1 /* Copyright (C) 2009 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
11 #include "rootcheck.h"
14 /* Read the file pointer specified (rootkit_trojans)
15 * and check if any trojan entry is in the configured files
17 void check_rc_trojans(const char *basedir, FILE *fp)
19 int i = 0, _errors = 0, _total = 0;
20 char buf[OS_SIZE_1024 + 1];
21 char file_path[OS_SIZE_1024 + 1];
26 const char *(all_paths[]) = {"bin", "sbin", "usr/bin", "usr/sbin", NULL};
28 const char *(all_paths[]) = {"C:\\Windows\\", "D:\\Windows\\", NULL};
31 debug1("%s: DEBUG: Starting on check_rc_trojans", ARGV0);
33 while (fgets(buf, OS_SIZE_1024, fp) != NULL) {
38 /* Remove end of line */
39 nbuf = strchr(buf, '\n');
44 nbuf = normalize_string(buf);
46 if (*nbuf == '\0' || *nbuf == '#') {
50 /* File now may be valid */
53 string_to_look = strchr(file, '!');
54 if (!string_to_look) {
58 *string_to_look = '\0';
61 message = strchr(string_to_look, '!');
68 string_to_look = normalize_string(string_to_look);
69 file = normalize_string(file);
70 message = normalize_string(message);
72 if (*file == '\0' || *string_to_look == '\0') {
78 /* Try with all possible paths */
79 while (all_paths[i] != NULL) {
81 snprintf(file_path, OS_SIZE_1024, "%s/%s/%s", basedir,
85 strncpy(file_path, file, OS_SIZE_1024);
86 file_path[OS_SIZE_1024 - 1] = '\0';
89 /* Check if entry is found */
90 if (is_file(file_path) && os_string(file_path, string_to_look)) {
91 char op_msg[OS_SIZE_1024 + 1];
94 snprintf(op_msg, OS_SIZE_1024, "Trojaned version of file "
95 "'%s' detected. Signature used: '%s' (%s).",
101 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
113 char op_msg[OS_SIZE_1024 + 1];
114 snprintf(op_msg, OS_SIZE_1024, "No binaries with any trojan detected. "
115 "Analyzed %d files.", _total);
116 notify_rk(ALERT_OK, op_msg);