1a486dca |
/* |
847d7fc1 |
* Copyright (C) 2009-2010 Sourcefire, Inc. |
75acf165 |
* All rights reserved. |
1a486dca |
* Authors: Török Edvin
* |
75acf165 |
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution. |
1a486dca |
* |
75acf165 |
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE. |
1a486dca |
*/ |
b8656613 |
/** @file */ |
ab636570 |
#ifndef BYTECODE_API_H
#define BYTECODE_API_H |
1a486dca |
|
88815fd8 |
#ifdef __CLAMBC__
#include "bytecode_execs.h" |
250d92c5 |
#include "bytecode_pe.h"
#include "bytecode_disasm.h" |
88815fd8 |
#endif
#ifndef __CLAMBC__
#include "execs.h" |
250d92c5 |
struct DISASM_RESULT; |
88815fd8 |
#endif |
1a486dca |
|
b8656613 |
/** Bytecode trigger kind */ |
ab636570 |
enum BytecodeKind { |
b8656613 |
/** generic bytecode, not tied a specific hook */
BC_GENERIC=0, |
ab636570 |
_BC_START_HOOKS=256, |
b8656613 |
/** triggered by a logical signature */
BC_LOGICAL=256,
/** a PE unpacker */
BC_PE_UNPACKER, |
ab636570 |
_BC_LAST_HOOK
};
|
0fa95ef2 |
enum { PE_INVALID_RVA = 0xFFFFFFFF };
|
4789b8a5 |
#ifdef __CLAMBC__
|
b8656613 |
/** @brief Logical signature match counts
*
* This is a low-level variable, use the Macros in bytecode_local.h instead to
* access it.
* */ |
88815fd8 |
extern const uint32_t __clambc_match_counts[64]; |
b8656613 |
/** PE data, if this is a PE hook */ |
ec41017b |
extern const struct cli_pe_hook_data __clambc_pedata; |
0fa95ef2 |
/** File size (max 4G) */ |
f4e34215 |
extern const uint32_t __clambc_filesize[1]; |
88815fd8 |
|
b8656613 |
/** Kind of the bytecode */ |
ec41017b |
const uint16_t __clambc_kind; |
88815fd8 |
|
d0af4afe |
uint32_t test1(uint32_t, uint32_t); |
4789b8a5 |
|
b8656613 |
/**
* @brief Reads specified amount of bytes from the current file |
4395bb9a |
* into a buffer. Also moves current position in the file. |
b8656613 |
*
* @param[in] size amount of bytes to read
* @param[out] data pointer to buffer where data is read into
* @return amount read.
*/ |
dcee45cc |
int32_t read(uint8_t *data, int32_t size); |
4789b8a5 |
|
b8656613 |
|
4789b8a5 |
enum { |
b8656613 |
/**set file position to specified absolute position */ |
4789b8a5 |
SEEK_SET=0, |
b8656613 |
/**set file position relative to current position */ |
4789b8a5 |
SEEK_CUR, |
b8656613 |
/**set file position relative to file end*/ |
4789b8a5 |
SEEK_END
};
|
b8656613 |
/**
* @brief Writes the specified amount of bytes from a buffer to the
* current temporary file.
* @param[in] data pointer to buffer of data to write
* @param[in] size amount of bytes to write
* \p size bytes to temporary file, from the buffer pointed to
* byte
* @return amount of bytes successfully written
*/ |
250d92c5 |
int32_t write(uint8_t *data, int32_t size); |
b8656613 |
/**
* @brief Changes the current file position to the specified one.
* @sa SEEK_SET, SEEK_CUR, SEEK_END
* @param[in] pos offset (absolute or relative depending on \p whence param)
* @param[in] whence one of \p SEEK_SET, \p SEEK_CUR, \p SEEK_END
* @return absolute position in file
*/ |
4789b8a5 |
int32_t seek(int32_t pos, uint32_t whence);
|
b8656613 |
/**
* Sets the name of the virus found.
*
* @param[in] name the name of the virus
* @param[in] len length of the virusname
* @return 0
*/ |
d38d6dad |
uint32_t setvirusname(const uint8_t *name, uint32_t len);
|
b8656613 |
/**
* Prints a debug message.
*
* @param[in] str Message to print
* @param[in] len length of message to print
* @return 0
*/ |
dcee45cc |
uint32_t debug_print_str(const uint8_t *str, uint32_t len); |
b8656613 |
/**
* Prints a number as a debug message.
*
* @param[in] a number to print
* @return 0
*/ |
2d45ef06 |
uint32_t debug_print_uint(uint32_t a); |
7189addb |
|
b8656613 |
/**
* Disassembles starting from current file position, the specified amount of
* bytes.
* @param[out] result pointer to struct holding result
* @param[in] len how many bytes to disassemble
* @return 0 for success
*
* You can use lseek to disassemble starting from a different location.
* This is a low-level API, the result is in ClamAV type-8 signature format
* (64 bytes/instruction).
* \sa DisassembleAt |
0fa95ef2 |
*/ |
b8656613 |
uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len); |
65c740d7 |
/* tracing API */
/* a scope: lexical block, function, or compile unit */
uint32_t trace_directory(const uint8_t* directory, uint32_t dummy);
uint32_t trace_scope(const uint8_t* newscope, uint32_t scopeid);
uint32_t trace_source(const uint8_t* srcfile, uint32_t line);
uint32_t trace_op(const uint8_t* opname, uint32_t column);
uint32_t trace_value(const uint8_t* name, uint32_t v); |
688799d1 |
uint32_t trace_ptr(const uint8_t* ptr, uint32_t dummy); |
65c740d7 |
|
0fa95ef2 |
/** Converts a RVA (Relative Virtual Address) to
* an absolute PE file offset.
* @param rva a rva address from the PE file
* @return absolute file offset mapped to the \p rva,
* or PE_INVALID_RVA if the \p rva is invalid.
*/ |
2d45ef06 |
uint32_t pe_rawaddr(uint32_t rva); |
0fa95ef2 |
|
565e677f |
/** Looks for the specified sequence of bytes in the current file.
* @param[in] data the sequence of bytes to look for
* @param len length of \p data, cannot be more than 1024
* @return offset in the current file if match is found, -1 otherwise */
int32_t file_find(const uint8_t* data, uint32_t len);
/** Read a single byte from current file
* @param offset file offset
* @return byte at offset \p off in the current file, or -1 if offset is
* invalid */ |
2d45ef06 |
int32_t file_byteat(uint32_t offset);
/** Allocates memory. Currently this memory is freed automatically on exit
from the bytecode, and there is no way to free it sooner.
@param size amount of memory to allocate in bytes
@return pointer to allocated memory */
void* malloc(uint32_t size);
uint32_t test2(uint32_t a); |
565e677f |
|
236fb136 |
int32_t get_pe_section(struct cli_exe_section *section, uint32_t num);
|
4789b8a5 |
#endif |
ab636570 |
#endif |