[Minor] Magic: try avoid false positive exe detection

author Andrew Lewis <nerf@judo.za.org>

Mon, 4 Jan 2021 11:41:04 +0000 (13:41 +0200)

committer Andrew Lewis <nerf@judo.za.org>

Mon, 4 Jan 2021 11:41:04 +0000 (13:41 +0200)
author Andrew Lewis <nerf@judo.za.org>
Mon, 4 Jan 2021 11:41:04 +0000 (13:41 +0200)
committer Andrew Lewis <nerf@judo.za.org>
Mon, 4 Jan 2021 11:41:04 +0000 (13:41 +0200)
diff --git a/lualib/lua_magic/heuristics.lua b/lualib/lua_magic/heuristics.lua

index d9a7702a41bda0e313b8847f53292843c5a1c3c4..fb0a4b7c213b8ad44f74b1233cec6010e4064a90 100644 (file)
--- a/lualib/lua_magic/heuristics.lua
+++ b/lualib/lua_magic/heuristics.lua
@@ -471,4 +471,22 @@ exports.pdf_format_heuristic = function(input, log_obj, pos, part)
    return 'pdf',weight
  end
  
+exports.pe_part_heuristic = function(input, log_obj, pos, part)
+  if not input then
+    return
+  end
+
+  local pe_ptr_bin = input:sub(60, 64)
+  if #pe_ptr_bin ~= 4 then
+    return
+  end
+
+  local pe_ptr = rspamd_util.unpack("<H", pe_ptr_bin)
+  if pe_ptr ~= pos then
+    return
+  end
+
+  return 'exe',15
+end
+
  return exports
diff --git a/lualib/lua_magic/patterns.lua b/lualib/lua_magic/patterns.lua

index 5e62b47f981302fcf38b3de98f0b5d8b4188f482..8bdc7ea443639dfe90f18cd591b43a222524db4a 100644 (file)
--- a/lualib/lua_magic/patterns.lua
+++ b/lualib/lua_magic/patterns.lua
@@ -105,6 +105,7 @@ local patterns = {
          string = [[PE\x{00}\x{00}]],
          position = {'>=', 0x3c + 4},
          weight = 15,
+        heuristic = heuristics.pe_part_heuristic,
        }
      }
    },
@@ -458,4 +459,4 @@ local patterns = {
    },
  }
  
-return patterns
-\ No newline at end of file
+return patterns
author	Andrew Lewis <nerf@judo.za.org>
	Mon, 4 Jan 2021 11:41:04 +0000 (13:41 +0200)
committer	Andrew Lewis <nerf@judo.za.org>
	Mon, 4 Jan 2021 11:41:04 +0000 (13:41 +0200)
lualib/lua_magic/heuristics.lua		patch \| blob \| blame \| history
lualib/lua_magic/patterns.lua		patch \| blob \| blame \| history