1 /* @(#) $Id: ./src/rootcheck/check_rc_trojans.c, 2011/09/08 dcid Exp $
4 /* Copyright (C) 2009 Trend Micro Inc.
7 * This program is a free software; you can redistribute it
8 * and/or modify it under the terms of the GNU General Public
9 * License (version 2) as published by the FSF - Free Software
15 #include "rootcheck.h"
* Read the trojan signature list (rootkit_trojans) from the given file
* pointer, one `file!signature!message` entry per line, and check whether
* any listed binary under the configured paths contains its signature string
22 void check_rc_trojans(char *basedir, FILE *fp)
24 int i = 0, _errors = 0, _total = 0;
25 char buf[OS_SIZE_1024 +1];
26 char file_path[OS_SIZE_1024 +1];
32 char *(all_paths[]) = {"bin","sbin","usr/bin","usr/sbin", NULL};
34 char *(all_paths[]) = {"C:\\Windows\\", "D:\\Windows\\", NULL};
37 debug1("%s: DEBUG: Starting on check_rc_trojans", ARGV0);
40 while(fgets(buf, OS_SIZE_1024, fp) != NULL)
47 /* Removing end of line */
48 nbuf = strchr(buf, '\n');
55 /* Normalizing line */
56 nbuf = normalize_string(buf);
59 if(*nbuf == '\0' || *nbuf == '#')
65 /* File now may be valid */
68 string_to_look = strchr(file, '!');
74 *string_to_look = '\0';
77 message = strchr(string_to_look, '!');
85 string_to_look = normalize_string(string_to_look);
86 file = normalize_string(file);
87 message = normalize_string(message);
90 if(*file == '\0' || *string_to_look == '\0')
98 /* Trying with all possible paths */
99 while(all_paths[i] != NULL)
103 snprintf(file_path, OS_SIZE_1024, "%s/%s/%s",basedir,
109 strncpy(file_path, file, OS_SIZE_1024);
110 file_path[OS_SIZE_1024 -1] = '\0';
113 /* Checking if entry is found */
114 if(is_file(file_path) && os_string(file_path, string_to_look))
116 char op_msg[OS_SIZE_1024 +1];
119 snprintf(op_msg, OS_SIZE_1024, "Trojaned version of file "
120 "'%s' detected. Signature used: '%s' (%s).",
126 notify_rk(ALERT_ROOTKIT_FOUND, op_msg);
141 char op_msg[OS_SIZE_1024 +1];
142 snprintf(op_msg,OS_SIZE_1024, "No binaries with any trojan detected. "
143 "Analyzed %d files.", _total);
144 notify_rk(ALERT_OK, op_msg);