Hi List,
just put something together to aid me in generating signatures
for my database. Perhaps someone likes it. Just use your favorite
hex editor (vim :%!xxd) and pick a good offset value (hexadecimal, without a 0x prefix).
./siggen virus.exe 0FF337
you get a 300 character signature which you (probably) have to cut a
bit and give it an appropriate name.
Greetings Daniel
--
Saying that Java is nice because it works on all OS's is like
saying that anal sex is nice because it works on all genders
--ToxicSin
<siggen.c>
/*********************************************************************
* Copyright (C) 2004 Daniel Lord *
* *
* This is free software; you can redistribute it and/or modify *
* it under the terms of the GNU General Public License as published *
* by the Free Software Foundation; either version 2 of the License, *
* or (at your option) any later version. *
* *
* This software is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this software; if not, write to the Free Software *
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, *
* MA 02111-1307, USA. *
*********************************************************************/
/* gcc -Wall -Os -s -lm -o siggen siggen.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <math.h>
/*
 * Open `file` for reading in binary mode ("rb").
 *
 * Returns the open stream. If fopen() fails, the error is reported with
 * perror("fopen") and the whole process exits with EXIT_FAILURE, so the
 * caller never receives NULL.
 */
FILE * fopenfile_ro (char *file)
{
    FILE *stream = fopen(file, "rb");

    if (stream != NULL) {
        return stream;
    }

    perror("fopen");
    exit (EXIT_FAILURE);
}
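/* Number of raw bytes copied into the signature (printed as 2 hex digits each). */
enum { SIG_BYTES = 300 };
/* Offsets longer than this many hex digits are rejected, as in the original. */
enum { MAX_OFFSET_DIGITS = 6 };

/* Return the value (0-15) of one hexadecimal digit, or -1 if c is not one. */
static int hex_digit_value(char c)
{
    /* <ctype.h> functions require an unsigned char value; plain char may be negative. */
    unsigned char uc = (unsigned char)c;

    if (!isxdigit(uc)) {
        return -1;
    }
    if (isdigit(uc)) {
        return uc - '0';
    }
    return toupper(uc) - 'A' + 10;
}

/*
 * Parse `text` as an unprefixed hexadecimal offset of 1..MAX_OFFSET_DIGITS
 * digits. Stores the value in *out and returns 0, or prints a diagnostic to
 * stderr and returns -1.
 */
static int parse_hex_offset(const char *text, long *out)
{
    long value = 0;
    size_t ndigits = 0;

    if (*text == '\0') {
        /* An empty string used to be silently accepted as offset 0. */
        fprintf(stderr, " Wrong Offset Value\n");
        fprintf(stderr, " String is empty\n");
        return -1;
    }

    for (const char *p = text; *p != '\0'; p++) {
        int digit = hex_digit_value(*p);

        if (digit < 0) {
            fprintf(stderr, " Wrong Offset Value\n");
            fprintf(stderr, " String: %s -- Value: %c\n", text, *p);
            return -1;
        }
        if (++ndigits > MAX_OFFSET_DIGITS) {
            fprintf(stderr, " Really big Offset? (FIXME)\n");
            return -1;
        }
        /* At most 6 hex digits (24 bits), so this cannot overflow a long. */
        value = value * 16 + digit;
    }

    *out = value;
    return 0;
}

/*
 * siggen <file> <offset>
 *
 * Reads SIG_BYTES (300) bytes from <file> starting at the hexadecimal
 * <offset> and prints them on one line as
 *     unknown.auto.lo (Clam)=<600 hex digits>
 * The name is a placeholder; the operator is expected to rename the entry
 * and usually shorten the hex string before adding it to a database.
 *
 * The sample is only opened read-only and read; nothing in it is executed.
 *
 * Changes from the original:
 *  - the offset is parsed with integer arithmetic instead of pow(), and the
 *    argument length is no longer squeezed into a short;
 *  - the signature bytes are read completely before anything is printed, so
 *    a short read or I/O error can no longer emit a truncated or
 *    "FFFFFFFF"-padded signature line that might be appended to a database;
 *  - a failed write to stdout is reported instead of being ignored.
 *
 * NOTE(review): the bytes are taken verbatim from a single fixed offset. The
 * usefulness of the result depends on the operator choosing a region that is
 * specific to the sample; check the trimmed signature against known-clean
 * files before deploying it.
 *
 * Returns EXIT_SUCCESS when the signature line was written, EXIT_FAILURE
 * otherwise (diagnostics go to stderr).
 */
int main (int argc, char *argv[])
{
    unsigned char sig[SIG_BYTES];
    FILE *virfd;
    long offset = 0;
    long filesize;
    int rc = EXIT_FAILURE;

    if (argc != 3) {
        fprintf(stderr, " usage: %s <file> <offset>\n", argv[0]);
        return EXIT_FAILURE;
    }

    /* Validate the offset first so a bad argument never touches the sample. */
    if (parse_hex_offset(argv[2], &offset) != 0) {
        return EXIT_FAILURE;
    }

    /* Exits the process on failure, so virfd is always valid below. */
    virfd = fopenfile_ro(argv[1]);

    /* Determine the file size to make sure a full signature fits. */
    if (fseek(virfd, 0, SEEK_END) != 0) {
        perror("fseek");
        goto out;
    }
    filesize = ftell(virfd);
    if (filesize == -1) {
        perror("ftell");
        goto out;
    }
    if (filesize < SIG_BYTES || offset > filesize - SIG_BYTES) {
        fprintf(stderr, " File too short or offset to big\n");
        fprintf(stderr, " Filesize: %li -- Offset: %li + 300\n",
                filesize, offset);
        goto out;
    }

    if (fseek(virfd, offset, SEEK_SET) != 0) {
        perror("fseek");
        goto out;
    }

    /* Read everything up front: no partial signature is ever printed. */
    if (fread(sig, 1, (size_t)SIG_BYTES, virfd) != (size_t)SIG_BYTES) {
        if (ferror(virfd)) {
            perror("fread");
        } else {
            fprintf(stderr, " Unexpected end of file\n");
        }
        goto out;
    }

    printf("unknown.auto.lo (Clam)=");
    for (size_t i = 0; i < (size_t)SIG_BYTES; i++) {
        printf("%02X", (unsigned)sig[i]);
    }
    printf("\n");

    /* Output is typically redirected into a signature file; detect write errors. */
    if (fflush(stdout) != 0 || ferror(stdout)) {
        perror("stdout");
        goto out;
    }

    rc = EXIT_SUCCESS;
out:
    fclose(virfd);
    return rc;
}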
</siggen.c>