
filesize, and pe_rawaddr API.

Török Edvin authored on 2010/01/19 02:31:59
Showing 10 changed files
... ...
@@ -1605,6 +1605,7 @@ int cli_bytecode_context_setfile(struct cli_bc_ctx *ctx, fmap_t *map)
1605 1605
 {
1606 1606
     ctx->fmap = map;
1607 1607
     ctx->file_size = map->len + map->offset;
1608
+    ctx->hooks.filesize = &ctx->file_size;
1608 1609
     return 0;
1609 1610
 }
1610 1611
 
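Review bot: `ctx->file_size = map->len + map->offset;` now stores into a `uint32_t` (the field is narrowed from `size_t` in the `struct cli_bc_ctx` hunk further down), so a map whose end lies beyond 4 GiB is silently truncated and `__clambc_filesize`, documented in bytecode_api.h as "max 4G", would hand the bytecode a wrapped value. Making the limit explicit is one line before the assignment, assuming `map->len` and `map->offset` are wider than 32 bits and callers treat a non-zero return as failure: `if (map->len + map->offset > UINT32_MAX) return -1;`. The whole body of `cli_bytecode_context_setfile` is visible in this hunk, so the new `hooks.filesize` pointer into `ctx->file_size` is otherwise fine as long as `ctx` outlives the hook.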
... ...
@@ -38,6 +38,7 @@
38 38
 #include "bytecode_api.h"
39 39
 #include "bytecode_api_impl.h"
40 40
 #include "others.h"
41
+#include "pe.h"
41 42
 
42 43
 uint32_t cli_bcapi_test0(struct cli_bc_ctx *ctx, struct foo* s, uint32_t u)
43 44
 {
... ...
@@ -239,3 +240,15 @@ uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const const uint8_t* ptr, u
239 239
 	ctx->trace_ptr(ctx, ptr);
240 240
     return 0;
241 241
 }
242
+
243
+uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t rva, uint32_t dummy)
244
+{
245
+  uint32_t ret;
246
+  int err = 0;
247
+  const struct cli_pe_hook_data *pe = ctx->hooks.pedata;
248
+  ret = cli_rawaddr(rva, pe->exe_info.section, pe->exe_info.nsections, &err,
249
+		    ctx->file_size, pe->hdr_size);
250
+  if (err)
251
+    return PE_INVALID_RVA;
252
+  return ret;
253
+}
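Review bot: `cli_bcapi_pe_rawaddr` dereferences `ctx->hooks.pedata` without a NULL check at `pe->exe_info.section`; the header in this commit documents `__clambc_pedata` as "PE data, if this is a PE hook", so a non-PE bytecode that calls this API would read through a null pointer. Returning the documented sentinel keeps the contract: `if (!pe) return PE_INVALID_RVA;` immediately after the `pe` declaration. The new function is also indented with two spaces while the surrounding lines use tabs and four spaces, so its body should follow the file's existing convention.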
... ...
@@ -56,6 +56,8 @@ enum BytecodeKind {
56 56
     _BC_LAST_HOOK
57 57
 };
58 58
 
59
+enum { PE_INVALID_RVA = 0xFFFFFFFF };
60
+
59 61
 #ifdef __CLAMBC__
60 62
 
61 63
 /** @brief Logical signature match counts
... ...
@@ -68,6 +70,8 @@ extern const uint32_t __clambc_match_counts[64];
68 68
 extern const struct cli_exe_info __clambc_exeinfo;
69 69
 /** PE data, if this is a PE hook */
70 70
 extern const struct cli_pe_hook_data __clambc_pedata;
71
+/** File size (max 4G) */
72
+extern const uint32_t __clambc_filesize;
71 73
 
72 74
 /** Kind of the bytecode */
73 75
 const uint16_t __clambc_kind;
... ...
@@ -153,7 +157,7 @@ uint32_t debug_print_uint(uint32_t a, uint32_t b);
153 153
  * This is a low-level API, the result is in ClamAV type-8 signature format 
154 154
  * (64 bytes/instruction).
155 155
  *  \sa DisassembleAt
156
- * */
156
+ */
157 157
 uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len);
158 158
 
159 159
 /* tracing API */
... ...
@@ -166,5 +170,13 @@ uint32_t trace_op(const uint8_t* opname, uint32_t column);
166 166
 uint32_t trace_value(const uint8_t* name, uint32_t v);
167 167
 uint32_t trace_ptr(const uint8_t* ptr, uint32_t dummy);
168 168
 
169
+/** Converts a RVA (Relative Virtual Address) to
170
+  * an absolute PE file offset.
171
+  * @param rva a rva address from the PE file
172
+  * @return absolute file offset mapped to the \p rva,
173
+  * or PE_INVALID_RVA if the \p rva is invalid.
174
+  */
175
+uint32_t pe_rawaddr(uint32_t rva, uint32_t dummy);
176
+
169 177
 #endif
170 178
 #endif
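Review bot: `enum { PE_INVALID_RVA = 0xFFFFFFFF };` is not strictly conforming C: an enumerator's value must be representable as an `int`, which 0xFFFFFFFF is not, so this relies on a compiler extension (GCC and Clang accept it, warning under `-pedantic`) and leaves the constant's type implementation-defined. Since `cli_bcapi_pe_rawaddr` returns it through a `uint32_t`, a typed macro avoids both problems and can stay exactly where the enum is, before `#ifdef __CLAMBC__`: `#define PE_INVALID_RVA 0xFFFFFFFFu`. The `pe_rawaddr` doc comment at the end of this section could also add `@param dummy ignored by the implementation`, since the function body in bytecode_api.c never reads it.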
... ...
@@ -48,6 +48,7 @@ uint32_t cli_bcapi_trace_source(struct cli_bc_ctx *ctx, const const uint8_t*, ui
48 48
 uint32_t cli_bcapi_trace_op(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
49 49
 uint32_t cli_bcapi_trace_value(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
50 50
 uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
51
+uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t, uint32_t);
51 52
 
52 53
 const struct cli_apiglobal cli_globals[] = {
53 54
 /* Bytecode globals BEGIN */
... ...
@@ -55,6 +56,8 @@ const struct cli_apiglobal cli_globals[] = {
55 55
 	 ((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)},
56 56
 	{"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 82,
57 57
 	 ((char*)&((struct cli_bc_ctx*)0)->hooks.match_counts - (char*)NULL)},
58
+	{"__clambc_filesize", GLOBAL_FILESIZE, 32,
59
+	 ((char*)&((struct cli_bc_ctx*)0)->hooks.filesize - (char*)NULL)},
58 60
 	{"__clambc_exeinfo", GLOBAL_EXEINFO, 79,
59 61
 	 ((char*)&((struct cli_bc_ctx*)0)->hooks.exeinfo - (char*)NULL)},
60 62
 	{"__clambc_pedata", GLOBAL_PEDATA, 69,
... ...
@@ -76,14 +79,14 @@ static uint16_t cli_tmp10[]={80, 32, 32, 16};
76 76
 static uint16_t cli_tmp11[]={81};
77 77
 static uint16_t cli_tmp12[]={32, 32, 32, 32, 32, 32, 32, 32, 32};
78 78
 static uint16_t cli_tmp13[]={32};
79
-static uint16_t cli_tmp14[]={32, 65, 32};
80
-static uint16_t cli_tmp15[]={32, 85, 32};
81
-static uint16_t cli_tmp16[]={86};
82
-static uint16_t cli_tmp17[]={16, 8, 8, 8, 88, 87};
83
-static uint16_t cli_tmp18[]={8};
84
-static uint16_t cli_tmp19[]={89};
85
-static uint16_t cli_tmp20[]={8};
86
-static uint16_t cli_tmp21[]={32, 32, 32};
79
+static uint16_t cli_tmp14[]={32, 32, 32};
80
+static uint16_t cli_tmp15[]={32, 65, 32};
81
+static uint16_t cli_tmp16[]={32, 86, 32};
82
+static uint16_t cli_tmp17[]={87};
83
+static uint16_t cli_tmp18[]={16, 8, 8, 8, 89, 88};
84
+static uint16_t cli_tmp19[]={8};
85
+static uint16_t cli_tmp20[]={90};
86
+static uint16_t cli_tmp21[]={8};
87 87
 static uint16_t cli_tmp22[]={32, 92, 32};
88 88
 static uint16_t cli_tmp23[]={93};
89 89
 static uint16_t cli_tmp24[]={92};
... ...
@@ -105,12 +108,12 @@ const struct cli_bc_type cli_apicall_types[]={
105 105
 	{DArrayType, cli_tmp13, 64, 0, 0},
106 106
 	{DFunctionType, cli_tmp14, 3, 0, 0},
107 107
 	{DFunctionType, cli_tmp15, 3, 0, 0},
108
-	{DPointerType, cli_tmp16, 1, 0, 0},
109
-	{DStructType, cli_tmp17, 6, 0, 0},
110
-	{DArrayType, cli_tmp18, 29, 0, 0},
111
-	{DArrayType, cli_tmp19, 10, 0, 0},
112
-	{DArrayType, cli_tmp20, 3, 0, 0},
113
-	{DFunctionType, cli_tmp21, 3, 0, 0},
108
+	{DFunctionType, cli_tmp16, 3, 0, 0},
109
+	{DPointerType, cli_tmp17, 1, 0, 0},
110
+	{DStructType, cli_tmp18, 6, 0, 0},
111
+	{DArrayType, cli_tmp19, 29, 0, 0},
112
+	{DArrayType, cli_tmp20, 10, 0, 0},
113
+	{DArrayType, cli_tmp21, 3, 0, 0},
114 114
 	{DFunctionType, cli_tmp22, 3, 0, 0},
115 115
 	{DPointerType, cli_tmp23, 1, 0, 0},
116 116
 	{DStructType, cli_tmp24, 1, 0, 0}
... ...
@@ -120,26 +123,28 @@ const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall
120 120
 const struct cli_apicall cli_apicalls[]={
121 121
 /* Bytecode APIcalls BEGIN */
122 122
 	{"test0", 22, 0, 1},
123
-	{"test1", 21, 0, 0},
124
-	{"read", 14, 1, 1},
125
-	{"write", 14, 2, 1},
126
-	{"seek", 21, 1, 0},
127
-	{"setvirusname", 14, 3, 1},
128
-	{"debug_print_str", 14, 4, 1},
129
-	{"debug_print_uint", 21, 2, 0},
130
-	{"disasm_x86", 15, 5, 1},
131
-	{"trace_directory", 14, 6, 1},
132
-	{"trace_scope", 14, 7, 1},
133
-	{"trace_source", 14, 8, 1},
134
-	{"trace_op", 14, 9, 1},
135
-	{"trace_value", 14, 10, 1},
136
-	{"trace_ptr", 14, 11, 1}
123
+	{"test1", 14, 0, 0},
124
+	{"read", 15, 1, 1},
125
+	{"write", 15, 2, 1},
126
+	{"seek", 14, 1, 0},
127
+	{"setvirusname", 15, 3, 1},
128
+	{"debug_print_str", 15, 4, 1},
129
+	{"debug_print_uint", 14, 2, 0},
130
+	{"disasm_x86", 16, 5, 1},
131
+	{"trace_directory", 15, 6, 1},
132
+	{"trace_scope", 15, 7, 1},
133
+	{"trace_source", 15, 8, 1},
134
+	{"trace_op", 15, 9, 1},
135
+	{"trace_value", 15, 10, 1},
136
+	{"trace_ptr", 15, 11, 1},
137
+	{"pe_rawaddr", 14, 3, 0}
137 138
 /* Bytecode APIcalls END */
138 139
 };
139 140
 const cli_apicall_int2 cli_apicalls0[] = {
140 141
 	(cli_apicall_int2)cli_bcapi_test1,
141 142
 	(cli_apicall_int2)cli_bcapi_seek,
142
-	(cli_apicall_int2)cli_bcapi_debug_print_uint
143
+	(cli_apicall_int2)cli_bcapi_debug_print_uint,
144
+	(cli_apicall_int2)cli_bcapi_pe_rawaddr
143 145
 };
144 146
 const cli_apicall_pointer cli_apicalls1[] = {
145 147
 	(cli_apicall_pointer)cli_bcapi_test0,
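Review bot: The new `__clambc_filesize` row computes its offset as `((char*)&((struct cli_bc_ctx*)0)->hooks.filesize - (char*)NULL)`, which forms an address from a null-based member access and then subtracts null pointers — undefined behaviour in ISO C, even though it copies the neighbouring rows; `offsetof(struct cli_bc_ctx, hooks.filesize)` from `<stddef.h>` yields the same value portably. If this table is produced by a generator, as the BEGIN/END markers suggest, the fix belongs in the generator's template rather than in this file. Separately, `GLOBAL_FILESIZE` is appended after `GLOBAL_PEDATA` in `enum bc_global` while the row is inserted before `__clambc_exeinfo`; if anything indexes `cli_globals` by the enum value that ordering should be confirmed.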
... ...
@@ -45,5 +45,6 @@ uint32_t cli_bcapi_trace_source(struct cli_bc_ctx *ctx, const const uint8_t*, ui
45 45
 uint32_t cli_bcapi_trace_op(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
46 46
 uint32_t cli_bcapi_trace_value(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
47 47
 uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
48
+uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t, uint32_t);
48 49
 
49 50
 #endif
... ...
@@ -32,6 +32,7 @@
32 32
 struct cli_bc_hooks {
33 33
 	 const uint16_t* kind;
34 34
 	 const uint32_t* match_counts;
35
+	 const uint32_t* filesize;
35 36
 	 const struct cli_exe_info* exeinfo;
36 37
 	 const struct cli_pe_hook_data* pedata;
37 38
 };
... ...
@@ -124,7 +124,7 @@ struct cli_bc_ctx {
124 124
     operand_t *operands;
125 125
     uint16_t funcid;
126 126
     unsigned numParams;
127
-    size_t file_size;
127
+    uint32_t file_size;
128 128
     off_t off;
129 129
     fmap_t *fmap;
130 130
     const char *virname;
... ...
@@ -119,6 +119,7 @@ enum bc_global {
119 119
   GLOBAL_VIRUSNAMES,
120 120
   GLOBAL_EXEINFO,
121 121
   GLOBAL_PEDATA,
122
+  GLOBAL_FILESIZE,
122 123
   _LAST_GLOBAL
123 124
 };
124 125
 
... ...
@@ -2236,6 +2236,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
2236 2236
     pedata.e_lfanew = e_lfanew;
2237 2237
     pedata.overlays = overlays;
2238 2238
     pedata.overlays_sz = fsize - overlays;
2239
+    pedata.hdr_size = hdr_size;
2239 2240
     cli_bytecode_context_setpe(bc_ctx, &pedata);
2240 2241
     cli_bytecode_context_setctx(bc_ctx, ctx);
2241 2242
     ret = cli_bytecode_runhook(ctx->engine, bc_ctx, BC_PE_UNPACKER, map, ctx->virname);
... ...
@@ -145,6 +145,7 @@ struct cli_pe_hook_data {
145 145
     uint32_t e_lfanew;/**< address of new exe header */
146 146
     uint32_t overlays;/**< number of overlays */
147 147
     int32_t overlays_sz;/**< size of overlays */
148
+    uint32_t hdr_size;/**< internally needed by rawaddr */
148 149
     /* FIXME: these should not be necessary (they are for now) */
149 150
     uint8_t dummyn;
150 151
     uint8_t *dummy EBOUNDS(dummyn);