new file mode 100644

@@ -0,0 +1 @@

+ChangeLog merge=cl-merge

@@ -1,3 +1,31 @@

+Tue Jul 14 23:41:37 CEST 2009 (acab)

+------------------------------------

+ * libclamav: add preliminary support for IS executables (IS-cab and IS-msi)

+		part of bb#1571

+

+Tue Jul 14 18:17:59 CEST 2009 (tk)

+----------------------------------

+ * libclamav: add support for Universal Binaries (archives with Mach-O files for

+	      different architectures, bb#1592)

+

+Mon Jul 13 21:40:51 CEST 2009 (tk)

+----------------------------------

+ * docs/signatures.pdf: cover Mach-O files

+

+Mon Jul 13 21:24:05 CEST 2009 (tk)

+----------------------------------

+ * libclamav: handle Mach-O files with type-9 signatures; all special offsets are

+	      supported for PPC32/64 and x86 executables; for ARM and other archs

+	      only section based extensions (Sx[+-]n, SL[+-]n) are supported atm

+

+Mon Jul 13 19:34:36 EEST 2009 (edwin)

+-------------------------------------

+ * clambc/, libclamav/, unit_tests/: Initial draft of bytecode interpreter (bb #1243).

+

+Mon Jul 13 16:06:31 CEST 2009 (tk)

+----------------------------------

+ * libclamav/macho.c: handle LC_THREAD; calculate EP

+

 Fri Jul 10 10:10:35 CEST 2009 (tk)

 ----------------------------------

  * libclamav/filetypes_int.h: sync with daily.ftm

Binary files a/docs/signatures.pdf and b/docs/signatures.pdf differ

@@ -166,6 +166,8 @@ MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]

 	\item 5 = Graphics

 	\item 6 = ELF

 	\item 7 = ASCII text file (normalized)

+	\item 8 = Disassembler data

+	\item 9 = Mach-O files

     \end{itemize}

     And	\verb+Offset+ is an asterisk or a decimal number \verb+n+ possibly

     combined with a special modifier:

@@ -174,7 +176,7 @@ MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel:[Max]]

 	\item \verb+n+ = absolute offset

 	\item \verb+EOF-n+ = end of file minus \verb+n+ bytes

     \end{itemize}

-    Signatures for PE and ELF files additionally support:

+    Signatures for PE, ELF and Mach-O files additionally support:

     \begin{itemize}

 	\item \verb#EP+n# = entry point plus n bytes (\verb#EP+0# for \verb+EP+)

 	\item \verb#EP-n# = entry point minus n bytes

@@ -55,10 +55,10 @@ int cli_bytecode_context_clear(struct cli_bc_ctx *ctx)

     return CL_SUCCESS;

 }

-int cli_bytecode_context_setfuncid(struct cli_bc_ctx *ctx, struct cli_bc *bc, unsigned funcid)

+int cli_bytecode_context_setfuncid(struct cli_bc_ctx *ctx, const struct cli_bc *bc, unsigned funcid)

 {

     unsigned i;

-    struct cli_bc_func *func;

+    const struct cli_bc_func *func;

     if (funcid >= bc->num_func) {

 	cli_errmsg("bytecode: function ID doesn't exist: %u\n", funcid);

 	return CL_EARG;

@@ -275,7 +275,7 @@ static int parseHeader(struct cli_bc *bc, unsigned char *buffer)

     unsigned magic2;

     char ok = 1;

     unsigned offset, len, flevel;

-    if (strncmp(buffer, BC_HEADER, sizeof(BC_HEADER)-1)) {

+    if (strncmp((const char*)buffer, BC_HEADER, sizeof(BC_HEADER)-1)) {

 	cli_errmsg("Missing file magic in bytecode");

 	return CL_EMALFDB;

     }

@@ -481,10 +481,12 @@ static int parseBB(struct cli_bc *bc, unsigned func, unsigned bb, unsigned char

 	    case OP_SEXT:

 	    case OP_TRUNC:

 		inst.u.cast.source = readOperand(bcfunc, buffer, &offset, len, &ok);

-		if (ok) {

-		    /* calculate mask */

-		    inst.u.cast.mask = (1<<bcfunc->allinsts[inst.u.cast.source].type)-1;

-		}

+		inst.u.cast.mask = bcfunc->types[inst.u.cast.source];

+		/* calculate mask */

+		if (inst.opcode != OP_SEXT)

+		    inst.u.cast.mask = inst.u.cast.mask != 64 ?

+			(1ull<<inst.u.cast.mask)-1 :

+			~0ull;

 		break;

 	    default:

 		numOp = operand_counts[inst.opcode];

@@ -528,7 +530,7 @@ static int parseBB(struct cli_bc *bc, unsigned func, unsigned bb, unsigned char

 	    case OP_ICMP_SGE:

 	    case OP_ICMP_SLE:

 	    case OP_ICMP_SLT:

-		inst.type = bcfunc->allinsts[inst.u.binop[0]].type;

+		inst.type = bcfunc->types[inst.u.binop[0]];

 		break;

 	}

 	BB->insts[BB->numInsts++] = inst;

@@ -540,7 +542,6 @@ static int parseBB(struct cli_bc *bc, unsigned func, unsigned bb, unsigned char

 	}

 	offset++;

     }

-    cli_dbgmsg("Parsed %d instructions\n", BB->numInsts);

     if (offset != len) {

 	cli_errmsg("Trailing garbage in basicblock: %d extra bytes\n",

 		   len-offset);

@@ -598,6 +599,8 @@ int cli_bytecode_load(struct cli_bc *bc, FILE *f, struct cli_dbio *dbio)

 		    return rc;

 		}

 		if (bb >= bc->funcs[current_func].numBB) {

+		    cli_dbgmsg("Parsed %u BBs, %u instructions\n",

+			       bb, bc->funcs[current_func].numInsts);

 		    state = PARSE_FUNC_HEADER;

 		    current_func++;

 		}

@@ -613,7 +616,7 @@ int cli_bytecode_load(struct cli_bc *bc, FILE *f, struct cli_dbio *dbio)

     return CL_SUCCESS;

 }

-int cli_bytecode_run(struct cli_bc *bc, struct cli_bc_ctx *ctx)

+int cli_bytecode_run(const struct cli_bc *bc, struct cli_bc_ctx *ctx)

 {

     struct cli_bc_inst inst;

     struct cli_bc_func func;

@@ -40,7 +40,7 @@ struct cli_bc {

 };

 struct cli_bc_ctx *cli_bytecode_context_alloc(void);

-int cli_bytecode_context_setfuncid(struct cli_bc_ctx *ctx, struct cli_bc *bc, unsigned funcid);

+int cli_bytecode_context_setfuncid(struct cli_bc_ctx *ctx, const struct cli_bc *bc, unsigned funcid);

 int cli_bytecode_context_setparam_int(struct cli_bc_ctx *ctx, unsigned i, uint64_t c);

 int cli_bytecode_context_setparam_ptr(struct cli_bc_ctx *ctx, unsigned i, void *data, unsigned datalen);

 int cli_bytecode_context_clear(struct cli_bc_ctx *ctx);

@@ -48,7 +48,7 @@ uint64_t cli_bytecode_context_getresult_int(struct cli_bc_ctx *ctx);

 void cli_bytecode_context_destroy(struct cli_bc_ctx *ctx);

 int cli_bytecode_load(struct cli_bc *bc, FILE *f, struct cli_dbio *dbio);

-int cli_bytecode_run(struct cli_bc *bc, struct cli_bc_ctx *ctx);

+int cli_bytecode_run(const struct cli_bc *bc, struct cli_bc_ctx *ctx);

 void cli_bytecode_destroy(struct cli_bc *bc);

 #endif

@@ -86,8 +86,8 @@ struct cli_bc_func {

 struct cli_bc_ctx {

     /* id and params of toplevel function called */

-    struct cli_bc *bc;

-    struct cli_bc_func *func;

+    const struct cli_bc *bc;

+    const struct cli_bc_func *func;

     struct cli_bc_value *values;

     operand_t *operands;

     uint16_t funcid;

@@ -50,15 +50,6 @@ static int bcfail(const char *msg, long a, long b,

 #define CHECK_GT(a,b)

 #endif

-struct stack_entry {

-    const struct cli_bc_func *func;

-    struct cli_bc_value *ret;

-    struct cli_bc_value *values;

-    struct cli_bc_bb *bb;

-    unsigned bb_inst;

-};

-

-

 /* Get the operand of a binary operator, upper bits

  * (beyond the size of the operand) may have random values.

  * Use this when the active bits of the result of a binop are the same

@@ -70,17 +61,23 @@ struct stack_entry {

 #define UNOPNOMOD(i) (values[inst->u.binop[i]].v)

 /* get the operand of a binary operator, upper bits are cleared */

-#define BINOP(i) (BINOPNOMOD(i)&((1 << inst->type)-1))

-#define UNOP(x) (UNOPNOMOD(i)&((1 << inst->type)-1))

+#define type2mask(t) (inst->type == 64 ? ~0ull : (1ull << inst->type)-1)

+#define BINOP(i) (BINOPNOMOD(i)&type2mask(inst->type))

+#define UNOP(x) (UNOPNOMOD(i)&typemask(inst->type))

 /* get the operand as a signed value.

  * Warning: this assumes that result type is same as operand type.

  * This is usually true, except for icmp_* and select.

  * For icmp_* we fix it up in the loader. */

-#define SIGNEXT(a) CLI_SRS(((int64_t)(a)) << (64-inst->type), (64-inst->type))

-#define BINOPS(i) SIGNEXT(BINOPNOMOD(i))

+#define SIGNEXT(a, from) CLI_SRS(((int64_t)(a)) << (64-(from)), (64-(from)))

+#define BINOPS(i) SIGNEXT(BINOPNOMOD(i), inst->type)

+

+#define CASTOP (values[inst->u.cast.source].v& inst->u.cast.mask)

-static int jump(const struct cli_bc_func *func, uint16_t bbid, struct cli_bc_bb **bb, const struct cli_bc_inst **inst,

+#undef always_inline

+#define always_inline

+

+static always_inline int jump(const struct cli_bc_func *func, uint16_t bbid, struct cli_bc_bb **bb, const struct cli_bc_inst **inst,

 		unsigned *bb_inst)

 {

     CHECK_GT(func->numBB, bbid);

@@ -90,26 +87,164 @@ static int jump(const struct cli_bc_func *func, uint16_t bbid, struct cli_bc_bb

     return 0;

 }

-static struct cli_bc_value *allocate_stack(const struct cli_bc_func *func)

+#define STACK_CHUNKSIZE 16384

+

+struct stack_chunk {

+    struct stack_chunk *prev;

+    unsigned used;

+    union {

+	void *align;

+	char data[STACK_CHUNKSIZE];

+    } u;

+};

+

+struct stack {

+    struct stack_chunk* chunk;

+    uint16_t last_size;

+};

+

+static always_inline void* cli_stack_alloc(struct stack *stack, unsigned bytes)

+{

+    struct stack_chunk *chunk = stack->chunk;

+    uint16_t last_size_off;

+

+    /* last_size is stored after data */

+    /* align bytes to pointer size */

+    bytes = (bytes + sizeof(uint16_t) + sizeof(void*)) & ~(sizeof(void*)-1);

+    last_size_off = bytes - 2;

+

+    if (chunk && (chunk->used + bytes <= STACK_CHUNKSIZE)) {

+	/* there is still room in this chunk */

+	void *ret;

+

+	*(uint16_t*)&chunk->u.data[chunk->used + last_size_off] = stack->last_size;

+	stack->last_size = bytes/sizeof(void*);

+

+	ret = chunk->u.data + chunk->used;

+	chunk->used += bytes;

+	return ret;

+    }

+

+    if(bytes >= STACK_CHUNKSIZE) {

+	cli_errmsg("cli_stack_alloc: Attempt to allocate more than STACK_CHUNKSIZE bytes!\n");

+	return NULL;

+    }

+    /* not enough room here, allocate new chunk */

+    chunk = cli_malloc(sizeof(*stack->chunk));

+    if (!chunk)

+	return NULL;

+

+    *(uint16_t*)&chunk->u.data[last_size_off] = stack->last_size;

+    stack->last_size = bytes/sizeof(void*);

+

+    chunk->used = bytes;

+    chunk->prev = stack->chunk;

+    stack->chunk = chunk;

+    return chunk->u.data;

+}

+

+static always_inline void cli_stack_free(struct stack *stack, void *data)

+{

+    uint16_t last_size;

+    struct stack_chunk *chunk = stack->chunk;

+    if (!chunk) {

+	cli_errmsg("cli_stack_free: stack empty!\n");

+	return;

+    }

+    if ((chunk->u.data + chunk->used) != ((char*)data + stack->last_size*sizeof(void*))) {

+	cli_errmsg("cli_stack_free: wrong free order: %p, expected %p\n",

+		   data, chunk->u.data + chunk->used - stack->last_size*sizeof(void*));

+	return;

+    }

+    last_size = *(uint16_t*)&chunk->u.data[chunk->used-2];

+    if (chunk->used < stack->last_size*sizeof(void*)) {

+	cli_errmsg("cli_stack_free: last_size is corrupt!\n");

+	return;

+    }

+    chunk->used -= stack->last_size*sizeof(void*);

+    stack->last_size = last_size;

+    if (!chunk->used) {

+	stack->chunk = chunk->prev;

+	free(chunk);

+    }

+}

+

+static void cli_stack_destroy(struct stack *stack)

+{

+    struct stack_chunk *chunk = stack->chunk;

+    while (chunk) {

+	stack->chunk = chunk->prev;

+	free(chunk);

+	chunk = stack->chunk;

+    }

+}

+

+struct stack_entry {

+    struct stack_entry *prev;

+    const struct cli_bc_func *func;

+    struct cli_bc_value *ret;

+    struct cli_bc_bb *bb;

+    unsigned bb_inst;

+    struct cli_bc_value *values;

+};

+

+static always_inline struct stack_entry *allocate_stack(struct stack *stack,

+							struct stack_entry *prev,

+							const struct cli_bc_func *func,

+							const struct cli_bc_func *func_old,

+							struct cli_bc_value *ret,

+							struct cli_bc_bb *bb,

+							unsigned bb_inst)

 {

     unsigned i;

-    struct cli_bc_value *values = cli_malloc((func->numValues+func->numConstants)*sizeof(*values));

-    if (!values)

+    struct cli_bc_value *values;

+    const unsigned numValues = func->numValues + func->numConstants;

+    struct stack_entry *entry = cli_stack_alloc(stack, sizeof(*entry) + sizeof(*values)*numValues);

+    if (!entry)

 	return NULL;

-    for (i=func->numValues;i<func->numValues+func->numConstants;i++)

-	values[i] = func->constants[i-func->numValues];

-    return values;

+    entry->prev = prev;

+    entry->func = func_old;

+    entry->ret = ret;

+    entry->bb = bb;

+    entry->bb_inst = bb_inst;

+    /* we allocated room for values right after stack_entry! */

+    entry->values = values = (struct cli_bc_value*)&entry[1];

+

+    memcpy(&values[func->numValues], func->constants,

+	   sizeof(*values)*func->numConstants);

+    return entry;

+}

+

+static always_inline struct stack_entry *pop_stack(struct stack *stack,

+						   struct stack_entry *stack_entry,

+						   const struct cli_bc_func **func,

+						   struct cli_bc_value **ret,

+						   struct cli_bc_bb **bb,

+						   unsigned *bb_inst)

+{

+    void *data;

+    *func = stack_entry->func;

+    *ret = stack_entry->ret;

+    *bb = stack_entry->bb;

+    *bb_inst = stack_entry->bb_inst;

+    data = stack_entry;

+    stack_entry = stack_entry->prev;

+    cli_stack_free(stack, data);

+    return stack_entry;

 }

 int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct cli_bc_func *func, const struct cli_bc_inst *inst)

 {

-    unsigned i, stack_depth=0, bb_inst=0, stop=0, stack_max_depth=0;

+    uint64_t tmp;

+    unsigned i, stack_depth=0, bb_inst=0, stop=0 ;

     struct cli_bc_func *func2;

-    struct stack_entry *stack = NULL;

+    struct stack stack;

+    struct stack_entry *stack_entry = NULL;

     struct cli_bc_bb *bb = NULL;

     struct cli_bc_value *values = ctx->values;

     struct cli_bc_value *value, *old_values;

+    memset(&stack, 0, sizeof(stack));

     do {

 	value = &values[inst->dest];

 	CHECK_GT(func->numValues+func->numConstants, value - values);

@@ -126,8 +261,10 @@ int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct

 	    case OP_UDIV:

 		{

 		    uint64_t d = BINOP(1);

-		    if (UNLIKELY(!d))

+		    if (UNLIKELY(!d)) {

+			cli_dbgmsg("bytecode attempted to execute udiv#0\n");

 			return CL_EBYTECODE;

+		    }

 		    value->v = BINOP(0) / d;

 		    break;

 		}

@@ -135,16 +272,20 @@ int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct

 		{

 		    int64_t a = BINOPS(0);

 		    int64_t b = BINOPS(1);

-		    if (UNLIKELY(b == 0 || (b == -1 && a == (-9223372036854775807LL-1LL))))

+		    if (UNLIKELY(b == 0 || (b == -1 && a == (-9223372036854775807LL-1LL)))) {

+			cli_dbgmsg("bytecode attempted to execute sdiv#0\n");

 			return CL_EBYTECODE;

+		    }

 		    value->v = a / b;

 		    break;

 		}

 	    case OP_UREM:

 		{

 		    uint64_t d = BINOP(1);

-		    if (UNLIKELY(!d))

+		    if (UNLIKELY(!d)) {

+			cli_dbgmsg("bytecode attempted to execute urem#0\n");

 			return CL_EBYTECODE;

+		    }

 		    value->v = BINOP(0) % d;

 		    break;

 		}

@@ -152,8 +293,10 @@ int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct

 		{

 		    int64_t a = BINOPS(0);

 		    int64_t b = BINOPS(1);

-		    if (UNLIKELY(b == 0 || (b == -1 && (a == -9223372036854775807LL-1LL))))

+		    if (UNLIKELY(b == 0 || (b == -1 && (a == -9223372036854775807LL-1LL)))) {

+			cli_dbgmsg("bytecode attempted to execute srem#0\n");

 			return CL_EBYTECODE;

+		    }

 		    value->v = a % b;

 		    break;

 		}

@@ -179,12 +322,13 @@ int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct

 		value->v = BINOPNOMOD(0) ^ BINOPNOMOD(1);

 		break;

 	    case OP_SEXT:

-		value->v = SIGNEXT(values[inst->u.cast.source].v);

+		/* mask is number of src bits here, not a mask! */

+		value->v = SIGNEXT(values[inst->u.cast.source].v, inst->u.cast.mask);

 		break;

 	    case OP_TRUNC:

 		/* fall-through */

 	    case OP_ZEXT:

-		value->v = values[inst->u.cast.source].v & values[inst->u.cast.mask].v;

+		value->v = CASTOP;

 		break;

 	    case OP_BRANCH:

 		stop = jump(func, (values[inst->u.branch.condition].v&1) ?

@@ -196,31 +340,13 @@ int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct

 		continue;

 	    case OP_RET:

 		CHECK_GT(stack_depth, 0);

-		stack_depth--;

-		value = stack[stack_depth].ret;

-		func = stack[stack_depth].func;

-		value->v = values[inst->u.unaryop].v;

-		old_values = values;

-		values = stack[stack_depth].values;

-		stack[stack_depth].values = old_values;

+		tmp = values[inst->u.unaryop].v;

+		stack_entry = pop_stack(&stack, stack_entry, &func, &value, &bb,

+					&bb_inst);

+		values = stack_entry ? stack_entry->values : ctx->values;

 		CHECK_GT(func->numValues+func->numConstants, value-values);

 		CHECK_GT(value-values, -1);

-		bb = stack[stack_depth].bb;

-		bb_inst = stack[stack_depth].bb_inst;

-		if ((stack_depth < stack_max_depth*3/4) || !stack_depth) {

-		    for (i=stack_depth;i<stack_max_depth;i++) {

-			free(stack[i].values);

-		    }

-		    if (!stack_depth) {

-			free(stack);

-			stack = 0;

-		    } else {

-			stack = cli_realloc2(stack, sizeof(*stack)*stack_depth);

-			if (!stack)

-			    return CL_EMEM;

-		    }

-		    stack_max_depth = stack_depth;

-		}

+		value->v = tmp;

 		if (!bb) {

 		    stop = CL_BREAK;

 		    continue;

@@ -266,29 +392,16 @@ int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct

 		func2 = &bc->funcs[inst->u.ops.funcid];

 		CHECK_EQ(func2->numArgs, inst->u.ops.numOps);

 		old_values = values;

-		if (stack_depth+1 > stack_max_depth) {

-		    stack = cli_realloc2(stack, sizeof(*stack)*(stack_depth+1));

-		    if (!stack)

-			return CL_EMEM;

-		    stack_max_depth = stack_depth+1;

-		    values = allocate_stack(func2);

-		    if (!values)

-			return CL_EMEM;

-		} else {

-		    values = stack[stack_depth].values;

-		}

-		stack[stack_depth].func = func;

-		stack[stack_depth].ret = value;

-		stack[stack_depth].bb = bb;

-		stack[stack_depth].bb_inst = bb_inst;

-		stack[stack_depth].values = old_values;

-		stack_depth++;

-//cli_dbgmsg("Executing %d\n", inst->u.ops.funcid);

+		stack_entry = allocate_stack(&stack, stack_entry, func2, func, value,

+					     bb, bb_inst);

+		values = stack_entry->values;

+//		cli_dbgmsg("Executing %d\n", inst->u.ops.funcid);

 		for (i=0;i<func2->numArgs;i++)

 		    values[i] = old_values[inst->u.ops.ops[i]];

 		func = func2;

 		CHECK_GT(func->numBB, 0);

 		stop = jump(func, 0, &bb, &inst, &bb_inst);

+		stack_depth++;

 		continue;

 	    case OP_COPY:

 		BINOPNOMOD(1) = BINOPNOMOD(0);

@@ -303,6 +416,6 @@ int cli_vm_execute(const struct cli_bc *bc, struct cli_bc_ctx *ctx, const struct

 	CHECK_GT(bb->numInsts, bb_inst);

     } while (stop == CL_SUCCESS);

-    free(stack);

+    cli_stack_destroy(&stack);

     return stop == CL_BREAK ? CL_SUCCESS : stop;

 }

@@ -80,70 +80,7 @@ struct cpio_hdr_newc {

     char check[8];

 };

-#ifndef O_BINARY

-#define O_BINARY    0

-#endif

-

-static int cpio_scanfile(int fd, uint32_t size, cli_ctx *ctx)

-{

-	int newfd, bread, sum = 0, ret;

-	char buff[FILEBUFF];

-	char *name;

-

-

-    if(!(name = cli_gentemp(ctx->engine->tmpdir)))

-	return CL_EMEM;

-

-    if((newfd = open(name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU)) < 0) {

-	cli_errmsg("cpio_scanfile: Can't create file %s\n", name);

-	free(name);

-	return CL_ECREAT;

-    }

-

-    while((bread = cli_readn(fd, buff, FILEBUFF)) > 0) {

-	if((uint32_t) (sum + bread) >= size) {

-	    if(write(newfd, buff, size - sum) == -1) {

-		cli_errmsg("cpio_scanfile: Can't write to %s\n", name);

-		cli_unlink(name);

-		free(name);

-		close(newfd);

-		return CL_EWRITE;

-	    }

-	    break;

-	} else {

-	    if(write(newfd, buff, bread) == -1) {

-		cli_errmsg("cpio_scanfile: Can't write to %s\n", name);

-		cli_unlink(name);

-		free(name);

-		close(newfd);

-		return CL_EWRITE;

-	    }

-	}

-	sum += bread;

-    }

-    cli_dbgmsg("CPIO: Extracted to %s\n", name);

-    lseek(newfd, 0, SEEK_SET);

-    if((ret = cli_magic_scandesc(newfd, ctx)) == CL_VIRUS)

-	cli_dbgmsg("cpio_scanfile: Infected with %s\n", *ctx->virname);

-

-    close(newfd);

-    if(!ctx->engine->keeptmp) {

-	if(cli_unlink(name)) {

-	    free(name);

-	    return CL_EUNLINK;

-	}

-    }

-    free(name);

-    return ret;

-}

-

-static inline uint16_t EC16(uint16_t v, int c)

-{

-    if(!c)

-	return v;

-    else

-	return ((v >> 8) + (v << 8));

-}

+#define EC16(v, conv)   (conv ? cbswap16(v) : v)

 static void sanitname(char *name)

 {

@@ -213,7 +150,7 @@ int cli_scancpio_old(int fd, cli_ctx *ctx)

 	    if(ret == CL_EMAXFILES) {

 		return ret;

 	    } else if(ret == CL_SUCCESS) {

-		ret = cpio_scanfile(fd, filesize, ctx);

+		ret = cli_dumpscan(fd, 0, filesize, ctx);

 		if(ret == CL_VIRUS)

 		    return ret;

 	    }

@@ -287,7 +224,7 @@ int cli_scancpio_odc(int fd, cli_ctx *ctx)

 	if(ret == CL_EMAXFILES) {

 	    return ret;

 	} else if(ret == CL_SUCCESS) {

-	    ret = cpio_scanfile(fd, filesize, ctx);

+	    ret = cli_dumpscan(fd, 0, filesize, ctx);

 	    if(ret == CL_VIRUS)

 		return ret;

 	}

@@ -363,7 +300,7 @@ int cli_scancpio_newc(int fd, cli_ctx *ctx, int crc)

 	if(ret == CL_EMAXFILES) {

 	    return ret;

 	} else if(ret == CL_SUCCESS) {

-	    ret = cpio_scanfile(fd, filesize, ctx);

+	    ret = cli_dumpscan(fd, 0, filesize, ctx);

 	    if(ret == CL_VIRUS)

 		return ret;

 	}

@@ -39,21 +39,8 @@

 #include "execs.h"

 #include "matcher.h"

-static inline uint16_t EC16(uint16_t v, uint8_t c)

-{

-    if(!c)

-	return v;

-    else

-	return ((v >> 8) + (v << 8));

-}

-

-static inline uint32_t EC32(uint32_t v, uint8_t c)

-{

-    if(!c)

-	return v;

-    else

-	return ((v >> 24) | ((v & 0x00FF0000) >> 8) | ((v & 0x0000FF00) << 8) | (v << 24));

-}

+#define EC16(v, conv)   (conv ? cbswap16(v) : v)

+#define EC32(v, conv)   (conv ? cbswap32(v) : v)

 static uint32_t cli_rawaddr(uint32_t vaddr, struct elf_program_hdr32 *ph, uint16_t phnum, uint8_t conv, uint8_t *err)

 {

@@ -57,6 +57,7 @@ static const struct ftmap_s {

     { "CL_TYPE_MSEXE",		CL_TYPE_MSEXE		},

     { "CL_TYPE_ELF",		CL_TYPE_ELF		},

     { "CL_TYPE_MACHO",		CL_TYPE_MACHO		},

+    { "CL_TYPE_MACHO_UNIBIN",	CL_TYPE_MACHO_UNIBIN	},

     { "CL_TYPE_POSIX_TAR",	CL_TYPE_POSIX_TAR	},

     { "CL_TYPE_OLD_TAR",	CL_TYPE_OLD_TAR		},

     { "CL_TYPE_CPIO_OLD",	CL_TYPE_CPIO_OLD	},

@@ -42,6 +42,7 @@ typedef enum {

     CL_TYPE_PE_DISASM,

     CL_TYPE_ELF,

     CL_TYPE_MACHO,

+    CL_TYPE_MACHO_UNIBIN,

     CL_TYPE_POSIX_TAR,

     CL_TYPE_OLD_TAR,

     CL_TYPE_CPIO_OLD,

@@ -149,6 +149,7 @@ static const char *ftypes_int[] = {

   "0:0:feedface:Mach-O BE:CL_TYPE_ANY:CL_TYPE_MACHO:45",

   "0:0:feedfacf:Mach-O BE 64-bit:CL_TYPE_ANY:CL_TYPE_MACHO:45",

   "1:*:496e7374616c6c536869656c6400{292}0600000000000000{8}0000000001:ISHIELD-MSI:CL_TYPE_ANY:CL_TYPE_ISHIELD_MSI:45",

+  "0:0:cafebabe:Universal Binary:CL_TYPE_ANY:CL_TYPE_MACHO_UNIBIN:46",

   NULL

 };

@@ -18,14 +18,10 @@

  *  MA 02110-1301, USA.

  */

-/* TODO:

- *  - handle LC_THREAD

- *  - integrate with the matcher

- */

-

 #include <stdio.h>

 #include <string.h>

 #include <unistd.h>

+#include <stdlib.h>

 #include <sys/types.h>

 #include <sys/stat.h>

 #include <fcntl.h>

@@ -112,7 +108,98 @@ struct macho_section64

     uint32_t res2;

 };

-int cli_scanmacho(int fd, cli_ctx *ctx)

+struct macho_thread_state_ppc

+{

+    uint32_t srr0; /* PC */

+    uint32_t srr1;

+    uint32_t reg[32];

+    uint32_t cr;

+    uint32_t xer;

+    uint32_t lr;

+    uint32_t ctr;

+    uint32_t mq;

+    uint32_t vrsave;

+};

+

+struct macho_thread_state_ppc64

+{

+    uint64_t srr0; /* PC */

+    uint64_t srr1;

+    uint64_t reg[32];

+    uint32_t cr;

+    uint64_t xer;

+    uint64_t lr;

+    uint64_t ctr;

+    uint32_t vrsave;

+};

+

+struct macho_thread_state_x86

+{

+    uint32_t eax;

+    uint32_t ebx;

+    uint32_t ecx;

+    uint32_t edx;

+    uint32_t edi;

+    uint32_t esi;

+    uint32_t ebp;

+    uint32_t esp;

+    uint32_t ss;

+    uint32_t eflags;

+    uint32_t eip;

+    uint32_t cs;

+    uint32_t ds;

+    uint32_t es;

+    uint32_t fs;

+    uint32_t gs;

+};

+

+struct macho_fat_header

+{

+    uint32_t magic;

+    uint32_t nfats;

+};

+

+struct macho_fat_arch

+{

+    uint32_t cputype;

+    uint32_t cpusubtype;

+    uint32_t offset;

+    uint32_t size;

+    uint32_t align;

+};

+

+#define RETURN_BROKEN					    \

+    if(matcher)						    \

+	return -1;					    \

+    if(DETECT_BROKEN) {					    \

+	if(ctx->virname)				    \

+	    *ctx->virname = "Broken.Executable";	    \

+	return cli_checkfp(fd, ctx) ? CL_CLEAN : CL_VIRUS;  \

+    }							    \

+    return CL_EFORMAT

+

+

+static uint32_t cli_rawaddr(uint32_t vaddr, struct cli_exe_section *sects, uint16_t nsects, unsigned int *err)

+{

+	unsigned int i, found = 0;

+

+    for(i = 0; i < nsects; i++) {

+	if(sects[i].rva <= vaddr && sects[i].rva + sects[i].vsz > vaddr) {

+	    found = 1;

+	    break;

+	}

+    }

+

+    if(!found) {

+	*err = 1;

+	return 0;

+    }

+

+    *err = 0;

+    return vaddr - sects[i].rva + sects[i].raw;

+}

+

+int cli_scanmacho(int fd, cli_ctx *ctx, struct cli_exe_info *fileinfo)

 {

 	struct macho_hdr hdr;

 	struct macho_load_cmd load_cmd;

@@ -120,12 +207,17 @@ int cli_scanmacho(int fd, cli_ctx *ctx)

 	struct macho_segment_cmd64 segment_cmd64;

 	struct macho_section section;

 	struct macho_section64 section64;

-	unsigned int i, j, sect = 0, conv, m64, nsects, vaddr, vsize, offset;

+	unsigned int i, j, sect = 0, conv, m64, nsects, matcher = 0;

+	unsigned int arch = 0, ep = 0, err;

+	struct cli_exe_section *sections = NULL;

 	char name[16];

+    if(fileinfo)

+	matcher = 1;

+

     if(read(fd, &hdr, sizeof(hdr)) != sizeof(hdr)) {

 	cli_dbgmsg("cli_scanmacho: Can't read header\n");

-	return CL_EFORMAT;

+	return matcher ? -1 : CL_EFORMAT;

     }

     if(hdr.magic == 0xfeedface) {

@@ -142,34 +234,44 @@ int cli_scanmacho(int fd, cli_ctx *ctx)

 	m64 = 1;

     } else {

 	cli_dbgmsg("cli_scanmacho: Incorrect magic\n");

-	return CL_EFORMAT;

+	return matcher ? -1 : CL_EFORMAT;

     }

     switch(EC32(hdr.cpu_type, conv)) {

 	case 7:

-	    cli_dbgmsg("MACHO: CPU Type: Intel 32-bit\n");

+	    if(!matcher)

+		cli_dbgmsg("MACHO: CPU Type: Intel 32-bit\n");

+	    arch = 1;

 	    break;

 	case 7 | 0x1000000:

-	    cli_dbgmsg("MACHO: CPU Type: Intel 64-bit\n");

+	    if(!matcher)

+		cli_dbgmsg("MACHO: CPU Type: Intel 64-bit\n");

 	    break;

 	case 12:

-	    cli_dbgmsg("MACHO: CPU Type: ARM\n");

+	    if(!matcher)

+		cli_dbgmsg("MACHO: CPU Type: ARM\n");

 	    break;

 	case 14:

-	    cli_dbgmsg("MACHO: CPU Type: SPARC\n");

+	    if(!matcher)

+		cli_dbgmsg("MACHO: CPU Type: SPARC\n");

 	    break;

 	case 18:

-	    cli_dbgmsg("MACHO: CPU Type: POWERPC 32-bit\n");

+	    if(!matcher)

+		cli_dbgmsg("MACHO: CPU Type: POWERPC 32-bit\n");

+	    arch = 2;

 	    break;

 	case 18 | 0x1000000:

-	    cli_dbgmsg("MACHO: CPU Type: POWERPC 64-bit\n");

+	    if(!matcher)

+		cli_dbgmsg("MACHO: CPU Type: POWERPC 64-bit\n");

+	    arch = 3;

 	    break;

 	default:

-	    cli_dbgmsg("MACHO: CPU Type: ** UNKNOWN ** (%u)\n", EC32(hdr.cpu_type, conv));

+	    if(!matcher)

+		cli_dbgmsg("MACHO: CPU Type: ** UNKNOWN ** (%u)\n", EC32(hdr.cpu_type, conv));

 	    break;

     }

-    switch(EC32(hdr.filetype, conv)) {

+    if(!matcher) switch(EC32(hdr.filetype, conv)) {

 	case 0x1: /* MH_OBJECT */

 	    cli_dbgmsg("MACHO: Filetype: Relocatable object file\n");

 	    break;

@@ -201,198 +303,246 @@ int cli_scanmacho(int fd, cli_ctx *ctx)

 	    cli_dbgmsg("MACHO: Filetype: ** UNKNOWN ** (0x%x)\n", EC32(hdr.filetype, conv));

     }

-    cli_dbgmsg("MACHO: Number of load commands: %u\n", EC32(hdr.ncmds, conv));

-    cli_dbgmsg("MACHO: Size of load commands: %u\n", EC32(hdr.sizeofcmds, conv));

-

-    if((m64 && EC32(load_cmd.cmdsize, conv) % 8) || (!m64 && EC32(load_cmd.cmdsize, conv) % 4)) {

-	cli_dbgmsg("cli_scanmacho: Invalid command size (%u)\n", EC32(load_cmd.cmdsize, conv));

-        if(DETECT_BROKEN) {

-	    if(ctx->virname)

-		*ctx->virname = "Broken.Executable";