Browse code
add match_offsets support.
Török Edvin authored on 2010/05/07 15:57:30Showing 8 changed files
- ChangeLog
- clambc/bcrun.c
- libclamav/bytecode.c
- libclamav/bytecode_api.h
- libclamav/bytecode_api_decl.c
- libclamav/bytecode_hooks.h
- libclamav/clambc.h
- libclamav/pe.h
| ... | ... |
@@ -1,3 +1,7 @@ |
| 1 |
+Fri May 7 09:56:57 EEST 2010 (edwin) |
|
| 2 |
+------------------------------------- |
|
| 3 |
+ * libclamav/bytecode*: add match_offsets support. |
|
| 4 |
+ |
|
| 1 | 5 |
Wed May 5 21:28:04 CEST 2010 (tk) |
| 2 | 6 |
---------------------------------- |
| 3 | 7 |
* shared/output.c: workaround FreeBSD's file locking issue (bb#1918) |
| ... | ... |
@@ -386,6 +386,7 @@ int main(int argc, char *argv[]) |
| 386 | 386 |
} |
| 387 | 387 |
/* for testing */ |
| 388 | 388 |
ctx->hooks.match_counts = deadbeefcounts; |
| 389 |
+ ctx->hooks.match_offsets = deadbeefcounts; |
|
| 389 | 390 |
rc = cli_bytecode_run(&bcs, bc, ctx); |
| 390 | 391 |
if (rc != CL_SUCCESS) {
|
| 391 | 392 |
fprintf(stderr,"Unable to run bytecode: %s\n", cl_strerror(rc)); |
| ... | ... |
@@ -49,6 +49,24 @@ static const uint32_t nomatch[64] = {
|
| 49 | 49 |
0, 0, 0, 0, 0, 0, 0, 0, |
| 50 | 50 |
0, 0, 0, 0, 0, 0, 0, 0 |
| 51 | 51 |
}; |
| 52 |
+static const uint32_t nooffsets[64] = {
|
|
| 53 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 54 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 55 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 56 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 57 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 58 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 59 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 60 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 61 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 62 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 63 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 64 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 65 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 66 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 67 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, |
|
| 68 |
+ CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE, CLI_OFF_NONE |
|
| 69 |
+}; |
|
| 52 | 70 |
|
| 53 | 71 |
static const uint16_t nokind; |
| 54 | 72 |
static const uint32_t nofilesize; |
| ... | ... |
@@ -61,6 +79,8 @@ static void context_safe(struct cli_bc_ctx *ctx) |
| 61 | 61 |
ctx->hooks.kind = &nokind; |
| 62 | 62 |
if (!ctx->hooks.match_counts) |
| 63 | 63 |
ctx->hooks.match_counts = nomatch; |
| 64 |
+ if (!ctx->hooks.match_offsets) |
|
| 65 |
+ ctx->hooks.match_counts = nooffsets; |
|
| 64 | 66 |
if (!ctx->hooks.filesize) |
| 65 | 67 |
ctx->hooks.filesize = &nofilesize; |
| 66 | 68 |
if (!ctx->hooks.pedata) |
| ... | ... |
@@ -1940,6 +1960,7 @@ int cli_bytecode_runlsig(cli_ctx *cctx, const struct cli_all_bc *bcs, unsigned b |
| 1940 | 1940 |
memset(&ctx, 0, sizeof(ctx)); |
| 1941 | 1941 |
cli_bytecode_context_setfuncid(&ctx, bc, 0); |
| 1942 | 1942 |
ctx.hooks.match_counts = lsigcnt; |
| 1943 |
+ ctx.hooks.match_offsets = lsigsuboff; |
|
| 1943 | 1944 |
cli_bytecode_context_setctx(&ctx, cctx); |
| 1944 | 1945 |
cli_bytecode_context_setfile(&ctx, map); |
| 1945 | 1946 |
|
| ... | ... |
@@ -54,6 +54,12 @@ enum BytecodeKind {
|
| 54 | 54 |
|
| 55 | 55 |
enum { PE_INVALID_RVA = 0xFFFFFFFF };
|
| 56 | 56 |
|
| 57 |
+/** LibClamAV functionality level constants */ |
|
| 58 |
+enum FunctionalityLevels {
|
|
| 59 |
+ FUNC_LEVEL_096 = 51, |
|
| 60 |
+ FUNC_LEVEL_096_dev |
|
| 61 |
+}; |
|
| 62 |
+ |
|
| 57 | 63 |
#ifdef __CLAMBC__ |
| 58 | 64 |
|
| 59 | 65 |
/** @brief Logical signature match counts |
| ... | ... |
@@ -62,6 +68,13 @@ enum { PE_INVALID_RVA = 0xFFFFFFFF };
|
| 62 | 62 |
* access it. |
| 63 | 63 |
* */ |
| 64 | 64 |
extern const uint32_t __clambc_match_counts[64]; |
| 65 |
+ |
|
| 66 |
+/** @brief Logical signature match offsets |
|
| 67 |
+ * This is a low-level variable, use the Macros in bytecode_local.h instead to |
|
| 68 |
+ * access it. |
|
| 69 |
+ */ |
|
| 70 |
+extern const uint32_t __clambc_match_offsets[64]; |
|
| 71 |
+ |
|
| 65 | 72 |
/** PE data, if this is a PE hook */ |
| 66 | 73 |
extern const struct cli_pe_hook_data __clambc_pedata; |
| 67 | 74 |
/** File size (max 4G) */ |
| ... | ... |
@@ -81,6 +81,8 @@ int32_t cli_bcapi_jsnorm_done(struct cli_bc_ctx *ctx , int32_t); |
| 81 | 81 |
|
| 82 | 82 |
const struct cli_apiglobal cli_globals[] = {
|
| 83 | 83 |
/* Bytecode globals BEGIN */ |
| 84 |
+ {"__clambc_match_offsets", GLOBAL_MATCH_OFFSETS, 76,
|
|
| 85 |
+ ((char*)&((struct cli_bc_ctx*)0)->hooks.match_offsets - (char*)NULL)}, |
|
| 84 | 86 |
{"__clambc_kind", GLOBAL_KIND, 16,
|
| 85 | 87 |
((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)}, |
| 86 | 88 |
{"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 76,
|
| ... | ... |
@@ -62,11 +62,11 @@ struct pe_image_optional_hdr32 {
|
| 62 | 62 |
uint32_t FileAlignment; /**< usually 32 or 512 */ |
| 63 | 63 |
uint16_t MajorOperatingSystemVersion; /**< not used */ |
| 64 | 64 |
uint16_t MinorOperatingSystemVersion; /**< not used */ |
| 65 |
- uint16_t MajorImageVersion; /** unreliable */ |
|
| 66 |
- uint16_t MinorImageVersion; /** unreliable */ |
|
| 65 |
+ uint16_t MajorImageVersion; /**< unreliable */ |
|
| 66 |
+ uint16_t MinorImageVersion; /**< unreliable */ |
|
| 67 | 67 |
uint16_t MajorSubsystemVersion; |
| 68 | 68 |
uint16_t MinorSubsystemVersion; |
| 69 |
- uint32_t Win32VersionValue; /* ? */ |
|
| 69 |
+ uint32_t Win32VersionValue; /*< ? */ |
|
| 70 | 70 |
uint32_t SizeOfImage; |
| 71 | 71 |
uint32_t SizeOfHeaders; |
| 72 | 72 |
uint32_t CheckSum; /**< NT drivers only */ |
| ... | ... |
@@ -76,7 +76,7 @@ struct pe_image_optional_hdr32 {
|
| 76 | 76 |
uint32_t SizeOfStackCommit; |
| 77 | 77 |
uint32_t SizeOfHeapReserve; |
| 78 | 78 |
uint32_t SizeOfHeapCommit; |
| 79 |
- uint32_t LoaderFlags; /* ? */ |
|
| 79 |
+ uint32_t LoaderFlags; /*< ? */ |
|
| 80 | 80 |
uint32_t NumberOfRvaAndSizes; /**< unreliable */ |
| 81 | 81 |
struct pe_image_data_dir DataDirectory[16]; |
| 82 | 82 |
}; |
| ... | ... |
@@ -138,14 +138,14 @@ struct pe_image_section_hdr {
|
| 138 | 138 |
/** Data for the bytecode PE hook */ |
| 139 | 139 |
struct cli_pe_hook_data {
|
| 140 | 140 |
uint32_t offset; |
| 141 |
- uint32_t ep; |
|
| 142 |
- uint16_t nsections; |
|
| 141 |
+ uint32_t ep; /**< EntryPoint as file offset */ |
|
| 142 |
+ uint16_t nsections;/**< Number of sections */ |
|
| 143 | 143 |
uint16_t dummy; /* align */ |
| 144 |
- struct pe_image_file_hdr file_hdr; |
|
| 145 |
- struct pe_image_optional_hdr32 opt32; |
|
| 144 |
+ struct pe_image_file_hdr file_hdr;/**< Header for this PE file */ |
|
| 145 |
+ struct pe_image_optional_hdr32 opt32; /**< 32-bit PE optional header */ |
|
| 146 | 146 |
uint32_t dummy2; /* align */ |
| 147 |
- struct pe_image_optional_hdr64 opt64; |
|
| 148 |
- struct pe_image_data_dir dirs[16]; |
|
| 147 |
+ struct pe_image_optional_hdr64 opt64;/**< 64-bit PE optional header */ |
|
| 148 |
+ struct pe_image_data_dir dirs[16]; /**< PE data directory header */ |
|
| 149 | 149 |
uint32_t e_lfanew;/**< address of new exe header */ |
| 150 | 150 |
uint32_t overlays;/**< number of overlays */ |
| 151 | 151 |
int32_t overlays_sz;/**< size of overlays */ |