... | ... |
@@ -2412,17 +2412,6 @@ int cli_bytecode_runlsig(cli_ctx *cctx, struct cli_target_info *tinfo, |
2412 | 2412 |
const struct cli_bc *bc = &bcs->all_bcs[bc_idx-1]; |
2413 | 2413 |
struct cli_pe_hook_data pehookdata; |
2414 | 2414 |
|
2415 |
- if (bc->hook_lsig_id) { |
|
2416 |
- cli_dbgmsg("hook lsig id %d matched (bc %d)\n", bc->hook_lsig_id, bc->id); |
|
2417 |
- /* this is a bytecode for a hook, defer running it until hook is |
|
2418 |
- * executed, so that it has all the info for the hook */ |
|
2419 |
- if (cctx->hook_lsig_matches) |
|
2420 |
- cli_bitset_set(cctx->hook_lsig_matches, bc->hook_lsig_id-1); |
|
2421 |
- /* save match counts */ |
|
2422 |
- memcpy(&ctx.lsigcnt, lsigcnt, 64*4); |
|
2423 |
- memcpy(&ctx.lsigoff, lsigsuboff, 64*4); |
|
2424 |
- return CL_SUCCESS; |
|
2425 |
- } |
|
2426 | 2415 |
memset(&ctx, 0, sizeof(ctx)); |
2427 | 2416 |
cli_bytecode_context_setfuncid(&ctx, bc, 0); |
2428 | 2417 |
ctx.hooks.match_counts = lsigcnt; |
... | ... |
@@ -2439,6 +2428,17 @@ int cli_bytecode_runlsig(cli_ctx *cctx, struct cli_target_info *tinfo, |
2439 | 2439 |
ctx.hooks.pedata = &pehookdata; |
2440 | 2440 |
ctx.resaddr = tinfo->exeinfo.res_addr; |
2441 | 2441 |
} |
2442 |
+ if (bc->hook_lsig_id) { |
|
2443 |
+ cli_dbgmsg("hook lsig id %d matched (bc %d)\n", bc->hook_lsig_id, bc->id); |
|
2444 |
+ /* this is a bytecode for a hook, defer running it until hook is |
|
2445 |
+ * executed, so that it has all the info for the hook */ |
|
2446 |
+ if (cctx->hook_lsig_matches) |
|
2447 |
+ cli_bitset_set(cctx->hook_lsig_matches, bc->hook_lsig_id-1); |
|
2448 |
+ /* save match counts */ |
|
2449 |
+ memcpy(&ctx.lsigcnt, lsigcnt, 64*4); |
|
2450 |
+ memcpy(&ctx.lsigoff, lsigsuboff, 64*4); |
|
2451 |
+ return CL_SUCCESS; |
|
2452 |
+ } |
|
2442 | 2453 |
|
2443 | 2454 |
cli_dbgmsg("Running bytecode for logical signature match\n"); |
2444 | 2455 |
ret = cli_bytecode_run(bcs, bc, &ctx); |
... | ... |
@@ -2610,6 +2610,15 @@ void cli_bytecode_describe(const struct cli_bc *bc) |
2610 | 2610 |
break; |
2611 | 2611 |
case BC_PE_UNPACKER: |
2612 | 2612 |
if (bc->lsig) |
2613 |
+ puts("PE files matching logical signature (unpacked)"); |
|
2614 |
+ else |
|
2615 |
+ puts("all PE files! (unpacked)"); |
|
2616 |
+ break; |
|
2617 |
+ case BC_PDF: |
|
2618 |
+ puts("PDF files"); |
|
2619 |
+ break; |
|
2620 |
+ case BC_PE_ALL: |
|
2621 |
+ if (bc->lsig) |
|
2613 | 2622 |
puts("PE files matching logical signature"); |
2614 | 2623 |
else |
2615 | 2624 |
puts("all PE files!"); |
... | ... |
@@ -25,7 +25,7 @@ |
25 | 25 |
* SUCH DAMAGE. |
26 | 26 |
*/ |
27 | 27 |
|
28 |
-/** @file */ |
|
28 |
+/** @file bytecode_api.h */ |
|
29 | 29 |
#ifndef BYTECODE_API_H |
30 | 30 |
#define BYTECODE_API_H |
31 | 31 |
|
... | ... |
@@ -37,7 +37,7 @@ |
37 | 37 |
#endif |
38 | 38 |
|
39 | 39 |
#ifndef __CLAMBC__ |
40 |
-#include "execs.h" |
|
40 |
+struct cli_exe_section; |
|
41 | 41 |
struct DISASM_RESULT; |
42 | 42 |
#endif |
43 | 43 |
|
... | ... |
@@ -53,20 +53,26 @@ enum BytecodeKind { |
53 | 53 |
BC_PE_UNPACKER, |
54 | 54 |
/* PDF hook */ |
55 | 55 |
BC_PDF, |
56 |
+ BC_PE_ALL,/* both packed and unpacked files */ |
|
56 | 57 |
_BC_LAST_HOOK |
57 | 58 |
}; |
58 | 59 |
|
59 |
-static const unsigned PE_INVALID_RVA = 0xFFFFFFFF ; |
|
60 |
+enum { |
|
61 |
+ /** Invalid RVA specified */ |
|
62 |
+ PE_INVALID_RVA = 0xFFFFFFFF |
|
63 |
+}; |
|
60 | 64 |
|
61 | 65 |
/** LibClamAV functionality level constants */ |
62 | 66 |
enum FunctionalityLevels { |
63 | 67 |
FUNC_LEVEL_096 = 51, |
64 | 68 |
FUNC_LEVEL_096_dev, |
65 | 69 |
FUNC_LEVEL_096_1, |
66 |
- FUNC_LEVEL_096_1_dev, |
|
67 |
- FUNC_LEVEL_096_2 |
|
70 |
+ FUNC_LEVEL_096_1_dev=54, |
|
71 |
+ FUNC_LEVEL_096_2=54, |
|
72 |
+ FUNC_LEVEL_096_2_dev |
|
68 | 73 |
}; |
69 | 74 |
|
75 |
+/** Phase of PDF parsing */ |
|
70 | 76 |
enum pdf_phase { |
71 | 77 |
PDF_PHASE_NONE /* not a PDF */, |
72 | 78 |
PDF_PHASE_PARSED, /* after parsing a PDF, object flags can be set etc. */ |
... | ... |
@@ -74,6 +80,7 @@ enum pdf_phase { |
74 | 74 |
PDF_PHASE_END /* after the pdf scan finished */ |
75 | 75 |
}; |
76 | 76 |
|
77 |
+/** PDF flags */ |
|
77 | 78 |
enum pdf_flag { |
78 | 79 |
BAD_PDF_VERSION=0, |
79 | 80 |
BAD_PDF_HEADERPOS, |
... | ... |
@@ -96,6 +103,7 @@ enum pdf_flag { |
96 | 96 |
LINEARIZED_PDF /* not bad, just as flag */ |
97 | 97 |
}; |
98 | 98 |
|
99 |
+/** PDF obj flags */ |
|
99 | 100 |
enum pdf_objflags { |
100 | 101 |
OBJ_STREAM=0, |
101 | 102 |
OBJ_DICT, |
... | ... |
@@ -127,21 +135,27 @@ enum pdf_objflags { |
127 | 127 |
* |
128 | 128 |
* This is a low-level variable, use the Macros in bytecode_local.h instead to |
129 | 129 |
* access it. |
130 |
+\group_globals |
|
130 | 131 |
* */ |
131 | 132 |
extern const uint32_t __clambc_match_counts[64]; |
132 | 133 |
|
133 | 134 |
/** @brief Logical signature match offsets |
134 | 135 |
* This is a low-level variable, use the Macros in bytecode_local.h instead to |
135 | 136 |
* access it. |
137 |
+\group_globals |
|
136 | 138 |
*/ |
137 | 139 |
extern const uint32_t __clambc_match_offsets[64]; |
138 | 140 |
|
139 |
-/** PE data, if this is a PE hook */ |
|
141 |
+/** PE data, if this is a PE hook. |
|
142 |
+ \group_globals */ |
|
140 | 143 |
extern const struct cli_pe_hook_data __clambc_pedata; |
141 |
-/** File size (max 4G) */ |
|
144 |
+/** File size (max 4G). |
|
145 |
+ \group_globals */ |
|
142 | 146 |
extern const uint32_t __clambc_filesize[1]; |
143 | 147 |
|
144 |
-/** Kind of the bytecode */ |
|
148 |
+/** Kind of the bytecode |
|
149 |
+\group_globals |
|
150 |
+*/ |
|
145 | 151 |
const uint16_t __clambc_kind; |
146 | 152 |
/* ---------------- END GLOBALS --------------------------------------------- */ |
147 | 153 |
/* ---------------- BEGIN 0.96 APIs (don't touch) --------------------------- */ |
... | ... |
@@ -159,6 +173,7 @@ uint32_t test1(uint32_t a, uint32_t b); |
159 | 159 |
* @param[in] size amount of bytes to read |
160 | 160 |
* @param[out] data pointer to buffer where data is read into |
161 | 161 |
* @return amount read. |
162 |
+ * \group_file |
|
162 | 163 |
*/ |
163 | 164 |
int32_t read(uint8_t *data, int32_t size); |
164 | 165 |
|
... | ... |
@@ -179,6 +194,7 @@ enum { |
179 | 179 |
* \p size bytes to temporary file, from the buffer pointed to |
180 | 180 |
* byte |
181 | 181 |
* @return amount of bytes successfully written |
182 |
+ * \group_file |
|
182 | 183 |
*/ |
183 | 184 |
int32_t write(uint8_t *data, int32_t size); |
184 | 185 |
|
... | ... |
@@ -188,6 +204,7 @@ int32_t write(uint8_t *data, int32_t size); |
188 | 188 |
* @param[in] pos offset (absolute or relative depending on \p whence param) |
189 | 189 |
* @param[in] whence one of \p SEEK_SET, \p SEEK_CUR, \p SEEK_END |
190 | 190 |
* @return absolute position in file |
191 |
+ * \group_file |
|
191 | 192 |
*/ |
192 | 193 |
int32_t seek(int32_t pos, uint32_t whence); |
193 | 194 |
|
... | ... |
@@ -197,6 +214,7 @@ int32_t seek(int32_t pos, uint32_t whence); |
197 | 197 |
* @param[in] name the name of the virus |
198 | 198 |
* @param[in] len length of the virusname |
199 | 199 |
* @return 0 |
200 |
+ * \group_scan |
|
200 | 201 |
*/ |
201 | 202 |
uint32_t setvirusname(const uint8_t *name, uint32_t len); |
202 | 203 |
|
... | ... |
@@ -206,6 +224,7 @@ uint32_t setvirusname(const uint8_t *name, uint32_t len); |
206 | 206 |
* @param[in] str Message to print |
207 | 207 |
* @param[in] len length of message to print |
208 | 208 |
* @return 0 |
209 |
+ * \group_string |
|
209 | 210 |
*/ |
210 | 211 |
uint32_t debug_print_str(const uint8_t *str, uint32_t len); |
211 | 212 |
|
... | ... |
@@ -215,6 +234,7 @@ uint32_t debug_print_str(const uint8_t *str, uint32_t len); |
215 | 215 |
* |
216 | 216 |
* @param[in] a number to print |
217 | 217 |
* @return 0 |
218 |
+ * \group_string |
|
218 | 219 |
*/ |
219 | 220 |
uint32_t debug_print_uint(uint32_t a); |
220 | 221 |
|
... | ... |
@@ -229,6 +249,7 @@ uint32_t debug_print_uint(uint32_t a); |
229 | 229 |
* This is a low-level API, the result is in ClamAV type-8 signature format |
230 | 230 |
* (64 bytes/instruction). |
231 | 231 |
* \sa DisassembleAt |
232 |
+ \group_disasm |
|
232 | 233 |
*/ |
233 | 234 |
uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len); |
234 | 235 |
|
... | ... |
@@ -247,16 +268,19 @@ uint32_t trace_ptr(const uint8_t* ptr, uint32_t dummy); |
247 | 247 |
* @param rva a rva address from the PE file |
248 | 248 |
* @return absolute file offset mapped to the \p rva, |
249 | 249 |
* or PE_INVALID_RVA if the \p rva is invalid. |
250 |
+ \group_pe |
|
250 | 251 |
*/ |
251 | 252 |
uint32_t pe_rawaddr(uint32_t rva); |
252 | 253 |
|
253 | 254 |
/** Looks for the specified sequence of bytes in the current file. |
255 |
+ \group_file |
|
254 | 256 |
* @param[in] data the sequence of bytes to look for |
255 | 257 |
* @param len length of \p data, cannot be more than 1024 |
256 | 258 |
* @return offset in the current file if match is found, -1 otherwise */ |
257 | 259 |
int32_t file_find(const uint8_t* data, uint32_t len); |
258 | 260 |
|
259 | 261 |
/** Read a single byte from current file |
262 |
+ \group_file |
|
260 | 263 |
* @param offset file offset |
261 | 264 |
* @return byte at offset \p off in the current file, or -1 if offset is |
262 | 265 |
* invalid */ |
... | ... |
@@ -264,6 +288,7 @@ int32_t file_byteat(uint32_t offset); |
264 | 264 |
|
265 | 265 |
/** Allocates memory. Currently this memory is freed automatically on exit |
266 | 266 |
from the bytecode, and there is no way to free it sooner. |
267 |
+ \group_adt |
|
267 | 268 |
@param size amount of memory to allocate in bytes |
268 | 269 |
@return pointer to allocated memory */ |
269 | 270 |
void* malloc(uint32_t size); |
... | ... |
@@ -274,11 +299,15 @@ void* malloc(uint32_t size); |
274 | 274 |
uint32_t test2(uint32_t a); |
275 | 275 |
|
276 | 276 |
/** Gets information about the specified PE section. |
277 |
+ \group_pe |
|
277 | 278 |
* @param[out] section PE section information will be stored here |
278 |
- * @param[in] num PE section number */ |
|
279 |
+ * @param[in] num PE section number |
|
280 |
+ * @return 0 - success |
|
281 |
+ -1 - failure */ |
|
279 | 282 |
int32_t get_pe_section(struct cli_exe_section *section, uint32_t num); |
280 | 283 |
|
281 | 284 |
/** Fills the specified buffer with at least \p fill bytes. |
285 |
+ \group_file |
|
282 | 286 |
* @param[out] buffer the buffer to fill |
283 | 287 |
* @param[in] len length of buffer |
284 | 288 |
* @param[in] filled how much of the buffer is currently filled |
... | ... |
@@ -295,13 +324,15 @@ int32_t fill_buffer(uint8_t* buffer, uint32_t len, uint32_t filled, |
295 | 295 |
/** |
296 | 296 |
* Prepares for extracting a new file, if we've already extracted one it scans |
297 | 297 |
* it. |
298 |
+ \group_scan |
|
298 | 299 |
* @param[in] id an id for the new file (for example position in container) |
299 | 300 |
* @return 1 if previous extracted file was infected |
300 | 301 |
*/ |
301 | 302 |
int32_t extract_new(int32_t id); |
302 | 303 |
|
303 |
-/** |
|
304 |
- * Reads a number in the specified radix starting from the current position. |
|
304 |
+/** |
|
305 |
+ * Reads a number in the specified radix starting from the current position. |
|
306 |
+ * \group_file |
|
305 | 307 |
* Non-numeric characters are ignored. |
306 | 308 |
* @param[in] radix 10 or 16 |
307 | 309 |
* @return the number read |
... | ... |
@@ -310,11 +341,13 @@ int32_t read_number(uint32_t radix); |
310 | 310 |
|
311 | 311 |
/** |
312 | 312 |
* Creates a new hashset and returns its id. |
313 |
+ \group_adt |
|
313 | 314 |
* @return ID for new hashset */ |
314 | 315 |
int32_t hashset_new(void); |
315 | 316 |
|
316 | 317 |
/** |
317 | 318 |
* Add a new 32-bit key to the hashset. |
319 |
+ \group_adt |
|
318 | 320 |
* @param hs ID of hashset (from hashset_new) |
319 | 321 |
* @param key the key to add |
320 | 322 |
* @return 0 on success */ |
... | ... |
@@ -322,6 +355,7 @@ int32_t hashset_add(int32_t hs, uint32_t key); |
322 | 322 |
|
323 | 323 |
/** |
324 | 324 |
* Remove a 32-bit key from the hashset. |
325 |
+ \group_adt |
|
325 | 326 |
* @param hs ID of hashset (from hashset_new) |
326 | 327 |
* @param key the key to add |
327 | 328 |
* @return 0 on success */ |
... | ... |
@@ -329,6 +363,7 @@ int32_t hashset_remove(int32_t hs, uint32_t key); |
329 | 329 |
|
330 | 330 |
/** |
331 | 331 |
* Returns whether the hashset contains the specified key. |
332 |
+ \group_adt |
|
332 | 333 |
* @param hs ID of hashset (from hashset_new) |
333 | 334 |
* @param key the key to lookup |
334 | 335 |
* @return 1 if found, 0 if not found, <0 on invalid hashset ID */ |
... | ... |
@@ -336,6 +371,7 @@ int32_t hashset_contains(int32_t hs, uint32_t key); |
336 | 336 |
|
337 | 337 |
/** |
338 | 338 |
* Deallocates the memory used by the specified hashset. |
339 |
+ \group_adt |
|
339 | 340 |
* Trying to use the hashset after this will result in an error. |
340 | 341 |
* The hashset may not be used after this. |
341 | 342 |
* All hashsets are automatically deallocated when bytecode |
... | ... |
@@ -346,18 +382,22 @@ int32_t hashset_done(int32_t id); |
346 | 346 |
|
347 | 347 |
/** |
348 | 348 |
* Returns whether the hashset is empty. |
349 |
+ \group_adt |
|
349 | 350 |
* @param id of hashset (from hashset_new) |
350 | 351 |
* @return 0 on success */ |
351 | 352 |
int32_t hashset_empty(int32_t id); |
352 | 353 |
|
353 | 354 |
/** |
354 | 355 |
* Creates a new pipe with the specified buffer size |
356 |
+ \group_adt |
|
355 | 357 |
* @param size size of buffer |
356 | 358 |
* @return ID of newly created buffer_pipe */ |
357 | 359 |
int32_t buffer_pipe_new(uint32_t size); |
358 | 360 |
|
359 | 361 |
/** |
360 | 362 |
* Same as buffer_pipe_new, except the pipe's input is tied |
363 |
+ \group_adt |
|
364 |
+ \group_file |
|
361 | 365 |
* to the current file, at the specified position. |
362 | 366 |
* @param pos starting position of pipe input in current file |
363 | 367 |
* @return ID of newly created buffer_pipe */ |
... | ... |
@@ -365,12 +405,14 @@ int32_t buffer_pipe_new_fromfile(uint32_t pos); |
365 | 365 |
|
366 | 366 |
/** |
367 | 367 |
* Returns the amount of bytes available to read. |
368 |
+ \group_adt |
|
368 | 369 |
* @param id ID of buffer_pipe |
369 | 370 |
* @return amount of bytes available to read */ |
370 | 371 |
uint32_t buffer_pipe_read_avail(int32_t id); |
371 | 372 |
|
372 | 373 |
/** |
373 | 374 |
* Returns a pointer to the buffer for reading. |
375 |
+ \group_adt |
|
374 | 376 |
* The 'amount' parameter should be obtained by a call to |
375 | 377 |
* buffer_pipe_read_avail(). |
376 | 378 |
* @param id ID of buffer_pipe |
... | ... |
@@ -380,6 +422,7 @@ uint32_t buffer_pipe_read_avail(int32_t id); |
380 | 380 |
uint8_t *buffer_pipe_read_get(int32_t id, uint32_t amount); |
381 | 381 |
|
382 | 382 |
/** |
383 |
+ \group_adt |
|
383 | 384 |
* Updates read cursor in buffer_pipe. |
384 | 385 |
* @param id ID of buffer_pipe |
385 | 386 |
* @param amount amount of bytes to move read cursor |
... | ... |
@@ -388,11 +431,13 @@ int32_t buffer_pipe_read_stopped(int32_t id, uint32_t amount); |
388 | 388 |
|
389 | 389 |
/** |
390 | 390 |
* Returns the amount of bytes available for writing. |
391 |
+ \group_adt |
|
391 | 392 |
* @param id ID of buffer_pipe |
392 | 393 |
* @return amount of bytes available for writing */ |
393 | 394 |
uint32_t buffer_pipe_write_avail(int32_t id); |
394 | 395 |
|
395 | 396 |
/** |
397 |
+ \group_adt |
|
396 | 398 |
* Returns pointer to writable buffer. |
397 | 399 |
* The 'amount' parameter should be obtained by a call to |
398 | 400 |
* buffer_pipe_write_avail(). |
... | ... |
@@ -404,6 +449,7 @@ uint8_t *buffer_pipe_write_get(int32_t id, uint32_t size); |
404 | 404 |
|
405 | 405 |
/** |
406 | 406 |
* Updates the write cursor in buffer_pipe. |
407 |
+ \group_adt |
|
407 | 408 |
* @param id ID of buffer_pipe |
408 | 409 |
* @param amount amount of bytes to move write cursor |
409 | 410 |
* @return 0 on success */ |
... | ... |
@@ -411,6 +457,7 @@ int32_t buffer_pipe_write_stopped(int32_t id, uint32_t amount); |
411 | 411 |
|
412 | 412 |
/** |
413 | 413 |
* Deallocate memory used by buffer. |
414 |
+ \group_adt |
|
414 | 415 |
* After this all attempts to use this buffer will result in error. |
415 | 416 |
* All buffer_pipes are automatically deallocated when bytecode |
416 | 417 |
* finishes execution. |
... | ... |
@@ -420,6 +467,7 @@ int32_t buffer_pipe_done(int32_t id); |
420 | 420 |
|
421 | 421 |
/** |
422 | 422 |
* Initializes inflate data structures for decompressing data |
423 |
+ \group_adt |
|
423 | 424 |
* 'from_buffer' and writing uncompressed uncompressed data 'to_buffer'. |
424 | 425 |
* @param from_buffer ID of buffer_pipe to read compressed data from |
425 | 426 |
* @param to_buffer ID of buffer_pipe to write decompressed data to |
... | ... |
@@ -435,6 +483,7 @@ int32_t inflate_init(int32_t from_buffer, int32_t to_buffer, int32_t windowBits) |
435 | 435 |
* buffer, and flushing the output buffer. |
436 | 436 |
* The inflate stream is done processing when 0 bytes are available from output |
437 | 437 |
* buffer, and input buffer is not empty. |
438 |
+ \group_adt |
|
438 | 439 |
* @param id ID of inflate data structure |
439 | 440 |
* @return 0 on success, zlib error code otherwise */ |
440 | 441 |
int32_t inflate_process(int32_t id); |
... | ... |
@@ -444,12 +493,14 @@ int32_t inflate_process(int32_t id); |
444 | 444 |
* Using the inflate data structure after this will result in an error. |
445 | 445 |
* All inflate data structures are automatically deallocated when bytecode |
446 | 446 |
* finishes execution. |
447 |
+ \group_adt |
|
447 | 448 |
* @param id ID of inflate data structure |
448 | 449 |
* @return 0 on success.*/ |
449 | 450 |
int32_t inflate_done(int32_t id); |
450 | 451 |
|
451 | 452 |
/** |
452 | 453 |
* Report a runtime error at the specified locationID. |
454 |
+ \group_scan |
|
453 | 455 |
* @param locationid (line << 8) | (column&0xff) |
454 | 456 |
* @return 0 */ |
455 | 457 |
int32_t bytecode_rt_error(int32_t locationid); |
... | ... |
@@ -459,6 +510,7 @@ int32_t bytecode_rt_error(int32_t locationid); |
459 | 459 |
* Normalized JS will be written to a single tempfile, |
460 | 460 |
* one normalized JS per line, and automatically scanned |
461 | 461 |
* when the bytecode finishes execution. |
462 |
+ \group_js |
|
462 | 463 |
* @param from_buffer ID of buffer_pipe to read javascript from |
463 | 464 |
* @return ID of JS normalizer, <0 on failure */ |
464 | 465 |
int32_t jsnorm_init(int32_t from_buffer); |
... | ... |
@@ -467,25 +519,30 @@ int32_t jsnorm_init(int32_t from_buffer); |
467 | 467 |
* Normalize all javascript from the input buffer, and write to tempfile. |
468 | 468 |
* You can call this function repeatedly on success, if you (re)fill the input |
469 | 469 |
* buffer. |
470 |
+ \group_js |
|
470 | 471 |
* @param id ID of JS normalizer |
471 | 472 |
* @return 0 on success, <0 on failure */ |
472 | 473 |
int32_t jsnorm_process(int32_t id); |
473 | 474 |
|
474 | 475 |
/** |
475 | 476 |
* Flushes JS normalizer. |
476 |
- * @param id ID of js normalizer to flush */ |
|
477 |
+ \group_js |
|
478 |
+ * @param id ID of js normalizer to flush |
|
479 |
+ * @return 0 - success |
|
480 |
+ -1 - failure */ |
|
477 | 481 |
int32_t jsnorm_done(int32_t id); |
478 | 482 |
|
479 | 483 |
/* ---------------- END 0.96 APIs (don't touch) --------------------------- */ |
480 | 484 |
/* ---------------- BEGIN 0.96.1 APIs ------------------------------------- */ |
481 | 485 |
|
482 |
-/** --------------- math -----------------*/ |
|
486 |
+/* ---------------- Math -------------------------------------------------- */ |
|
483 | 487 |
|
484 | 488 |
/** |
485 | 489 |
* Returns 2^26*log2(a/b) |
486 | 490 |
* @param a input |
487 | 491 |
* @param b input |
488 | 492 |
* @return 2^26*log2(a/b) |
493 |
+ \group_math |
|
489 | 494 |
*/ |
490 | 495 |
int32_t ilog2(uint32_t a, uint32_t b); |
491 | 496 |
|
... | ... |
@@ -495,6 +552,7 @@ int32_t ilog2(uint32_t a, uint32_t b); |
495 | 495 |
* @param b integer |
496 | 496 |
* @param c integer |
497 | 497 |
* @return c*pow(a,b) |
498 |
+ \group_math |
|
498 | 499 |
*/ |
499 | 500 |
int32_t ipow(int32_t a, int32_t b, int32_t c); |
500 | 501 |
|
... | ... |
@@ -504,6 +562,7 @@ int32_t ipow(int32_t a, int32_t b, int32_t c); |
504 | 504 |
* @param b integer |
505 | 505 |
* @param c integer |
506 | 506 |
* @return c*exp(a/b) |
507 |
+ \group_math |
|
507 | 508 |
*/ |
508 | 509 |
uint32_t iexp(int32_t a, int32_t b, int32_t c); |
509 | 510 |
|
... | ... |
@@ -513,6 +572,7 @@ uint32_t iexp(int32_t a, int32_t b, int32_t c); |
513 | 513 |
* @param b integer |
514 | 514 |
* @param c integer |
515 | 515 |
* @return c*sin(a/b) |
516 |
+ \group_math |
|
516 | 517 |
*/ |
517 | 518 |
int32_t isin(int32_t a, int32_t b, int32_t c); |
518 | 519 |
|
... | ... |
@@ -522,10 +582,11 @@ int32_t isin(int32_t a, int32_t b, int32_t c); |
522 | 522 |
* @param b integer |
523 | 523 |
* @param c integer |
524 | 524 |
* @return c*sin(a/b) |
525 |
+ \group_math |
|
525 | 526 |
*/ |
526 | 527 |
int32_t icos(int32_t a, int32_t b, int32_t c); |
527 | 528 |
|
528 |
-/** --------------- string operations -----------------*/ |
|
529 |
+/* ---------------- String operations --------------------------------------- */ |
|
529 | 530 |
/** |
530 | 531 |
* Return position of match, -1 otherwise. |
531 | 532 |
* @param haystack buffer to search |
... | ... |
@@ -533,6 +594,7 @@ int32_t icos(int32_t a, int32_t b, int32_t c); |
533 | 533 |
* @param needle substring to search |
534 | 534 |
* @param needlesize size of needle |
535 | 535 |
* @return location of match, -1 otherwise |
536 |
+ \group_string |
|
536 | 537 |
*/ |
537 | 538 |
int32_t memstr(const uint8_t* haystack, int32_t haysize, |
538 | 539 |
const uint8_t* needle, int32_t needlesize); |
... | ... |
@@ -543,6 +605,7 @@ int32_t memstr(const uint8_t* haystack, int32_t haysize, |
543 | 543 |
* @param hex1 hexadecimal character |
544 | 544 |
* @param hex2 hexadecimal character |
545 | 545 |
* @return hex1 hex2 converted to 8-bit integer, -1 on error |
546 |
+ \group_string |
|
546 | 547 |
*/ |
547 | 548 |
int32_t hex2ui(uint32_t hex1, uint32_t hex2); |
548 | 549 |
|
... | ... |
@@ -551,6 +614,7 @@ int32_t hex2ui(uint32_t hex1, uint32_t hex2); |
551 | 551 |
* @param str buffer |
552 | 552 |
* @param size size of \p str |
553 | 553 |
* @return >0 string converted to number if possible, -1 on error |
554 |
+ \group_string |
|
554 | 555 |
*/ |
555 | 556 |
int32_t atoi(const uint8_t* str, int32_t size); |
556 | 557 |
|
... | ... |
@@ -560,6 +624,7 @@ int32_t atoi(const uint8_t* str, int32_t size); |
560 | 560 |
* @param str the string |
561 | 561 |
* @param len length of \p str |
562 | 562 |
* @return 0 |
563 |
+ \group_string |
|
563 | 564 |
*/ |
564 | 565 |
uint32_t debug_print_str_start(const uint8_t *str, uint32_t len); |
565 | 566 |
|
... | ... |
@@ -569,6 +634,7 @@ uint32_t debug_print_str_start(const uint8_t *str, uint32_t len); |
569 | 569 |
* @param str the string |
570 | 570 |
* @param len length of \p str |
571 | 571 |
* @return 0 |
572 |
+ \group_string |
|
572 | 573 |
*/ |
573 | 574 |
uint32_t debug_print_str_nonl(const uint8_t *str, uint32_t len); |
574 | 575 |
|
... | ... |
@@ -577,15 +643,18 @@ uint32_t debug_print_str_nonl(const uint8_t *str, uint32_t len); |
577 | 577 |
* @param buffer input buffer |
578 | 578 |
* @param size size of buffer |
579 | 579 |
* @return entropy estimation * 2^26 |
580 |
+ \group_string |
|
580 | 581 |
*/ |
581 | 582 |
uint32_t entropy_buffer(uint8_t* buffer, int32_t size); |
582 | 583 |
|
583 |
-/* ------------------ data structures -------------------- */ |
|
584 |
+/* ------------------ Data Structures --------------------------------------- */ |
|
584 | 585 |
/** |
585 | 586 |
* Creates a new map and returns its id. |
586 | 587 |
* @param keysize size of key |
587 | 588 |
* @param valuesize size of value, if 0 then value is allocated separately |
588 |
- * @return ID of new map */ |
|
589 |
+ * @return ID of new map |
|
590 |
+\group_adt |
|
591 |
+ */ |
|
589 | 592 |
int32_t map_new(int32_t keysize, int32_t valuesize); |
590 | 593 |
|
591 | 594 |
/** |
... | ... |
@@ -596,6 +665,7 @@ int32_t map_new(int32_t keysize, int32_t valuesize); |
596 | 596 |
* @return 0 - if key existed before |
597 | 597 |
1 - if key didn't exist before |
598 | 598 |
<0 - if ksize doesn't match keysize specified at table creation |
599 |
+\group_adt |
|
599 | 600 |
*/ |
600 | 601 |
int32_t map_addkey(const uint8_t *key, int32_t ksize, int32_t id); |
601 | 602 |
|
... | ... |
@@ -606,6 +676,7 @@ int32_t map_addkey(const uint8_t *key, int32_t ksize, int32_t id); |
606 | 606 |
* @param vsize size of \p value |
607 | 607 |
* @return 0 - if update was successful |
608 | 608 |
<0 - if there is no last key |
609 |
+\group_adt |
|
609 | 610 |
*/ |
610 | 611 |
int32_t map_setvalue(const uint8_t *value, int32_t vsize, int32_t id); |
611 | 612 |
|
... | ... |
@@ -617,6 +688,7 @@ int32_t map_setvalue(const uint8_t *value, int32_t vsize, int32_t id); |
617 | 617 |
* @return 0 on success, key was present |
618 | 618 |
1 if key was not present |
619 | 619 |
<0 if ksize doesn't match keysize specified at table creation |
620 |
+\group_adt |
|
620 | 621 |
*/ |
621 | 622 |
int32_t map_remove(const uint8_t* key, int32_t ksize, int32_t id); |
622 | 623 |
|
... | ... |
@@ -631,6 +703,7 @@ int32_t map_remove(const uint8_t* key, int32_t ksize, int32_t id); |
631 | 631 |
* @return 0 - if not found |
632 | 632 |
1 - if found |
633 | 633 |
<0 - if ksize doesn't match the size specified at table creation |
634 |
+\group_adt |
|
634 | 635 |
*/ |
635 | 636 |
int32_t map_find(const uint8_t* key, int32_t ksize, int32_t id); |
636 | 637 |
|
... | ... |
@@ -638,6 +711,7 @@ int32_t map_find(const uint8_t* key, int32_t ksize, int32_t id); |
638 | 638 |
* Returns the size of value obtained during last map_find. |
639 | 639 |
* @param id id of map. |
640 | 640 |
* @return size of value |
641 |
+\group_adt |
|
641 | 642 |
*/ |
642 | 643 |
int32_t map_getvaluesize(int32_t id); |
643 | 644 |
|
... | ... |
@@ -646,6 +720,7 @@ int32_t map_getvaluesize(int32_t id); |
646 | 646 |
* @param id id of map. |
647 | 647 |
* @param size size of value (obtained from map_getvaluesize) |
648 | 648 |
* @return value |
649 |
+\group_adt |
|
649 | 650 |
*/ |
650 | 651 |
uint8_t* map_getvalue(int32_t id, int32_t size); |
651 | 652 |
|
... | ... |
@@ -654,10 +729,14 @@ uint8_t* map_getvalue(int32_t id, int32_t size); |
654 | 654 |
* Trying to use the map after this will result in an error. |
655 | 655 |
* All maps are automatically deallocated when the bytecode finishes |
656 | 656 |
* execution. |
657 |
+ * @param id id of map |
|
658 |
+ * @return 0 - success |
|
659 |
+ -1 - invalid map |
|
660 |
+\group_adt |
|
657 | 661 |
*/ |
658 | 662 |
int32_t map_done(int32_t id); |
659 | 663 |
|
660 |
-/** -------------- file operations --------------------- */ |
|
664 |
+/* -------------- File Operations ------------------------------------------- */ |
|
661 | 665 |
/** Looks for the specified sequence of bytes in the current file, up to the |
662 | 666 |
* specified position. |
663 | 667 |
* @param[in] data the sequence of bytes to look for |
... | ... |
@@ -665,35 +744,49 @@ int32_t map_done(int32_t id); |
665 | 665 |
* @param maxpos maximum position to look for a match, |
666 | 666 |
* note that this is 1 byte after the end of last possible match: |
667 | 667 |
* match_pos + \p len < \p maxpos |
668 |
- * @return offset in the current file if match is found, -1 otherwise */ |
|
668 |
+ * @return offset in the current file if match is found, -1 otherwise |
|
669 |
+ * \group_file |
|
670 |
+ */ |
|
669 | 671 |
int32_t file_find_limit(const uint8_t *data, uint32_t len, int32_t maxpos); |
670 | 672 |
|
671 |
-/** ------------- engine query ------------------------ */ |
|
673 |
+/* ------------- Engine Query ----------------------------------------------- */ |
|
672 | 674 |
/** |
673 | 675 |
* Returns the current engine (feature) functionality level. |
676 |
+ * To map these to ClamAV releases, compare it with #FunctionalityLevels. |
|
677 |
+ * @return an integer representing current engine functionality level. |
|
678 |
+ * \group_engine |
|
674 | 679 |
*/ |
675 | 680 |
uint32_t engine_functionality_level(void); |
676 | 681 |
|
677 | 682 |
/** |
678 | 683 |
* Returns the current engine (dconf) functionality level. |
684 |
+ * Usually identical to engine_functionality_level(), unless distro backported |
|
685 |
+ * patches. Compare with #FunctionalityLevels. |
|
686 |
+ * @return an integer representing the DCONF (security fixes) level. |
|
687 |
+ * \group_engine |
|
679 | 688 |
*/ |
680 | 689 |
uint32_t engine_dconf_level(void); |
681 | 690 |
|
682 | 691 |
/** |
683 | 692 |
* Returns the current engine's scan options. |
693 |
+ * @return CL_SCAN* flags |
|
694 |
+ * \group_engine |
|
684 | 695 |
*/ |
685 | 696 |
uint32_t engine_scan_options(void); |
686 | 697 |
|
687 | 698 |
/** |
688 | 699 |
* Returns the current engine's db options. |
700 |
+ * @return CL_DB_* flags |
|
701 |
+ * \group_engine |
|
689 | 702 |
*/ |
690 | 703 |
uint32_t engine_db_options(void); |
691 | 704 |
|
692 |
-/* ---------------- scan control --------------------------- */ |
|
705 |
+/* ---------------- Scan Control -------------------------------------------- */ |
|
693 | 706 |
/** |
694 | 707 |
* Sets the container type for the currently extracted file. |
695 | 708 |
* @param container container type (CL_TYPE_*) |
696 | 709 |
* @return current setting for container (CL_TYPE_ANY default) |
710 |
+ * \group_scan |
|
697 | 711 |
*/ |
698 | 712 |
int32_t extract_set_container(uint32_t container); |
699 | 713 |
|
... | ... |
@@ -706,13 +799,23 @@ int32_t extract_set_container(uint32_t container); |
706 | 706 |
0 - switch back to original input |
707 | 707 |
* @return -1 on error (if no extracted file exists) |
708 | 708 |
0 on success |
709 |
+ * \group_scan |
|
709 | 710 |
*/ |
710 | 711 |
int32_t input_switch(int32_t extracted_file); |
711 | 712 |
|
712 | 713 |
/* ---------------- END 0.96.1 APIs ------------------------------------- */ |
713 | 714 |
/* ---------------- BEGIN 0.96.2 APIs ----------------------------------- */ |
714 | 715 |
|
716 |
+/** Queries the environment this bytecode runs in. |
|
717 |
+ * Used by BC_STARTUP to disable bytecode when bugs are known for the current |
|
718 |
+ * platform. |
|
719 |
+ * @param[out] env - the full environment |
|
720 |
+ * @param len - size of \p env |
|
721 |
+ * @return 0 |
|
722 |
+ \group_env |
|
723 |
+ */ |
|
715 | 724 |
uint32_t get_environment(struct cli_environment *env, uint32_t len); |
725 |
+ |
|
716 | 726 |
/** Disables the bytecode completely if condition is true. |
717 | 727 |
Can only be called from the BC_STARTUP bytecode. |
718 | 728 |
@param reason - why the bytecode had to be disabled |
... | ... |
@@ -721,6 +824,7 @@ uint32_t get_environment(struct cli_environment *env, uint32_t len); |
721 | 721 |
@return 0 - auto mode |
722 | 722 |
1 - JIT disabled |
723 | 723 |
2 - fully disabled |
724 |
+ \group_env |
|
724 | 725 |
*/ |
725 | 726 |
uint32_t disable_bytecode_if(const int8_t *reason, uint32_t len, uint32_t cond); |
726 | 727 |
|
... | ... |
@@ -732,6 +836,7 @@ uint32_t disable_bytecode_if(const int8_t *reason, uint32_t len, uint32_t cond); |
732 | 732 |
@return 0 - auto mode |
733 | 733 |
1 - JIT disabled |
734 | 734 |
2 - fully disabled |
735 |
+ \group_env |
|
735 | 736 |
*/ |
736 | 737 |
uint32_t disable_jit_if(const int8_t* reason, uint32_t len, uint32_t cond); |
737 | 738 |
|
... | ... |
@@ -742,7 +847,9 @@ uint32_t disable_jit_if(const int8_t* reason, uint32_t len, uint32_t cond); |
742 | 742 |
@param rhs_len - length of \p rhs |
743 | 743 |
@return -1 - lhs < rhs |
744 | 744 |
0 - lhs == rhs |
745 |
- 1 - lhs > rhs */ |
|
745 |
+ 1 - lhs > rhs |
|
746 |
+ \group_env |
|
747 |
+ */ |
|
746 | 748 |
int32_t version_compare(const uint8_t* lhs, uint32_t lhs_len, |
747 | 749 |
const uint8_t* rhs, uint32_t rhs_len); |
748 | 750 |
|
... | ... |
@@ -752,26 +859,36 @@ int32_t version_compare(const uint8_t* lhs, uint32_t lhs_len, |
752 | 752 |
@param b - big_endian << 28 | sizeof_ptr << 24 | cpp_version |
753 | 753 |
@param c - os_features << 24 | c_version |
754 | 754 |
@return 0 - no match |
755 |
- 1 - match */ |
|
755 |
+ 1 - match |
|
756 |
+ \group_env |
|
757 |
+ */ |
|
756 | 758 |
uint32_t check_platform(uint32_t a, uint32_t b, uint32_t c); |
757 | 759 |
|
760 |
+/* --------------------- PDF APIs ----------------------------------- */ |
|
758 | 761 |
/** Return number of pdf objects |
759 | 762 |
* @return -1 - if not called from PDF hook |
760 | 763 |
>=0 - number of PDF objects |
764 |
+ \group_pdf |
|
761 | 765 |
*/ |
762 | 766 |
int32_t pdf_get_obj_num(void); |
763 | 767 |
|
764 | 768 |
/** Return the flags for the entire PDF (as set so far). |
765 | 769 |
* @return -1 - if not called from PDF hook |
766 |
- >=0 - pdf flags */ |
|
770 |
+ >=0 - pdf flags |
|
771 |
+ \group_pdf |
|
772 |
+ */ |
|
767 | 773 |
int32_t pdf_get_flags(void); |
768 | 774 |
|
769 | 775 |
/** Sets the flags for the entire PDF. |
770 | 776 |
* It is recommended that you retrieve old flags, and just add new ones. |
771 |
- * @param flags - flags to set */ |
|
777 |
+ \group_pdf |
|
778 |
+ * @param flags - flags to set. |
|
779 |
+ * @return 0 - success |
|
780 |
+ -1 - invalid phase */ |
|
772 | 781 |
int32_t pdf_set_flags(int32_t flags); |
773 | 782 |
|
774 | 783 |
/** Lookup pdf object with specified id. |
784 |
+ \group_pdf |
|
775 | 785 |
* @param id - pdf id (objnumber << 8 | generationid) |
776 | 786 |
@return -1 - if object id doesn't exist |
777 | 787 |
>=0 - object index |
... | ... |
@@ -779,12 +896,14 @@ int32_t pdf_set_flags(int32_t flags); |
779 | 779 |
int32_t pdf_lookupobj(uint32_t id); |
780 | 780 |
|
781 | 781 |
/** Return the size of the specified PDF obj. |
782 |
- * @param objnum - object index (from 0), not object id! |
|
782 |
+ \group_pdf |
|
783 |
+ * @param objidx - object index (from 0), not object id! |
|
783 | 784 |
* @return 0 - if not called from PDF hook, or invalid objnum |
784 | 785 |
>=0 - size of object */ |
785 | 786 |
uint32_t pdf_getobjsize(int32_t objidx); |
786 | 787 |
|
787 | 788 |
/** Return the undecoded object. |
789 |
+ \group_pdf |
|
788 | 790 |
Meant only for reading, write modifies the fmap buffer, so avoid! |
789 | 791 |
@param objidx - object index (from 0), not object id! |
790 | 792 |
@param amount - size returned by pdf_getobjsize (or smaller) |
... | ... |
@@ -793,6 +912,7 @@ uint32_t pdf_getobjsize(int32_t objidx); |
793 | 793 |
uint8_t *pdf_getobj(int32_t objidx, uint32_t amount); |
794 | 794 |
|
795 | 795 |
/* Return the object id for the specified object index. |
796 |
+ \group_pdf |
|
796 | 797 |
@param objidx - object index (from 0) |
797 | 798 |
@return -1 - object index invalid |
798 | 799 |
>=0 - object id (obj id << 8 | generation id) |
... | ... |
@@ -800,6 +920,7 @@ uint8_t *pdf_getobj(int32_t objidx, uint32_t amount); |
800 | 800 |
int32_t pdf_getobjid(int32_t objidx); |
801 | 801 |
|
802 | 802 |
/* Return the object flags for the specified object index. |
803 |
+ \group_pdf |
|
803 | 804 |
@param objidx - object index (from 0) |
804 | 805 |
@return -1 - object index invalid |
805 | 806 |
>=0 - object flags |
... | ... |
@@ -807,6 +928,7 @@ int32_t pdf_getobjid(int32_t objidx); |
807 | 807 |
int32_t pdf_getobjflags(int32_t objidx); |
808 | 808 |
|
809 | 809 |
/* Sets the object flags for the specified object index. |
810 |
+ \group_pdf |
|
810 | 811 |
This can be used to force dumping of a certain obj, by setting the |
811 | 812 |
OBJ_FORCEDUMP flag for example. |
812 | 813 |
@param objidx - object index (from 0) |
... | ... |
@@ -816,6 +938,7 @@ int32_t pdf_getobjflags(int32_t objidx); |
816 | 816 |
int32_t pdf_setobjflags(int32_t objidx, int32_t flags); |
817 | 817 |
|
818 | 818 |
/* Return the object's offset in the PDF. |
819 |
+ \group_pdf |
|
819 | 820 |
@param objidx - object index (from 0) |
820 | 821 |
@return -1 - object index invalid |
821 | 822 |
>=0 - offset |
... | ... |
@@ -823,19 +946,31 @@ int32_t pdf_setobjflags(int32_t objidx, int32_t flags); |
823 | 823 |
int32_t pdf_get_offset(int32_t objidx); |
824 | 824 |
|
825 | 825 |
/** Return an 'enum pdf_phase'. |
826 |
- * Identifies at which phase this bytecode was called */ |
|
826 |
+ \group_pdf |
|
827 |
+ * Identifies at which phase this bytecode was called. |
|
828 |
+ * @return the current #pdf_phase |
|
829 |
+ */ |
|
827 | 830 |
int32_t pdf_get_phase(void); |
828 | 831 |
|
829 |
-/** Return the currently dumped obj id. |
|
830 |
- Valid only in PDF_PHASE_POSTDUMP */ |
|
832 |
+/** Return the currently dumped obj index. |
|
833 |
+ \group_pdf |
|
834 |
+ * Valid only in PDF_PHASE_POSTDUMP. |
|
835 |
+ * @return >=0 - object index |
|
836 |
+ -1 - invalid phase |
|
837 |
+ */ |
|
831 | 838 |
int32_t pdf_get_dumpedobjid(void); |
832 | 839 |
|
840 |
+/* ----------------------------- Icon APIs -------------------------- */ |
|
833 | 841 |
/** Attempts to match current executable's icon against the specified icon |
834 | 842 |
* groups. |
843 |
+ \group_icon |
|
835 | 844 |
* @param[in] group1 - same as GROUP1 in LDB signatures |
836 | 845 |
* @param group1_len - length of \p group1 |
837 | 846 |
* @param[in] group2 - same as GROUP2 in LDB signatures |
838 | 847 |
* @param group2_len - length of \p group2 |
848 |
+ * @return -1 - invalid call, or sizes (only valid for PE hooks) |
|
849 |
+ 0 - not a match |
|
850 |
+ 1 - match |
|
839 | 851 |
*/ |
840 | 852 |
|
841 | 853 |
int32_t matchicon(const uint8_t* group1, int32_t group1_len, |
... | ... |
@@ -26,7 +26,9 @@ |
26 | 26 |
#include "bcfeatures.h" |
27 | 27 |
|
28 | 28 |
/** @file */ |
29 |
-/** Section of executable file */ |
|
29 |
+/** Section of executable file. |
|
30 |
+ \group_pe |
|
31 |
+*/ |
|
30 | 32 |
struct cli_exe_section { |
31 | 33 |
uint32_t rva;/**< Relative VirtualAddress */ |
32 | 34 |
uint32_t vsz;/**< VirtualSize */ |
... | ... |
@@ -39,11 +41,13 @@ struct cli_exe_section { |
39 | 39 |
uint32_t ursz; /**< PE - unaligned SizeOfRawData */ |
40 | 40 |
}; |
41 | 41 |
|
42 |
-/** Executable file information */ |
|
42 |
+/** Executable file information |
|
43 |
+ \group_pe |
|
44 |
+*/ |
|
43 | 45 |
struct cli_exe_info { |
44 | 46 |
/** Information about all the sections of this file. |
45 | 47 |
* This array has \p nsection elements */ |
46 |
- struct cli_exe_section *section EBOUNDS(nsections); |
|
48 |
+ struct cli_exe_section *section; |
|
47 | 49 |
/** Offset where this executable start in file (nonzero if embedded) */ |
48 | 50 |
uint32_t offset; |
49 | 51 |
/** Entrypoint of executable */ |
... | ... |
@@ -470,7 +470,7 @@ int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t* grp1, int32_ |
470 | 470 |
group1[grp1len] = 0; |
471 | 471 |
group2[grp2len] = 0; |
472 | 472 |
memset(&info, 0, sizeof(info)); |
473 |
- if (ctx->bc->kind == BC_PE_UNPACKER) { |
|
473 |
+ if (ctx->bc->kind == BC_PE_UNPACKER || ctx->bc->kind == BC_PE_ALL) { |
|
474 | 474 |
if(le16_to_host(ctx->hooks.pedata->file_hdr.Characteristics) & 0x2000 || |
475 | 475 |
!ctx->hooks.pedata->dirs[2].Size) |
476 | 476 |
info.res_addr = 0; |
... | ... |
@@ -1129,7 +1129,7 @@ int cli_scanpe(cli_ctx *ctx) |
1129 | 1129 |
} |
1130 | 1130 |
cli_bytecode_context_setpe(bc_ctx, &pedata, exe_sections); |
1131 | 1131 |
cli_bytecode_context_setctx(bc_ctx, ctx); |
1132 |
- ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PE_ALL, ctx->virname); |
|
1132 |
+ ret = cli_bytecode_runhook(ctx, ctx->engine, bc_ctx, BC_PE_ALL, map, ctx->virname); |
|
1133 | 1133 |
if (ret == CL_VIRUS) { |
1134 | 1134 |
free(exe_sections); |
1135 | 1135 |
cli_bytecode_context_destroy(bc_ctx); |
... | ... |
@@ -28,7 +28,8 @@ |
28 | 28 |
#include "fmap.h" |
29 | 29 |
#include "bcfeatures.h" |
30 | 30 |
/** @file */ |
31 |
-/** Header for this PE file */ |
|
31 |
+/** Header for this PE file |
|
32 |
+ \group_pe */ |
|
32 | 33 |
struct pe_image_file_hdr { |
33 | 34 |
uint32_t Magic; /**< PE magic header: PE\\0\\0 */ |
34 | 35 |
uint16_t Machine;/**< CPU this executable runs on, see libclamav/pe.c for possible values */ |
... | ... |
@@ -40,13 +41,15 @@ struct pe_image_file_hdr { |
40 | 40 |
uint16_t Characteristics; |
41 | 41 |
}; |
42 | 42 |
|
43 |
-/** PE data directory header */ |
|
43 |
+/** PE data directory header |
|
44 |
+ \group_pe */ |
|
44 | 45 |
struct pe_image_data_dir { |
45 | 46 |
uint32_t VirtualAddress; |
46 | 47 |
uint32_t Size; |
47 | 48 |
}; |
48 | 49 |
|
49 |
-/** 32-bit PE optional header */ |
|
50 |
+/** 32-bit PE optional header |
|
51 |
+ \group_pe */ |
|
50 | 52 |
struct pe_image_optional_hdr32 { |
51 | 53 |
uint16_t Magic; |
52 | 54 |
uint8_t MajorLinkerVersion; /**< unreliable */ |
... | ... |
@@ -81,7 +84,8 @@ struct pe_image_optional_hdr32 { |
81 | 81 |
struct pe_image_data_dir DataDirectory[16]; |
82 | 82 |
}; |
83 | 83 |
|
84 |
-/** PE 64-bit optional header */ |
|
84 |
+/** PE 64-bit optional header |
|
85 |
+ \group_pe */ |
|
85 | 86 |
struct pe_image_optional_hdr64 { |
86 | 87 |
uint16_t Magic; |
87 | 88 |
uint8_t MajorLinkerVersion; /**< unreliable */ |
... | ... |
@@ -115,7 +119,8 @@ struct pe_image_optional_hdr64 { |
115 | 115 |
struct pe_image_data_dir DataDirectory[16]; |
116 | 116 |
}; |
117 | 117 |
|
118 |
-/** PE section header */ |
|
118 |
+/** PE section header |
|
119 |
+ \group_pe */ |
|
119 | 120 |
struct pe_image_section_hdr { |
120 | 121 |
uint8_t Name[8]; /**< may not end with NULL */ |
121 | 122 |
/* |
... | ... |
@@ -135,7 +140,8 @@ struct pe_image_section_hdr { |
135 | 135 |
uint32_t Characteristics; |
136 | 136 |
}; |
137 | 137 |
|
138 |
-/** Data for the bytecode PE hook */ |
|
138 |
+/** Data for the bytecode PE hook |
|
139 |
+ \group_pe */ |
|
139 | 140 |
struct cli_pe_hook_data { |
140 | 141 |
uint32_t offset; |
141 | 142 |
uint32_t ep; /**< EntryPoint as file offset */ |