@@ -1,6 +1,7 @@
# Creating signatures for ClamAV
Table of Contents
+
- [Creating signatures for ClamAV](#creating-signatures-for-clamav)
- [Introduction](#introduction)
- [Debug information from libclamav](#debug-information-from-libclamav)
@@ -21,6 +22,7 @@ Table of Contents
- [Subsignature Modifiers](#subsignature-modifiers)
- [Special Subsignature Types](#special-subsignature-types)
- [Macro subsignatures (clamav-0.96) : `${min-max}MACROID$`](#macro-subsignatures-clamav-096--min-maxmacroid)
+ - [Byte Compare Subsignatures (clamav-0.101) : `subsigid_trigger(offset#byte_options#comparisons)`](#byte-compare-subsignatures-clamav-0101--subsigid_triggeroffsetbyte_optionscomparisons)
- [PCRE subsignatures (clamav-0.99) : `Trigger/PCRE/[Flags]`](#pcre-subsignatures-clamav-099--triggerpcreflags)
- [Icon signatures for PE files](#icon-signatures-for-pe-files)
- [Signatures for Version Information metadata in PE files](#signatures-for-version-information-metadata-in-pe-files)
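Review bot: The new TOC entry's anchor `#byte-compare-subsignatures-clamav-0101--subsigid_triggeroffsetbyte_optionscomparisons` only resolves if the renderer builds the fragment from the heading's rendered text with the `<span class="nodecor">` wrapper and the `(`, `)` and `#` characters dropped and the ` : ` collapsed to the double hyphen; that is the same convention the neighbouring entry `#pcre-subsignatures-clamav-099--triggerpcreflags` relies on, so it should work, but since the section heading is being renamed in this same commit, please click the link on the rendered page before merging rather than trusting the pattern. Also note that this hunk only adds an entry; there was no TOC line for the old `ref_subsig(...)` heading to remove, so no other TOC line needs updating.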
@@ -597,27 +599,33 @@ to:
- For more information and examples please see <https://bugzilla.clamav.net/show_bug.cgi?id=164>.
-### Byte Compare Subsignatures (clamav-0.101) : <span class="nodecor">`ref_subsig([offset_shift]offset#[options]byte_length#[comparison_symbol]comparison_value)`</span>
+### Byte Compare Subsignatures (clamav-0.101) : <span class="nodecor">`subsigid_trigger(offset#byte_options#comparisons)`</span>
Byte compare subsignatures can be used to evaluate a numeric value at a given offset from the start of another (matched) subsignature within the same logical signature. These are executed after all other subsignatures within the logical subsignature are fired, with the exception of PCRE subsignatures. They can evaluate offsets only from a single referenced subsignature, and that subsignature must give a valid match for the evaluation to occur.
-- `ref_subsig` is a required field and may refer to any single non-PCRE subsignature within the lsig. The byte compare subsig will evaluate if `ref_subsig` matches. Multiple referenced subsigs or logic based referencing is not currently supported.
+- `subsigid_trigger` is a required field and may refer to any single non-PCRE, non-Byte Compare subsignature within the lsig. The byte compare subsig will evaluate if `subsigid_trigger` matches. Triggering on multiple subsigs or logic based triggering is not currently supported.
+
+- `offset` is a required field that consists of an `offset_modifier` and a numeric `offset` (hex or decimal offsets are okay).
-- `offset_shift` is a required field that can be either `>>` or `<<` where the former denotes a positive offset and the latter denotes a negative offset. The offset is calculated from the start of ref_subsigid, which allows for byte extraction before the specified match, after the match, and within the match itself.
+ - `offset_modifier` can be either `>>` or `<<` where the former denotes a positive offset and the latter denotes a negative offset. The offset is calculated from the start of `subsigid_trigger`, which allows for byte extraction before the specified match, after the match, and within the match itself.
-- `offset` is a required field that must be a positive hex or decimal value. This will be the number of bytes from the start of the referenced subsig match within the file buffer to begin the comparison
+ - `offset` must be a positive hex or decimal value. This will be the number of bytes from the start of the referenced `subsigid_trigger` match within the file buffer to begin the comparison.
-- `options` are a required field which specify the numeric type and endianess of the extracted byte sequence in that order. This field follows the form `[h|d][l|b]`
+- `byte_options` are used to specify the numeric type and endianess of the extracted byte sequence in that order as well as the number of bytes to be read. By default ClamAV will attempt to matchup up to the number of byte specified, unless the `e` (exact) option is specified or the numeric type is `b` (binary). This field follows the form `[h|d|i][l|b][e]num_bytes`
- - `h|d` where `h` specifies the byte sequence will be in hex and `d` decimal
+ - `h|d|i` where `h` specifies the byte sequence will be in hex, `d` decimal, and `i` signifies raw binary data.
- `l|b` where `l` specifies the byte sequence will be in little endian order and `b` big endian.
-- `byte_length` is a required field which species the exact number of bytes to extract during the evaluation. If any invalid characters are found within the specified length, the evaluation will return a clean finding.
+ - `e` specifies that ClamAV will only evaluate the comparison if it can extract the exact number of bytes specified. This option is implicitly declared when using the `i` flag.
+
+ - `num_bytes` specifies the number of bytes to extract. This can be a hex or decimal value. If `i` is specified only 1, 2, 4, and 8 are valid options.
+
+- `comparisons` are a required field which denotes how to evaluate the extracted byte sequence. Each Byte Compare signature can have one or two `comparison_sets` separated by a comma. Each `comparison_set` consists of a `Comparison_symbol` and a `Comparison_value` and takes the form `Comparison_symbolComparison_value`. Thus, `comparisons` takes the form `comparison_set[,comparison_set]`
-- `comparison_symbol` is a required field which denotes how to evaluate the extracted byte sequence. The supported comparison symbols are `<`, `>`, `=`.
+ - `Comparison_symbol` denotes the type of comparison to be done. The supported comparison symbols are `<`, `>`, `=`.
-- `comparison_value` is a required field which must be a numeric hex or decimal value. If all other conditions are met, the byte compare subsig will evalutate the extracted byte sequence against this number based on the provided `comparison_symbol`.
+ - `Comparison_value` is a required field which must be a numeric hex or decimal value. If all other conditions are met, the byte compare subsig will evalutate the extracted byte sequence against this number based on the provided `comparison_symbol`.
### PCRE subsignatures (clamav-0.99) : <span class="nodecor">`Trigger/PCRE/[Flags]`</span>
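Review bot: Removing the `byte_length` bullet drops documented behaviour that nothing in the new bullets restores: the old line `If any invalid characters are found within the specified length, the evaluation will return a clean finding.` told signature authors what happens when the bytes at the offset are not valid hex or decimal digits, while the new `byte_options` line says only that ClamAV will "attempt to matchup up to the number of byte specified" unless `e` is set. Please state explicitly, in the `num_bytes` or `e` bullet, what happens in `h`/`d` mode when fewer than `num_bytes` numeric characters are found (is the shorter sequence compared, or does the subsig evaluate clean?) and what happens when zero valid characters are found, since `e` is described only as requiring the exact count. Two naming problems in the same hunk: the outer `offset` bullet says the field "consists of an `offset_modifier` and a numeric `offset`", then the nested bullet reuses `offset` for just the numeric part, so the same identifier names both the whole field and one of its halves; give the numeric part its own name. The comparison bullets introduce `Comparison_symbol` and `Comparison_value` in upper case but the last sentence of the `Comparison_value` bullet refers to `comparison_symbol` in lower case, and `Comparison_value` is marked "a required field" while `Comparison_symbol` is not, although both are mandatory halves of a `comparison_set`. Typos to fix while here: "matchup up to the number of byte specified" should read "match up to the number of bytes specified", "endianess" should be "endianness", and "evalutate" (carried over from the removed line) should be "evaluate".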