@@ -38,6 +38,7 @@ |
38 | 38 |
#include "bytecode_api.h" |
39 | 39 |
#include "bytecode_api_impl.h" |
40 | 40 |
#include "others.h" |
41 |
+#include "pe.h" |
|
41 | 42 |
|
42 | 43 |
uint32_t cli_bcapi_test0(struct cli_bc_ctx *ctx, struct foo* s, uint32_t u) |
43 | 44 |
{ |
@@ -239,3 +240,15 @@ uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const const uint8_t* ptr, u |
239 | 239 |
ctx->trace_ptr(ctx, ptr); |
240 | 240 |
return 0; |
241 | 241 |
} |
242 |
+ |
|
243 |
+uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t rva, uint32_t dummy) |
|
244 |
+{ |
|
245 |
+ uint32_t ret; |
|
246 |
+ int err = 0; |
|
247 |
+ const struct cli_pe_hook_data *pe = ctx->hooks.pedata; |
|
248 |
+ ret = cli_rawaddr(rva, pe->exe_info.section, pe->exe_info.nsections, &err, |
|
249 |
+ ctx->file_size, pe->hdr_size); |
|
250 |
+ if (err) |
|
251 |
+ return PE_INVALID_RVA; |
|
252 |
+ return ret; |
|
253 |
+} |
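Review bot: `pe = ctx->hooks.pedata` is dereferenced at `pe->exe_info.section` without a NULL check, so a bytecode that calls pe_rawaddr from a hook that is not a PE hook would crash the scanner if hooks.pedata is left NULL there (the API header in this same commit describes __clambc_pedata as present only "if this is a PE hook"). The API should fail closed rather than trust that the caller is running in the right hook kind: add `if (!pe) return PE_INVALID_RVA;` before the cli_rawaddr call. The `dummy` parameter is unused, presumably a calling-convention requirement, and a `(void)dummy;` or a one-line comment would make that intent explicit. cli_rawaddr's contract is not visible in this diff, so confirm that a non-zero `err` is its only failure signal and that a valid offset can never equal 0xFFFFFFFF.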
@@ -56,6 +56,8 @@ enum BytecodeKind { |
56 | 56 |
_BC_LAST_HOOK |
57 | 57 |
}; |
58 | 58 |
|
59 |
+enum { PE_INVALID_RVA = 0xFFFFFFFF }; |
|
60 |
+ |
|
59 | 61 |
#ifdef __CLAMBC__ |
60 | 62 |
|
61 | 63 |
/** @brief Logical signature match counts |
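Review bot: `enum { PE_INVALID_RVA = 0xFFFFFFFF };` uses a value that does not fit in `int`, which C99 requires of an enumerator; GCC accepts it as an extension and makes the enumerated type unsigned, but that is implementation-defined, and this header is compiled both for the host and for bytecode (the `#ifdef __CLAMBC__` section follows), so the two sides could in principle disagree on the constant's type. Since the value is compared against a `uint32_t` return, an explicitly unsigned constant is safer: `#define PE_INVALID_RVA 0xFFFFFFFFu`. A short comment stating that the sentinel is the return value of pe_rawaddr for an unmappable RVA would also help readers of the header.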
@@ -68,6 +70,8 @@ extern const uint32_t __clambc_match_counts[64]; |
68 | 68 |
extern const struct cli_exe_info __clambc_exeinfo; |
69 | 69 |
/** PE data, if this is a PE hook */ |
70 | 70 |
extern const struct cli_pe_hook_data __clambc_pedata; |
71 |
+/** File size (max 4G) */ |
|
72 |
+extern const uint32_t __clambc_filesize; |
|
71 | 73 |
|
72 | 74 |
/** Kind of the bytecode */ |
73 | 75 |
const uint16_t __clambc_kind; |
@@ -153,7 +157,7 @@ uint32_t debug_print_uint(uint32_t a, uint32_t b); |
153 | 153 |
* This is a low-level API, the result is in ClamAV type-8 signature format |
154 | 154 |
* (64 bytes/instruction). |
155 | 155 |
* \sa DisassembleAt |
156 |
- * */ |
|
156 |
+ */ |
|
157 | 157 |
uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len); |
158 | 158 |
|
159 | 159 |
/* tracing API */ |
@@ -166,5 +170,13 @@ uint32_t trace_op(const uint8_t* opname, uint32_t column); |
166 | 166 |
uint32_t trace_value(const uint8_t* name, uint32_t v); |
167 | 167 |
uint32_t trace_ptr(const uint8_t* ptr, uint32_t dummy); |
168 | 168 |
|
169 |
+/** Converts a RVA (Relative Virtual Address) to |
|
170 |
+ * an absolute PE file offset. |
|
171 |
+ * @param rva a rva address from the PE file |
|
172 |
+ * @return absolute file offset mapped to the \p rva, |
|
173 |
+ * or PE_INVALID_RVA if the \p rva is invalid. |
|
174 |
+ */ |
|
175 |
+uint32_t pe_rawaddr(uint32_t rva, uint32_t dummy); |
|
176 |
+ |
|
169 | 177 |
#endif |
170 | 178 |
#endif |
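Review bot: The new pe_rawaddr doc block documents `rva` but not `dummy`, and it does not say that the conversion depends on the PE hook data, so a bytecode author cannot tell from the header whether calling it from a non-PE hook is allowed. Add `@param dummy unused, pass 0` to the comment, and a sentence such as "Only valid in PE hooks; uses __clambc_pedata" — hedged here because the implementation in this commit reads hooks.pedata, but the behaviour for other hook kinds is not shown. Also document that the result is a file offset relative to the start of the scanned file, which is what the cli_rawaddr call computes, if that is the intended contract.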
@@ -48,6 +48,7 @@ uint32_t cli_bcapi_trace_source(struct cli_bc_ctx *ctx, const const uint8_t*, ui |
48 | 48 |
uint32_t cli_bcapi_trace_op(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t); |
49 | 49 |
uint32_t cli_bcapi_trace_value(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t); |
50 | 50 |
uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t); |
51 |
+uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t, uint32_t); |
|
51 | 52 |
|
52 | 53 |
const struct cli_apiglobal cli_globals[] = { |
53 | 54 |
/* Bytecode globals BEGIN */ |
@@ -55,6 +56,8 @@ const struct cli_apiglobal cli_globals[] = { |
55 | 55 |
((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)}, |
56 | 56 |
{"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 82, |
57 | 57 |
((char*)&((struct cli_bc_ctx*)0)->hooks.match_counts - (char*)NULL)}, |
58 |
+ {"__clambc_filesize", GLOBAL_FILESIZE, 32, |
|
59 |
+ ((char*)&((struct cli_bc_ctx*)0)->hooks.filesize - (char*)NULL)}, |
|
58 | 60 |
{"__clambc_exeinfo", GLOBAL_EXEINFO, 79, |
59 | 61 |
((char*)&((struct cli_bc_ctx*)0)->hooks.exeinfo - (char*)NULL)}, |
60 | 62 |
{"__clambc_pedata", GLOBAL_PEDATA, 69, |
@@ -76,14 +79,14 @@ static uint16_t cli_tmp10[]={80, 32, 32, 16}; |
76 | 76 |
static uint16_t cli_tmp11[]={81}; |
77 | 77 |
static uint16_t cli_tmp12[]={32, 32, 32, 32, 32, 32, 32, 32, 32}; |
78 | 78 |
static uint16_t cli_tmp13[]={32}; |
79 |
-static uint16_t cli_tmp14[]={32, 65, 32}; |
|
80 |
-static uint16_t cli_tmp15[]={32, 85, 32}; |
|
81 |
-static uint16_t cli_tmp16[]={86}; |
|
82 |
-static uint16_t cli_tmp17[]={16, 8, 8, 8, 88, 87}; |
|
83 |
-static uint16_t cli_tmp18[]={8}; |
|
84 |
-static uint16_t cli_tmp19[]={89}; |
|
85 |
-static uint16_t cli_tmp20[]={8}; |
|
86 |
-static uint16_t cli_tmp21[]={32, 32, 32}; |
|
79 |
+static uint16_t cli_tmp14[]={32, 32, 32}; |
|
80 |
+static uint16_t cli_tmp15[]={32, 65, 32}; |
|
81 |
+static uint16_t cli_tmp16[]={32, 86, 32}; |
|
82 |
+static uint16_t cli_tmp17[]={87}; |
|
83 |
+static uint16_t cli_tmp18[]={16, 8, 8, 8, 89, 88}; |
|
84 |
+static uint16_t cli_tmp19[]={8}; |
|
85 |
+static uint16_t cli_tmp20[]={90}; |
|
86 |
+static uint16_t cli_tmp21[]={8}; |
|
87 | 87 |
static uint16_t cli_tmp22[]={32, 92, 32}; |
88 | 88 |
static uint16_t cli_tmp23[]={93}; |
89 | 89 |
static uint16_t cli_tmp24[]={92}; |
@@ -105,12 +108,12 @@ const struct cli_bc_type cli_apicall_types[]={ |
105 | 105 |
{DArrayType, cli_tmp13, 64, 0, 0}, |
106 | 106 |
{DFunctionType, cli_tmp14, 3, 0, 0}, |
107 | 107 |
{DFunctionType, cli_tmp15, 3, 0, 0}, |
108 |
- {DPointerType, cli_tmp16, 1, 0, 0}, |
|
109 |
- {DStructType, cli_tmp17, 6, 0, 0}, |
|
110 |
- {DArrayType, cli_tmp18, 29, 0, 0}, |
|
111 |
- {DArrayType, cli_tmp19, 10, 0, 0}, |
|
112 |
- {DArrayType, cli_tmp20, 3, 0, 0}, |
|
113 |
- {DFunctionType, cli_tmp21, 3, 0, 0}, |
|
108 |
+ {DFunctionType, cli_tmp16, 3, 0, 0}, |
|
109 |
+ {DPointerType, cli_tmp17, 1, 0, 0}, |
|
110 |
+ {DStructType, cli_tmp18, 6, 0, 0}, |
|
111 |
+ {DArrayType, cli_tmp19, 29, 0, 0}, |
|
112 |
+ {DArrayType, cli_tmp20, 10, 0, 0}, |
|
113 |
+ {DArrayType, cli_tmp21, 3, 0, 0}, |
|
114 | 114 |
{DFunctionType, cli_tmp22, 3, 0, 0}, |
115 | 115 |
{DPointerType, cli_tmp23, 1, 0, 0}, |
116 | 116 |
{DStructType, cli_tmp24, 1, 0, 0} |
@@ -120,26 +123,28 @@ const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall |
120 | 120 |
const struct cli_apicall cli_apicalls[]={ |
121 | 121 |
/* Bytecode APIcalls BEGIN */ |
122 | 122 |
{"test0", 22, 0, 1}, |
123 |
- {"test1", 21, 0, 0}, |
|
124 |
- {"read", 14, 1, 1}, |
|
125 |
- {"write", 14, 2, 1}, |
|
126 |
- {"seek", 21, 1, 0}, |
|
127 |
- {"setvirusname", 14, 3, 1}, |
|
128 |
- {"debug_print_str", 14, 4, 1}, |
|
129 |
- {"debug_print_uint", 21, 2, 0}, |
|
130 |
- {"disasm_x86", 15, 5, 1}, |
|
131 |
- {"trace_directory", 14, 6, 1}, |
|
132 |
- {"trace_scope", 14, 7, 1}, |
|
133 |
- {"trace_source", 14, 8, 1}, |
|
134 |
- {"trace_op", 14, 9, 1}, |
|
135 |
- {"trace_value", 14, 10, 1}, |
|
136 |
- {"trace_ptr", 14, 11, 1} |
|
123 |
+ {"test1", 14, 0, 0}, |
|
124 |
+ {"read", 15, 1, 1}, |
|
125 |
+ {"write", 15, 2, 1}, |
|
126 |
+ {"seek", 14, 1, 0}, |
|
127 |
+ {"setvirusname", 15, 3, 1}, |
|
128 |
+ {"debug_print_str", 15, 4, 1}, |
|
129 |
+ {"debug_print_uint", 14, 2, 0}, |
|
130 |
+ {"disasm_x86", 16, 5, 1}, |
|
131 |
+ {"trace_directory", 15, 6, 1}, |
|
132 |
+ {"trace_scope", 15, 7, 1}, |
|
133 |
+ {"trace_source", 15, 8, 1}, |
|
134 |
+ {"trace_op", 15, 9, 1}, |
|
135 |
+ {"trace_value", 15, 10, 1}, |
|
136 |
+ {"trace_ptr", 15, 11, 1}, |
|
137 |
+ {"pe_rawaddr", 14, 3, 0} |
|
137 | 138 |
/* Bytecode APIcalls END */ |
138 | 139 |
}; |
139 | 140 |
const cli_apicall_int2 cli_apicalls0[] = { |
140 | 141 |
(cli_apicall_int2)cli_bcapi_test1, |
141 | 142 |
(cli_apicall_int2)cli_bcapi_seek, |
142 |
- (cli_apicall_int2)cli_bcapi_debug_print_uint |
|
143 |
+ (cli_apicall_int2)cli_bcapi_debug_print_uint, |
|
144 |
+ (cli_apicall_int2)cli_bcapi_pe_rawaddr |
|
143 | 145 |
}; |
144 | 146 |
const cli_apicall_pointer cli_apicalls1[] = { |
145 | 147 |
(cli_apicall_pointer)cli_bcapi_test0, |
@@ -45,5 +45,6 @@ uint32_t cli_bcapi_trace_source(struct cli_bc_ctx *ctx, const const uint8_t*, ui |
45 | 45 |
uint32_t cli_bcapi_trace_op(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t); |
46 | 46 |
uint32_t cli_bcapi_trace_value(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t); |
47 | 47 |
uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t); |
48 |
+uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t, uint32_t); |
|
48 | 49 |
|
49 | 50 |
#endif |
@@ -2236,6 +2236,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset) |
2236 | 2236 |
pedata.e_lfanew = e_lfanew; |
2237 | 2237 |
pedata.overlays = overlays; |
2238 | 2238 |
pedata.overlays_sz = fsize - overlays; |
2239 |
+ pedata.hdr_size = hdr_size; |
|
2239 | 2240 |
cli_bytecode_context_setpe(bc_ctx, &pedata); |
2240 | 2241 |
cli_bytecode_context_setctx(bc_ctx, ctx); |
2241 | 2242 |
ret = cli_bytecode_runhook(ctx->engine, bc_ctx, BC_PE_UNPACKER, map, ctx->virname); |
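Review bot: `pedata.hdr_size = hdr_size;` populates the new struct field for this one call site only; if `pedata` is not zero-initialized here and cli_bytecode_context_setpe has any other caller, that caller would hand bytecode an uninitialized hdr_size that pe_rawaddr then passes straight to cli_rawaddr. It is worth checking that every site that builds a `struct cli_pe_hook_data` either sets hdr_size or starts from `= {0}`; the declaration of pedata and the origin of the local `hdr_size` are outside this hunk, as is the start of cli_scanpe. A comment on the assignment, e.g. `/* required by the pe_rawaddr bytecode API */`, would tie the field to its consumer.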
@@ -145,6 +145,7 @@ struct cli_pe_hook_data { |
145 | 145 |
uint32_t e_lfanew;/**< address of new exe header */ |
146 | 146 |
uint32_t overlays;/**< number of overlays */ |
147 | 147 |
int32_t overlays_sz;/**< size of overlays */ |
148 |
+ uint32_t hdr_size;/**< internally needed by rawaddr */ |
|
148 | 149 |
/* FIXME: these should not be necessary (they are for now) */ |
149 | 150 |
uint8_t dummyn; |
150 | 151 |
uint8_t *dummy EBOUNDS(dummyn); |
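Review bot: The comment on the new `hdr_size` member says who needs it but not what it is, which is the opposite of what a reader of the struct needs; the implementation in this commit passes it to cli_rawaddr alongside the section table and file size, so something like `/**< size of the PE headers in bytes (used by pe_rawaddr for RVA mapping) */` would be more useful, hedged on what cli_scanpe's `hdr_size` local actually holds. Since this struct is exposed to bytecode as __clambc_pedata, inserting the field before `dummyn`/`dummy` shifts their offsets; the regenerated type tables in this commit presumably account for that, but a note that the member order is part of the bytecode ABI would help future edits.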