| Autor |
Beitrag |
mohfa 
Beiträge: 17
|
Verfasst: So 21.02.10 19:50
Ok Sir BenBE here it's :
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
| procedure scan_file(name: String;log:TStrings);
var
cfile, map: THandle; mymap: Pointer;
startrange, endrange, i, loc, temp_loc, upa: DWORD; where_ctx, caller, sv: DWORD; pMZ: PIMAGE_DOS_HEADER;
pPE: PIMAGE_NT_HEADERS;
pSH, pSHC: PIMAGE_SECTION_HEADER;
temp_name: String;
sections: WORD;
count: Integer;
secname:pchar;
label error_mode1, error_mode2, error_mode3, error_mode4;
begin
startrange := 0;
endrange := 0;
i := 0;
loc := 0;
temp_loc := 0;
upa := 0;
where_ctx := 0;
caller := 0;
sv := 0;
pMZ := nil;
pPE := nil;
pSH := nil;
pSHC := nil;
temp_name := TEMP_FILE_NAME;
if not CopyFile(pchar(name),pchar(temp_name),FALSE) then
begin
log.Add(Format('[-] Error: copying file failed - no future disinfection possible, error: %d', [GetLastError()]));
end;
cfile := CreateFile(PChar(name), GENERIC_READ or FILE_SHARE_READ or FILE_SHARE_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if cfile = INVALID_HANDLE_VALUE then
begin
log.Add(Format('[-] Error: Cannot open file - error: %d',[GetLastError()]));
goto error_mode1;
end;
map := CreateFileMapping(cfile, nil, PAGE_READWRITE or SEC_COMMIT, 0,0, 0);
if map = 0 then
begin
log.Add(Format('[-] Error: Cannot create map of file - error: %d',[GetLastError()]));
goto error_mode2;
end;
mymap := MapViewOfFile(map,FILE_MAP_ALL_ACCESS,0,0,0);
if mymap = nil then
begin
log.Add(format('"[-] Error: Cannot create map view of file - error: %d\n"',[GetLastError()]));
goto error_mode3;
end;
pMZ := PIMAGE_DOS_HEADER(mymap);
if pMZ^.e_magic <> IMAGE_DOS_SIGNATURE then
begin
log.Add('[-] Error: Bad MZ signature');
goto error_mode4;
end;
pPE := PIMAGE_NT_HEADERS(DWORD(mymap) + pMZ^.e_lfanew);
if IsBadReadPtr(pPE, sizeof(PIMAGE_NT_HEADERS)) then
begin
log.Add('[-] Error: Bad PE file');
goto error_mode4;
end;
if (pPE^.Signature <> IMAGE_NT_SIGNATURE) or (pPE^.FileHeader.NumberOfSections = 0) then
begin
log.Add('[-] Error: Bad PE file');
goto error_mode4;
end;
if (pPE^.OptionalHeader.ImageBase <= 0) or (pPE^.OptionalHeader.AddressOfEntryPoint <= 0) or (pPE^.FileHeader.NumberOfSections <= 0) then
begin
log.Add('[-] Error: Bad PE file\n');
goto error_mode4;
end;
log.Add(Format('[+] Imagebase: 0x%.08x - Entrypoint: 0x%.08x (0x%.08x)\n', [pPE^.OptionalHeader.ImageBase, pPE^.OptionalHeader.AddressOfEntryPoint, pPE^.OptionalHeader.ImageBase + pPE^.OptionalHeader.AddressOfEntryPoint]));
sections := pPE^.FileHeader.NumberOfSections;
pSH := PIMAGE_SECTION_HEADER(DWORD(mymap)+pMZ^.e_lfanew + sizeof(IMAGE_NT_HEADERS));
while sections<>0
do
begin
if IsBadReadPtr(@pSH,sizeof(PIMAGE_SECTION_HEADER))=true
then
begin
log.Add('[-] Error: Bad PE file'#13#10'');
UnmapViewOfFile(mymap);
end;
secname:=(pSH^.Name);
if (secname = nil)then strcopy(secname,'NONAME');
startrange:=DWORD(pSH^.VirtualAddress+pPE^.OptionalHeader.ImageBase);
endrange:=DWORD(startrange + pSH^.Misc.VirtualSize);
if ((startrange<=0)or(startrange<=pPE^.OptionalHeader.ImageBase)or(endrange<=0)or(pPE^.OptionalHeader.ImageBase<=0)or(pSH^.Misc.PhysicalAddress<0)or(pSH^.SizeOfRawData<0 )) then
begin
log.Add(format('"[-] Error: The %s section is broken\n"',[secname]));
goto error_mode4;
end;
if ((pSH^.VirtualAddress<=pPE^.OptionalHeader.AddressOfEntryPoint)and(pPE^.OptionalHeader.AddressOfEntryPoint<pSH^.VirtualAddress+pSH^.Misc.VirtualSize))
then
begin
log.Add(format('"[+] Checking call/jump requests from %s section (EP)\n"',[secname]));
pSHC := pSH;
end;
begin
inc(pSH);
Dec(sections);
end;
Dec(pSH);
if (pSHC = nil)
then
begin
log.Add('Error: invalid entrypoint');
exit;
goto error_mode4;
end;
log.Add(format('"[+] Starting heuristics scan on %s section.."',[pSHC^.Name]));
if (pSHC = pSH)
then
begin
log.Add(format('"[!] Alert: file %s Entrypoint points to last section (%s) -> 0x%.08x\n"',[name,pSH^.Name,pPE^.OptionalHeader.AddressOfEntryPoint + pPE^.OptionalHeader.ImageBase]));
log.Add(format('[!] Alert: The file %s may be infected!',[name]));
log.Add('[+] No deep-scan action was performed');
goto error_mode4;
end;
log.Add(format('"[+] Starting from offset: 0x%.08x\n"',[pPE^.OptionalHeader.ImageBase + pSHC^.VirtualAddress]));
for i := 0 to pSHC^.SizeOfRawData - 1 do
begin
loc := DWORD(DWORD(mymap) + pSHC^.PointerToRawData) + i;
if ((((BYTE(loc)) = O_CALL) or ((BYTE(loc)) = O_JMP )))
then
begin
inc(loc);
temp_loc:= (DWORD(((DWORD(pSHC^.VirtualAddress) + i + ((DWORD(loc))))))) + 5;
if ((temp_loc>=pSH^.VirtualAddress)and(temp_loc<=pSH^.VirtualAddress+pSH^.Misc.VirtualSize))
then
begin
log.Add(format('-------->[!] Alert: file %s Detected request to %s(0x%.08x) section at: 0x%.08x'#13#10'',[name,pSH^.Name,pPE^.OptionalHeader.ImageBase+temp_loc,pSHC^.VirtualAddress+pPE^.OptionalHeader.ImageBase+i]));
if where_ctx=0
then
begin
where_ctx:= (pPE^.OptionalHeader.ImageBase+temp_loc);
caller:= (pSHC^.VirtualAddress+pPE^.OptionalHeader.ImageBase+i);
upa:= (pSH^.VirtualAddress+pPE^.OptionalHeader.ImageBase);
sv:= loc-1;
end;
inc(count);
end;
dec(loc);
end;
end;
log.Add(format('"[+] Scan finished, %d suspected instruction(s) found.\n"',[count]));
if (count = 0)
then
begin
log.Add(Format('"--------->[!] Warning: the file may be infected!\n %s"',[name]));
log.Add('"\n[?] Do you want to try dis-infect the file?\n"');
log.Add(Format('"---------> [?] Warning: the file may be executed if this is not the CTX.Phage\n %s "',[name]));
log.Add('" infection.\n"');
log.Add('"[?] Disinfect: (y)es / (n)o ? \n"');
end;
end;
error_mode4:
UnmapViewOfFile(mymap);
error_mode3:
CloseHandle(map);
error_mode2:
CloseHandle(cfile);
error_mode1:
DeleteFile(temp_name);
end; |
|
|
BenBE
 
Beiträge: 8721
Erhaltene Danke: 191
Win95, Win98SE, Win2K, WinXP
D1S, D3S, D4S, D5E, D6E, D7E, D9PE, D10E, D12P, DXEP, L0.9\FPC2.0
|
Verfasst: So 21.02.10 20:31
Okay, when I didn't screw something up when changing the resource allocations this should do the trick:
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
| Procedure scan_file(name: String; log: TStrings);
Var
cfile, map: THandle; mymap: Pointer;
startrange, endrange, i, loc, temp_loc, upa: DWORD; where_ctx, caller, sv: DWORD; pMZ: PIMAGE_DOS_HEADER;
pPE: PIMAGE_NT_HEADERS;
pSH, pSHC: PIMAGE_SECTION_HEADER;
temp_name: String;
sections: WORD;
count: Integer;
secname: PChar;
Begin
startrange := 0;
endrange := 0;
i := 0;
loc := 0;
temp_loc := 0;
upa := 0;
where_ctx := 0;
caller := 0;
sv := 0;
pMZ := Nil;
pPE := Nil;
pSH := Nil;
pSHC := Nil;
temp_name := TEMP_FILE_NAME;
If Not CopyFile(pchar(name), pchar(temp_name), FALSE) Then
Begin
log.Add(Format('[-] Error: copying file failed - no future disinfection possible, error: %d', [GetLastError()]));
End;
Try
cfile := CreateFile(PChar(name), GENERIC_READ Or FILE_SHARE_READ Or FILE_SHARE_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
If cfile = INVALID_HANDLE_VALUE Then
Begin
log.Add(Format('[-] Error: Cannot open file - error: %d', [GetLastError()]));
exit;
End;
Try
map := CreateFileMapping(cfile, Nil, PAGE_READWRITE Or SEC_COMMIT, 0, 0, 0);
If map = 0 Then
Begin
log.Add(Format('[-] Error: Cannot create map of file - error: %d', [GetLastError()]));
exit;
End;
Try
mymap := MapViewOfFile(map, FILE_MAP_ALL_ACCESS, 0, 0, 0);
If mymap = Nil Then
Begin
log.Add(format('"[-] Error: Cannot create map view of file - error: %d\n"', [GetLastError()]));
exit;
End;
Try
pMZ := PIMAGE_DOS_HEADER(mymap);
If pMZ^.e_magic <> IMAGE_DOS_SIGNATURE Then
Begin
log.Add('[-] Error: Bad MZ signature');
exit;
End;
pPE := PIMAGE_NT_HEADERS(DWORD(mymap) + pMZ^.e_lfanew);
If IsBadReadPtr(pPE, sizeof(PIMAGE_NT_HEADERS)) Then Begin
log.Add('[-] Error: Bad PE file');
exit;
End;
If (pPE^.Signature <> IMAGE_NT_SIGNATURE) Or (pPE^.FileHeader.NumberOfSections = 0) Then
Begin
log.Add('[-] Error: Bad PE file');
exit;
End;
If (pPE^.OptionalHeader.ImageBase <= 0) Or (pPE^.OptionalHeader.AddressOfEntryPoint <= 0) Or (pPE^.FileHeader.NumberOfSections <= 0) Then
Begin
log.Add('[-] Error: Bad PE file\n');
exit;
End;
log.Add(Format('[+] Imagebase: 0x%.08x - Entrypoint: 0x%.08x (0x%.08x)\n', [pPE^.OptionalHeader.ImageBase, pPE^.OptionalHeader.AddressOfEntryPoint, pPE^.OptionalHeader.ImageBase + pPE^.OptionalHeader.AddressOfEntryPoint]));
sections := pPE^.FileHeader.NumberOfSections;
pSH := PIMAGE_SECTION_HEADER(DWORD(mymap) + pMZ^.e_lfanew + sizeof(IMAGE_NT_HEADERS));
While sections <> 0 Do
Begin
If IsBadReadPtr(@pSH, sizeof(PIMAGE_SECTION_HEADER)) = true Then
Begin
log.Add('[-] Error: Bad PE file'#13#10'');
UnmapViewOfFile(mymap);
End;
secname := pSH^.Name;
If secname = Nil Then
strcopy(secname, 'NONAME');
startrange := DWORD(pSH^.VirtualAddress + pPE^.OptionalHeader.ImageBase);
endrange := DWORD(startrange + pSH^.Misc.VirtualSize);
If (startrange <= 0) Or (startrange <= pPE^.OptionalHeader.ImageBase) Or (endrange <= 0) Or (pPE^.OptionalHeader.ImageBase <= 0) Or (pSH^.Misc.PhysicalAddress < 0) Or (pSH^.SizeOfRawData < 0) Then
Begin
log.Add(format('"[-] Error: The %s section is broken\n"', [secname]));
Exit;
End;
If ((pSH^.VirtualAddress <= pPE^.OptionalHeader.AddressOfEntryPoint) And (pPE^.OptionalHeader.AddressOfEntryPoint < pSH^.VirtualAddress + pSH^.Misc.VirtualSize)) Then
Begin
log.Add(format('"[+] Checking call/jump requests from %s section (EP)\n"', [secname]));
pSHC := pSH;
End;
Begin
inc(pSH);
Dec(sections);
End;
Dec(pSH);
If (pSHC = Nil) Then
Begin
log.Add('Error: invalid entrypoint');
exit;
End;
log.Add(format('"[+] Starting heuristics scan on %s section.."', [pSHC^.Name]));
If (pSHC = pSH) Then
Begin
log.Add(format('"[!] Alert: file %s Entrypoint points to last section (%s) -> 0x%.08x\n"', [name, pSH^.Name, pPE^.OptionalHeader.AddressOfEntryPoint + pPE^.OptionalHeader.ImageBase]));
log.Add(format('[!] Alert: The file %s may be infected!', [name]));
log.Add('[+] No deep-scan action was performed');
Exit;
End;
log.Add(format('"[+] Starting from offset: 0x%.08x\n"', [pPE^.OptionalHeader.ImageBase + pSHC^.VirtualAddress]));
For i := 0 To pSHC^.SizeOfRawData - 1 Do
Begin
loc := DWORD(DWORD(mymap) + pSHC^.PointerToRawData) + i;
If ((((BYTE(loc)) = O_CALL) Or ((BYTE(loc)) = O_JMP))) Then
Begin
inc(loc);
temp_loc := (DWORD(((DWORD(pSHC^.VirtualAddress) + i + ((DWORD(loc))))))) + 5;
If ((temp_loc >= pSH^.VirtualAddress) And (temp_loc <= pSH^.VirtualAddress + pSH^.Misc.VirtualSize)) Then
Begin
log.Add(format('-------->[!] Alert: file %s Detected request to %s(0x%.08x) section at: 0x%.08x'#13#10'', [name, pSH^.Name, pPE^.OptionalHeader.ImageBase + temp_loc, pSHC^.VirtualAddress + pPE^.OptionalHeader.ImageBase + i]));
If where_ctx = 0 Then
Begin
where_ctx := (pPE^.OptionalHeader.ImageBase + temp_loc);
caller := (pSHC^.VirtualAddress + pPE^.OptionalHeader.ImageBase + i);
upa := (pSH^.VirtualAddress + pPE^.OptionalHeader.ImageBase);
sv := loc - 1;
End;
inc(count);
End;
dec(loc);
End;
End;
log.Add(format('"[+] Scan finished, %d suspected instruction(s) found.\n"', [count]));
If (count = 0) Then
Begin
log.Add(Format('"--------->[!] Warning: the file may be infected!\n %s"', [name]));
log.Add('"\n[?] Do you want to try dis-infect the file?\n"');
log.Add(Format('"---------> [?] Warning: the file may be executed if this is not the CTX.Phage\n %s "', [name]));
log.Add('" infection.\n"');
log.Add('"[?] Disinfect: (y)es / (n)o ? \n"');
End;
End;
Finally
UnmapViewOfFile(mymap);
End;
Finally
CloseHandle(map);
End;
Finally
CloseHandle(cfile);
End;
Finally
DeleteFile(temp_name);
End;
End; |
Please note the one single statement block I added a comment ... There seems to be something missing OR the block statements around those instructions should be removed. _________________ Anyone who is capable of being elected president should on no account be allowed to do the job.
Ich code EdgeMonkey - In dubio pro Setting.
|
|
|
