d6ada03c |
/*
* ClamAV bytecode handler tool.
* |
e098cdc5 |
* Copyright (C) 2015, 2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved. |
54402320 |
* Copyright (C) 2009-2012 Sourcefire, Inc. |
d6ada03c |
*
* Authors: Török Edvin
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
*/
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif |
d1487222 |
#include "cltypes.h" |
3ff75dbf |
#ifndef _WIN32 |
74b00233 |
#include <sys/time.h> |
3ff75dbf |
#endif |
74b00233 |
#include <stdlib.h> |
b2e7c931 |
|
d6ada03c |
#include "bytecode.h" |
65c740d7 |
#include "bytecode_priv.h" |
d6ada03c |
#include "clamav.h" |
0d71db97 |
#include "shared/optparser.h" |
860c2737 |
#include "shared/misc.h" |
6eeadbfe |
#include "libclamav/dconf.h" |
3de96271 |
#include "libclamav/others.h" |
d6ada03c |
|
a1781898 |
#include <fcntl.h> |
d6ada03c |
#include <stdlib.h> |
a1781898 |
#include <errno.h> |
646395bb |
#include <string.h> |
3ff75dbf |
#ifdef HAVE_UNISTD_H |
646395bb |
#include <unistd.h> |
3ff75dbf |
#endif |
d6ada03c |
|
0d71db97 |
static void help(void)
{
printf("\n"); |
e098cdc5 |
printf(" Clam AntiVirus: Bytecode Testing Tool %s\n", get_version()); |
964a1e73 |
printf(" By The ClamAV Team: https://www.clamav.net/about.html#credits\n"); |
e098cdc5 |
printf(" (C) 2009-2018 Cisco Systems, Inc.\n");
printf("\n");
printf(" clambc <file> [function] [param1 ...]\n");
printf("\n");
printf(" --help -h Show this help\n"); |
0d71db97 |
printf(" --version -V Show version\n"); |
8d170d58 |
printf(" --debug Show debug\n");
printf(" --force-interpreter -f Force using the interpreter instead of the JIT\n");
printf(" --trust-bytecode -t Trust loaded bytecode (default yes)\n"); |
d4c9f766 |
printf(" --info -i Print information about bytecode\n");
printf(" --printsrc -p Print bytecode source\n"); |
8d170d58 |
printf(" --printbcir -c Print IR of bytecode signature\n"); |
e098cdc5 |
printf(" --input -c Input file to run the bytecode on\n"); |
1a7ce1e1 |
printf(" --trace <level> -T Set bytecode trace level 0..7 (default 7)\n"); |
8d170d58 |
printf(" --no-trace-showsource -s Don't show source line during tracing\n"); |
c94a95b8 |
printf(" --statistics=bytecode Collect and print bytecode execution statistics\n"); |
e098cdc5 |
printf(" file File to test\n"); |
0d71db97 |
printf("\n");
return;
}
|
0a11015b |
static struct dbg_state {
const char *directory;
const char *file;
const char *scope;
uint32_t scopeid;
unsigned line;
unsigned col;
unsigned showline;
} dbg_state;
static void tracehook(struct cli_bc_ctx *ctx, unsigned event)
{
dbg_state.directory = ctx->directory;
if (*ctx->file == '?')
return;
switch (event) {
case trace_func: |
1e96c19e |
fprintf(stderr, "[trace] %s:%u:%u -> %s:%u:%u Entered function %s\n", |
0a11015b |
dbg_state.file, dbg_state.line, dbg_state.col,
ctx->file, ctx->line, ctx->col, ctx->scope);
dbg_state.scope = ctx->scope;
break;
case trace_param: |
1e96c19e |
fprintf(stderr, "[trace] function parameter:\n"); |
0a11015b |
return;
case trace_scope: |
1e96c19e |
fprintf(stderr, "[trace] %s:%u:%u -> %s:%u:%u\n", |
0a11015b |
dbg_state.file, dbg_state.line, dbg_state.col,
ctx->file, ctx->line, ctx->col);
dbg_state.scope = ctx->scope;
break;
case trace_line:
case trace_col:
if (dbg_state.showline)
cli_bytecode_debug_printsrc(ctx);
else |
1e96c19e |
fprintf(stderr, "[trace] %s:%u:%u\n", |
0a11015b |
dbg_state.file, dbg_state.line, dbg_state.col);
break;
default:
break;
}
dbg_state.file = ctx->file;
dbg_state.line = ctx->line;
dbg_state.col = ctx->col;
}
static void tracehook_op(struct cli_bc_ctx *ctx, const char *op)
{ |
6df13d04 |
UNUSEDPARAM(ctx); |
1e96c19e |
fprintf(stderr, "[trace] %s\n", op); |
0a11015b |
}
static void tracehook_val(struct cli_bc_ctx *ctx, const char *name, uint32_t value)
{ |
6df13d04 |
UNUSEDPARAM(ctx); |
1e96c19e |
fprintf(stderr, "[trace] %s = %u\n", name, value); |
0a11015b |
}
|
688799d1 |
static void tracehook_ptr(struct cli_bc_ctx *ctx, const void *ptr)
{ |
6df13d04 |
UNUSEDPARAM(ctx); |
688799d1 |
fprintf(stderr, "[trace] %p\n", ptr);
}
|
a46e16af |
static uint8_t debug_flag = 0; |
9bdaf35d |
static void print_src(const char *file)
{
char buf[4096]; |
9f9573fe |
int nread, i, found = 0, lcnt = 0; |
9bdaf35d |
FILE *f = fopen(file, "r");
if (!f) {
fprintf(stderr,"Unable to reopen %s\n", file);
return;
}
do {
nread = fread(buf, 1, sizeof(buf), f);
for (i=0;i<nread-1;i++) { |
9f9573fe |
if (buf[i] == '\n') {
lcnt++;
}
/* skip over the logical trigger */
if (lcnt >= 2 && buf[i] == '\n' && buf[i+1] == 'S') { |
9bdaf35d |
found = 1; |
f4a26ba1 |
i+=2; |
9bdaf35d |
break;
}
}
} while (!found && (nread == sizeof(buf))); |
a46e16af |
if (debug_flag) |
d4c9f766 |
printf("[clambc] Source code:"); |
9bdaf35d |
do {
for (;i+1<nread;i++) {
if (buf[i] == 'S' || buf[i] == '\n') {
putc('\n', stdout);
continue;
} |
3000f7bf |
putc(((buf[i]&0xf) | ((buf[i+1]&0xf)<<4)), stdout); |
9bdaf35d |
i++;
} |
d4c9f766 |
if (i == nread-1 && nread != 1)
fseek(f, -1, SEEK_CUR); |
9bdaf35d |
i=0;
nread = fread(buf, 1, sizeof(buf), f);
} while (nread > 0);
fclose(f);
} |
74f5816c |
static uint32_t deadbeefcounts[64] = {
0xdeadbeef,
0,
0xbeefdead,
0,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
0xdeadbeef,
}; |
d6ada03c |
int main(int argc, char *argv[])
{
FILE *f;
struct cli_bc *bc;
struct cli_bc_ctx *ctx; |
e77937b4 |
int rc, dbgargc, bc_stats=0; |
0d71db97 |
struct optstruct *opts; |
a1781898 |
const struct optstruct *opt; |
e0c4fd85 |
unsigned funcid=0, i; |
d1487222 |
struct cli_all_bc bcs; |
e4a0f2c9 |
int fd = -1; |
acb53e3a |
unsigned tracelevel; |
0d71db97 |
|
bca0b679 |
if(check_flevel())
exit(1);
|
0d71db97 |
opts = optparse(NULL, argc, argv, 1, OPT_CLAMBC, 0, NULL);
if (!opts) {
fprintf(stderr, "ERROR: Can't parse command line options\n"); |
d6ada03c |
exit(1);
} |
1a486dca |
if(optget(opts, "version")->enabled) {
printf("Clam AntiVirus Bytecode Testing Tool %s\n", get_version()); |
4a3c659b |
cl_init(CL_INIT_DEFAULT); |
d0934caf |
cli_bytecode_printversion(); |
0d71db97 |
optfree(opts);
exit(0);
} |
1a486dca |
if(optget(opts, "help")->enabled || !opts->filename) { |
0d71db97 |
optfree(opts); |
1a486dca |
help(); |
0d71db97 |
exit(0);
} |
e0c4fd85 |
f = fopen(opts->filename[0], "r"); |
d6ada03c |
if (!f) {
fprintf(stderr, "Unable to load %s\n", argv[1]); |
2e0a9ae6 |
optfree(opts); |
d6ada03c |
exit(2);
}
bc = malloc(sizeof(*bc));
if (!bc) {
fprintf(stderr, "Out of memory\n"); |
2e0a9ae6 |
optfree(opts); |
d6ada03c |
exit(3);
}
|
d4c9f766 |
if (optget(opts,"debug")->enabled) {
cl_debug(); |
a46e16af |
debug_flag=1; |
d4c9f766 |
} |
d1487222 |
rc = cl_init(CL_INIT_DEFAULT);
if (rc != CL_SUCCESS) {
fprintf(stderr,"Unable to init libclamav: %s\n", cl_strerror(rc));
optfree(opts);
exit(4);
}
|
3b33bd68 |
dbgargc=1;
while (opts->filename[dbgargc]) dbgargc++;
if (dbgargc > 1)
cli_bytecode_debug(dbgargc, opts->filename); |
1a486dca |
if (optget(opts, "force-interpreter")->enabled) {
bcs.engine = NULL;
} else { |
927d0548 |
rc = cli_bytecode_init(&bcs); |
1a486dca |
if (rc != CL_SUCCESS) {
fprintf(stderr,"Unable to init bytecode engine: %s\n", cl_strerror(rc));
optfree(opts);
exit(4);
} |
d1487222 |
}
bcs.all_bcs = bc;
bcs.count = 1;
|
e77937b4 |
if((opt = optget(opts, "statistics"))->enabled) {
while(opt) {
if (!strcasecmp(opt->strarg, "bytecode"))
bc_stats=1;
opt = opt->nextarg;
}
}
rc = cli_bytecode_load(bc, f, NULL, optget(opts, "trust-bytecode")->enabled, bc_stats); |
d6ada03c |
if (rc != CL_SUCCESS) {
fprintf(stderr,"Unable to load bytecode: %s\n", cl_strerror(rc)); |
2e0a9ae6 |
optfree(opts); |
d6ada03c |
exit(4);
}
fclose(f); |
3735fda1 |
if (bc->state == bc_skip) {
fprintf(stderr,"bytecode load skipped\n");
exit(0);
} |
a46e16af |
if (debug_flag) |
3735fda1 |
printf("[clambc] Bytecode loaded\n"); |
d4c9f766 |
if (optget(opts, "info")->enabled) { |
a35cfe51 |
cli_bytecode_describe(bc); |
d4c9f766 |
} else if (optget(opts, "printsrc")->enabled) { |
9bdaf35d |
print_src(opts->filename[0]); |
0ff13b31 |
} else if (optget(opts, "printbcir")->enabled) {
cli_bytetype_describe(bc);
cli_bytevalue_describe(bc, 0);
cli_bytefunc_describe(bc, 0); |
a35cfe51 |
} else { |
3de96271 |
cli_ctx cctx; |
562fdb82 |
struct cl_engine *engine = cl_engine_new(); |
349e6e11 |
fmap_t *map = NULL; |
3de96271 |
memset(&cctx, 0, sizeof(cctx)); |
562fdb82 |
if (!engine) {
fprintf(stderr,"Unable to create engine\n");
optfree(opts);
exit(3);
}
rc = cl_engine_compile(engine);
if (rc) {
fprintf(stderr,"Unable to compile engine: %s\n", cl_strerror(rc));
optfree(opts);
exit(4);
} |
540fc128 |
rc = cli_bytecode_prepare2(engine, &bcs, BYTECODE_ENGINE_MASK); |
d4c9f766 |
if (rc != CL_SUCCESS) {
fprintf(stderr,"Unable to prepare bytecode: %s\n", cl_strerror(rc));
optfree(opts);
exit(4);
} |
a46e16af |
if (debug_flag) |
d4c9f766 |
printf("[clambc] Bytecode prepared\n"); |
d6ada03c |
|
a35cfe51 |
ctx = cli_bytecode_context_alloc();
if (!ctx) {
fprintf(stderr,"Out of memory\n");
exit(3);
} |
3de96271 |
ctx->ctx = &cctx; |
562fdb82 |
cctx.engine = engine;
cctx.fmap = cli_calloc(sizeof(fmap_t*), engine->maxreclevel+2);
if (!cctx.fmap) {
fprintf(stderr,"Out of memory\n");
exit(3);
} |
a35cfe51 |
memset(&dbg_state, 0, sizeof(dbg_state));
dbg_state.file = "<libclamav>";
dbg_state.line = 0;
dbg_state.col = 0;
dbg_state.showline = !optget(opts, "no-trace-showsource")->enabled;
tracelevel = optget(opts, "trace")->numarg;
cli_bytecode_context_set_trace(ctx, tracelevel,
tracehook,
tracehook_op,
tracehook_val,
tracehook_ptr); |
e0c4fd85 |
|
a35cfe51 |
if (opts->filename[1]) {
funcid = atoi(opts->filename[1]); |
e0c4fd85 |
} |
a35cfe51 |
cli_bytecode_context_setfuncid(ctx, bc, funcid); |
a46e16af |
if (debug_flag) |
d4c9f766 |
printf("[clambc] Running bytecode function :%u\n", funcid); |
e0c4fd85 |
|
a35cfe51 |
if (opts->filename[1]) {
i=2;
while (opts->filename[i]) {
rc = cli_bytecode_context_setparam_int(ctx, i-2, atoi(opts->filename[i]));
if (rc != CL_SUCCESS) {
fprintf(stderr,"Unable to set param %u: %s\n", i-2, cl_strerror(rc));
}
i++;
} |
a1781898 |
} |
a35cfe51 |
if ((opt = optget(opts,"input"))->enabled) {
fd = open(opt->strarg, O_RDONLY);
if (fd == -1) {
fprintf(stderr, "Unable to open input file %s: %s\n", opt->strarg, strerror(errno));
optfree(opts);
exit(5);
}
map = fmap(fd, 0, 0);
if (!map) {
fprintf(stderr, "Unable to map input file %s\n", opt->strarg); |
948ecd35 |
exit(5); |
a35cfe51 |
}
rc = cli_bytecode_context_setfile(ctx, map);
if (rc != CL_SUCCESS) {
fprintf(stderr, "Unable to set file %s: %s\n", opt->strarg, cl_strerror(rc));
optfree(opts);
exit(5);
} |
74b00233 |
} |
74f5816c |
/* for testing */
ctx->hooks.match_counts = deadbeefcounts; |
1c4683ac |
ctx->hooks.match_offsets = deadbeefcounts; |
a35cfe51 |
rc = cli_bytecode_run(&bcs, bc, ctx); |
a1781898 |
if (rc != CL_SUCCESS) { |
a35cfe51 |
fprintf(stderr,"Unable to run bytecode: %s\n", cl_strerror(rc));
} else {
uint64_t v; |
a46e16af |
if (debug_flag) |
d4c9f766 |
printf("[clambc] Bytecode run finished\n"); |
a35cfe51 |
v = cli_bytecode_context_getresult_int(ctx); |
a46e16af |
if (debug_flag) |
d4c9f766 |
printf("[clambc] Bytecode returned: 0x%llx\n", (long long)v); |
a1781898 |
} |
a35cfe51 |
cli_bytecode_context_destroy(ctx); |
349e6e11 |
if (map)
funmap(map); |
562fdb82 |
cl_engine_free(engine);
free(cctx.fmap); |
e0c4fd85 |
} |
d6ada03c |
cli_bytecode_destroy(bc); |
d1487222 |
cli_bytecode_done(&bcs); |
d6ada03c |
free(bc); |
2e0a9ae6 |
optfree(opts); |
a1781898 |
if (fd != -1)
close(fd); |
a46e16af |
if (debug_flag) |
d4c9f766 |
printf("[clambc] Exiting\n"); |
f9afc309 |
cl_cleanup_crypto(); |
d6ada03c |
return 0;
} |