@@ -2412,17 +2412,6 @@ int cli_bytecode_runlsig(cli_ctx *cctx, struct cli_target_info *tinfo,

     const struct cli_bc *bc = &bcs->all_bcs[bc_idx-1];

     struct cli_pe_hook_data pehookdata;

-    if (bc->hook_lsig_id) {

-	cli_dbgmsg("hook lsig id %d matched (bc %d)\n", bc->hook_lsig_id, bc->id);

-	/* this is a bytecode for a hook, defer running it until hook is

-	 * executed, so that it has all the info for the hook */

-	if (cctx->hook_lsig_matches)

-	    cli_bitset_set(cctx->hook_lsig_matches, bc->hook_lsig_id-1);

-	/* save match counts */

-	memcpy(&ctx.lsigcnt, lsigcnt, 64*4);

-	memcpy(&ctx.lsigoff, lsigsuboff, 64*4);

-	return CL_SUCCESS;

-    }

     memset(&ctx, 0, sizeof(ctx));

     cli_bytecode_context_setfuncid(&ctx, bc, 0);

     ctx.hooks.match_counts = lsigcnt;

@@ -2439,6 +2428,17 @@ int cli_bytecode_runlsig(cli_ctx *cctx, struct cli_target_info *tinfo,

 	ctx.hooks.pedata = &pehookdata;

 	ctx.resaddr = tinfo->exeinfo.res_addr;

     }

+    if (bc->hook_lsig_id) {

+	cli_dbgmsg("hook lsig id %d matched (bc %d)\n", bc->hook_lsig_id, bc->id);

+	/* this is a bytecode for a hook, defer running it until hook is

+	 * executed, so that it has all the info for the hook */

+	if (cctx->hook_lsig_matches)

+	    cli_bitset_set(cctx->hook_lsig_matches, bc->hook_lsig_id-1);

+	/* save match counts */

+	memcpy(&ctx.lsigcnt, lsigcnt, 64*4);

+	memcpy(&ctx.lsigoff, lsigsuboff, 64*4);

+	return CL_SUCCESS;

+    }

     cli_dbgmsg("Running bytecode for logical signature match\n");

     ret = cli_bytecode_run(bcs, bc, &ctx);

@@ -2610,6 +2610,15 @@ void cli_bytecode_describe(const struct cli_bc *bc)

 	    break;

 	case BC_PE_UNPACKER:

 	    if (bc->lsig)

+		puts("PE files matching logical signature (unpacked)");

+	    else

+		puts("all PE files! (unpacked)");

+	    break;

+	case BC_PDF:

+	    puts("PDF files");

+	    break;

+	case BC_PE_ALL:

+	    if (bc->lsig)

 		puts("PE files matching logical signature");

 	    else

 		puts("all PE files!");

@@ -25,7 +25,7 @@

  * SUCH DAMAGE.

  */

-/** @file */

+/** @file bytecode_api.h */

 #ifndef BYTECODE_API_H

 #define BYTECODE_API_H

@@ -37,7 +37,7 @@

 #endif

 #ifndef __CLAMBC__

-#include "execs.h"

+struct cli_exe_section;

 struct DISASM_RESULT;

 #endif

@@ -53,20 +53,26 @@ enum BytecodeKind {

     BC_PE_UNPACKER,

     /* PDF hook */

     BC_PDF,

+    BC_PE_ALL,/* both packed and unpacked files */

     _BC_LAST_HOOK

 };

-static const unsigned  PE_INVALID_RVA = 0xFFFFFFFF ;

+enum {

+  /** Invalid RVA specified */

+  PE_INVALID_RVA = 0xFFFFFFFF

+};

 /** LibClamAV functionality level constants */

 enum FunctionalityLevels {

     FUNC_LEVEL_096 = 51,

     FUNC_LEVEL_096_dev,

     FUNC_LEVEL_096_1,

-    FUNC_LEVEL_096_1_dev,

-    FUNC_LEVEL_096_2

+    FUNC_LEVEL_096_1_dev=54,

+    FUNC_LEVEL_096_2=54,

+    FUNC_LEVEL_096_2_dev

 };

+/** Phase of PDF parsing */

 enum pdf_phase {

     PDF_PHASE_NONE /* not a PDF */,

     PDF_PHASE_PARSED, /* after parsing a PDF, object flags can be set etc. */

@@ -74,6 +80,7 @@ enum pdf_phase {

     PDF_PHASE_END /* after the pdf scan finished */

 };

+/** PDF flags */

 enum pdf_flag {

     BAD_PDF_VERSION=0,

     BAD_PDF_HEADERPOS,

@@ -96,6 +103,7 @@ enum pdf_flag {

     LINEARIZED_PDF /* not bad, just as flag */

 };

+/** PDF obj flags */

 enum pdf_objflags {

     OBJ_STREAM=0,

     OBJ_DICT,

@@ -127,21 +135,27 @@ enum pdf_objflags {

  *

  *  This is a low-level variable, use the Macros in bytecode_local.h instead to

  *  access it.

+\group_globals

  * */

 extern const uint32_t __clambc_match_counts[64];

 /** @brief Logical signature match offsets

   * This is a low-level variable, use the Macros in bytecode_local.h instead to

   * access it.

+\group_globals

   */

 extern const uint32_t __clambc_match_offsets[64];

-/** PE data, if this is a PE hook */

+/** PE data, if this is a PE hook.

+  \group_globals */

 extern const struct cli_pe_hook_data __clambc_pedata;

-/** File size (max 4G) */

+/** File size (max 4G). 

+   \group_globals */

 extern const uint32_t __clambc_filesize[1];

-/** Kind of the bytecode */

+/** Kind of the bytecode

+\group_globals

+*/

 const uint16_t __clambc_kind;

 /* ---------------- END GLOBALS --------------------------------------------- */

 /* ---------------- BEGIN 0.96 APIs (don't touch) --------------------------- */

@@ -159,6 +173,7 @@ uint32_t test1(uint32_t a, uint32_t b);

  * @param[in] size amount of bytes to read

  * @param[out] data pointer to buffer where data is read into

  * @return amount read.

+ * \group_file

  */

 int32_t read(uint8_t *data, int32_t size);

@@ -179,6 +194,7 @@ enum {

  * \p size bytes to temporary file, from the buffer pointed to

  * byte

  * @return amount of bytes successfully written

+ * \group_file

  */

 int32_t write(uint8_t *data, int32_t size);

@@ -188,6 +204,7 @@ int32_t write(uint8_t *data, int32_t size);

  * @param[in] pos offset (absolute or relative depending on \p whence param)

  * @param[in] whence one of \p SEEK_SET, \p SEEK_CUR, \p SEEK_END

  * @return absolute position in file

+ * \group_file

  */

 int32_t seek(int32_t pos, uint32_t whence);

@@ -197,6 +214,7 @@ int32_t seek(int32_t pos, uint32_t whence);

  * @param[in] name the name of the virus

  * @param[in] len length of the virusname

  * @return 0

+ * \group_scan

  */

 uint32_t setvirusname(const uint8_t *name, uint32_t len);

@@ -206,6 +224,7 @@ uint32_t setvirusname(const uint8_t *name, uint32_t len);

  * @param[in] str Message to print

  * @param[in] len length of message to print

  * @return 0

+ * \group_string

  */

 uint32_t debug_print_str(const uint8_t *str, uint32_t len);

@@ -215,6 +234,7 @@ uint32_t debug_print_str(const uint8_t *str, uint32_t len);

  *

  * @param[in] a number to print

  * @return 0

+ * \group_string

  */

 uint32_t debug_print_uint(uint32_t a);

@@ -229,6 +249,7 @@ uint32_t debug_print_uint(uint32_t a);

  * This is a low-level API, the result is in ClamAV type-8 signature format 

  * (64 bytes/instruction).

  *  \sa DisassembleAt

+ \group_disasm

  */

 uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len);

@@ -247,16 +268,19 @@ uint32_t trace_ptr(const uint8_t* ptr, uint32_t dummy);

   * @param rva a rva address from the PE file

   * @return absolute file offset mapped to the \p rva,

   * or PE_INVALID_RVA if the \p rva is invalid.

+  \group_pe

   */

 uint32_t pe_rawaddr(uint32_t rva);

 /** Looks for the specified sequence of bytes in the current file.

+  \group_file

   * @param[in] data the sequence of bytes to look for

   * @param len length of \p data, cannot be more than 1024

   * @return offset in the current file if match is found, -1 otherwise */

 int32_t file_find(const uint8_t* data, uint32_t len);

 /** Read a single byte from current file

+  \group_file

   * @param offset file offset

   * @return byte at offset \p off in the current file, or -1 if offset is

   * invalid */

@@ -264,6 +288,7 @@ int32_t file_byteat(uint32_t offset);

 /** Allocates memory. Currently this memory is freed automatically on exit

   from the bytecode, and there is no way to free it sooner.

+  \group_adt

   @param size amount of memory to allocate in bytes

   @return pointer to allocated memory */

 void* malloc(uint32_t size);

@@ -274,11 +299,15 @@ void* malloc(uint32_t size);

 uint32_t test2(uint32_t a);

 /** Gets information about the specified PE section.

+  \group_pe

  * @param[out] section PE section information will be stored here

- * @param[in] num PE section number */

+ * @param[in] num PE section number

+ * @return  0 - success

+           -1 - failure */

 int32_t get_pe_section(struct cli_exe_section *section, uint32_t num);

 /** Fills the specified buffer with at least \p fill bytes.

+  \group_file

  * @param[out] buffer the buffer to fill

  * @param[in] len length of buffer

  * @param[in] filled how much of the buffer is currently filled

@@ -295,13 +324,15 @@ int32_t fill_buffer(uint8_t* buffer, uint32_t len, uint32_t filled,

 /**

  * Prepares for extracting a new file, if we've already extracted one it scans

  * it.

+ \group_scan

  * @param[in] id an id for the new file (for example position in container)

  * @return 1 if previous extracted file was infected

 */

 int32_t extract_new(int32_t id);

-/**

-  * Reads a number in the specified radix starting from the current position.

+/**   

+ * Reads a number in the specified radix starting from the current position.

+ * \group_file 

   * Non-numeric characters are ignored.

   * @param[in] radix 10 or 16

   * @return the number read

@@ -310,11 +341,13 @@ int32_t read_number(uint32_t radix);

 /**

   * Creates a new hashset and returns its id.

+  \group_adt

   * @return ID for new hashset */

 int32_t hashset_new(void);

 /**

   * Add a new 32-bit key to the hashset.

+  \group_adt

   * @param hs ID of hashset (from hashset_new)

   * @param key the key to add

   * @return 0 on success */

@@ -322,6 +355,7 @@ int32_t hashset_add(int32_t hs, uint32_t key);

 /**

   * Remove a 32-bit key from the hashset.

+  \group_adt

   * @param hs ID of hashset (from hashset_new)

   * @param key the key to add

   * @return 0 on success */

@@ -329,6 +363,7 @@ int32_t hashset_remove(int32_t hs, uint32_t key);

 /**

   * Returns whether the hashset contains the specified key.

+  \group_adt

   * @param hs ID of hashset (from hashset_new)

   * @param key the key to lookup

   * @return 1 if found, 0 if not found, <0 on invalid hashset ID */

@@ -336,6 +371,7 @@ int32_t hashset_contains(int32_t hs, uint32_t key);

 /**

   * Deallocates the memory used by the specified hashset.

+  \group_adt

   * Trying to use the hashset after this will result in an error.

   * The hashset may not be used after this.

   * All hashsets are automatically deallocated when bytecode

@@ -346,18 +382,22 @@ int32_t hashset_done(int32_t id);

 /**

   * Returns whether the hashset is empty.

+  \group_adt

   * @param id of hashset (from hashset_new)

   * @return 0 on success */

 int32_t hashset_empty(int32_t id);

 /**

   * Creates a new pipe with the specified buffer size

+  \group_adt

   * @param size size of buffer

   * @return ID of newly created buffer_pipe */

 int32_t  buffer_pipe_new(uint32_t size);

 /**

   * Same as buffer_pipe_new, except the pipe's input is tied

+  \group_adt

+  \group_file

   * to the current file, at the specified position.

   * @param pos starting position of pipe input in current file

   * @return ID of newly created buffer_pipe */

@@ -365,12 +405,14 @@ int32_t  buffer_pipe_new_fromfile(uint32_t pos);

 /**

   * Returns the amount of bytes available to read.

+  \group_adt

   * @param id ID of buffer_pipe

   * @return amount of bytes available to read */

 uint32_t buffer_pipe_read_avail(int32_t id);

 /**

   * Returns a pointer to the buffer for reading.

+  \group_adt

   * The 'amount' parameter should be obtained by a call to

   * buffer_pipe_read_avail().

   * @param id ID of buffer_pipe

@@ -380,6 +422,7 @@ uint32_t buffer_pipe_read_avail(int32_t id);

 uint8_t *buffer_pipe_read_get(int32_t id, uint32_t amount);

 /**

+  \group_adt

   * Updates read cursor in buffer_pipe.

   * @param id ID of buffer_pipe

   * @param amount amount of bytes to move read cursor

@@ -388,11 +431,13 @@ int32_t  buffer_pipe_read_stopped(int32_t id, uint32_t amount);

 /**

   * Returns the amount of bytes available for writing.

+  \group_adt

   * @param id ID of buffer_pipe

   * @return amount of bytes available for writing */

 uint32_t buffer_pipe_write_avail(int32_t id);

 /**

+  \group_adt

   * Returns pointer to writable buffer.

   * The 'amount' parameter should be obtained by a call to

   * buffer_pipe_write_avail().

@@ -404,6 +449,7 @@ uint8_t *buffer_pipe_write_get(int32_t id, uint32_t size);

 /**

   * Updates the write cursor in buffer_pipe.

+  \group_adt

   * @param id ID of buffer_pipe

   * @param amount amount of bytes to move write cursor

   * @return 0 on success */

@@ -411,6 +457,7 @@ int32_t  buffer_pipe_write_stopped(int32_t id, uint32_t amount);

 /**

   * Deallocate memory used by buffer.

+  \group_adt

   * After this all attempts to use this buffer will result in error.

   * All buffer_pipes are automatically deallocated when bytecode

   * finishes execution.

@@ -420,6 +467,7 @@ int32_t  buffer_pipe_done(int32_t id);

 /**

   * Initializes inflate data structures for decompressing data

+  \group_adt

   * 'from_buffer' and writing uncompressed uncompressed data 'to_buffer'.

   * @param from_buffer ID of buffer_pipe to read compressed data from

   * @param to_buffer ID of buffer_pipe to write decompressed data to

@@ -435,6 +483,7 @@ int32_t inflate_init(int32_t from_buffer, int32_t to_buffer, int32_t windowBits)

   * buffer, and flushing the output buffer.

   * The inflate stream is done processing when 0 bytes are available from output

   * buffer, and input buffer is not empty.

+  \group_adt

   * @param id ID of inflate data structure

   * @return 0 on success, zlib error code otherwise */

 int32_t inflate_process(int32_t id);

@@ -444,12 +493,14 @@ int32_t inflate_process(int32_t id);

   * Using the inflate data structure after this will result in an error.

   * All inflate data structures are automatically deallocated when bytecode

   * finishes execution.

+  \group_adt

   * @param id ID of inflate data structure

   * @return 0 on success.*/

 int32_t inflate_done(int32_t id);

 /** 

   * Report a runtime error at the specified locationID.

+  \group_scan

   * @param locationid (line << 8) | (column&0xff)

   * @return 0 */

 int32_t bytecode_rt_error(int32_t locationid);

@@ -459,6 +510,7 @@ int32_t bytecode_rt_error(int32_t locationid);

   * Normalized JS will be written to a single tempfile,

   * one normalized JS per line, and automatically scanned 

   * when the bytecode finishes execution. 

+  \group_js

   * @param from_buffer ID of buffer_pipe to read javascript from

   * @return ID of JS normalizer, <0 on failure */

 int32_t jsnorm_init(int32_t from_buffer);

@@ -467,25 +519,30 @@ int32_t jsnorm_init(int32_t from_buffer);

   * Normalize all javascript from the input buffer, and write to tempfile.

   * You can call this function repeatedly on success, if you (re)fill the input

   * buffer.

+  \group_js

   * @param id ID of JS normalizer

   * @return 0 on success, <0 on failure */

 int32_t jsnorm_process(int32_t id);

 /**

   * Flushes JS normalizer.

-  * @param id ID of js normalizer to flush */

+  \group_js

+  * @param id ID of js normalizer to flush

+  * @return 0 - success

+           -1 - failure */

 int32_t jsnorm_done(int32_t id);

 /* ---------------- END 0.96 APIs (don't touch) --------------------------- */

 /* ---------------- BEGIN 0.96.1 APIs ------------------------------------- */

-/** --------------- math -----------------*/

+/* ---------------- Math -------------------------------------------------- */

 /**

   *  Returns 2^26*log2(a/b)

   * @param a input 

   * @param b input

   * @return 2^26*log2(a/b)

+  \group_math

   */

 int32_t ilog2(uint32_t a, uint32_t b);

@@ -495,6 +552,7 @@ int32_t ilog2(uint32_t a, uint32_t b);

   * @param b integer

   * @param c integer

   * @return c*pow(a,b)

+  \group_math

   */

 int32_t ipow(int32_t a, int32_t b, int32_t c);

@@ -504,6 +562,7 @@ int32_t ipow(int32_t a, int32_t b, int32_t c);

   * @param b integer

   * @param c integer

   * @return c*exp(a/b)

+  \group_math

   */

 uint32_t iexp(int32_t a, int32_t b, int32_t c);

@@ -513,6 +572,7 @@ uint32_t iexp(int32_t a, int32_t b, int32_t c);

   * @param b integer

   * @param c integer

   * @return c*sin(a/b)

+  \group_math

   */

 int32_t isin(int32_t a, int32_t b, int32_t c);

@@ -522,10 +582,11 @@ int32_t isin(int32_t a, int32_t b, int32_t c);

   * @param b integer

   * @param c integer

   * @return c*sin(a/b)

+  \group_math

   */

 int32_t icos(int32_t a, int32_t b, int32_t c);

-/** --------------- string operations -----------------*/

+/* ---------------- String operations --------------------------------------- */

 /**

   * Return position of match, -1 otherwise.

   * @param haystack buffer to search

@@ -533,6 +594,7 @@ int32_t icos(int32_t a, int32_t b, int32_t c);

   * @param needle substring to search

   * @param needlesize size of needle

   * @return location of match, -1 otherwise

+  \group_string

   */

 int32_t memstr(const uint8_t* haystack, int32_t haysize,

                const uint8_t* needle, int32_t needlesize);

@@ -543,6 +605,7 @@ int32_t memstr(const uint8_t* haystack, int32_t haysize,

   * @param hex1 hexadecimal character

   * @param hex2 hexadecimal character

   * @return hex1 hex2 converted to 8-bit integer, -1 on error

+  \group_string

   */

 int32_t hex2ui(uint32_t hex1, uint32_t hex2);

@@ -551,6 +614,7 @@ int32_t hex2ui(uint32_t hex1, uint32_t hex2);

   * @param str buffer

   * @param size size of \p str

   * @return >0 string converted to number if possible, -1 on error

+  \group_string

   */

 int32_t atoi(const uint8_t* str, int32_t size);

@@ -560,6 +624,7 @@ int32_t atoi(const uint8_t* str, int32_t size);

   * @param str the string

   * @param len length of \p str

   * @return 0

+  \group_string

   */

 uint32_t debug_print_str_start(const uint8_t *str, uint32_t len);

@@ -569,6 +634,7 @@ uint32_t debug_print_str_start(const uint8_t *str, uint32_t len);

   * @param str the string

   * @param len length of \p str

   * @return 0

+  \group_string

   */

 uint32_t debug_print_str_nonl(const uint8_t *str, uint32_t len);

@@ -577,15 +643,18 @@ uint32_t debug_print_str_nonl(const uint8_t *str, uint32_t len);

   * @param buffer input buffer

   * @param size size of buffer

   * @return entropy estimation * 2^26

+  \group_string

   */

 uint32_t entropy_buffer(uint8_t* buffer, int32_t size);

-/* ------------------ data structures -------------------- */

+/* ------------------ Data Structures --------------------------------------- */

 /**

   * Creates a new map and returns its id.

   * @param keysize size of key

   * @param valuesize size of value, if 0 then value is allocated separately

-  * @return ID of new map */

+  * @return ID of new map

+\group_adt

+  */

 int32_t map_new(int32_t keysize, int32_t valuesize);

 /**

@@ -596,6 +665,7 @@ int32_t map_new(int32_t keysize, int32_t valuesize);

   * @return 0 - if key existed before

             1 - if key didn't exist before

            <0 - if ksize doesn't match keysize specified at table creation

+\group_adt

   */

 int32_t map_addkey(const uint8_t *key, int32_t ksize, int32_t id);

@@ -606,6 +676,7 @@ int32_t map_addkey(const uint8_t *key, int32_t ksize, int32_t id);

   * @param vsize size of \p value

   * @return 0 - if update was successful

            <0 - if there is no last key

+\group_adt

   */

 int32_t map_setvalue(const uint8_t *value, int32_t vsize, int32_t id);

@@ -617,6 +688,7 @@ int32_t map_setvalue(const uint8_t *value, int32_t vsize, int32_t id);

   * @return 0 on success, key was present

             1 if key was not present

            <0 if ksize doesn't match keysize specified at table creation

+\group_adt

   */

 int32_t map_remove(const uint8_t* key, int32_t ksize, int32_t id);

@@ -631,6 +703,7 @@ int32_t map_remove(const uint8_t* key, int32_t ksize, int32_t id);

   * @return 0 - if not found

             1 - if found

            <0 - if ksize doesn't match the size specified at table creation

+\group_adt

   */

 int32_t map_find(const uint8_t* key, int32_t ksize, int32_t id);

@@ -638,6 +711,7 @@ int32_t map_find(const uint8_t* key, int32_t ksize, int32_t id);

   * Returns the size of value obtained during last map_find.

   * @param id id of map.

   * @return size of value

+\group_adt

   */

 int32_t map_getvaluesize(int32_t id);

@@ -646,6 +720,7 @@ int32_t map_getvaluesize(int32_t id);

   * @param id id of map.

   * @param size size of value (obtained from map_getvaluesize)

   * @return value

+\group_adt

   */

 uint8_t* map_getvalue(int32_t id, int32_t size);

@@ -654,10 +729,14 @@ uint8_t* map_getvalue(int32_t id, int32_t size);

   * Trying to use the map after this will result in an error.

   * All maps are automatically deallocated when the bytecode finishes

   * execution.

+  * @param id id of map

+  * @return 0 - success

+           -1 - invalid map

+\group_adt

   */

 int32_t map_done(int32_t id);

-/** -------------- file operations --------------------- */

+/* -------------- File Operations ------------------------------------------- */

 /** Looks for the specified sequence of bytes in the current file, up to the

  * specified position.

  * @param[in] data the sequence of bytes to look for

@@ -665,35 +744,49 @@ int32_t map_done(int32_t id);

  * @param maxpos maximum position to look for a match, 

  * note that this is 1 byte after the end of last possible match:

  * match_pos + \p len < \p maxpos

- * @return offset in the current file if match is found, -1 otherwise */

+ * @return offset in the current file if match is found, -1 otherwise 

+ * \group_file

+ */

 int32_t file_find_limit(const uint8_t *data, uint32_t len, int32_t maxpos);

-/** ------------- engine query ------------------------ */

+/* ------------- Engine Query ----------------------------------------------- */

 /**

   * Returns the current engine (feature) functionality level.

+  * To map these to ClamAV releases, compare it with #FunctionalityLevels.

+  * @return an integer representing current engine functionality level.

+  * \group_engine

   */

 uint32_t engine_functionality_level(void);

 /**

   * Returns the current engine (dconf) functionality level.

+  * Usually identical to engine_functionality_level(), unless distro backported

+  * patches. Compare with #FunctionalityLevels.

+  * @return an integer representing the DCONF (security fixes) level.

+  * \group_engine

   */

 uint32_t engine_dconf_level(void);

 /**

   * Returns the current engine's scan options.

+  * @return CL_SCAN* flags 

+  * \group_engine

   */

 uint32_t engine_scan_options(void);

 /**

   * Returns the current engine's db options.

+  * @return CL_DB_* flags

+  * \group_engine

   */

 uint32_t engine_db_options(void);

-/* ---------------- scan control --------------------------- */

+/* ---------------- Scan Control -------------------------------------------- */

 /**

   * Sets the container type for the currently extracted file.

   * @param container container type (CL_TYPE_*)

   * @return current setting for container (CL_TYPE_ANY default)

+  * \group_scan

   */

 int32_t extract_set_container(uint32_t container);

@@ -706,13 +799,23 @@ int32_t extract_set_container(uint32_t container);

                           0 - switch back to original input

   * @return -1 on error (if no extracted file exists)

              0 on success

+  * \group_scan

   */

 int32_t input_switch(int32_t extracted_file);

 /* ---------------- END 0.96.1 APIs ------------------------------------- */

 /* ---------------- BEGIN 0.96.2 APIs ----------------------------------- */

+/** Queries the environment this bytecode runs in.

+  * Used by BC_STARTUP to disable bytecode when bugs are known for the current

+  * platform.

+  * @param[out] env - the full environment

+  * @param len - size of \p env

+  * @return 0

+  \group_env

+  */

 uint32_t get_environment(struct cli_environment *env, uint32_t len);

+

 /** Disables the bytecode completely if condition is true.

   Can only be called from the BC_STARTUP bytecode.

   @param reason - why the bytecode had to be disabled

@@ -721,6 +824,7 @@ uint32_t get_environment(struct cli_environment *env, uint32_t len);

   @return 0 - auto mode

           1 - JIT disabled

           2 - fully disabled

+  \group_env

   */

 uint32_t disable_bytecode_if(const int8_t *reason, uint32_t len, uint32_t cond);

@@ -732,6 +836,7 @@ uint32_t disable_bytecode_if(const int8_t *reason, uint32_t len, uint32_t cond);

   @return 0 - auto mode

           1 - JIT disabled

           2 - fully disabled

+  \group_env

   */

 uint32_t disable_jit_if(const int8_t* reason, uint32_t len, uint32_t cond);

@@ -742,7 +847,9 @@ uint32_t disable_jit_if(const int8_t* reason, uint32_t len, uint32_t cond);

     @param rhs_len - length of \p rhs

     @return -1 - lhs < rhs

             0 - lhs == rhs

-            1 - lhs > rhs */

+            1 - lhs > rhs

+  \group_env

+  */

 int32_t version_compare(const uint8_t* lhs, uint32_t lhs_len,

                     const uint8_t* rhs, uint32_t rhs_len);

@@ -752,26 +859,36 @@ int32_t version_compare(const uint8_t* lhs, uint32_t lhs_len,

     @param b -  big_endian << 28 | sizeof_ptr << 24 | cpp_version

     @param c -  os_features << 24 | c_version

     @return 0 - no match

-            1 - match */

+            1 - match

+  \group_env

+  */

 uint32_t check_platform(uint32_t a, uint32_t b, uint32_t c);

+/* --------------------- PDF APIs ----------------------------------- */

 /** Return number of pdf objects 

  * @return -1 - if not called from PDF hook

           >=0 - number of PDF objects

+  \group_pdf

 */

 int32_t pdf_get_obj_num(void);

 /** Return the flags for the entire PDF (as set so far).

   * @return -1 - if not called from PDF hook

-           >=0 - pdf flags */

+           >=0 - pdf flags

+  \group_pdf

+  */

 int32_t pdf_get_flags(void);

 /** Sets the flags for the entire PDF.

   * It is recommended that you retrieve old flags, and just add new ones.

-  * @param flags - flags to set */

+  \group_pdf

+  * @param flags - flags to set.

+  * @return 0 - success

+           -1 - invalid phase */

 int32_t pdf_set_flags(int32_t flags);

 /** Lookup pdf object with specified id.

+  \group_pdf

   * @param id - pdf id (objnumber << 8 | generationid)

     @return -1 - if object id doesn't exist

            >=0 - object index

@@ -779,12 +896,14 @@ int32_t pdf_set_flags(int32_t flags);

 int32_t pdf_lookupobj(uint32_t id);

 /** Return the size of the specified PDF obj.

-  * @param objnum - object index (from 0), not object id!

+  \group_pdf

+  * @param objidx - object index (from 0), not object id!

   * @return 0 - if not called from PDF hook, or invalid objnum

           >=0 - size of object */

 uint32_t pdf_getobjsize(int32_t objidx);

 /** Return the undecoded object.

+  \group_pdf

   Meant only for reading, write modifies the fmap buffer, so avoid!

   @param objidx - object index (from 0), not object id!

   @param amount - size returned by pdf_getobjsize (or smaller)

@@ -793,6 +912,7 @@ uint32_t pdf_getobjsize(int32_t objidx);

 uint8_t *pdf_getobj(int32_t objidx, uint32_t amount);

 /* Return the object id for the specified object index.

+  \group_pdf

    @param objidx - object index (from 0)

    @return -1 - object index invalid

           >=0 - object id (obj id << 8 | generation id)

@@ -800,6 +920,7 @@ uint8_t *pdf_getobj(int32_t objidx, uint32_t amount);

 int32_t pdf_getobjid(int32_t objidx);

 /* Return the object flags for the specified object index.

+  \group_pdf

    @param objidx - object index (from 0)

    @return -1 - object index invalid

           >=0 - object flags

@@ -807,6 +928,7 @@ int32_t pdf_getobjid(int32_t objidx);

 int32_t pdf_getobjflags(int32_t objidx);

 /* Sets the object flags for the specified object index.

+  \group_pdf

    This can be used to force dumping of a certain obj, by setting the

    OBJ_FORCEDUMP flag for example.

    @param objidx - object index (from 0)

@@ -816,6 +938,7 @@ int32_t pdf_getobjflags(int32_t objidx);

 int32_t pdf_setobjflags(int32_t objidx, int32_t flags);

 /* Return the object's offset in the PDF.

+  \group_pdf

    @param objidx - object index (from 0)

    @return -1 - object index invalid

           >=0 - offset

@@ -823,19 +946,31 @@ int32_t pdf_setobjflags(int32_t objidx, int32_t flags);

 int32_t pdf_get_offset(int32_t objidx);

 /** Return an 'enum pdf_phase'.

-  * Identifies at which phase this bytecode was called */

+  \group_pdf

+  * Identifies at which phase this bytecode was called.

+  * @return the current #pdf_phase

+  */

 int32_t pdf_get_phase(void);

-/** Return the currently dumped obj id.

-  Valid only in PDF_PHASE_POSTDUMP */

+/** Return the currently dumped obj index.

+  \group_pdf

+ * Valid only in PDF_PHASE_POSTDUMP.

+ * @return >=0 - object index

+            -1 - invalid phase

+ */

 int32_t pdf_get_dumpedobjid(void);

+/* ----------------------------- Icon APIs -------------------------- */

 /** Attempts to match current executable's icon against the specified icon

  * groups.

+ \group_icon

  * @param[in] group1 - same as GROUP1 in LDB signatures

  * @param group1_len - length of \p group1

  * @param[in] group2 - same as GROUP2 in LDB signatures

  * @param group2_len - length of \p group2

+ * @return -1 - invalid call, or sizes (only valid for PE hooks)

+            0 - not a match

+            1 - match

  */

 int32_t matchicon(const uint8_t* group1, int32_t group1_len,

@@ -131,6 +131,4 @@ enum bc_global {

 };

 #define BC_START_TID 69

-

-

 #endif

@@ -26,7 +26,9 @@

 #include "bcfeatures.h"

 /** @file */

-/** Section of executable file */

+/** Section of executable file.

+  \group_pe

+*/

 struct cli_exe_section {

     uint32_t rva;/**< Relative VirtualAddress */

     uint32_t vsz;/**< VirtualSize */

@@ -39,11 +41,13 @@ struct cli_exe_section {

     uint32_t ursz; /**< PE - unaligned SizeOfRawData */

 };

-/** Executable file information */

+/** Executable file information

+  \group_pe

+*/

 struct cli_exe_info {

     /** Information about all the sections of this file. 

      * This array has \p nsection elements */

-    struct cli_exe_section *section EBOUNDS(nsections);

+    struct cli_exe_section *section;

     /** Offset where this executable start in file (nonzero if embedded) */

     uint32_t offset;

     /** Entrypoint of executable */

@@ -470,7 +470,7 @@ int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t* grp1, int32_

     group1[grp1len] = 0;

     group2[grp2len] = 0;

     memset(&info, 0, sizeof(info));

-    if (ctx->bc->kind == BC_PE_UNPACKER) {

+    if (ctx->bc->kind == BC_PE_UNPACKER || ctx->bc->kind == BC_PE_ALL) {

 	if(le16_to_host(ctx->hooks.pedata->file_hdr.Characteristics) & 0x2000 ||

 	   !ctx->hooks.pedata->dirs[2].Size)

 	    info.res_addr = 0;

@@ -1129,7 +1129,7 @@ int cli_scanpe(cli_ctx *ctx)

     }

     cli_bytecode_context_setpe(bc_ctx, &pedata, exe_sections);

     cli_bytecode_context_setctx(bc_ctx, ctx);

-    ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PE_ALL, ctx->virname);

+    ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PE_ALL, map, ctx->virname);

     if (ret == CL_VIRUS) {

 	free(exe_sections);

 	cli_bytecode_context_destroy(bc_ctx);

@@ -28,7 +28,8 @@

 #include "fmap.h"

 #include "bcfeatures.h"

 /** @file */

-/** Header for this PE file */

+/** Header for this PE file

+  \group_pe */

 struct pe_image_file_hdr {

     uint32_t Magic;  /**< PE magic header: PE\\0\\0 */