@@ -1,3 +1,7 @@

+Mon Aug  2 21:51:32 EEST 2010 (edwin)

+-------------------------------------

+ * libclamav/{bytecode,matcher}.c: matchicon API (bb #2139)

+

 Mon Aug  2 17:16:24 CEST 2010 (acab)

 ------------------------------------

  * libclamav/pe_icons.c: BE fixes (bb#2151)

@@ -2400,11 +2400,15 @@ int cli_bytecode_context_setfile(struct cli_bc_ctx *ctx, fmap_t *map)

     return 0;

 }

-int cli_bytecode_runlsig(cli_ctx *cctx, const struct cli_all_bc *bcs, unsigned bc_idx, const char **virname, const uint32_t* lsigcnt, const uint32_t *lsigsuboff, fmap_t *map)

+int cli_bytecode_runlsig(cli_ctx *cctx, struct cli_target_info *tinfo,

+			 const struct cli_all_bc *bcs, unsigned bc_idx,

+			 const char **virname, const uint32_t* lsigcnt,

+			 const uint32_t *lsigsuboff, fmap_t *map)

 {

     int ret;

     struct cli_bc_ctx ctx;

     const struct cli_bc *bc = &bcs->all_bcs[bc_idx-1];

+    struct cli_pe_hook_data pehookdata;

     if (bc->hook_lsig_id) {

 	cli_dbgmsg("hook lsig id %d matched (bc %d)\n", bc->hook_lsig_id, bc->id);

@@ -2420,6 +2424,16 @@ int cli_bytecode_runlsig(cli_ctx *cctx, const struct cli_all_bc *bcs, unsigned b

     ctx.hooks.match_offsets = lsigsuboff;

     cli_bytecode_context_setctx(&ctx, cctx);

     cli_bytecode_context_setfile(&ctx, map);

+    if (tinfo && tinfo->status == 1) {

+	ctx.sections = tinfo->exeinfo.section;

+	memset(&pehookdata, 0, sizeof(pehookdata));

+	pehookdata.offset = tinfo->exeinfo.offset;

+	pehookdata.ep = tinfo->exeinfo.ep;

+	pehookdata.nsections = tinfo->exeinfo.nsections;

+	pehookdata.hdr_size = tinfo->exeinfo.hdr_size;

+	ctx.hooks.pedata = &pehookdata;

+	ctx.resaddr = tinfo->exeinfo.res_addr;

+    }

     cli_dbgmsg("Running bytecode for logical signature match\n");

     ret = cli_bytecode_run(bcs, bc, &ctx);

@@ -117,7 +117,8 @@ void cli_bytecode_describe(const struct cli_bc *bc);

 /* Hooks */

 struct cli_exe_info;

 struct cli_ctx_tag;

-int cli_bytecode_runlsig(struct cli_ctx_tag *ctx, const struct cli_all_bc *bcs, unsigned bc_idx, const char **virname, const uint32_t* lsigcnt, const uint32_t *lsigsuboff, fmap_t *map);

+struct cli_target_info;

+int cli_bytecode_runlsig(struct cli_ctx_tag *ctx, struct cli_target_info *info, const struct cli_all_bc *bcs, unsigned bc_idx, const char **virname, const uint32_t* lsigcnt, const uint32_t *lsigsuboff, fmap_t *map);

 int cli_bytecode_runhook(struct cli_ctx_tag *cctx, const struct cl_engine *engine, struct cli_bc_ctx *ctx, unsigned id, fmap_t *map, const char **virname);

 #ifdef __cplusplus

@@ -165,6 +165,7 @@ struct cli_bc_ctx {

     unsigned pdf_phase;

     int32_t pdf_dumpedid;

     const struct cli_exe_section *sections;

+    uint32_t resaddr;

     char *tempfile;

     void *ctx;

     unsigned written;

@@ -454,10 +454,10 @@ int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t* grp1, int32_

 {

     int ret;

     char group1[128], group2[128];

-    const char *oldvirname;

+    const char **oldvirname;

     struct cli_exe_info info;

-    if (ctx->bc->kind != BC_PE_UNPACKER) {

+    if (!ctx->hooks.pedata->ep) {

 	cli_dbgmsg("bytecode: matchicon only works with PE files\n");

 	return -1;

     }

@@ -465,20 +465,26 @@ int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t* grp1, int32_

 	grp2len > sizeof(group2)-1)

 	return -1;

     oldvirname = ((cli_ctx*)ctx->ctx)->virname;

+    ((cli_ctx*)ctx->ctx)->virname = NULL;

     memcpy(group1, grp1, grp1len);

     memcpy(group2, grp2, grp2len);

     group1[grp1len] = 0;

-    group2[grp1len] = 0;

+    group2[grp2len] = 0;

     memset(&info, 0, sizeof(info));

-    if(le16_to_host(ctx->hooks.pedata->file_hdr.Characteristics) & 0x2000 ||

-       !ctx->hooks.pedata->dirs[2].Size)

-	info.res_addr = 0;

-    else

-	info.res_addr = le32_to_host(ctx->hooks.pedata->dirs[2].VirtualAddress);

+    if (ctx->bc->kind == BC_PE_UNPACKER) {

+	if(le16_to_host(ctx->hooks.pedata->file_hdr.Characteristics) & 0x2000 ||

+	   !ctx->hooks.pedata->dirs[2].Size)

+	    info.res_addr = 0;

+	else

+	    info.res_addr = le32_to_host(ctx->hooks.pedata->dirs[2].VirtualAddress);

+    } else

+	info.res_addr = ctx->resaddr; /* from target_info */

     info.section = (struct cli_exe_section*)ctx->sections;

     info.nsections = ctx->hooks.pedata->nsections;

     info.hdr_size = ctx->hooks.pedata->hdr_size;

-    ret = matchicon(ctx->ctx, &info, group1, group2);

+    cli_dbgmsg("bytecode matchicon %s %s\n", group1, group2);

+    ret = matchicon(ctx->ctx, &info, group1[0] ? group1 : NULL,

+		    group2[0] ? group2 : NULL);

     ((cli_ctx*)ctx->ctx)->virname = oldvirname;

     return ret;

 }

@@ -533,7 +539,7 @@ int cli_lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *ac

 			if(ctx->virname)

 			    *ctx->virname = root->ac_lsigtable[i]->virname;

 			return CL_VIRUS;

-		    } else if(cli_bytecode_runlsig(ctx, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, ctx->virname, acdata->lsigcnt[i], acdata->lsigsuboff[i], map) == CL_VIRUS) {

+		    } else if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, ctx->virname, acdata->lsigcnt[i], acdata->lsigsuboff[i], map) == CL_VIRUS) {

 			return CL_VIRUS;

 		    }

 		}

@@ -544,7 +550,7 @@ int cli_lsig_eval(cli_ctx *ctx, struct cli_matcher *root, struct cli_ac_data *ac

 		    *ctx->virname = root->ac_lsigtable[i]->virname;

 		return CL_VIRUS;

 	    }

-	    if(cli_bytecode_runlsig(ctx, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, ctx->virname, acdata->lsigcnt[i], acdata->lsigsuboff[i], map) == CL_VIRUS) {

+	    if(cli_bytecode_runlsig(ctx, target_info, &ctx->engine->bcs, root->ac_lsigtable[i]->bc_idx, ctx->virname, acdata->lsigcnt[i], acdata->lsigsuboff[i], map) == CL_VIRUS) {

 		return CL_VIRUS;

 	    }

 	}