/* Detection naming for this bytecode signature: a common prefix plus the list
 * of names that may be passed to foundVirus(). The entrypoint visible in this
 * file only ever raises "Submit"; "InActive" is declared but not raised there. */
VIRUSNAME_PREFIX("SUBMIT.NotPDF")
VIRUSNAMES("InActive", "Submit")
/* Target type is 0, all relevant files */
TARGET(0)
/* Declares that this bytecode runs only as a preclassification hook (affecting only preclass files) */
PRECLASS_HOOK_DECLARE
/* The JSON API calls require FUNC_LEVEL_098_5 = 78 */
/* PRECLASS_HOOK_DECLARE requires FUNC_LEVEL_098_7 = 80, so that is the minimum declared here */
FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_7)
/* Capacity, in bytes, of the buffer that receives the "FileType" string;
 * the entrypoint clamps the requested length (NUL terminator included) to it. */
#define STR_MAXLEN 256
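/*
 * Preclassification hook: reads the "FileType" JSON property of the scanned
 * file and raises the "Submit" alert when that type is anything other than
 * "CL_TYPE_PDF" (the signature is declared with the SUBMIT.NotPDF prefix).
 *
 * Returns -1 when the JSON API is inactive or the FileType object cannot be
 * obtained, and 0 otherwise, whether or not an alert was raised.
 */
int entrypoint()
{
    /* 'len' rather than 'strlen', so the local does not shadow the libc name */
    int32_t type, obj, len;
    char str[STR_MAXLEN];

    /* the JSON properties API must be active for this scan */
    if (!json_is_active()) {
        return -1;
    }

    /* look up the "FileType" property (8 = length of the name) from object id 0 */
    obj = json_get_object("FileType", 8, 0);
    if (obj <= 0) {
        return -1;
    }

    /* only a string-typed FileType can be compared below */
    type = json_get_type(obj);
    if (type != JSON_TYPE_STRING) {
        return 0;
    }

    /* string length, +1 for the NUL terminator */
    len = json_get_string_length(obj) + 1;
    /* never ask for more than the local buffer holds */
    if (len > STR_MAXLEN) {
        len = STR_MAXLEN;
    }

    /*
     * Copy the string out; len includes the NUL terminator.
     * NOTE(review): the bytecode API appears to report errors as -1, which a
     * plain truthiness test would accept and then compare an unfilled buffer;
     * only a positive count is treated as success here. Confirm against
     * bytecode_api.h.
     */
    if (json_get_string(str, len, obj) <= 0) {
        return 0;
    }

    /* debug print of the retrieved type string */
    debug_print_str(str, len);

    /*
     * "CL_TYPE_PDF" plus its NUL terminator is 12 bytes. Alert when the length
     * differs or the bytes differ, i.e. when the file is NOT a PDF. The
     * previous test used !memcmp(), which fired on PDFs and stayed silent for
     * other 11-character type names. The length test comes first so memcmp()
     * never reads past the bytes that were actually written to str.
     */
    if (len != 12 || memcmp(str, "CL_TYPE_PDF", 12) != 0) {
        foundVirus("Submit");
    }

    return 0;
}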