ClamScan, ClamDScan: process memory scanning (Windows)

Add the process memory scanning feature from ClamWin's ClamScan. This commit extends that feature to make it available in ClamDScan as well. This adds three new options to ClamScan and ClamDScan on Windows: * --memory * --kill * --unload --allmatch and --stream are available for ClamDScan. To reduce code duplication, this refactors clamd related code used in both scanmem.c and proto.c into clamdcom. Moved send_fdpass(), send_stream(), chkpath(), dconnect(), and dsresult(); as well as some type definitions. Special thanks to Gianluigi Tiesi for allowing us to integrate the Windows process memory scanning feature from ClamWin into the ClamAV.
Cisco-Talos · Aug 27, 2021 · 23dfe8f · 23dfe8f
1 parent 1b276db
commit 23dfe8f
Show file tree

Hide file tree

Showing 17 changed files with 1,651 additions and 385 deletions.
diff --git a/clamdscan/clamdscan.c b/clamdscan/clamdscan.c
@@ -243,6 +243,11 @@ void help(void)
     mprintf("    --move=DIRECTORY                   Move infected files into DIRECTORY\n");
     mprintf("    --copy=DIRECTORY                   Copy infected files into DIRECTORY\n");
     mprintf("    --config-file=FILE                 Read configuration from FILE.\n");
+#ifdef _WIN32
+    mprintf("    --memory                           Scan loaded executable modules\n");
+    mprintf("    --kill                             Kill/Unload infected loaded modules\n");
+    mprintf("    --unload                           Unload infected modules from processes\n");
+#endif
     mprintf("    --allmatch            -z           Continue scanning within file after finding a match.\n");
     mprintf("    --multiscan           -m           Force MULTISCAN mode\n");
     mprintf("    --infected            -i           Only print infected files\n");

diff --git a/clamdscan/client.c b/clamdscan/client.c
@@ -65,13 +65,14 @@
 #include "actions.h"
 #include "clamdcom.h"
 
+#ifdef _WIN32
+#include "scanmem.h"
+#endif
+
 #include "client.h"
 #include "proto.h"
 
 unsigned long int maxstream;
-#ifndef _WIN32
-struct sockaddr_un nixsock;
-#endif
 extern struct optstruct *clamdopts;
 
 /* Inits the communication layer
@@ -219,7 +220,7 @@ int16_t ping_clamd(const struct optstruct *opts)
 
     isremote(opts);
     do {
-        if ((sockd = dconnect()) >= 0) {
+        if ((sockd = dconnect(clamdopts)) >= 0) {
             const char zPING[] = "zPING";
             recvlninit(&rcv, sockd);
 
@@ -343,7 +344,7 @@ int get_clamd_version(const struct optstruct *opts)
     const char zVERSION[] = "zVERSION";
 
     isremote(opts);
-    if ((sockd = dconnect()) < 0) return 2;
+    if ((sockd = dconnect(clamdopts)) < 0) return 2;
     recvlninit(&rcv, sockd);
 
     if (sendln(sockd, zVERSION, sizeof(zVERSION))) {
@@ -371,7 +372,7 @@ int reload_clamd_database(const struct optstruct *opts)
     const char zRELOAD[] = "zRELOAD";
 
     isremote(opts);
-    if ((sockd = dconnect()) < 0) return 2;
+    if ((sockd = dconnect(clamdopts)) < 0) return 2;
     recvlninit(&rcv, sockd);
 
     if (sendln(sockd, zRELOAD, sizeof(zRELOAD))) {
@@ -442,7 +443,7 @@ int client(const struct optstruct *opts, int *infected, int *err)
             return 2;
         }
         if ((sb.st_mode & S_IFMT) != S_IFREG) scantype = STREAM;
-        if ((sockd = dconnect()) >= 0 && (ret = dsresult(sockd, scantype, NULL, &ret, NULL)) >= 0)
+        if ((sockd = dconnect(clamdopts)) >= 0 && (ret = dsresult(sockd, scantype, NULL, &ret, NULL, clamdopts)) >= 0)
             *infected = ret;
         else
             errors = 1;
@@ -464,7 +465,20 @@ int client(const struct optstruct *opts, int *infected, int *err)
 	    }
 	    */
         }
-    } else {
+    }
+#ifdef _WIN32
+    else if (optget(opts, "memory")->enabled) {
+        struct mem_info minfo;
+        minfo.d      = 1;
+        minfo.opts   = opts;
+        minfo.ifiles = *infected;
+        minfo.errors = errors;
+        int res      = scanmem(&minfo);
+        *infected    = minfo.ifiles;
+        *err         = minfo.errors;
+    }
+#endif
+    else {
         errors = client_scan("", scantype, infected, err, maxrec, session, flags);
     }
     return *infected ? 1 : (errors ? 2 : 0);

diff --git a/clamdscan/client.h b/clamdscan/client.h
@@ -27,15 +27,6 @@
 
 #include "optparser.h"
 
-enum {
-    CONT,
-    MULTI,
-    STREAM,
-    FILDES,
-    ALLMATCH,
-    MAX_SCANTYPE = ALLMATCH
-};
-
 int client(const struct optstruct *opts, int *infected, int *err);
 int get_clamd_version(const struct optstruct *opts);
 int reload_clamd_database(const struct optstruct *opts);