1 /* @(#) $Id: check_rc_trojans.c,v 1.12 2009/06/24 18:53:07 dcid Exp $ */
3 /* Copyright (C) 2009 Trend Micro Inc.
6 * This program is free software; you can redistribute it
7 * and/or modify it under the terms of the GNU General Public
8 * License (version 3) as published by the FSF - Free Software
14 #include "rootcheck.h"
18 * Read the file pointer specified (rootkit_trojans)
19 * and check whether any trojan entry is present in the configured files
21 void check_rc_trojans(char *basedir, FILE *fp)
23 int i = 0, _errors = 0, _total = 0;
24 char buf[OS_SIZE_1024 +1];
25 char file_path[OS_SIZE_1024 +1];
31 char *(all_paths[]) = {"bin","sbin","usr/bin","usr/sbin", NULL};
33 char *(all_paths[]) = {"C:\\Windows\\", "D:\\Windows\\", NULL};
36 debug1("%s: DEBUG: Starting on check_rc_trojans", ARGV0);
39 while(fgets(buf, OS_SIZE_1024, fp) != NULL)
46 /* Removing end of line */
47 nbuf = strchr(buf, '\n');
54 /* Normalizing line */
55 nbuf = normalize_string(buf);
58 if(*nbuf == '\0' || *nbuf == '#')
64 /* File now may be valid */
67 string_to_look = strchr(file, '!');
73 *string_to_look = '\0';
76 message = strchr(string_to_look, '!');
84 string_to_look = normalize_string(string_to_look);
85 file = normalize_string(file);
86 message = normalize_string(message);
89 if(*file == '\0' || *string_to_look == '\0')
97 /* Trying with all possible paths */
98 while(all_paths[i] != NULL)
102 snprintf(file_path, OS_SIZE_1024, "%s/%s/%s",basedir,
108 strncpy(file_path, file, OS_SIZE_1024);
109 file_path[OS_SIZE_1024 -1] = '\0';
112 /* Checking if entry is found */
113 if(is_file(file_path) && os_string(file_path, string_to_look))
115 char op_msg[OS_SIZE_1024 +1];
118 snprintf(op_msg, OS_SIZE_1024, "Trojaned version of file "
119 "'%s' detected. Signature used: '%s' (%s).",
125 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
140 char op_msg[OS_SIZE_1024 +1];
141 snprintf(op_msg,OS_SIZE_1024, "No binaries with any trojan detected. "
142 "Analyzed %d files.", _total);
143 notify_rk(ALERT_OK, op_msg);