/*
 * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
 * Copyright (C) 2007-2013 Sourcefire, Inc.
 *
 * Authors: Tomasz Kojm
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301, USA.
 */
#ifndef __EXECS_H
#define __EXECS_H
#include "clamav-types.h" |
#include "hashtab.h" |
#include "bcfeatures.h" |
#include "pe_structs.h" |
/** @file */

/** Section of executable file.
 * \group_pe
 * NOTE: This is used to store PE, MachO, and ELF section information. Not
 * all members are populated by the respective parsing functions.
 *
 * NOTE: This header file originates in the clamav-devel source and gets
 * copied into the clamav-bytecode-compiler source through a script
 * (sync-clamav.sh). This is done because an array of this structure is
 * allocated by libclamav and passed to the bytecode sig runtime.
 *
 * If you need to make changes to this structure, you will need to update
 * it in both repos. Because the array is handed to compiled bytecode, the
 * member order, member sizes and resulting offsets are effectively an ABI;
 * it has not been established whether changing them would require
 * recompiling all previously published bytecode signatures. Investigate
 * this before changing the layout.
 *
 * TODO Modify this structure to also include the section name (in both
 * repos). Then, populate this field in the libclamav PE/MachO/ELF header
 * parsing functions. Choose a length that's reasonable for all platforms,
 * copy the name with an explicit bound, and always NUL-terminate the stored
 * copy rather than assuming the on-disk name is terminated.
 */
struct cli_exe_section {
    uint32_t rva; /**< Relative VirtualAddress */
    uint32_t vsz; /**< VirtualSize */
    uint32_t raw; /**< Raw offset (in file) */
    uint32_t rsz; /**< Raw size (in file) */
    uint32_t chr; /**< Section characteristics */
    /* The u* members below are the PE section-header values before
     * alignment is applied; the members above are presumably their aligned
     * counterparts for PE and the only values set for ELF/MachO — confirm
     * against the parsers.
     * NOTE(review): these unaligned values come straight from an untrusted
     * header. Do not use them as file offsets or sizes without an explicit
     * bounds check against the file length, and remember that raw + rsz or
     * uraw + ursz can wrap a uint32_t, so test for overflow before
     * comparing the sum with the file size. Prefer raw/rsz for file access. */
    uint32_t urva; /**< PE - unaligned VirtualAddress */
    uint32_t uvsz; /**< PE - unaligned VirtualSize */
    uint32_t uraw; /**< PE - unaligned PointerToRawData */
    uint32_t ursz; /**< PE - unaligned SizeOfRawData */
};
/** Executable file information
 * NOTE: This is used to store PE, MachO, and ELF executable information,
 * but it predominantly has fields for PE info. Not all members are
 * populated by the respective parsing functions.
 *
 * NOTE: This header file originates in the clamav-devel source and gets
 * copied into the clamav-bytecode-compiler source through a script
 * (sync-clamav.sh). This is done because an array of cli_exe_section
 * structs is allocated by libclamav and passed to the bytecode sig
 * runtime.
 *
 * This structure is not used by the bytecode sig runtime, so it can be
 * modified in the clamav-devel repo without requiring the changes to
 * be propagated to the clamav-bytecode-compiler repo and that code rebuilt.
 * It'd be nice to keep them in sync if possible, though.
 */
struct cli_exe_info {
    /** Information about all the sections of this file.
     * This array has \p nsections elements.
     * NOTE(review): presumably allocated by the parser and released by
     * cli_exe_info_destroy() — confirm ownership against the implementation
     * before freeing or retaining it anywhere else. */
    struct cli_exe_section *sections;
    /** Offset where this executable starts in file (nonzero if embedded) */
    uint32_t offset;
    /** File offset to the entrypoint of the executable. */
    uint32_t ep;
    /** Number of sections.
     * NOTE: If a section is determined to be invalid (exists outside of the
     * file) then it will not be included in this count (at least for PE).
     * NOTE(review): that guarantee is only stated for PE. Code that reads
     * file data through an ELF/MachO section entry should still check
     * raw/rsz against the file size itself — confirm with those parsers.
     */
    uint16_t nsections;

    /***************** Begin PE-specific Section *****************/

    /** Resources RVA */
    uint32_t res_addr;

    /** Size of the header (aligned). This corresponds to
     * SizeOfHeaders in the optional header
     */
    uint32_t hdr_size;

    /** Hashset for versioninfo matching */
    struct cli_hashset vinfo;
    /** Entry point RVA */
    uint32_t vep;
    /** Number of data directory entries at the end of the optional header.
     * This also corresponds to the number of entries in dirs that has
     * been populated with information.
     * NOTE(review): dirs has only 16 slots, but this member is a uint32_t
     * taken from the file and whether the parser clamps it is not visible
     * here. Before indexing dirs[i], check both i < ndatadirs and i < 16.
     */
    uint32_t ndatadirs;
    /** Whether this file is a DLL (nonzero if so) */
    uint32_t is_dll;
    /** Whether this file is a PE32+ exe (64-bit; nonzero if so) */
    uint32_t is_pe32plus;
    /** Offset of the PE ("new exe") header, i.e. the DOS header's e_lfanew value */
    uint32_t e_lfanew;
    /** The lowest section RVA */
    uint32_t min;
    /** The RVA of the highest byte contained within a section */
    uint32_t max;
    /** Offset of any file overlays, as determined by parsing the PE header */
    uint32_t overlay_start;
    /** Size of the overlay */
    uint32_t overlay_size;
    /* Raw data copied in from the EXE directly.
     *
     * NOTE: The data in the members below haven't been converted to host
     * endianness, so all field accesses must account for this to ensure
     * proper functionality on big endian systems (the PE header is always
     * little-endian).
     *
     * NOTE(review): because these are verbatim copies of untrusted file
     * content, treat every count, size and offset read from them as
     * unvalidated and range-check it before use.
     */
    /** Image File Header for this PE file */
    struct pe_image_file_hdr file_hdr;
    /** PE optional header. Use is_pe32plus to determine whether the 32-bit
     * or 64-bit union member should be used. */
    union {
        struct pe_image_optional_hdr64 opt64;
        struct pe_image_optional_hdr32 opt32;
    } pe_opt;
    /** PE data directory header. If ndatadirs is less than 16,
     * the unpopulated entries will be memset'd to zero.
     */
    struct pe_image_data_dir dirs[16];
    /***************** End PE-specific Section *****************/
};
/** Reset \p exeinfo to a known starting state.
 * \param exeinfo Structure to initialise.
 * \param offset  Stored in cli_exe_info::offset — the file offset at which
 *                this executable begins (nonzero when it is embedded).
 * NOTE(review): whether every other member (sections, vinfo, dirs, ...) is
 * zeroed here is not visible from the header — confirm before relying on
 * e.g. sections == NULL after init.
 */
void cli_exe_info_init(struct cli_exe_info *exeinfo, uint32_t offset);
/** Release the resources held by \p exeinfo (presumably the sections array
 * and the vinfo hashset — confirm with the implementation); the struct
 * object itself is presumably left to the caller. Pair each
 * cli_exe_info_init() with exactly one destroy to avoid leaks, and do not
 * touch exeinfo->sections afterwards unless the implementation is known to
 * reset it.
 */
void cli_exe_info_destroy(struct cli_exe_info *exeinfo);
#endif |