Browse code
libclamav: provide information about lsig matches to bytecode (bb#1799)
Tomasz Kojm authored on 2010/01/28 20:54:28Showing 6 changed files
- ChangeLog
- libclamav/bytecode.c
- libclamav/bytecode.h
- libclamav/matcher-ac.c
- libclamav/matcher-ac.h
- libclamav/matcher.c
| ... | ... |
@@ -1,3 +1,7 @@ |
| 1 |
+Thu Jan 28 12:53:45 CET 2010 (tk) |
|
| 2 |
+--------------------------------- |
|
| 3 |
+ * libclamav: provide information about lsig matches to bytecode (bb#1799) |
|
| 4 |
+ |
|
| 1 | 5 |
Wed Jan 27 18:33:09 CET 2010 (tk) |
| 2 | 6 |
--------------------------------- |
| 3 | 7 |
* libclamav: provide offset in cli_ac_result (bb#1799) |
| ... | ... |
@@ -1624,7 +1624,7 @@ int cli_bytecode_context_setfile(struct cli_bc_ctx *ctx, fmap_t *map) |
| 1624 | 1624 |
return 0; |
| 1625 | 1625 |
} |
| 1626 | 1626 |
|
| 1627 |
-int cli_bytecode_runlsig(cli_ctx *cctx, const struct cli_all_bc *bcs, const struct cli_bc *bc, const char **virname, const uint32_t* lsigcnt, fmap_t *map) |
|
| 1627 |
+int cli_bytecode_runlsig(cli_ctx *cctx, const struct cli_all_bc *bcs, const struct cli_bc *bc, const char **virname, const uint32_t* lsigcnt, const uint32_t *lsigsuboff, fmap_t *map) |
|
| 1628 | 1628 |
{
|
| 1629 | 1629 |
int ret; |
| 1630 | 1630 |
struct cli_bc_ctx ctx; |
| ... | ... |
@@ -108,7 +108,7 @@ void cli_bytecode_describe(const struct cli_bc *bc); |
| 108 | 108 |
/* Hooks */ |
| 109 | 109 |
struct cli_exe_info; |
| 110 | 110 |
struct cli_ctx_tag; |
| 111 |
-int cli_bytecode_runlsig(struct cli_ctx_tag *ctx, const struct cli_all_bc *bcs, const struct cli_bc* bc, const char **virname, const uint32_t* lsigcnt, fmap_t *fmap); |
|
| 111 |
+int cli_bytecode_runlsig(struct cli_ctx_tag *ctx, const struct cli_all_bc *bcs, const struct cli_bc *bc, const char **virname, const uint32_t* lsigcnt, const uint32_t *lsigsuboff, fmap_t *map); |
|
| 112 | 112 |
int cli_bytecode_runhook(struct cli_ctx_tag *cctx, const struct cl_engine *engine, struct cli_bc_ctx *ctx, unsigned id, fmap_t *map, const char **virname); |
| 113 | 113 |
|
| 114 | 114 |
#ifdef __cplusplus |
| ... | ... |
@@ -864,7 +864,7 @@ inline static int ac_findmatch(const unsigned char *buffer, uint32_t offset, uin |
| 864 | 864 |
|
| 865 | 865 |
int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs, uint32_t reloffsigs, uint8_t tracklen) |
| 866 | 866 |
{
|
| 867 |
- unsigned int i; |
|
| 867 |
+ unsigned int i, j; |
|
| 868 | 868 |
|
| 869 | 869 |
|
| 870 | 870 |
if(!data) {
|
| ... | ... |
@@ -919,6 +919,38 @@ int cli_ac_initdata(struct cli_ac_data *data, uint32_t partsigs, uint32_t lsigs, |
| 919 | 919 |
} |
| 920 | 920 |
for(i = 1; i < lsigs; i++) |
| 921 | 921 |
data->lsigcnt[i] = data->lsigcnt[0] + 64 * i; |
| 922 |
+ |
|
| 923 |
+ /* subsig offsets */ |
|
| 924 |
+ data->lsigsuboff = (uint32_t **) cli_malloc(lsigs * sizeof(uint32_t *)); |
|
| 925 |
+ if(!data->lsigsuboff) {
|
|
| 926 |
+ free(data->lsigcnt[0]); |
|
| 927 |
+ free(data->lsigcnt); |
|
| 928 |
+ if(partsigs) |
|
| 929 |
+ free(data->offmatrix); |
|
| 930 |
+ if(reloffsigs) |
|
| 931 |
+ free(data->offset); |
|
| 932 |
+ cli_errmsg("cli_ac_init: Can't allocate memory for data->lsigsuboff\n");
|
|
| 933 |
+ return CL_EMEM; |
|
| 934 |
+ } |
|
| 935 |
+ data->lsigsuboff[0] = (uint32_t *) cli_calloc(lsigs * 64, sizeof(uint32_t)); |
|
| 936 |
+ if(!data->lsigsuboff[0]) {
|
|
| 937 |
+ free(data->lsigsuboff); |
|
| 938 |
+ free(data->lsigcnt[0]); |
|
| 939 |
+ free(data->lsigcnt); |
|
| 940 |
+ if(partsigs) |
|
| 941 |
+ free(data->offmatrix); |
|
| 942 |
+ if(reloffsigs) |
|
| 943 |
+ free(data->offset); |
|
| 944 |
+ cli_errmsg("cli_ac_init: Can't allocate memory for data->lsigsuboff[0]\n");
|
|
| 945 |
+ return CL_EMEM; |
|
| 946 |
+ } |
|
| 947 |
+ for(j = 0; j < 64; j++) |
|
| 948 |
+ data->lsigsuboff[0][j] = CLI_OFF_NONE; |
|
| 949 |
+ for(i = 1; i < lsigs; i++) {
|
|
| 950 |
+ data->lsigsuboff[i] = data->lsigsuboff[0] + 64 * i; |
|
| 951 |
+ for(j = 0; j < 64; j++) |
|
| 952 |
+ data->lsigsuboff[i][j] = CLI_OFF_NONE; |
|
| 953 |
+ } |
|
| 922 | 954 |
} |
| 923 | 955 |
|
| 924 | 956 |
return CL_SUCCESS; |
| ... | ... |
@@ -977,6 +1009,8 @@ void cli_ac_freedata(struct cli_ac_data *data) |
| 977 | 977 |
if(data && data->lsigs) {
|
| 978 | 978 |
free(data->lsigcnt[0]); |
| 979 | 979 |
free(data->lsigcnt); |
| 980 |
+ free(data->lsigsuboff[0]); |
|
| 981 |
+ free(data->lsigsuboff); |
|
| 980 | 982 |
data->lsigs = 0; |
| 981 | 983 |
} |
| 982 | 984 |
|
| ... | ... |
@@ -1177,6 +1211,8 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v |
| 1177 | 1177 |
} else { /* !pt->type */
|
| 1178 | 1178 |
if(pt->lsigid[0]) {
|
| 1179 | 1179 |
mdata->lsigcnt[pt->lsigid[1]][pt->lsigid[2]]++; |
| 1180 |
+ if(mdata->lsigsuboff[pt->lsigid[1]][pt->lsigid[2]] == CLI_OFF_NONE) |
|
| 1181 |
+ mdata->lsigsuboff[pt->lsigid[1]][pt->lsigid[2]] = realoff; |
|
| 1180 | 1182 |
pt = pt->next_same; |
| 1181 | 1183 |
continue; |
| 1182 | 1184 |
} |
| ... | ... |
@@ -1220,6 +1256,8 @@ int cli_ac_scanbuff(const unsigned char *buffer, uint32_t length, const char **v |
| 1220 | 1220 |
} else {
|
| 1221 | 1221 |
if(pt->lsigid[0]) {
|
| 1222 | 1222 |
mdata->lsigcnt[pt->lsigid[1]][pt->lsigid[2]]++; |
| 1223 |
+ if(mdata->lsigsuboff[pt->lsigid[1]][pt->lsigid[2]] == CLI_OFF_NONE) |
|
| 1224 |
+ mdata->lsigsuboff[pt->lsigid[1]][pt->lsigid[2]] = realoff; |
|
| 1223 | 1225 |
pt = pt->next_same; |
| 1224 | 1226 |
continue; |
| 1225 | 1227 |
} |
| ... | ... |
@@ -512,7 +512,7 @@ int cli_fmap_scandesc(cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli |
| 512 | 512 |
ret = CL_VIRUS; \ |
| 513 | 513 |
break; \ |
| 514 | 514 |
} \ |
| 515 |
- if(cli_bytecode_runlsig(ctx, &ctx->engine->bcs, xroot->ac_lsigtable[i]->bc, ctx->virname, xdata.lsigcnt[i], map) == CL_VIRUS) { \
|
|
| 515 |
+ if(cli_bytecode_runlsig(ctx, &ctx->engine->bcs, xroot->ac_lsigtable[i]->bc, ctx->virname, xdata.lsigcnt[i], xdata.lsigsuboff[i], map) == CL_VIRUS) { \
|
|
| 516 | 516 |
ret = CL_VIRUS; \ |
| 517 | 517 |
break; \ |
| 518 | 518 |
} \ |