examples/fileprop_analysis/ftype_sample.c
 VIRUSNAME_PREFIX("SUBMIT.filetype")
 VIRUSNAMES("CL_TYPE_MSWORD", "CL_TYPE_MSPPT", "CL_TYPE_MSXL",
            "CL_TYPE_OOXML_WORD", "CL_TYPE_OOXML_PPT", "CL_TYPE_OOXML_XL",
            "CL_TYPE_MSEXE", "CL_TYPE_PDF", "CL_TYPE_MSOLE2", "CL_TYPE_UNKNOWN", "InActive")
 
 /* Target type is 0, all relevant files */
 TARGET(0)
 
 /* Declares to run bytecode only for preclassification (affecting only preclass files) */
 PRECLASS_HOOK_DECLARE
 
 /* JSON API call will require FUNC_LEVEL_098_5 = 78 */
 /* PRECLASS_HOOK_DECLARE will require FUNC_LEVEL_098_7 = 80 */
 FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_7)
 
 #define STR_MAXLEN 256
 
 int entrypoint ()
 {
     int32_t objid, jtype, len;
     char str[STR_MAXLEN];
 
     /* Flag "InActive" when the JSON properties API is unavailable. Execution
      * deliberately continues; the lookups below decide the final result. */
     if (!json_is_active())
         foundVirus("InActive");
 
     /* Fetch the "FileType" property from object 0. A non-positive id means
      * the property is absent; anything but a string is equally unusable.
      * Both cases return 1 to signal an error to the caller. */
     objid = json_get_object("FileType", 8, 0);
     if (objid <= 0) {
         debug_print_str("json object has no filetype!", 28);
         return 1;
     }
     jtype = json_get_type(objid);
     if (jtype != JSON_TYPE_STRING) {
         debug_print_str("json object filetype property is not string!", 44);
         return 1;
     }
 
     /* Length of the value plus one byte for its NUL terminator, clamped to
      * the local buffer size so the copy below can never overrun str. */
     len = json_get_string_length(objid) + 1;
     if (len > STR_MAXLEN)
         len = STR_MAXLEN;
 
     /* No string could be copied out: nothing to classify, not an error. */
     if (!json_get_string(str, len, objid))
         return 0;
 
     /* len counts the NUL terminator, so the debug line covers the whole value. */
     debug_print_str(str, len);
 
     /* Dispatch on the NUL-inclusive length first, then confirm the bytes.
      * Every memcmp spans the terminator, so only an exact match hits; a
      * value truncated by the clamp above never matches any case and is
      * therefore reported as CL_TYPE_UNKNOWN. */
     switch (len) {
     case 12:
         if (!memcmp(str, "CL_TYPE_PDF", 12)) {
             foundVirus("CL_TYPE_PDF");
             return 0;
         }
         break;
     case 13:
         if (!memcmp(str, "CL_TYPE_MSXL", 13)) {
             foundVirus("CL_TYPE_MSXL");
             return 0;
         }
         break;
     case 14:
         if (!memcmp(str, "CL_TYPE_MSEXE", 14)) {
             foundVirus("CL_TYPE_MSEXE");
             return 0;
         }
         if (!memcmp(str, "CL_TYPE_MSPPT", 14)) {
             foundVirus("CL_TYPE_MSPPT");
             return 0;
         }
         break;
     case 15:
         if (!memcmp(str, "CL_TYPE_MSWORD", 15)) {
             foundVirus("CL_TYPE_MSWORD");
             return 0;
         }
         if (!memcmp(str, "CL_TYPE_MSOLE2", 15)) {
             foundVirus("CL_TYPE_MSOLE2");
             return 0;
         }
         break;
     case 17:
         if (!memcmp(str, "CL_TYPE_OOXML_XL", 17)) {
             foundVirus("CL_TYPE_OOXML_XL");
             return 0;
         }
         break;
     case 18:
         if (!memcmp(str, "CL_TYPE_OOXML_PPT", 18)) {
             foundVirus("CL_TYPE_OOXML_PPT");
             return 0;
         }
         break;
     case 19:
         if (!memcmp(str, "CL_TYPE_OOXML_WORD", 19)) {
             foundVirus("CL_TYPE_OOXML_WORD");
             return 0;
         }
         break;
     default:
         break;
     }
 
     /* A string that matched none of the known type names. */
     foundVirus("CL_TYPE_UNKNOWN");
     return 0;
 }