/* |
* Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
* Copyright (C) 2007-2013 Sourcefire, Inc. |
* |
* Authors: Alberto Wu, Tomasz Kojm, Andrew Williams |
*
* Acknowledgements: The header structures were based upon a PE format |
* analysis by B. Luevelsmeyer. |
* |
* This program is free software; you can redistribute it and/or modify |
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation. |
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software |
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA. |
*/
#ifndef __PE_H
#define __PE_H
#include "clamav.h" |
#include "others.h" |
#include "fmap.h" |
#include "bcfeatures.h" |
#include "pe_structs.h"
#include "execs.h" |
|
/** Data for the bytecode PE hook
 * \group_pe
 *
 * NOTE: This structure must stay in-sync with the ones defined within the
 * clamav-bytecode-compiler source at:
 * - clang/lib/Headers/bytecode_pe.h
 * - llvm/tools/clang/lib/Headers/bytecode_pe.h
 * We allocate space for this, populate the values via cli_peheader, and pass
 * it to the bytecode sig runtime for use.
 *
 * Because the layout is shared with the bytecode runtime, field order, field
 * widths and the explicit alignment members (dummy, dummy2) are part of the
 * contract: do not reorder, resize or remove members without updating the
 * compiler-side definitions listed above in the same change.
 *
 * TODO Next time we are making changes to the clamav-bytecode-compiler
 * source, update pe_image_optional_hdr32 and pe_image_optional_hdr64 to
 * remove DataDirectory from both (like with the definitions here). Then,
 * remove opt32_dirs and opt64_dirs below. There's no need to have these
 * bytes in 3 places! Also, consider using a union to hold opt32 and opt64,
 * since you never need more than one at a time.
 */
struct cli_pe_hook_data {
    uint32_t offset;                         /**< populated by cli_peheader; its meaning is not documented in this header — see pe.c */
    uint32_t ep;                             /**< EntryPoint as file offset */
    uint16_t nsections;                      /**< Number of sections */
    uint16_t dummy;                          /* align */
    struct pe_image_file_hdr file_hdr;       /**< Header for this PE file */
    struct pe_image_optional_hdr32 opt32;    /**< 32-bit PE optional header */
    /** Our opt32 no longer includes DataDirectory[16], but the one in the
     * bytecode compiler source still does. Add this here as a placeholder (and
     * it gets used, so we need to populate it also). */
    struct pe_image_data_dir opt32_dirs[16];
    uint32_t dummy2;                         /* align */
    struct pe_image_optional_hdr64 opt64;    /**< 64-bit PE optional header */
    struct pe_image_data_dir opt64_dirs[16]; /**< See note about opt32_dirs */
    struct pe_image_data_dir dirs[16];       /**< PE data directory header */
    uint32_t e_lfanew;                       /**< address of new exe header */
    uint32_t overlays;                       /**< number of overlays */
    int32_t overlays_sz;                     /**< size of overlays (signed, unlike overlays — confirm intended range in pe.c) */
    uint32_t hdr_size;                       /**< internally needed by rawaddr */
};
|
/**
 * Scanner entry point for PE executables (by name; implemented in pe.c).
 *
 * @param ctx  scan context for the file being examined
 * @return     int status code; see the definition in pe.c for the values
 */
int cli_scanpe(cli_ctx *ctx);
|
/**
 * Hash class selectors; by name these are the values accepted by the
 * `class` argument of cli_genhash_pe() (confirm against pe.c).
 * CL_GENHASH_PE_CLASS_LAST is a sentinel counting the classes, not a class.
 */
enum {
    CL_GENHASH_PE_CLASS_SECTION, /**< per-section hashes */
    CL_GENHASH_PE_CLASS_IMPTBL,  /**< import-table hash */
    /* place new class types above this line */
    CL_GENHASH_PE_CLASS_LAST
};
|
// For info about these, see the cli_peheader definition in pe.c
// Bit flags for the `opts` argument of cli_peheader(); each value is a single
// bit so they can be combined with bitwise OR.
#define CLI_PEHEADER_OPT_NONE 0x0
#define CLI_PEHEADER_OPT_COLLECT_JSON 0x1
#define CLI_PEHEADER_OPT_DBG_PRINT_INFO 0x2
#define CLI_PEHEADER_OPT_EXTRACT_VINFO 0x4
#define CLI_PEHEADER_OPT_STRICT_ON_PE_ERRORS 0x8
#define CLI_PEHEADER_OPT_REMOVE_MISSING_SECTIONS 0x10
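// Return codes of cli_peheader(); by name, 0 is success and negative values
// are failures. The negative constants are parenthesised so that they expand
// safely inside larger expressions.
#define CLI_PEHEADER_RET_SUCCESS 0
#define CLI_PEHEADER_RET_GENERIC_ERROR (-1)
#define CLI_PEHEADER_RET_BROKEN_PE (-2)
#define CLI_PEHEADER_RET_JSON_TIMEOUT (-3)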
/**
 * Fill @p peinfo from the mapped PE file @p map (by name; see pe.c).
 *
 * @param map     fmap of the file being examined
 * @param peinfo  out: executable info to populate
 * @return        int status; confirm the value set against pe.c
 */
int cli_pe_targetinfo(fmap_t *map, struct cli_exe_info *peinfo);

/**
 * Parse the PE headers of @p map into @p peinfo.
 *
 * @param map     fmap of the file being examined
 * @param peinfo  out: executable info to populate
 * @param opts    bitwise OR of the CLI_PEHEADER_OPT_* flags defined in this header
 * @param ctx     scan context (used for JSON collection/timeouts per the option names — confirm in pe.c)
 * @return        one of the CLI_PEHEADER_RET_* codes defined in this header (by name)
 */
int cli_peheader(fmap_t *map, struct cli_exe_info *peinfo, uint32_t opts, cli_ctx *ctx);
|
/**
 * Check the authenticode (signature) header of the PE described by @p peinfo
 * (by name; see pe.c for the exact checks performed).
 *
 * @param ctx     scan context
 * @param peinfo  executable info previously populated by cli_peheader
 * @return        cl_error_t status
 */
cl_error_t cli_check_auth_header(cli_ctx *ctx, struct cli_exe_info *peinfo);
/**
 * Generate hashes for parts of the current PE (by name; see pe.c).
 *
 * @param ctx     scan context
 * @param class   one of the CL_GENHASH_PE_CLASS_* values from this header (by name; confirm in pe.c)
 * @param type    hash type selector; its values are not documented in this header
 * @param hashes  out: where the generated hashes are stored
 * @return        int status; confirm the values against pe.c
 *
 * NOTE(review): the parameter name `class` is a keyword in C++, so this
 * prototype would not compile if the header were ever included from a C++
 * translation unit; renaming it (e.g. to `hash_class`) is interface-neutral.
 */
int cli_genhash_pe(cli_ctx *ctx, unsigned int class, int type, stats_section_t *hashes);
|
/**
 * Virtual-to-raw address translation for a PE (by name; see pe.c).
 *
 * The parameters are unnamed in this prototype; from the types, the second
 * and third are a section table and its entry count, the fourth is an
 * out-parameter, and the last is presumably the header size that
 * cli_pe_hook_data.hdr_size says is "internally needed by rawaddr". Confirm
 * the exact meaning of each, and the value returned on failure, against the
 * definition in pe.c before relying on them.
 */
uint32_t cli_rawaddr(uint32_t, const struct cli_exe_section *, uint16_t, unsigned int *, size_t, uint32_t);
/**
 * Walk PE resources and invoke a callback for matches (by name; see pe.c).
 *
 * The first two parameters are unnamed here; the callback receives the
 * trailing `void *` as its first argument followed by four uint32_t values,
 * and its int return is presumably used to stop or continue the walk —
 * confirm both against the definition in pe.c. Not declared static, yet
 * carries no `cli_` prefix; it is part of the exported symbol namespace.
 */
void findres(uint32_t, uint32_t, fmap_t *map, struct cli_exe_info *, int (*)(void *, uint32_t, uint32_t, uint32_t, uint32_t), void *);
|
#endif |