Added parser for alz files

Cisco-Talos · Feb 27, 2024 · 8c0442e · 8c0442e
1 parent 17c9f5b
commit 8c0442e
Show file tree

Hide file tree

Showing 25 changed files with 874 additions and 0 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/clamd/server-th.c b/clamd/server-th.c
@@ -1298,6 +1298,13 @@ int recvloop(int *socketds, unsigned nsockets, struct cl_engine *engine, unsigne
         logg(LOGG_INFO, "OneNote support disabled.\n");
     }
 
+    if (optget(opts, "ScanAlz")->enabled) {
+        logg(LOGG_INFO, "Alz support enabled.\n");
+        options.parse |= CL_SCAN_PARSE_ALZ;
+    } else {
+        logg(LOGG_INFO, "Alz support disabled.\n");
+    }
+
     if (optget(opts, "PhishingScanURLs")->enabled) {
         /* TODO: Remove deprecated option in a future feature release */
         if ((optget(opts, "PhishingAlwaysBlockCloak")->enabled) ||

diff --git a/clamscan/clamscan.c b/clamscan/clamscan.c
@@ -305,6 +305,7 @@ void help(void)
     mprintf(LOGG_INFO, "    --scan-xmldocs[=yes(*)/no]           Scan xml-based document files\n");
     mprintf(LOGG_INFO, "    --scan-hwp3[=yes(*)/no]              Scan HWP3 files\n");
     mprintf(LOGG_INFO, "    --scan-onenote[=yes(*)/no]           Scan OneNote files\n");
+    mprintf(LOGG_INFO, "    --scan-alz[=yes(*)/no]               Scan alz files\n");
     mprintf(LOGG_INFO, "    --scan-archive[=yes(*)/no]           Scan archive files (supported by libclamav)\n");
     mprintf(LOGG_INFO, "    --alert-broken[=yes/no(*)]           Alert on broken executable files (PE & ELF)\n");
     mprintf(LOGG_INFO, "    --alert-broken-media[=yes/no(*)]     Alert on broken graphics files (JPEG, TIFF, PNG, GIF)\n");

diff --git a/clamscan/manager.c b/clamscan/manager.c
@@ -1555,6 +1555,11 @@ int scanmanager(const struct optstruct *opts)
     if (optget(opts, "scan-onenote")->enabled)
         options.parse |= CL_SCAN_PARSE_ONENOTE;
 
+    if (optget(opts, "scan-alz")->enabled) {
+        /*TODO: Consider just having this for archives.*/
+        options.parse |= CL_SCAN_PARSE_ALZ;
+    }
+
     /* TODO: Remove deprecated option in a future feature release */
     if ((optget(opts, "algorithmic-detection")->enabled) && /* && used due to default-yes for both options */
         (optget(opts, "heuristic-alerts")->enabled)) {

diff --git a/common/optparser.c b/common/optparser.c
@@ -436,6 +436,8 @@ const struct clam_option __clam_options[] = {
 
     {"ScanOneNote", "scan-onenote", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option enables scanning OneNote files.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes"},
 
+    {"ScanAlz", "scan-alz", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option enables scanning Alz files.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes"},
+
     {"ScanArchive", "scan-archive", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Scan within archives and compressed files.\nIf you turn off this option, the original files will still be scanned, but\nwithout unpacking and additional processing.", "yes"},
 
     {"ForceToDisk", "force-to-disk", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option causes memory or nested map scans to dump the content to disk.\nIf you turn on this option, more data is written to disk and is available\nwhen the leave-temps option is enabled at the cost of more disk writes.", "no"},

diff --git a/libclamav/clamav.h b/libclamav/clamav.h
@@ -181,6 +181,7 @@ struct cl_scan_options {
 #define CL_SCAN_PARSE_HTML                          0x100
 #define CL_SCAN_PARSE_PE                            0x200
 #define CL_SCAN_PARSE_ONENOTE                       0x400
+#define CL_SCAN_PARSE_ALZ                           0x800
 
 /* heuristic alerting options */
 #define CL_SCAN_HEURISTIC_BROKEN                    0x2    /* alert on broken PE and broken ELF files */

diff --git a/libclamav/dconf.c b/libclamav/dconf.c
@@ -107,6 +107,7 @@ static struct dconf_module modules[] = {
     {"ARCHIVE", "APM", ARCH_CONF_APM, 1},
     {"ARCHIVE", "EGG", ARCH_CONF_EGG, 1},
     {"ARCHIVE", "UDF", ARCH_CONF_UDF, 1},
+    {"ARCHIVE", "ALZ", ARCH_CONF_ALZ, 1},
 
     {"DOCUMENT", "HTML", DOC_CONF_HTML, 1},
     {"DOCUMENT", "RTF", DOC_CONF_RTF, 1},

diff --git a/libclamav/dconf.h b/libclamav/dconf.h
@@ -97,6 +97,7 @@ struct cli_dconf {
 #define ARCH_CONF_APM     0x2000000
 #define ARCH_CONF_EGG     0x4000000
 #define ARCH_CONF_UDF     0x8000000
+#define ARCH_CONF_ALZ     0x10000000
 
 /* Document flags */
 #define DOC_CONF_HTML         0x1

diff --git a/libclamav/filetypes.c b/libclamav/filetypes.c
@@ -138,6 +138,7 @@ static const struct ftmap_s {
     { "CL_TYPE_EGG",                CL_TYPE_EGG             },
     { "CL_TYPE_EGGSFX",             CL_TYPE_EGGSFX          },
     { "CL_TYPE_UDF",                CL_TYPE_UDF             },
+    { "CL_TYPE_ALZ",                CL_TYPE_ALZ             },
     { "CL_TYPE_ONENOTE",            CL_TYPE_ONENOTE         },
     { "CL_TYPE_PYTHON_COMPILED",    CL_TYPE_PYTHON_COMPILED },
     { NULL,                         CL_TYPE_IGNORED         }

diff --git a/libclamav/filetypes.h b/libclamav/filetypes.h
@@ -125,6 +125,7 @@ typedef enum cli_file {
     CL_TYPE_MHTML,
     CL_TYPE_LNK,
     CL_TYPE_UDF,
+    CL_TYPE_ALZ,
     CL_TYPE_OTHER,  /* on-the-fly, used for target 14 (OTHER) */
     CL_TYPE_IGNORED /* please don't add anything below */
 } cli_file_t;

diff --git a/libclamav/filetypes_int.h b/libclamav/filetypes_int.h
@@ -298,5 +298,6 @@ static const char *ftypes_int[] = {
     "0:0:00010d0a:PyPy 3.8 byte-compiled (.pyc):CL_TYPE_ANY:CL_TYPE_PYTHON_COMPILED:200",
     "0:0:50010d0a:PyPy 3.9 byte-compiled (.pyc):CL_TYPE_ANY:CL_TYPE_PYTHON_COMPILED:200",
     "1:0:??0d0d0a:Python 3.7 or newer byte-compiled (.pyc):CL_TYPE_ANY:CL_TYPE_PYTHON_COMPILED:200",
+    "0:0:414c5a01:ALZ:CL_TYPE_ANY:CL_TYPE_ALZ:210", 
     NULL};
 #endif
diff --git a/libclamav/others.h b/libclamav/others.h
@@ -570,6 +570,7 @@ extern LIBCLAMAV_EXPORT int have_rar;
 #define SCAN_PARSE_HTML (ctx->options->parse & CL_SCAN_PARSE_HTML)
 #define SCAN_PARSE_PE (ctx->options->parse & CL_SCAN_PARSE_PE)
 #define SCAN_PARSE_ONENOTE (ctx->options->parse & CL_SCAN_PARSE_ONENOTE)
+#define SCAN_PARSE_ALZ (ctx->options->parse & CL_SCAN_PARSE_ALZ)
 
 #define SCAN_HEURISTIC_BROKEN (ctx->options->heuristic & CL_SCAN_HEURISTIC_BROKEN)
 #define SCAN_HEURISTIC_BROKEN_MEDIA (ctx->options->heuristic & CL_SCAN_HEURISTIC_BROKEN_MEDIA)

diff --git a/libclamav/scanners.c b/libclamav/scanners.c
@@ -4586,6 +4586,11 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)
             if (SCAN_PARSE_ONENOTE && (DCONF_ARCH & DOC_CONF_ONENOTE))
                 ret = scan_onenote(ctx);
             break;
+        case CL_TYPE_ALZ:
+            if (SCAN_PARSE_ALZ && (DCONF_ARCH & ARCH_CONF_ALZ)) {
+                ret = extract_alz(ctx);
+            }
+            break;
 
         case CL_TYPE_OOXML_WORD:
         case CL_TYPE_OOXML_PPT:

diff --git a/libclamav_rust/Cargo.toml b/libclamav_rust/Cargo.toml
@@ -22,6 +22,9 @@ unicode-segmentation = "1.10.1"
 bindgen = "0.65"
 onenote_parser = { git = "https://github.com/Cisco-Talos/onenote.rs.git", branch = "CLAM-2329-new-from-slice" }
 hex-literal = "0.4.1"
+inflate = "0.4.5"
+bzip2 = "0.4.4"
+byteorder = "1.5.0"
 
 [lib]
 crate-type = ["staticlib"]

diff --git a/libclamav_rust/cbindgen.toml b/libclamav_rust/cbindgen.toml
@@ -37,6 +37,7 @@ include = [
   "evidence::evidence_add_indicator",
   "evidence::IndicatorType",
   "scanners::scan_onenote",
+  "scanners::extract_alz",
 ]
 
 # prefix = "CAPI_"