
preliminary x86 disassembler support

git-svn: trunk@4002

aCaB authored on 2008/07/28 01:27:29
Showing 4 changed files
... ...
@@ -1,3 +1,7 @@
1
+Sun Jul 27 18:09:23 CEST 2008 (acab)
2
+------------------------------------
3
+  * libclamav: preliminary x86 disassembler support
4
+
1 5
 Sat Jul 26 18:41:40 CEST 2008 (tk)
2 6
 ----------------------------------
3 7
   * sigtool/sigtool.c: handle .ldb/.ldu files (bb#896)
... ...
@@ -1664,21 +1664,58 @@ uint8_t *disasm_x86(uint8_t *command, unsigned int len, struct DISASMED *s) {
1664 1664
 
1665 1665
 
1666 1666
 void disasmbuf(uint8_t *buff, unsigned int len, int fd) {
1667
-  char hr[128];
1668 1667
   uint8_t *next = buff;
1669 1668
   unsigned int counter=0;
1670 1669
   struct DISASMED s;
1670
+  struct MARIO {
1671
+    uint16_t real_op;
1672
+    uint8_t opsize;
1673
+    uint8_t adsize;
1674
+    uint8_t segment;
1675
+
1676
+    uint8_t arg[3][11];
1677
+
1678
+    uint8_t extra[26];
1679
+  } w;
1680
+
1681
+  memset(&w.extra[0], 0, sizeof(w.extra));
1671 1682
 
1672 1683
   while(len && counter++<200) {
1684
+    int i;
1673 1685
     if(!(next = disasm_x86(next, len, &s))) {
1674 1686
       /* TODO: invd opcode or buff over */
1675 1687
       return;
1676 1688
     }
1677
-    spam_x86(&s, hr);
1678
-    /* TODO: save stuff here */
1689
+    if(cli_debug_flag) {
1690
+      char hr[128];
1691
+      spam_x86(&s, hr);
1692
+      cli_dbgmsg("%s\n", hr);
1693
+    }
1694
+    
1679 1695
     len -= next-buff;
1680 1696
     buff=next;
1681
-  }
1682 1697
 
1698
+    cli_writeint32(&w.real_op, s.real_op);
1699
+    w.opsize = s.opsize;
1700
+    w.adsize = s.adsize;
1701
+    w.segment = s.segment;
1702
+
1703
+    for (i=0; i<3; i++) {
1704
+      w.arg[i][0] = s.args[i].access;
1705
+      w.arg[i][1] = s.args[i].size;
1706
+      w.arg[i][2] = s.args[i].reg;
1707
+      if(s.args[i].access==ACCESS_MEM) {
1708
+	w.arg[i][3]=s.args[i].arg.marg.r1;
1709
+	w.arg[i][4]=s.args[i].arg.marg.r1;
1710
+	w.arg[i][5]=s.args[i].arg.marg.scale;
1711
+	cli_writeint32(&w.arg[i][6], s.args[i].arg.marg.disp);
1712
+	w.arg[i][10]=0;
1713
+      } else {
1714
+	cli_writeint32(&w.arg[i][3], s.args[i].arg.d);
1715
+	cli_writeint32(&w.arg[i][7], s.args[i].arg.q>>32);
1716
+      }
1717
+    }
1718
+    cli_writen(fd, &w, sizeof(w));
1719
+  }
1683 1720
 }
1684 1721
 
... ...
@@ -398,7 +398,6 @@ struct DISASMED {
398 398
   uint32_t segment;
399 399
   struct DIS_ARGS args[3];
400 400
   uint8_t cur;
401
-  uint8_t padding[40]; /* FIXME: for future versions */
402 401
 };
403 402
 
404 403
 #endif
... ...
@@ -892,6 +892,10 @@ int cli_scanpe(int desc, cli_ctx *ctx)
892 892
     lseek(desc, ep, SEEK_SET);
893 893
     epsize = cli_readn(desc, epbuff, 4096);
894 894
 
895
+    CLI_UNPTEMP("DISASM",(exe_sections,0));
896
+    disasmbuf(epbuff, epsize, ndesc);
897
+    CLI_TMPUNLK();
898
+
895 899
     /* Attempt to detect some popular polymorphic viruses */
896 900
 
897 901
     /* W32.Parite.B */
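Review bot: `disasmbuf(epbuff, epsize, ndesc);` is handed the raw result of the `cli_readn` call a few lines above, and no check on it is visible between the read and the call; if that read fails and returns -1, the value converts to disasmbuf's `unsigned int len` and the disassembler is told the 4096-byte epbuff is far longer than it is, so it can read past the buffer (whether disasm_x86 stops early on its own is not visible here). Unless cli_scanpe rejects a failed or empty read somewhere outside this hunk, guard the call: `if(epsize > 0) disasmbuf(epbuff, epsize, ndesc);`. The dump also runs on every PE scanned rather than only when debugging, creating and unlinking a temp file per sample; if it is meant as a development aid, gating it on the same `cli_debug_flag` that disasmbuf already consults would keep the extra I/O off the scan path. cli_scanpe begins and ends outside this hunk.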