... | ... |
@@ -430,14 +430,18 @@ static int parseHeader(struct cli_bc *bc, unsigned char *buffer) |
430 | 430 |
|
431 | 431 |
static int parseLSig(struct cli_bc *bc, unsigned char *buffer) |
432 | 432 |
{ |
433 |
- if (buffer[0] != 'L') { |
|
434 |
- cli_errmsg("Invalid logical signature header: %c\n", buffer[0]); |
|
435 |
- return CL_EMALFDB; |
|
436 |
- } |
|
437 |
- bc->lsig = NULL; |
|
438 |
- if (!buffer[1]) |
|
439 |
- return CL_SUCCESS; |
|
440 |
- bc->lsig = cli_strdup(buffer); |
|
433 |
+ const char *prefix; |
|
434 |
+ char *vnames, *vend = strchr(buffer, ';'); |
|
435 |
+ if (vend) { |
|
436 |
+ bc->lsig = cli_strdup(buffer); |
|
437 |
+ } else { |
|
438 |
+ /* Not a logical signature, but we still have a virusname */ |
|
439 |
+ bc->lsig = NULL; |
|
440 |
+ } |
|
441 |
+ *vend++ = '\0'; |
|
442 |
+ prefix = buffer; |
|
443 |
+ vnames = strchr(vend, '{'); |
|
444 |
+ |
|
441 | 445 |
return CL_SUCCESS; |
442 | 446 |
} |
443 | 447 |
|
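Review bot: `*vend++ = '\0';` runs unconditionally after the `if (vend) … else …`, so a line with no ';' (the case the new comment describes as "not a logical signature") writes through a NULL pointer and then passes the incremented pointer to `strchr`. Guard both uses, e.g. `if (vend) *vend++ = '\0';` and `vnames = vend ? strchr(vend, '{') : NULL;`, or handle the virus name and return inside the else branch. Because this parses a line of a loaded bytecode file, a malformed line should end in an error return such as the `CL_EMALFDB` the removed code used, not a crash. The result of `cli_strdup(buffer)` is stored without a NULL check, so an allocation failure is reported as `CL_SUCCESS`; `if (!bc->lsig) return CL_EMEM;` would surface it. `buffer` is `unsigned char *` while `strchr` takes `const char *`, and `prefix` and `vnames` are assigned but not used in the visible lines.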
... | ... |
@@ -24,10 +24,12 @@ |
24 | 24 |
|
25 | 25 |
#ifdef __CLAMBC__ |
26 | 26 |
#include "bytecode_execs.h" |
27 |
+//#include "bytecode_pe.h" |
|
27 | 28 |
#endif |
28 | 29 |
|
29 | 30 |
#ifndef __CLAMBC__ |
30 | 31 |
#include "execs.h" |
32 |
+#include "pe.h" |
|
31 | 33 |
#endif |
32 | 34 |
|
33 | 35 |
struct foo { |
... | ... |
@@ -46,8 +48,9 @@ enum BytecodeKind { |
46 | 46 |
|
47 | 47 |
extern const uint32_t __clambc_match_counts[64]; |
48 | 48 |
extern const struct cli_exe_info __clambc_exeinfo; |
49 |
+extern const struct cli_pe_hook_data __clambc_pedata; |
|
49 | 50 |
|
50 |
-const uint8_t __clambc_kind; |
|
51 |
+const uint16_t __clambc_kind; |
|
51 | 52 |
|
52 | 53 |
uint32_t test0(struct foo*, uint32_t); |
53 | 54 |
uint32_t test1(uint32_t, uint32_t); |
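Review bot: In the include hunk, `//#include "bytecode_pe.h"` is left commented out under `__CLAMBC__`, while the next hunk declares `extern const struct cli_pe_hook_data __clambc_pedata;` for both builds. Unless `bytecode_execs.h` already defines `struct cli_pe_hook_data`, bytecode sources see only an incomplete type and cannot read any field of the new global. Either add the header and enable the include, or replace the dead line with a comment that states the intent, e.g. `/* TODO: PE hook data is not yet exposed to bytecode */`.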
... | ... |
@@ -36,47 +36,51 @@ uint32_t cli_bcapi_debug_print_uint(struct cli_bc_ctx *ctx, uint32_t, uint32_t); |
36 | 36 |
|
37 | 37 |
const struct cli_apiglobal cli_globals[] = { |
38 | 38 |
/* Bytecode globals BEGIN */ |
39 |
- {"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 72, |
|
39 |
+ {"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 73, |
|
40 | 40 |
((char*)&((struct cli_bc_ctx*)0)->hooks.match_counts - (char*)NULL)}, |
41 |
- {"__clambc_exeinfo", GLOBAL_EXEINFO, 69, |
|
41 |
+ {"__clambc_exeinfo", GLOBAL_EXEINFO, 70, |
|
42 | 42 |
((char*)&((struct cli_bc_ctx*)0)->hooks.exeinfo - (char*)NULL)}, |
43 |
- {"__clambc_kind", GLOBAL_KIND, 8, |
|
44 |
- ((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)} |
|
43 |
+ {"__clambc_kind", GLOBAL_KIND, 16, |
|
44 |
+ ((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)}, |
|
45 |
+ {"__clambc_pedata", GLOBAL_PEDATA, 69, |
|
46 |
+ ((char*)&((struct cli_bc_ctx*)0)->hooks.pedata - (char*)NULL)} |
|
45 | 47 |
/* Bytecode globals END */ |
46 | 48 |
}; |
47 | 49 |
const unsigned cli_apicall_maxglobal = _LAST_GLOBAL-1; |
48 |
-static uint16_t cli_tmp0[]={70, 32, 32, 16}; |
|
49 |
-static uint16_t cli_tmp1[]={71}; |
|
50 |
-static uint16_t cli_tmp2[]={32, 32, 32, 32, 32, 32, 32, 32, 32}; |
|
51 |
-static uint16_t cli_tmp3[]={32}; |
|
52 |
-static uint16_t cli_tmp4[]={32, 32, 32}; |
|
53 |
-static uint16_t cli_tmp5[]={32, 65, 32}; |
|
54 |
-static uint16_t cli_tmp6[]={32, 76, 32}; |
|
55 |
-static uint16_t cli_tmp7[]={77}; |
|
56 |
-static uint16_t cli_tmp8[]={76}; |
|
50 |
+static uint16_t cli_tmp0[]={}; |
|
51 |
+static uint16_t cli_tmp1[]={71, 32, 32, 16}; |
|
52 |
+static uint16_t cli_tmp2[]={72}; |
|
53 |
+static uint16_t cli_tmp3[]={32, 32, 32, 32, 32, 32, 32, 32, 32}; |
|
54 |
+static uint16_t cli_tmp4[]={32}; |
|
55 |
+static uint16_t cli_tmp5[]={32, 32, 32}; |
|
56 |
+static uint16_t cli_tmp6[]={32, 65, 32}; |
|
57 |
+static uint16_t cli_tmp7[]={32, 77, 32}; |
|
58 |
+static uint16_t cli_tmp8[]={78}; |
|
59 |
+static uint16_t cli_tmp9[]={77}; |
|
57 | 60 |
|
58 | 61 |
const struct cli_bc_type cli_apicall_types[]={ |
59 |
- {DStructType, cli_tmp0, 4, 0, 0}, |
|
60 |
- {DPointerType, cli_tmp1, 1, 0, 0}, |
|
61 |
- {DStructType, cli_tmp2, 9, 0, 0}, |
|
62 |
- {DArrayType, cli_tmp3, 64, 0, 0}, |
|
63 |
- {DFunctionType, cli_tmp4, 3, 0, 0}, |
|
62 |
+ {, cli_tmp0, , 0, 0}, |
|
63 |
+ {DStructType, cli_tmp1, 4, 0, 0}, |
|
64 |
+ {DPointerType, cli_tmp2, 1, 0, 0}, |
|
65 |
+ {DStructType, cli_tmp3, 9, 0, 0}, |
|
66 |
+ {DArrayType, cli_tmp4, 64, 0, 0}, |
|
64 | 67 |
{DFunctionType, cli_tmp5, 3, 0, 0}, |
65 | 68 |
{DFunctionType, cli_tmp6, 3, 0, 0}, |
66 |
- {DPointerType, cli_tmp7, 1, 0, 0}, |
|
67 |
- {DStructType, cli_tmp8, 1, 0, 0} |
|
69 |
+ {DFunctionType, cli_tmp7, 3, 0, 0}, |
|
70 |
+ {DPointerType, cli_tmp8, 1, 0, 0}, |
|
71 |
+ {DStructType, cli_tmp9, 1, 0, 0} |
|
68 | 72 |
}; |
69 | 73 |
|
70 | 74 |
const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall_types[0]); |
71 | 75 |
const struct cli_apicall cli_apicalls[]={ |
72 | 76 |
/* Bytecode APIcalls BEGIN */ |
73 |
- {"test0", 6, 0, 1}, |
|
74 |
- {"test1", 4, 0, 0}, |
|
75 |
- {"read", 5, 1, 1}, |
|
76 |
- {"seek", 4, 1, 0}, |
|
77 |
- {"setvirusname", 5, 2, 1}, |
|
78 |
- {"debug_print_str", 5, 3, 1}, |
|
79 |
- {"debug_print_uint", 4, 2, 0} |
|
77 |
+ {"test0", 7, 0, 1}, |
|
78 |
+ {"test1", 5, 0, 0}, |
|
79 |
+ {"read", 6, 1, 1}, |
|
80 |
+ {"seek", 5, 1, 0}, |
|
81 |
+ {"setvirusname", 6, 2, 1}, |
|
82 |
+ {"debug_print_str", 6, 3, 1}, |
|
83 |
+ {"debug_print_uint", 5, 2, 0} |
|
80 | 84 |
/* Bytecode APIcalls END */ |
81 | 85 |
}; |
82 | 86 |
const cli_apicall_int2 cli_apicalls0[] = { |
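Review bot: `static uint16_t cli_tmp0[]={};` and `{, cli_tmp0, , 0, 0},` are not valid C: the table entry has an empty kind and an empty element count, and C11 does not accept an empty initializer list. These lines look like generator output for a type it could not describe, so the fix probably belongs in the generator or its input rather than in this file. The new `__clambc_pedata` entry uses type id 69, the id `__clambc_exeinfo` had before every id shifted by one; it may now refer to that empty first entry, which is worth confirming. Until the entry is filled in, a consumer of `cli_apicall_types` has no kind or element count to validate a bytecode's use of that type against.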
... | ... |
@@ -24,8 +24,8 @@ |
24 | 24 |
|
25 | 25 |
struct cli_bc_hooks { |
26 | 26 |
const uint32_t* match_counts; |
27 |
- const struct cli_exe_info *exeinfo; |
|
28 |
- const struct cli_pe_hook_data *pedata; |
|
29 |
- const uint8_t kind; |
|
27 |
+ const struct cli_exe_info exeinfo; |
|
28 |
+ const uint16_t kind; |
|
29 |
+ const cli_pe_hook_data pedata; |
|
30 | 30 |
}; |
31 | 31 |
#endif |
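Review bot: `const cli_pe_hook_data pedata;` drops the `struct` keyword that the removed line and the `extern const struct cli_pe_hook_data __clambc_pedata;` declaration both use; unless a typedef of that name exists this does not compile as C, so it should read `const struct cli_pe_hook_data pedata;`. `exeinfo` and `pedata` also change from pointers to embedded `const` structs, which requires their complete definitions to be visible before this header and means the members cannot be assigned once the enclosing object exists. Since `cli_globals` computes each global's offset from `hooks.*`, a short comment on the struct saying that its layout and field widths must stay in step with that table would help the next change.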
... | ... |
@@ -1,11 +1,9 @@ |
1 |
-ClamBCaa`|``````|`bbaabp`clamcoincidencejb |
|
2 |
-L;Target:0;((0|1|2)=42,2);aabb;ffffffff;aaccee;f00d |
|
3 |
-Tedebaeeb`eebodebndebmdebadebcdacb`bbadb`bdb`db`bdakahdagahdaiahdaeah |
|
4 |
-Eaeaaaebld|amcgefdgfgifbgegcgnfafmfef`` |
|
5 |
-Gd```hanbaeBafBafBbfBbf@`b`eBffBffBffBffBffBffBffBff@`baeBffB`cB`cBdf@`bodBafBafBcfBcfBefBef@`bndBdeBbgBofBjfBafBnfBnbBfdBodBod@`bad@@`bad@Aa`bad@Ab`bad@Ac`bad@Ad`bcdAcD```h`bcdAbD```h`bcd@D```h`bcdAaD```h` |
|
6 |
-A`b`bLacb`baa`Fafac |
|
7 |
-Bb`b`gbAj`aaaaeab`b`AbdTaaaaaaab |
|
8 |
-B```b`abTcab`b@d |
|
1 |
+ClamBCaa`|``````|`alaap`clamcoincidencejb |
|
2 |
+Trojan.Foo/A/B;Target:0;((0|1|2)=42,2);aabb;ffffffff;aaccee;f00d |
|
3 |
+Tedebkdebjdebadebcdacb`bbadb`bdb`db`bdabah |
|
4 |
+Eaeaaaebid|amcgefdgfgifbgegcgnfafmfef`` |
|
5 |
+Gd```hahbkdBad@`bkdBbd@`bad@@`bad@Aa`bcdAcD```h`bcdAbD```h`bcd@D```h`bcdAaD```h` |
|
6 |
+A`b`bLaeb`baaaabadb`bFahac |
|
7 |
+Bb`b`gbAd`aaaaiab`b`AbdTaaaaabaa |
|
8 |
+Baaabeab`b`AbdbadacoaabAb`Ac`b`badabbaeac@dTcab`b@d |
|
9 | 9 |
BTcab`b@dE |
10 |
-A``Laab`bFabaa |
|
11 |
-Bb`b`abbaeAi`@dTdaE |