/*
 * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
 * Copyright (C) 2007-2013 Sourcefire, Inc.
 *
 * Authors: Tomasz Kojm
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301, USA.
 */
#ifndef __MATCHER_AC_H
#define __MATCHER_AC_H

#include <sys/types.h>

#include "filetypes.h"
#include "clamav-types.h"
#include "fmap.h"
#include "hashtab.h"

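/*
 * Matcher limits.
 * NOTE(review): judging by the names, AC_CH_MAXDIST bounds the
 * ch_mindist/ch_maxdist fields of struct cli_ac_patt and
 * ACPATT_ALTN_MAXNEST bounds how deeply alternates may nest in a pattern.
 * Neither use is visible in this header -- confirm in the implementation.
 */
#define AC_CH_MAXDIST 32
#define ACPATT_ALTN_MAXNEST 15

/* AC scanning modes */
/* NOTE(review): presumably the values accepted by the `mode` argument of
 * cli_ac_scanbuff() -- confirm against the callers. */
#define AC_SCAN_VIR 1
#define AC_SCAN_FT 2

/* Pattern options */
/* Each value below is a distinct single bit and the largest is 0x80, so any
 * combination fits in the uint8_t `sigopts` field of struct cli_ac_patt and
 * in the uint8_t `sigopts` parameter of cli_ac_addsig(). */
#define ACPATT_OPTION_NOOPTS 0x00
#define ACPATT_OPTION_NOCASE 0x01
#define ACPATT_OPTION_FULLWORD 0x02
#define ACPATT_OPTION_WIDE 0x04
#define ACPATT_OPTION_ASCII 0x08

/* Kept apart from the low-nibble options above: this is the top bit of the
 * 8-bit option byte. */
#define ACPATT_OPTION_ONCE 0x80
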
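/*
 * Match offsets recorded for one subsignature (going by the struct name; the
 * code that fills it is not part of this header).
 *
 * NOTE(review): offsets[] is declared with 16 slots but is documented as
 * variable length, so the usable capacity is whatever the allocating code
 * reserved, not sizeof(offsets). Every index into offsets[] has to be checked
 * against that allocated capacity. Presumably `last` and `next` are the
 * cursors used for this -- confirm in the implementation.
 */
struct cli_subsig_matches {
    uint32_t last;
    uint32_t next;
    uint32_t offsets[16]; /* offsets[] is variable length */
};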
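/*
 * Table of per-subsignature match records for one logical signature (going by
 * the struct name).
 *
 * NOTE(review): matches[] is declared with one slot but is documented as
 * variable length, so the object must be allocated with room for the real
 * number of entries, and sizeof(struct cli_lsig_matches) under-reports it.
 * Presumably `subsigs` is the entry count that indices must be checked
 * against -- confirm in the implementation.
 */
struct cli_lsig_matches {
    uint32_t subsigs;
    struct cli_subsig_matches *matches[1]; /* matches[] is variable length */
};
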
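/*
 * Per-scan matcher state. cli_ac_initdata() and cli_ac_freedata(), declared
 * in this header, both take a pointer to this struct; cli_ac_initdata() has
 * parameters named partsigs, lsigs and reloffsigs, matching the counters
 * stored here.
 *
 * NOTE(review): the pointer tables carry no length of their own. Presumably
 * offmatrix is sized by partsigs, the lsig* tables by lsigs and offset by
 * reloffsigs -- confirm in the implementation before indexing any of them.
 */
struct cli_ac_data {
    uint32_t ***offmatrix;
    uint32_t partsigs, lsigs, reloffsigs;
    uint32_t **lsigcnt;
    uint32_t **lsigsuboff_last, **lsigsuboff_first;
    struct cli_lsig_matches **lsig_matches;
    uint8_t *yr_matches;
    uint32_t *offset;
    /* Fixed at 32 entries: any index used here must be below 32. */
    uint32_t macro_lastmatch[32];
    /** Hashset for versioninfo matching */
    const struct cli_hashset *vinfo;
    uint32_t min_partno;
};
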
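/*
 * One node of a singly linked list of alternate strings; `next` points to
 * another node of the same type. struct cli_ac_special refers to such a list
 * through its alt.v_str member.
 *
 * NOTE(review): presumably `len` is the number of uint16_t elements in `str`
 * and the list ends at next == NULL -- confirm in the implementation.
 */
struct cli_alt_node {
    uint16_t *str;
    uint16_t len;
    uint8_t unique;
    struct cli_alt_node *next;
};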
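/*
 * Description of one "special" (alternate) element of a pattern. struct
 * cli_ac_patt holds an array of pointers to these in special_table.
 *
 * The three members of `alt` share storage, so only the representation that
 * was last written is valid to read.
 * NOTE(review): presumably `type` selects which member of `alt` is live and
 * `num` counts the alternatives -- confirm in the implementation; reading the
 * wrong member reinterprets one pointer type as another.
 */
struct cli_ac_special {
    union {
        unsigned char *byte;
        unsigned char **f_str;
        struct cli_alt_node *v_str;
    } alt;
    uint16_t len[2], num; /* 0=MIN, 1=MAX */
    uint16_t type, negative;
};
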
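/*
 * One pattern (signature part) known to the AC matcher. cli_ac_addpatt(),
 * declared in this header, takes a pointer to this struct, and struct
 * cli_ac_list refers to it through its `me` member.
 *
 * NOTE(review): the meaning of the three slots of length[], prefix_length[]
 * and lsigid[], and of the four slots of offdata[], is not stated in this
 * header -- confirm in the implementation before indexing them.
 */
struct cli_ac_patt {
    uint16_t *pattern, *prefix, length[3], prefix_length[3];
    uint32_t mindist, maxdist;
    uint32_t sigid;
    uint32_t lsigid[3];
    uint16_t ch[2];
    char *virname;
    void *customdata;
    uint16_t ch_mindist[2];
    uint16_t ch_maxdist[2];
    uint16_t parts, partno, special, special_pattern;
    /* NOTE(review): no element count is stored next to this table; presumably
     * `special` is that count -- confirm. */
    struct cli_ac_special **special_table;
    uint16_t rtype, type;
    uint32_t offdata[4], offset_min, offset_max;
    uint32_t boundary;
    uint8_t depth;
    /* Eight bits wide; the ACPATT_OPTION_* values in this header all fit. */
    uint8_t sigopts;
};
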
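/*
 * List cell that attaches a pattern to a trie node: `me` is the pattern and
 * struct cli_ac_node points at the first cell through its `list` member.
 *
 * NOTE(review): two separate chains run through each cell (`next` and
 * `next_same`); what distinguishes them is not stated in this header --
 * confirm in the implementation.
 */
struct cli_ac_list {
    struct cli_ac_patt *me;
    struct cli_ac_list *next, *next_same;
};
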
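/*
 * Node of the AC trie.
 *
 * The IS_LEAF() and IS_FINAL() macros in this header read these members
 * directly: a node with trans == NULL is a leaf, and a node with
 * list != NULL is final.
 *
 * NOTE(review): the number of entries behind `trans` is not stored here;
 * presumably it is one slot per byte value -- confirm in the implementation
 * before indexing.
 */
struct cli_ac_node {
    struct cli_ac_list *list;
    struct cli_ac_node **trans, *fail;
};
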
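/*
 * Node predicates. `node` must be a valid, non-NULL pointer to a struct with
 * `trans` and `list` members (struct cli_ac_node); neither macro checks for
 * NULL. The argument is parenthesized so that expressions such as `&n` or
 * `p + 1` bind as the caller intends, and it is evaluated exactly once.
 */
#define IS_LEAF(node) (!(node)->trans)
#define IS_FINAL(node) (!!(node)->list)
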
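/*
 * One entry of a singly linked result list; cli_ac_scanbuff(), declared in
 * this header, takes a `struct cli_ac_result **res` argument.
 *
 * NOTE(review): `offset` is an off_t here, while cli_ac_scanbuff() takes its
 * buffer length and base offset as uint32_t -- check how the two widths are
 * combined in the implementation. Who frees the list and whether `virname`
 * is owned by the entry is not visible in this header.
 */
struct cli_ac_result {
    const char *virname;
    void *customdata;
    off_t offset;
    struct cli_ac_result *next;
};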

#include "matcher.h"

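/*
 * AC matcher entry points. Only the signatures are visible in this header;
 * ownership, locking and error semantics must be confirmed in the
 * implementation.
 */

/* Pattern and per-scan data management. */
cl_error_t cli_ac_addpatt(struct cli_matcher *root, struct cli_ac_patt *pattern);
cl_error_t cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs, uint32_t reloffsigs, uint8_t tracklen);
cl_error_t lsig_sub_matched(const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t lsigid1, uint32_t lsigid2, uint32_t realoff, int partial);
cl_error_t cli_ac_chkmacro(struct cli_matcher *root, struct cli_ac_data *data, unsigned lsigid1);
/* Unlike its neighbours this returns int, not cl_error_t.
 * NOTE(review): presumably `expr`..`end` delimit the expression text and the
 * function must not read past `end` -- confirm in the implementation. */
int cli_ac_chklsig(const char *expr, const char *end, uint32_t *lsigcnt, unsigned int *cnt, uint64_t *ids, unsigned int parse_only);
void cli_ac_freedata(struct cli_ac_data *data);

/* Scanning. `buffer` is passed together with `length`; the caller has to make
 * sure `length` does not exceed the bytes actually available at `buffer`.
 * NOTE(review): presumably `mode` takes AC_SCAN_VIR / AC_SCAN_FT -- confirm. */
cl_error_t cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **virname, void **customdata, struct cli_ac_result **res, const struct cli_matcher *root, struct cli_ac_data *mdata, uint32_t offset, cli_file_t ftype, struct cli_matched_type **ftoffset, unsigned int mode, cli_ctx *ctx);

/* Matcher lifetime and signature loading. */
cl_error_t cli_ac_buildtrie(struct cli_matcher *root);
cl_error_t cli_ac_init(struct cli_matcher *root, uint8_t mindepth, uint8_t maxdepth, uint8_t dconf_prefiltering);
cl_error_t cli_ac_caloff(const struct cli_matcher *root, struct cli_ac_data *data, const struct cli_target_info *info);
void cli_ac_free(struct cli_matcher *root);
/* `hexsig` and `offset` arrive as text, so they are parsed by the
 * implementation. `sigopts` is 8 bits wide, matching the ACPATT_OPTION_*
 * values in this header. */
cl_error_t cli_ac_addsig(struct cli_matcher *root, const char *virname, const char *hexsig, uint8_t sigopts, uint32_t sigid, uint16_t parts, uint16_t partno, uint16_t rtype, uint16_t type, uint32_t mindist, uint32_t maxdist, const char *offset, const uint32_t *lsigid, unsigned int options);
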
#endif