_hdr64.Subsystem) : EC16(optional_hdr32.Subsystem));
}
cli_dbgmsg("------------------------------------
");
//内存区块对齐值出错
if (DETECT_BROKEN && !native && (!(pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment)) || (pe_plus?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment))%0x1000)) {
cli_dbgmsg("Bad virtual alignemnt
");
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
//文件区块对齐值出错
if (DETECT_BROKEN && !native && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
cli_dbgmsg("Bad file alignemnt
");
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
//获取该PE文件信息
if(fstat(desc, &sb) == -1) {
cli_dbgmsg("fstat failed
");
return CL_EIO;
}
fsize = sb.st_size;
//创建区块表
section_hdr = (struct pe_image_section_hdr *) cli_calloc(nsections, sizeof(struct pe_image_section_hdr));
if(!section_hdr) {
cli_dbgmsg("Can't allocate memory for section headers
");
return CL_EMEM;
}
//创建可执行区块表?
exe_sections = (struct cli_exe_section *) cli_calloc(nsections, sizeof(struct cli_exe_section));
if(!exe_sections) {
cli_dbgmsg("Can't allocate memory for section headers
");
free(section_hdr);
return CL_EMEM;
}
//内存块对齐值和文件块对齐值
valign = (pe_plus)?EC32(optional_hdr64.SectionAlignment):EC32(optional_hdr32.SectionAlignment);
falign = (pe_plus)?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment);
//读取区块表
if(cli_readn(desc, section_hdr, sizeof(struct pe_image_section_hdr)*nsections) != (int)(nsections*sizeof(struct pe_image_section_hdr))) {
cli_dbgmsg("Can't read section header
");
cli_dbgmsg("Possibly broken PE file
");
free(section_hdr);
free(exe_sections);
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
}
//x86是0x200或者0x1000,会随编译链接改变,最小为0x200
for(i = 0; falign!=0x200 && i<nsections; i++) {
/* file alignment fallback mode - blah */
//找到没有对齐区块
if (falign && section_hdr[i].SizeOfRawData && EC32(section_hdr[i].PointerToRawData)%falign && !(EC32(section_hdr[i].PointerToRawData)%0x200)) {
cli_dbgmsg("Found misaligned section, using 0x200
");
falign = 0x200;
}
}
//填补对齐空余
hdr_size = PESALIGN(hdr_size, valign); /* Aligned headers virtual size */
//循环对每个表进行处理
for(i = 0; i < nsections; i++) {
//获取表名,8位的ASCII码
strncpy(sname, (char *) section_hdr[i].Name, 8);
sname[8] = 0;
//获取其余信息
exe_sections[i].rva = PEALIGN(EC32(section_hdr[i].VirtualAddress), valign);
exe_sections[i].vsz = PESALIGN(EC32(section_hdr[i].VirtualSize), valign);
exe_sections[i].raw = PEALIGN(EC32(section_hdr[i].PointerToRawData), falign);
exe_sections[i].rsz = PESALIGN(EC32(section_hdr[i].SizeOfRawData), falign);
exe_sections[i].chr = EC32(section_hdr[i].Characteristics);
exe_sections[i].urva = EC32(section_hdr[i].VirtualAddress); /* Just in case */
exe_sections[i].uvsz = EC32(section_hdr[i].VirtualSize);
exe_sections[i].uraw = EC32(section_hdr[i].PointerToRawData);
exe_sections[i].ursz = EC32(section_hdr[i].SizeOfRawData);
//实际被使用区块大小为0时重设
if (!exe_sections[i].vsz && exe_sections[i].rsz)
exe_sections[i].vsz=PESALIGN(exe_sections[i].ursz, valign);
if (exe_sections[i].rsz && fsize>exe_sections[i].raw && !CLI_ISCONTAINED(0, (uint32_t) fsize, exe_sections[i].raw, exe_sections[i].rsz))
exe_sections[i].rsz = fsize - exe_sections[i].raw;
cli_dbgmsg("Section %d
", i);
cli_dbgmsg("Section name: %s
", sname);
cli_dbgmsg("Section data (from headers - in memory)
");
cli_dbgmsg("VirtualSize: 0x%x 0x%x
", exe_sections[i].uvsz, exe_sections[i].vsz);
cli_dbgmsg("VirtualAddress: 0x%x 0x%x
", exe_sections[i].urva, exe_sections[i].rva);
cli_dbgmsg("SizeOfRawData: 0x%x 0x%x
", exe_sections[i].ursz, exe_sections[i].rsz);
cli_dbgmsg("PointerToRawData: 0x%x 0x%x
", exe_sections[i].uraw, exe_sections[i].raw);
//块属性判断
//0x20为包含代码
if(exe_sections[i].chr & 0x20) {
cli_dbgmsg("Section contains executable code
");
if(exe_sections[i].vsz < exe_sections[i].rsz) {
cli_dbgmsg("Section contains free space
");
/*
cli_dbgmsg("Dumping %d bytes
", section_hdr.SizeOfRawData - section_hdr.VirtualSize);
ddump(desc, section_hdr.PointerToRawData + section_hdr.VirtualSize, section_hdr.SizeOfRawData - section_hdr.VirtualSize, cli_gentemp(NULL));
*/
}
}
//0x20000000为可执行
if(exe_sections[i].chr & 0x20000000)
cli_dbgmsg("Section's memory is executable
");
//0x80000000为可写
if(exe_sections[i].chr & 0x80000000)
cli_dbgmsg("Section's memory is writeable
");
cli_dbgmsg("------------------------------------
");
//文件对齐有误
if (DETECT_BROKEN && (exe_sections[i].urva % valign)) { /* Bad virtual alignment */
cli_dbgmsg("VirtualAddress is misaligned
");
if(ctx->virname)
*ctx->virname = "Broken.Executable";
free(section_hdr);
free(exe_sections);
return CL_VIRUS;
}
//区块表有数据时候
if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
//磁盘文件偏移超出大小范围,有误
if (exe_sections[i].raw >= fsize) { /* really broken */
cli_dbgmsg("Broken PE file - Section %d starts beyond the end of file (Offset@ %lu, Total filesize %lu)
", i, (unsigned long)exe_sections[i].raw, (unsigned long)fsize);
free(section_hdr);
free(exe_sections);
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN; /* no ninjas to see here! move along! */
}
//大小设置规范怎么来的?
if(SCAN_ALGO && (DCONF & PE_CONF_POLIPOS) && !*sname && exe_sections[i].vsz > 40000 && exe_sections[i].vsz < 70000 && exe_sections[i].chr == 0xe0000060) polipos = i;
/* check MD5 section sigs */
md5_sect = ctx->engine->md5_mdb;
if((DCONF & PE_CONF_MD5SECT) && md5_sect) {
found = 0;
for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <= exe_sections[i].rsz; j++) {
if(md5_sect->soff[j] == exe_sections[i].rsz) {
unsigned char md5_dig[16];
if(cli_md5sect(desc, &exe_sections[i], md5_dig) && cli_bm_scanbuff(md5_dig, 16, ctx->virname, ctx->engine->md5_mdb, 0, 0, -1) == CL_VIRUS) {
/* Since .mdb sigs are not fp-prone, to save
* performance we don't call cli_checkfp() here,
* just give the possibility of whitelisting
* idividual .mdb entries via daily.fp
*/
if(cli_bm_scanbuff(md5_dig, 16, NULL, ctx->engine->md5_fp, 0, 0, -1) != CL_VIRUS) {
free(section_hdr);
free(exe_sections);
return CL_VIRUS;
}
}
break;
}
}
}
}
if (exe_sections[i].urva>>31 || exe_sections[i].uvsz>>31 || (exe_sections[i].rsz && exe_sections[i].uraw>>31) || exe_sections[i].ursz>>31) {
cli_dbgmsg("Found PE values with sign bit set
");
free(section_hdr);
free(exe_sections);
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
}
if(!i) {
if (DETECT_BROKEN && exe_sections[i].urva!=hdr_size) { /* Bad first section RVA */
cli_dbgmsg("First section is in the wrong place
");
if(ctx->virname)
*ctx->virname = "Broken.Executable";
free(section_hdr);
free(exe_sections);
return CL_VIRUS;
}
min = exe_sections[i].rva;
max = exe_sections[i].rva + exe_sections[i].rsz;
} else {
if (DETECT_BROKEN && exe_sections[i].urva - exe_sections[i-1].urva != exe_sections[i-1].vsz) { /* No holes, no overlapping, no virtual disorder */
cli_dbgmsg("Virtually misplaced section (wrong order, overlapping, non contiguous)
");
if(ctx->virname)
*ctx->virname = "Broken.Executable";
free(section_hdr);
free(exe_sections);
return CL_VIRUS;
}
if(exe_sections[i].rva < min)
min = exe_sections[i].rva;
if(exe_sections[i].rva + exe_sections[i].rsz > max)
max = exe_sections[i].rva + exe_sections[i].rsz;
}
}
free(section_hdr);
if(!(ep = cli_rawaddr(vep, exe_sections, nsections, &err, fsize, hdr_size)) && err) {
cli_dbgmsg("EntryPoint out of file
");
free(exe_sections);
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
return CL_VIRUS;
}
return CL_CLEAN;
}
cli_dbgmsg("EntryPoint offset: 0x%x (%d)
", ep, ep);
if(pe_plus) { /* Do not continue for PE32+ files */
free(exe_sections);
return CL_CLEAN;
}
lseek(desc, ep, SEEK_SET);
epsize = cli_readn(desc, epbuff, 4096);
/* Attempt to detect some popular polymorphic viruses */
/* W32.Parite.B */
if(SCAN_ALGO && (DCONF & PE_CONF_PARITE) && !dll && epsize == 4096 && ep == exe_sections[nsections - 1].raw) {
const char *pt = cli_memstr(epbuff, 4040, "x47x65x74x50x72x6fx63x41x64x64x72x65x73x73x00", 15);
if(pt) {
pt += 15;
if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
*ctx->virname = "W32.Parite.B";
free(exe_sections);
return CL_VIRUS;
}
}
}
/* Kriz */
if(SCAN_ALGO && (DCONF & PE_CONF_KRIZ) && epsize >= 200 && CLI_ISCONTAINED(exe_sections[nsections - 1].raw, exe_sections[nsections - 1].rsz, ep, 0x0fd2) && epbuff[1]=='x9c' && epbuff[2]=='x60') {
enum {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSXORPRFX,KZSXOR,KZSDDELTA,KZSLOOP,KZSTOP};
uint8_t kzs[] = {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSTRASH,KZSXORPRFX,KZSXOR,KZSTRASH,KZSDDELTA,KZSTRASH,KZSLOOP,KZSTOP};
uint8_t *kzstate = kzs;
uint8_t *kzcode = (uint8_t *)epbuff + 3;
uint8_t kzdptr=0xff, kzdsize=0xff;
int kzlen = 197, kzinitlen=0xffff, kzxorlen=-1;
cli_dbgmsg("in kriz
");
while(*kzstate!=KZSTOP) {
uint8_t op;
if(kzlen<=6) break;
op = *kzcode++;
kzlen--;
switch (*kzstate) {
case KZSTRASH: case KZSGETSIZE: {
int opsz=0;
switch(op) {
case 0x81:
kzcode+=5;
kzlen-=5;
break;
case 0xb8: case 0xb9: case 0xba: case 0xbb: case 0xbd: case 0xbe: case 0xbf:
if(*kzstate==KZSGETSIZE && cli_readint32(kzcode)==0x0fd2) {
kzinitlen = kzlen-5;
kzdsize=op-0xb8;
kzstate++;
op=4; /* fake the register to avoid breaking out */
cli_dbgmsg("kriz: using #%d as size counter
", kzdsize);
}
opsz=4;
case 0x48: case 0x49: case 0x4a: case 0x4b: case 0x4d: case 0x4e: case 0x4f:
op&=7;
if(op!=kzdptr && op!=kzdsize) {
kzcode+=opsz;
kzlen-=opsz;
break;
}
default:
kzcode--;
kzlen++;
kzstate++;
}
break;
}
case KZSCDELTA:
if(op==0xe8 && (uint32_t)cli_readint32(kzcode) < 0xff) {
kzlen-=*kzcode+4;
kzcode+=*kzcode+4;
kzstate++;
} else *kzstate=KZSTOP;
break;
case KZSPDELTA:
if((op&0xf8)==0x58 && (kzdptr=op-0x58)!=4) {
kzstate++;
cli_dbgmsg("kriz: using #%d as pointer
", kzdptr);
} else *kzstate=KZSTOP;
break;
case KZSXORPRFX:
kzstate++;
if(op==0x3e) break;
case KZSXOR:
if (op==0x80 && *kzcode==kzdptr+0xb0) {
kzxorlen=kzlen;
kzcode+=+6;
kzlen-=+6;
kzstate++;
} else *kzstate=KZSTOP;
break;
case KZSDDELTA:
if (op==kzdptr+0x48) kzstate++;
else *kzstate=KZSTOP;
break;
case KZSLOOP:
if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
*ctx->virname = "W32.Kriz";
free(exe_sections);
return CL_VIRUS;
}
cli_dbgmsg("kriz: loop out of bounds, corrupted sample?
");
kzstate++;
}
}
}
/* W32.Magistr.A/B */
if(SCAN_ALGO && (DCONF & PE_CONF_MAGISTR) && !dll && (nsections>1) && (exe_sections[nsections - 1].chr & 0x80000000)) {
uint32_t rsize, vsize, dam = 0;
vsize = exe_sections[nsections - 1].uvsz;
rsize = exe_sections[nsections - 1].rsz;
if(rsize < exe_sections[nsections - 1].ursz) {
rsize = exe_sections[nsections - 1].ursz;
dam = 1;
}
if(vsize >= 0x612c && rsize >= 0x612c && ((vsize & 0xff) == 0xec)) {
int bw = rsize < 0x7000 ? rsize : 0x7000;
lseek(desc, exe_sections[nsections - 1].raw + rsize - bw, SEEK_SET);
if(cli_readn(desc, buff, 4096) == 4096) {
if(cli_memstr(buff, 4091, "xe8x2cx61x00x00", 5)) {
*ctx->virname = dam ? "W32.Magistr.A.dam" : "W32.Magistr.A";
free(exe_sections);
return CL_VIRUS;
}
}
} else if(rsize >= 0x7000 && vsize >= 0x7000 && ((vsize & 0xff) == 0xed)) {
int bw = rsize < 0x8000 ? rsize : 0x8000;
lseek(desc, exe_sections[nsections - 1].raw + rsize - bw, SEEK_SET);
if(cli_readn(desc, buff, 4096) == 4096) {
if(cli_memstr(buff, 4091, "xe8x04x72x00x00", 5)) {
*ctx->virname = dam ? "W32.Magistr.B.dam" : "W32.Magistr.B";
free(exe_sections);
return CL_VIRUS;
}
}
}
}
/* W32.Polipos.A */
while(polipos && !dll && nsections > 2 && nsections < 13 && e_lfanew <= 0x800 && (EC16(optional_hdr32.Subsystem) == 2 || EC16(optional_hdr32.Subsystem) == 3) && EC16(file_hdr.Machine) == 0x14c && optional_hdr32.SizeOfStackReserve >= 0x80000) {
uint32_t jump, jold, *jumps = NULL;
uint8_t *code;
unsigned int xsjs = 0;
if(exe_sections[0].rsz > CLI_MAX_ALLOCATION) break;
if(!cli_seeksect(desc, &exe_sections[0])) break;
if(!(code=cli_malloc(exe_sections[0].rsz))) {
free(exe_sections);
return CL_EMEM;
}
if(cli_readn(desc, code, exe_sections[0].rsz)!=exe_sections[0].rsz) {
free(exe_sections);
return CL_EIO;
}
for(i=0; i<exe_sections[0].rsz - 5; i++) {
if((uint8_t)(code[i]-0xe8) > 1) continue;
jump = cli_rawaddr(exe_sections[0].rva+i+5+cli_readint32(&code[i+1]), exe_sections, nsections, &err, fsize, hdr_size);
if(err || !CLI_ISCONTAINED(exe_sections[polipos].raw, exe_sections[polipos].rsz, jump, 9)) continue;
if(xsjs % 128 == 0) {
if(xsjs == 1280) break;
if(!(jumps=(uint32_t *)cli_realloc2(jumps, (xsjs+128)*sizeof(uint32_t)))) {
free(code);
free(exe_sections);
return CL_EMEM;
}
}
j=0;
for(; j<xsjs; j++) {
if(jumps[j]<jump) continue;
if(jumps[j]==jump) {
xsjs--;
break;
}
jold=jumps[j];
jumps[j]=jump;
jump=jold;
}
jumps[j]=jump;
xsjs++;
}
free(code);
if(!xsjs) break;
cli_dbgmsg("Polipos: Checking %d xsect jump(s)
", xsjs);
for(i=0;i<xsjs;i++) {
lseek(desc, jumps[i], SEEK_SET);
if(cli_readn(desc, buff, 9) != 9) continue;
if((jump=cli_readint32(buff))==0x60ec8b55 || (buff[4]=='xec' && ((jump==0x83ec8b55 && buff[6]=='x60') || (jump==0x81ec8b55 && !buff[7] && !buff[8])))) {
*ctx->virname = "W32.Polipos.A";
free(jumps);
free(exe_sections);
return CL_VIRUS;
}
}
free(jumps);
break;
}
/* UPX, FSG, MEW support */
/* try to find the first section with physical size == 0 */
found = 0;
if(DCONF & (PE_CONF_UPX | PE_CONF_FSG | PE_CONF_MEW)) {
for(i = 0; i < (unsigned int) nsections - 1; i++) {
if(!exe_sections[i].rsz && exe_sections[i].vsz && exe_sections[i + 1].rsz && exe_sections[i + 1].vsz) {
found = 1;
cli_dbgmsg("UPX/FSG/MEW: empty section found - assuming compression
");
break;
}
}
}
/* MEW support */
if (found && (DCONF & PE_CONF_MEW) && epsize>=16 && epbuff[0]=='xe9') {
uint32_t fileoffset;
fileoffset = (vep + cli_readint32(epbuff + 1) + 5);
while (fileoffset == 0x154 || fileoffset == 0x158) {
uint32_t offdiff, uselzma;
cli_dbgmsg ("MEW: found MEW characteristics %08X + %08X + 5 = %08X
",
cli_readint32(epbuff + 1), vep, cli_readint32(epbuff + 1) + vep + 5);
if(lseek(desc, fileoffset, SEEK_SET) == -1) {
cli_dbgmsg("MEW: lseek() failed
");
free(exe_sections);
return CL_EIO;
}
if((bytes = read(desc, buff, 0xb0)) != 0xb0) {
cli_dbgmsg("MEW: Can't read 0xb0 bytes at 0x%x (%d) %lu
", fileoffset, fileoffset, (unsigned long)bytes);
break;
}
if (fileoffset == 0x154) cli_dbgmsg("MEW: Win9x compatibility was set!
");
else cli_dbgmsg("MEW: Win9x compatibility was NOT set!
");
if((offdiff = cli_readint32(buff+1) - EC32(optional_hdr32.ImageBase)) <= exe_sections[i + 1].rva || offdiff >= exe_sections[i + 1].rva + exe_sections[i + 1].raw - 4) {
cli_dbgmsg("MEW: ESI is not in proper section
");
break;
}
offdiff -= exe_sections[i + 1].rva;
if(!cli_seeksect(desc, &exe_sections[i + 1])) {
free(exe_sections);
return CL_EIO;
}
ssize = exe_sections[i + 1].vsz;
dsize = exe_sections[i].vsz;
cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x
", ssize, dsize, offdiff);
CLI_UNPSIZELIMITS("MEW", MAX(ssize, dsize));
CLI_UNPSIZELIMITS("MEW", MAX(ssize + dsize, exe_sections[i + 1].rsz));
/* allocate needed buffer */
if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) {
free(exe_sections);
return CL_EMEM;
}
if (exe_sections[i + 1].rsz < offdiff + 12 || exe_sections[i + 1].rsz > ssize) {
cli_dbgmsg("MEW: Size mismatch: %08x
", exe_sections[i + 1].rsz);
free(src);
break;
}
if((bytes = read(desc, src + dsize, exe_sections[i + 1].rsz)) != exe_sections[i + 1].rsz) {
cli_dbgmsg("MEW: Can't read %d bytes [read: %lu]
", exe_sections[i + 1].rsz, (unsigned long)bytes);
free(exe_sections);
free(src);
return CL_EIO;
}
cli_dbgmsg("MEW: %u (%08x) bytes read
", (unsigned int)bytes, (unsigned int)bytes);
/* count offset to lzma proc, if lzma used, 0xe8 -> call */
if (buff[0x7b] == 'xe8') {
if (!CLI_ISCONTAINED(exe_sections[1].rva, exe_sections[1].vsz, cli_readint32(buff + 0x7c) + fileoffset + 0x80, 4)) {
cli_dbgmsg("MEW: lzma proc out of bounds!
");
free(src);
break; /* to next unpacker in chain */
}
uselzma = cli_readint32(buff + 0x7c) - (exe_sections[0].rva - fileoffset - 0x80);
} else {
uselzma = 0;
}
CLI_UNPTEMP("MEW",(src,exe_sections,0));
CLI_UNPRESULTS("MEW",(unmew11(src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, uselzma, ndesc)),1,(src,0));
break;
}
}
if(epsize<168) {
free(exe_sections);
return CL_CLEAN;
}
if (found || upack) {
/* Check EP for UPX vs. FSG vs. Upack */
/* Upack 0.39 produces 2 types of executables
* 3 sections: | 2 sections (one empty, I don't chech found if !upack, since it's in OR above):
* mov esi, value | pusha
* lodsd | call $+0x9
* push eax |
*
* Upack 1.1/1.2 Beta produces [based on 2 samples (sUx) provided by aCaB]:
* 2 sections
* mov esi, value
* loads
* mov edi, eax
*
* Upack unknown [sample 0297729]
* 3 sections
* mov esi, value
* push [esi]
* jmp
*
*/
/* upack 0.39-3s + sample 0151477*/
while(((upack && nsections == 3) && /* 3 sections */
((
epbuff[0] == 'xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */
epbuff[5] == 'xad' && epbuff[6] == 'x50' /* lodsd; push eax */
)
||
/* based on 0297729 sample from aCaB */
(epbuff[0] == 'xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */
epbuff[5] == 'xff' && epbuff[6] == 'x36' /* push [esi] */
)
))
||
((!upack && nsections == 2) && /* 2 sections */
(( /* upack 0.39-2s */
epbuff[0] == 'x60' && epbuff[1] == 'xe8' && cli_readint32(epbuff+2) == 0x9 /* pusha; call+9 */
)
||
( /* upack 1.1/1.2, based on 2 samples */
epbuff[0] == 'xbe' && cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase) < min && /* mov esi */
cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) > 0 &&
epbuff[5] == 'xad' && epbuff[6] == 'x8b' && epbuff[7] == 'xf8' /* loads; mov edi, eax */
)
))
) {
uint32_t vma, off;
int a,b,c;
cli_dbgmsg("Upack characteristics found.
");
a = exe_sections[0].vsz;
b = exe_sections[1].vsz;
if (upack) {
cli_dbgmsg("Upack: var set
");
c = exe_sections[2].vsz;
ssize = exe_sections[0].ursz + exe_sections[0].uraw;
off = exe_sections[0].rva;
vma = EC32(optional_hdr32.ImageBase) + exe_sections[0].rva;
} else {
cli_dbgmsg("Upack: var NOT set
");
c = exe_sections[1].rva;
ssize = exe_sections[1].uraw;
off = 0;
vma = exe_sections[1].rva - exe_sections[1].uraw;
}
dsize = a+b+c;
CLI_UNPSIZELIMITS("Upack", MAX(MAX(dsize, ssize), exe_sections[1].ursz));
if (!CLI_ISCONTAINED(0, dsize, exe_sections[1].rva - off, exe_sections[1].ursz) || (upack && !CLI_ISCONTAINED(0, dsize, exe_sections[2].rva - exe_sections[0].rva, ssize)) || ssize > dsize) {
cli_dbgmsg("Upack: probably malformed pe-header, skipping to next unpacker
");
break;
}
if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
free(exe_sections);
return CL_EMEM;
}
lseek(desc, 0, SEEK_SET);
if(read(desc, dest, ssize) != ssize) {
cli_dbgmsg("Upack: Can't read raw data of section 0
");
free(dest);
break;
}
if(upack) memmove(dest + exe_sections[2].rva - exe_sections[0].rva, dest, ssize);
lseek(desc, exe_sections[1].uraw, SEEK_SET);
if(read(desc, dest + exe_sections[1].rva - off, exe_sections[1].ursz) != exe_sections[1].ursz) {
cli_dbgmsg("Upack: Can't read raw data of section 1
");
free(dest);
break;
}
CLI_UNPTEMP("Upack",(dest,exe_sections,0));
CLI_UNPRESULTS("Upack",(unupack(upack, dest, dsize, epbuff, vma, ep, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, ndesc)),1,(dest,0));
break;
}
}
while(found && (DCONF & PE_CONF_FSG) && epbuff[0] == 'x87' && epbuff[1] == 'x25') {
/* FSG v2.0 support - thanks to aCaB ! */
uint32_t newesi, newedi, newebx, newedx;
ssize = exe_sections[i + 1].rsz;
dsize = exe_sections[i].vsz;
CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
if(ssize <= 0x19 || dsize <= ssize) {
cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)
", ssize, dsize);
free(exe_sections);
return CL_CLEAN;
}
newedx = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase);
if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
cli_dbgmsg("FSG: xchg out of bounds (%x), giving up
", newedx);
break;
}
if((src = (char *) cli_malloc(ssize)) == NULL) {
free(exe_sections);
return CL_EMEM;
}
if(!cli_seeksect(desc, &exe_sections[i + 1]) || (unsigned int) cli_readn(desc, src, ssize) != ssize) {
cli_dbgmsg("Can't read raw data of section %d
", i + 1);
free(exe_sections);
free(src);
return CL_EIO;
}
dest = src + newedx - exe_sections[i + 1].rva;
if(newedx < exe_sections[i + 1].rva || !CLI_ISCONTAINED(src, ssize, dest, 4)) {
cli_dbgmsg("FSG: New ESP out of bounds
");
free(src);
break;
}
newedx = cli_readint32(dest) - EC32(optional_hdr32.ImageBase);
if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newedx, 4)) {
cli_dbgmsg("FSG: New ESP (%x) is wrong
", newedx);
free(src);
break;
}
dest = src + newedx - exe_sections[i + 1].rva;
if(!CLI_ISCONTAINED(src, ssize, dest, 32)) {
cli_dbgmsg("FSG: New stack out of bounds
");
free(src);
break;
}
newedi = cli_readint32(dest) - EC32(optional_hdr32.ImageBase);
newesi = cli_readint32(dest + 4) - EC32(optional_hdr32.ImageBase);
newebx = cli_readint32(dest + 16) - EC32(optional_hdr32.ImageBase);
newedx = cli_readint32(dest + 20);
if(newedi != exe_sections[i].rva) {
cli_dbgmsg("FSG: Bad destination buffer (edi is %x should be %x)
", newedi, exe_sections[i].rva);
free(src);
break;
}
if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
cli_dbgmsg("FSG: Source buffer out of section bounds
");
free(src);
break;
}
if(!CLI_ISCONTAINED(exe_sections[i + 1].rva, exe_sections[i + 1].rsz, newebx, 16)) {
cli_dbgmsg("FSG: Array of functions out of bounds
");
free(src);
break;
}
newedx=cli_readint32(newebx + 12 - exe_sections[i + 1].rva + src) - EC32(optional_hdr32.ImageBase);
cli_dbgmsg("FSG: found old EP @%x
",newedx);
if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
free(exe_sections);
free(src);
return CL_EMEM;
}
CLI_UNPTEMP("FSG",(src,dest,exe_sections,0));
CLI_UNPRESULTSFSG2("FSG",(unfsg_200(newesi - exe_sections[i + 1].rva + src, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, newedi, EC32(optional_hdr32.ImageBase), newedx, ndesc)),1,(src,dest,0));
break;
}
while(found && (DCONF & PE_CONF_FSG) && epbuff[0] == 'xbe' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) < min) {
/* FSG support - v. 1.33 (thx trog for the many samples) */
int sectcnt = 0;
char *support;
uint32_t newesi, newedi, oldep, gp, t;
struct cli_exe_section *sections;
ssize = exe_sections[i + 1].rsz;
dsize = exe_sections[i].vsz;
CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
if(ssize <= 0x19 || dsize <= ssize) {
cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)
", ssize, dsize);
free(exe_sections);
return CL_CLEAN;
}
if(!(gp = cli_rawaddr(cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size)) && err ) {
cli_dbgmsg("FSG: Support data out of padding area
");
break;
}
lseek(desc, gp, SEEK_SET);
gp = exe_sections[i + 1].raw - gp;
CLI_UNPSIZELIMITS("FSG", gp)
if((support = (char *) cli_malloc(gp)) == NULL) {
free(exe_sections);
return CL_EMEM;
}
if((int)cli_readn(desc, support, gp) != (int)gp) {
cli_dbgmsg("Can't read %d bytes from padding area
", gp);
free(exe_sections);
free(support);
return CL_EIO;
}
/* newebx = cli_readint32(support) - EC32(optional_hdr32.ImageBase); Unused */
newedi = cli_readint32(support + 4) - EC32(optional_hdr32.ImageBase); /* 1st dest */
newesi = cli_readint32(support + 8) - EC32(optional_hdr32.ImageBase); /* Source */
if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].rsz) {
cli_dbgmsg("FSG: Source buffer out of section bounds
");
free(support);
break;
}
if(newedi != exe_sections[i].rva) {
cli_dbgmsg("FSG: Bad destination (is %x should be %x)
", newedi, exe_sections[i].rva);
free(support);
break;
}
/* Counting original sections */
for(t = 12; t < gp - 4; t += 4) {
uint32_t rva = cli_readint32(support+t);
if(!rva)
break;
rva -= EC32(optional_hdr32.ImageBase)+1;
sectcnt++;
if(rva % 0x1000) cli_dbgmsg("FSG: Original section %d is misaligned
", sectcnt);
if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
cli_dbgmsg("FSG: Original section %d is out of bounds
", sectcnt);
break;
}
}
if(t >= gp - 4 || cli_readint32(support + t)) {
free(support);
break;
}
if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
free(exe_sections);
free(support);
return CL_EMEM;
}
sections[0].rva = newedi;
for(t = 1; t <= (uint32_t)sectcnt; t++)
sections[t].rva = cli_readint32(support + 8 + t * 4) - 1 - EC32(optional_hdr32.ImageBase);
free(support);
if((src = (char *) cli_malloc(ssize)) == NULL) {
free(exe_sections);
free(sections);
return CL_EMEM;
}
if(!cli_seeksect(desc, &exe_sections[i + 1]) || (unsigned int) cli_readn(desc, src, ssize) != ssize) {
cli_dbgmsg("Can't read raw data of section %d
", i);
free(exe_sections);
free(sections);
free(src);
return CL_EIO;
}
if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
free(exe_sections);
free(src);
free(sections);
return CL_EMEM;
}
oldep = vep + 161 + 6 + cli_readint32(epbuff+163);
cli_dbgmsg("FSG: found old EP @%x
", oldep);
CLI_UNPTEMP("FSG",(src,dest,sections,exe_sections,0));
CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(src,dest,sections,0));
break; /* were done with 1.33 */
}
while(found && (DCONF & PE_CONF_FSG) && epbuff[0] == 'xbb' && cli_readint32(epbuff + 1) - EC32(optional_hdr32.ImageBase) < min && epbuff[5] == 'xbf' && epbuff[10] == 'xbe' && vep >= exe_sections[i + 1].rva && vep - exe_sections[i + 1].rva > exe_sections[i + 1].rva - 0xe0 ) {
/* FSG support - v. 1.31 */
int sectcnt = 0;
uint32_t t;
uint32_t gp = cli_rawaddr(cli_readint32(epbuff+1) - EC32(optional_hdr32.ImageBase), NULL, 0 , &err, fsize, hdr_size);
char *support;
uint32_t newesi = cli_readint32(epbuff+11) - EC32(optional_hdr32.ImageBase);
uint32_t newedi = cli_readint32(epbuff+6) - EC32(optional_hdr32.ImageBase);
uint32_t oldep = vep - exe_sections[i + 1].rva;
struct cli_exe_section *sections;
ssize = exe_sections[i + 1].rsz;
dsize = exe_sections[i].vsz;
if(err) {
cli_dbgmsg("FSG: Support data out of padding area
");
break;
}
if(newesi < exe_sections[i + 1].rva || newesi - exe_sections[i + 1].rva >= exe_sections[i + 1].raw) {
cli_dbgmsg("FSG: Source buffer out of section bounds
");
break;
}
if(newedi != exe_sections[i].rva) {
cli_dbgmsg("FSG: Bad destination (is %x should be %x)
", newedi, exe_sections[i].rva);
break;
}
CLI_UNPSIZELIMITS("FSG", MAX(dsize, ssize));
if(ssize <= 0x19 || dsize <= ssize) {
cli_dbgmsg("FSG: Size mismatch (ssize: %d, dsize: %d)
", ssize, dsize);
free(exe_sections);
return CL_CLEAN;
}
lseek(desc, gp, SEEK_SET);
gp = exe_sections[i + 1].raw - gp;
CLI_UNPSIZELIMITS("FSG", gp)
if((support = (char *) cli_malloc(gp)) == NULL) {
free(exe_sections);
return CL_EMEM;
}
if(cli_readn(desc, support, gp) != (int)gp) {
cli_dbgmsg("Can't read %d bytes from padding area
", gp);
free(exe_sections);
free(support);
return CL_EIO;
}
/* Counting original sections */
for(t = 0; t < gp - 2; t += 2) {
uint32_t rva = support[t]|(support[t+1]<<8);
if (rva == 2 || rva == 1)
break;
rva = ((rva-2)<<12) - EC32(optional_hdr32.ImageBase);
sectcnt++;
if(rva < exe_sections[i].rva || rva - exe_sections[i].rva >= exe_sections[i].vsz) {
cli_dbgmsg("FSG: Original section %d is out of bounds
", sectcnt);
break;
}
}
if(t >= gp-10 || cli_readint32(support + t + 6) != 2) {
free(support);
break;
}
if((sections = (struct cli_exe_section *) cli_malloc((sectcnt + 1) * sizeof(struct cli_exe_section))) == NULL) {
free(exe_sections);
free(support);
return CL_EMEM;
}
sections[0].rva = newedi;
for(t = 0; t <= (uint32_t)sectcnt - 1; t++) {
sections[t+1].rva = (((support[t*2]|(support[t*2+1]<<8))-2)<<12)-EC32(optional_hdr32.ImageBase);
}
free(support);
if((src = (char *) cli_malloc(ssize)) == NULL) {
free(exe_sections);
free(sections);
return CL_EMEM;
}
if(!cli_seeksect(desc, &exe_sections[i + 1]) || (unsigned int) cli_readn(desc, src, ssize) != ssize) {
cli_dbgmsg("FSG: Can't read raw data of section %d
", i);
free(exe_sections);
free(sections);
free(src);
return CL_EIO;
}
if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
free(exe_sections);
free(src);
free(sections);
return CL_EMEM;
}
gp = 0xda + 6*(epbuff[16]=='xe8');
oldep = vep + gp + 6 + cli_readint32(src+gp+2+oldep);
cli_dbgmsg("FSG: found old EP @%x
", oldep);
CLI_UNPTEMP("FSG",(src,dest,sections,exe_sections,0));
CLI_UNPRESULTSFSG1("FSG",(unfsg_133(src + newesi - exe_sections[i + 1].rva, dest, ssize + exe_sections[i + 1].rva - newesi, dsize, sections, sectcnt, EC32(optional_hdr32.ImageBase), oldep, ndesc)),1,(src,dest,sections,0));
break; /* were done with 1.31 */
}
if(found && (DCONF & PE_CONF_UPX)) {
/* UPX support */
/* we assume (i + 1) is UPX1 */
ssize = exe_sections[i + 1].rsz;
dsize = exe_sections[i].vsz + exe_sections[i + 1].vsz;
CLI_UNPSIZELIMITS("UPX", MAX(dsize, ssize));
if(ssize <= 0x19 || dsize <= ssize || dsize > CLI_MAX_ALLOCATION ) {
cli_dbgmsg("UPX: Size mismatch or dsize too big (ssize: %d, dsize: %d)
", ssize, dsize);
free(exe_sections);
return CL_CLEAN;
}
if((src = (char *) cli_malloc(ssize)) == NULL) {
free(exe_sections);
return CL_EMEM;
}
if((dest = (char *) cli_calloc(dsize + 8192, sizeof(char))) == NULL) {
free(exe_sections);
free(src);
return CL_EMEM;
}
if(!cli_seeksect(desc, &exe_sections[i + 1]) || (unsigned int) cli_readn(desc, src, ssize) != ssize) {
cli_dbgmsg("UPX: Can't read raw data of section %d
", i+1);
free(exe_sections);
free(src);
free(dest);
return CL_EIO;
}
/* try to detect UPX code */
if(cli_memstr(UPX_NRV2B, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2B, 24, epbuff + 0x69 + 8, 13)) {
cli_dbgmsg("UPX: Looks like a NRV2B decompression routine
");
upxfn = upx_inflate2b;
} else if(cli_memstr(UPX_NRV2D, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2D, 24, epbuff + 0x69 + 8, 13)) {
cli_dbgmsg("UPX: Looks like a NRV2D decompression routine
");
upxfn = upx_inflate2d;
} else if(cli_memstr(UPX_NRV2E, 24, epbuff + 0x69, 13) || cli_memstr(UPX_NRV2E, 24, epbuff + 0x69 + 8, 13)) {
cli_dbgmsg("UPX: Looks like a NRV2E decompression routine
");
upxfn = upx_inflate2e;
}
if(upxfn) {
int skew = cli_readint32(epbuff + 2) - EC32(optional_hdr32.ImageBase) - exe_sections[i + 1].rva;
if(epbuff[1] != 'xbe' || skew <= 0 || skew > 0xfff) { /* FIXME: legit skews?? */
skew = 0;
if(upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)
upx_success = 1;
} else {
cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes
", skew);
if(upxfn(src + skew, ssize - skew, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep-skew) >= 0 || upxfn(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) >= 0)
upx_success = 1;
}
if(upx_success)
cli_dbgmsg("UPX: Successfully decompressed
");
else
cli_dbgmsg("UPX: Preferred decompressor failed
");
}
if(!upx_success && upxfn != upx_inflate2b) {
if(upx_inflate2b(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2b(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
cli_dbgmsg("UPX: NRV2B decompressor failed
");
} else {
upx_success = 1;
cli_dbgmsg("UPX: Successfully decompressed with NRV2B
");
}
}
if(!upx_success && upxfn != upx_inflate2d) {
if(upx_inflate2d(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2d(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
cli_dbgmsg("UPX: NRV2D decompressor failed
");
} else {
upx_success = 1;
cli_dbgmsg("UPX: Successfully decompressed with NRV2D
");
}
}
if(!upx_success && upxfn != upx_inflate2e) {
if(upx_inflate2e(src, ssize, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep) == -1 && upx_inflate2e(src + 0x15, ssize - 0x15, dest, &dsize, exe_sections[i].rva, exe_sections[i + 1].rva, vep - 0x15) == -1) {
cli_dbgmsg("UPX: NRV2E decompressor failed
");
} else {
upx_success = 1;
cli_dbgmsg("UPX: Successfully decompressed with NRV2E
");
}
}
if(!upx_success) {
cli_dbgmsg("UPX: All decompressors failed
");
free(src);
free(dest);
}
}
if(upx_success) {
free(src);
free(exe_sections);
CLI_UNPTEMP("UPX/FSG",(dest,0));
if((unsigned int) write(ndesc, dest, dsize) != dsize) {
cli_dbgmsg("UPX/FSG: Can't write %d bytes
", dsize);
free(tempfile);
free(dest);
close(ndesc);
return CL_EIO;
}
free(dest);
fsync(ndesc);
lseek(ndesc, 0, SEEK_SET);
if(cli_leavetemps_flag)
cli_dbgmsg("UPX/FSG: Decompressed data saved in %s
", tempfile);
cli_dbgmsg("***** Scanning decompressed file *****
");
//扫描解压后的文件
if((ret = cli_magic_scandesc(ndesc, ctx)) == CL_VIRUS) {
close(ndesc);
CLI_TMPUNLK();
free(tempfile);
return CL_VIRUS;
}
close(ndesc);
CLI_TMPUNLK();
free(tempfile);
return ret;
}
/* Petite */
if(epsize<200) {
free(exe_sections);
return CL_CLEAN;
}
found = 2;
if(epbuff[0] != 'xb8' || (uint32_t) cli_readint32(epbuff + 1) != exe_sections[nsections - 1].rva + EC32(optional_hdr32.ImageBase)) {
if(nsections < 2 || epbuff[0] != 'xb8' || (uint32_t) cli_readint32(epbuff + 1) != exe_sections[nsections - 2].rva + EC32(optional_hdr32.ImageBase))
found = 0;
else
found = 1;
}
if(found && (DCONF & PE_CONF_PETITE)) {
cli_dbgmsg("Petite: v2.%d compression detected
", found);
if(cli_readint32(epbuff + 0x80) == 0x163c988d) {
cli_dbgmsg("Petite: level zero compression is not supported yet
");
} else {
dsize = max - min;
CLI_UNPSIZELIMITS("Petite", dsize);
if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {
cli_dbgmsg("Petite: Can't allocate %d bytes
", dsize);
free(exe_sections);
return CL_EMEM;
}
for(i = 0 ; i < nsections; i++) {
if(exe_sections[i].raw) {
if(!cli_seeksect(desc, &exe_sections[i]) || (unsigned int) cli_readn(desc, dest + exe_sections[i].rva - min, exe_sections[i].ursz) != exe_sections[i].ursz) {
free(exe_sections);
free(dest);
return CL_CLEAN;
}
}
}
CLI_UNPTEMP("Petite",(dest,exe_sections,0));
CLI_UNPRESULTS("Petite",(petite_inflate2x_1to9(dest, min, max - min, exe_sections, nsections - (found == 1 ? 1 : 0), EC32(optional_hdr32.ImageBase),vep, ndesc, found, EC32(optional_hdr32.DataDirectory[2].VirtualAddress),EC32(optional_hdr32.DataDirectory[2].Size))),0,(dest,0));
}
}
/* PESpin 1.1 */
if((DCONF & PE_CONF_PESPIN) && nsections > 1 &&
vep >= exe_sections[nsections - 1].rva &&
vep < exe_sections[nsections - 1].rva + exe_sections[nsections - 1].rsz - 0x3217 - 4 &&
memcmp(epbuff+4, "xe8x00x00x00x00x8bx1cx24x83xc3", 10) == 0) {
char *spinned;
CLI_UNPSIZELIMITS("PEspin", fsize);
if((spinned = (char *) cli_malloc(fsize)) == NULL) {
free(exe_sections);
return CL_EMEM;
}
lseek(desc, 0, SEEK_SET);
if((size_t) cli_readn(desc, spinned, fsize) != fsize) {
cli_dbgmsg("PESpin: Can't read %lu bytes
", (unsigned long)fsize);
free(spinned);
free(exe_sections);
return CL_EIO;
}
CLI_UNPTEMP("PESpin",(spinned,exe_sections,0));
CLI_UNPRESULTS_("PEspin",SPINCASE(),(unspin(spinned, fsize, exe_sections, nsections - 1, vep, ndesc, ctx)),0,(spinned,0));
}
/* yC 1.3 */
if((DCONF & PE_CONF_YC) && nsections > 1 &&
EC32(optional_hdr32.AddressOfEntryPoint) == exe_sections[nsections - 1].rva + 0x60 &&
memcmp(epbuff, "x55x8BxECx53x56x57x60xE8x00x00x00x00x5Dx81xEDx6Cx28x40x00xB9x5Dx34x40x00x81xE9xC6x28x40x00x8BxD5x81xC2xC6x28x40x00x8Dx3Ax8BxF7x33xC0xEBx04x90xEBx01xC2xAC", 51) == 0 && fsize >= exe_sections[nsections - 1].raw + 0xC6 + 0xb97) {
char *spinned;
if((spinned = (char *) cli_malloc(fsize)) == NULL) {
free(exe_sections);
return CL_EMEM;
}
lseek(desc, 0, SEEK_SET);
if((size_t) cli_readn(desc, spinned, fsize) != fsize) {
cli_dbgmsg("yC: Can't read %lu bytes
", (unsigned long)fsize);
free(spinned);
free(exe_sections);
return CL_EIO;
}
CLI_UNPTEMP("yC",(spinned,exe_sections,0));
CLI_UNPRESULTS("yC",(yc_decrypt(spinned, fsize, exe_sections, nsections-1, e_lfanew, ndesc)),0,(spinned,0));
}
/* WWPack */
while ((DCONF & PE_CONF_WWPACK) && nsections > 1 &&
vep == exe_sections[nsections - 1].rva &&
memcmp(epbuff, "x53x55x8bxe8x33xdbxeb", 7) == 0 &&
memcmp(epbuff+0x68, "xe8x00x00x00x00x58x2dx6dx00x00x00x50x60x33xc9x50x58x50x50", 19) == 0) {
uint32_t head = exe_sections[nsections - 1].raw;
uint8_t *packer;
ssize = 0;
for(i=0 ; ; i++) {
if(exe_sections[i].raw<head)
head=exe_sections[i].raw;
if(i==nsections-1) break;
if(ssize<exe_sections[i].rva+exe_sections[i].vsz)
ssize=exe_sections[i].rva+exe_sections[i].vsz;
}
if(!head || !ssize || head>ssize) break;
CLI_UNPSIZELIMITS("WWPack", ssize);
if(!(src=(char *)cli_calloc(ssize, sizeof(char)))) {
free(exe_sections);
return CL_EMEM;
}
lseek(desc, 0, SEEK_SET);
if((size_t) cli_readn(desc, src, head) != head) {
cli_dbgmsg("WWPack: Can't read %d bytes from headers
", head);
free(src);
free(exe_sections);
return CL_EIO;
}
for(i = 0 ; i < (unsigned int)nsections-1; i++) {
if(!exe_sections[i].rsz) continue;
if(!cli_seeksect(desc, &exe_sections[i])) break;
if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz)) break;
if(cli_readn(desc, src+exe_sections[i].rva, exe_sections[i].rsz)!=exe_sections[i].rsz) break;
}
if(i!=nsections-1) {
cli_dbgmsg("WWpack: Probably hacked/damaged file.
");
free(src);
break;
}
if((packer = (uint8_t *) cli_calloc(exe_sections[nsections - 1].rsz, sizeof(char))) == NULL) {
free(src);
free(exe_sections);
return CL_EMEM;
}
if(!cli_seeksect(desc, &exe_sections[nsections - 1]) || (size_t) cli_readn(desc, packer, exe_sections[nsections - 1].rsz) != exe_sections[nsections - 1].rsz) {
cli_dbgmsg("WWPack: Can't read %d bytes from wwpack sect
", exe_sections[nsections - 1].rsz);
free(src);
free(packer);
free(exe_sections);
return CL_EIO;
}
CLI_UNPTEMP("WWPack",(src,packer,exe_sections,0));
CLI_UNPRESULTS("WWPack",(wwunpack((uint8_t *)src, ssize, packer, exe_sections, nsections-1, e_lfanew, ndesc)),0,(src,packer,0));
break;
}
/* ASPACK support */
while((DCONF & PE_CONF_ASPACK) && ep+58+0x70e < fsize && !memcmp(epbuff,"x60xe8x03x00x00x00xe9xeb",8)) {
if(epsize<0x3bf || memcmp(epbuff+0x3b9, "x68x00x00x00x00xc3",6)) break;
ssize = 0;
for(i=0 ; i< nsections ; i++)
if(ssize<exe_sections[i].rva+exe_sections[i].vsz)
ssize=exe_sections[i].rva+exe_sections[i].vsz;
if(!ssize) break;
CLI_UNPSIZELIMITS("Aspack", ssize);
if(!(src=(char *)cli_calloc(ssize, sizeof(char)))) {
free(exe_sections);
return CL_EMEM;
}
for(i = 0 ; i < (unsigned int)nsections; i++) {
if(!exe_sections[i].rsz) continue;
if(!cli_seeksect(desc, &exe_sections[i])) break;
if(!CLI_ISCONTAINED(src, ssize, src+exe_sections[i].rva, exe_sections[i].rsz)) break;
if(cli_readn(desc, src+exe_sections[i].rva, exe_sections[i].rsz)!=exe_sections[i].rsz) break;
}
if(i!=nsections) {
cli_dbgmsg("Aspack: Probably hacked/damaged Aspack file.
");
free(src);
break;
}
CLI_UNPTEMP("Aspack",(src,exe_sections,0));
CLI_UNPRESULTS("Aspack",(unaspack212((uint8_t *)src, ssize, exe_sections, nsections, vep-1, EC32(optional_hdr32.ImageBase), ndesc)),1,(src,0));
break;
}
/* NsPack */
while (DCONF & PE_CONF_NSPACK) {
uint32_t eprva = vep;
uint32_t start_of_stuff, ssize, dsize, rep = ep;
unsigned int nowinldr;
char nbuff[24];
char *src=epbuff, *dest;
if (*epbuff=='xe9') { /* bitched headers */
eprva = cli_readint32(epbuff+1)+vep+5;
if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err) break;
if (lseek(desc, rep, SEEK_SET)==-1) break;
if (cli_readn(desc, nbuff, 24)!=24) break;
src = nbuff;
}
if (memcmp(src, "x9cx60xe8x00x00x00x00x5dxb8x07x00x00x00", 13)) break;
nowinldr = 0x54-cli_readint32(src+17);
cli_dbgmsg("NsPack: Found *start_of_stuff @delta-%x
", nowinldr);
if (lseek(desc, rep-nowinldr, SEEK_SET)==-1) break;
if (cli_readn(desc, nbuff, 4)!=4) break;
start_of_stuff=rep+cli_readint32(nbuff);
if (lseek(desc, start_of_stuff, SEEK_SET)==-1) break;
if (cli_readn(desc, nbuff, 20)!=20) break;
src = nbuff;
if (!cli_readint32(nbuff)) {
start_of_stuff+=4; /* FIXME: more to do */
src+=4;
}
ssize = cli_readint32(src+5)|0xff;
dsize = cli_readint32(src+9);
CLI_UNPSIZELIMITS("NsPack", MAX(ssize,dsize));
if ( !ssize || !dsize || dsize != exe_sections[0].vsz) break;
if (lseek(desc, start_of_stuff, SEEK_SET)==-1) break;
if (!(dest=cli_malloc(dsize))) break;
/* memset(dest, 0xfc, dsize); */
if (!(src=cli_malloc(ssize))) {
free(dest);
break;
}
/* memset(src, 0x00, ssize); */
cli_readn(desc, src, ssize);
eprva+=0x27a;
if (!(rep = cli_rawaddr(eprva, exe_sections, nsections, &err, fsize, hdr_size)) && err) {
free(dest);
free(src);
break;
}
if (lseek(desc, rep, SEEK_SET)==-1) {
free(dest);
free(src);
break;
}
if (cli_readn(desc, nbuff, 5)!=5) {
free(dest);
free(src);
break;
}
eprva=eprva+5+cli_readint32(nbuff+1);
cli_dbgmsg("NsPack: OEP = %08x
", eprva);
CLI_UNPTEMP("NsPack",(src,dest,exe_sections,0));
CLI_UNPRESULTS("NsPack",(unspack(src, dest, ctx, exe_sections[0].rva, EC32(optional_hdr32.ImageBase), eprva, ndesc)),0,(src,dest,0));
break;
}
/* to be continued ... */
free(exe_sections);
return CL_CLEAN;
}