@@ -430,14 +430,18 @@ static int parseHeader(struct cli_bc *bc, unsigned char *buffer) |
| 430 | 430 |
|
| 431 | 431 |
static int parseLSig(struct cli_bc *bc, unsigned char *buffer) |
| 432 | 432 |
{
|
| 433 |
- if (buffer[0] != 'L') {
|
|
| 434 |
- cli_errmsg("Invalid logical signature header: %c\n", buffer[0]);
|
|
| 435 |
- return CL_EMALFDB; |
|
| 436 |
- } |
|
| 437 |
- bc->lsig = NULL; |
|
| 438 |
- if (!buffer[1]) |
|
| 439 |
- return CL_SUCCESS; |
|
| 440 |
- bc->lsig = cli_strdup(buffer); |
|
| 433 |
+ const char *prefix; |
|
| 434 |
+ char *vnames, *vend = strchr(buffer, ';'); |
|
| 435 |
+ if (vend) {
|
|
| 436 |
+ bc->lsig = cli_strdup(buffer); |
|
| 437 |
+ } else {
|
|
| 438 |
+ /* Not a logical signature, but we still have a virusname */ |
|
| 439 |
+ bc->lsig = NULL; |
|
| 440 |
+ } |
|
| 441 |
+ *vend++ = '\0'; |
|
| 442 |
+ prefix = buffer; |
|
| 443 |
+ vnames = strchr(vend, '{');
|
|
| 444 |
+ |
|
| 441 | 445 |
return CL_SUCCESS; |
| 442 | 446 |
} |
| 443 | 447 |
|
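Review bot: `*vend++ = '\0';` at new line 441 executes unconditionally after the `if (vend) … else` block, so when `strchr(buffer, ';')` returns NULL — exactly the "not a logical signature" case the else branch anticipates — the function writes through a null pointer, and `strchr(vend, '{')` on the next line repeats the dereference. The simplest fix is to end the else branch with `return CL_SUCCESS;` right after `bc->lsig = NULL;` (or move the two lines into the `if (vend)` branch). Two further points: `prefix` and `vnames` are assigned but never read before `return CL_SUCCESS`, so either the parsing is unfinished or they should be dropped, and the former `buffer[0] != 'L'` rejection and the NULL check on `cli_strdup` are both gone, so a malformed header now passes silently and an allocation failure goes unreported. Since `buffer` is `unsigned char *`, the `strchr` calls also need a `(const char *)` cast to avoid a pointer-sign mismatch.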
@@ -24,10 +24,12 @@ |
| 24 | 24 |
|
| 25 | 25 |
#ifdef __CLAMBC__ |
| 26 | 26 |
#include "bytecode_execs.h" |
| 27 |
+//#include "bytecode_pe.h" |
|
| 27 | 28 |
#endif |
| 28 | 29 |
|
| 29 | 30 |
#ifndef __CLAMBC__ |
| 30 | 31 |
#include "execs.h" |
| 32 |
+#include "pe.h" |
|
| 31 | 33 |
#endif |
| 32 | 34 |
|
| 33 | 35 |
struct foo {
|
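Review bot: `//#include "bytecode_pe.h"` at new line 27 is a commented-out include under `__CLAMBC__`, while the later hunk in this file adds `extern const struct cli_pe_hook_data __clambc_pedata;` — an extern of an incomplete struct type is legal, but bytecode code cannot access any field of it until a header defines the struct for the `__CLAMBC__` build. Either enable the include once that header exists or remove the line and leave a comment such as `/* TODO: bytecode-side definition of struct cli_pe_hook_data (bytecode_pe.h) not yet available */` so the intent survives. Note also the `__clambc_kind` widening from `uint8_t` to `uint16_t` matches the `16` size in `cli_globals` and the `uint16_t kind` hook field in this commit, which is consistent.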
@@ -46,8 +48,9 @@ enum BytecodeKind {
|
| 46 | 46 |
|
| 47 | 47 |
extern const uint32_t __clambc_match_counts[64]; |
| 48 | 48 |
extern const struct cli_exe_info __clambc_exeinfo; |
| 49 |
+extern const struct cli_pe_hook_data __clambc_pedata; |
|
| 49 | 50 |
|
| 50 |
-const uint8_t __clambc_kind; |
|
| 51 |
+const uint16_t __clambc_kind; |
|
| 51 | 52 |
|
| 52 | 53 |
uint32_t test0(struct foo*, uint32_t); |
| 53 | 54 |
uint32_t test1(uint32_t, uint32_t); |
@@ -36,47 +36,51 @@ uint32_t cli_bcapi_debug_print_uint(struct cli_bc_ctx *ctx, uint32_t, uint32_t); |
| 36 | 36 |
|
| 37 | 37 |
const struct cli_apiglobal cli_globals[] = {
|
| 38 | 38 |
/* Bytecode globals BEGIN */ |
| 39 |
- {"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 72,
|
|
| 39 |
+ {"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 73,
|
|
| 40 | 40 |
((char*)&((struct cli_bc_ctx*)0)->hooks.match_counts - (char*)NULL)}, |
| 41 |
- {"__clambc_exeinfo", GLOBAL_EXEINFO, 69,
|
|
| 41 |
+ {"__clambc_exeinfo", GLOBAL_EXEINFO, 70,
|
|
| 42 | 42 |
((char*)&((struct cli_bc_ctx*)0)->hooks.exeinfo - (char*)NULL)}, |
| 43 |
- {"__clambc_kind", GLOBAL_KIND, 8,
|
|
| 44 |
- ((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)} |
|
| 43 |
+ {"__clambc_kind", GLOBAL_KIND, 16,
|
|
| 44 |
+ ((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)}, |
|
| 45 |
+ {"__clambc_pedata", GLOBAL_PEDATA, 69,
|
|
| 46 |
+ ((char*)&((struct cli_bc_ctx*)0)->hooks.pedata - (char*)NULL)} |
|
| 45 | 47 |
/* Bytecode globals END */ |
| 46 | 48 |
}; |
| 47 | 49 |
const unsigned cli_apicall_maxglobal = _LAST_GLOBAL-1; |
| 48 |
-static uint16_t cli_tmp0[]={70, 32, 32, 16};
|
|
| 49 |
-static uint16_t cli_tmp1[]={71};
|
|
| 50 |
-static uint16_t cli_tmp2[]={32, 32, 32, 32, 32, 32, 32, 32, 32};
|
|
| 51 |
-static uint16_t cli_tmp3[]={32};
|
|
| 52 |
-static uint16_t cli_tmp4[]={32, 32, 32};
|
|
| 53 |
-static uint16_t cli_tmp5[]={32, 65, 32};
|
|
| 54 |
-static uint16_t cli_tmp6[]={32, 76, 32};
|
|
| 55 |
-static uint16_t cli_tmp7[]={77};
|
|
| 56 |
-static uint16_t cli_tmp8[]={76};
|
|
| 50 |
+static uint16_t cli_tmp0[]={};
|
|
| 51 |
+static uint16_t cli_tmp1[]={71, 32, 32, 16};
|
|
| 52 |
+static uint16_t cli_tmp2[]={72};
|
|
| 53 |
+static uint16_t cli_tmp3[]={32, 32, 32, 32, 32, 32, 32, 32, 32};
|
|
| 54 |
+static uint16_t cli_tmp4[]={32};
|
|
| 55 |
+static uint16_t cli_tmp5[]={32, 32, 32};
|
|
| 56 |
+static uint16_t cli_tmp6[]={32, 65, 32};
|
|
| 57 |
+static uint16_t cli_tmp7[]={32, 77, 32};
|
|
| 58 |
+static uint16_t cli_tmp8[]={78};
|
|
| 59 |
+static uint16_t cli_tmp9[]={77};
|
|
| 57 | 60 |
|
| 58 | 61 |
const struct cli_bc_type cli_apicall_types[]={
|
| 59 |
- {DStructType, cli_tmp0, 4, 0, 0},
|
|
| 60 |
- {DPointerType, cli_tmp1, 1, 0, 0},
|
|
| 61 |
- {DStructType, cli_tmp2, 9, 0, 0},
|
|
| 62 |
- {DArrayType, cli_tmp3, 64, 0, 0},
|
|
| 63 |
- {DFunctionType, cli_tmp4, 3, 0, 0},
|
|
| 62 |
+ {, cli_tmp0, , 0, 0},
|
|
| 63 |
+ {DStructType, cli_tmp1, 4, 0, 0},
|
|
| 64 |
+ {DPointerType, cli_tmp2, 1, 0, 0},
|
|
| 65 |
+ {DStructType, cli_tmp3, 9, 0, 0},
|
|
| 66 |
+ {DArrayType, cli_tmp4, 64, 0, 0},
|
|
| 64 | 67 |
{DFunctionType, cli_tmp5, 3, 0, 0},
|
| 65 | 68 |
{DFunctionType, cli_tmp6, 3, 0, 0},
|
| 66 |
- {DPointerType, cli_tmp7, 1, 0, 0},
|
|
| 67 |
- {DStructType, cli_tmp8, 1, 0, 0}
|
|
| 69 |
+ {DFunctionType, cli_tmp7, 3, 0, 0},
|
|
| 70 |
+ {DPointerType, cli_tmp8, 1, 0, 0},
|
|
| 71 |
+ {DStructType, cli_tmp9, 1, 0, 0}
|
|
| 68 | 72 |
}; |
| 69 | 73 |
|
| 70 | 74 |
const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall_types[0]); |
| 71 | 75 |
const struct cli_apicall cli_apicalls[]={
|
| 72 | 76 |
/* Bytecode APIcalls BEGIN */ |
| 73 |
- {"test0", 6, 0, 1},
|
|
| 74 |
- {"test1", 4, 0, 0},
|
|
| 75 |
- {"read", 5, 1, 1},
|
|
| 76 |
- {"seek", 4, 1, 0},
|
|
| 77 |
- {"setvirusname", 5, 2, 1},
|
|
| 78 |
- {"debug_print_str", 5, 3, 1},
|
|
| 79 |
- {"debug_print_uint", 4, 2, 0}
|
|
| 77 |
+ {"test0", 7, 0, 1},
|
|
| 78 |
+ {"test1", 5, 0, 0},
|
|
| 79 |
+ {"read", 6, 1, 1},
|
|
| 80 |
+ {"seek", 5, 1, 0},
|
|
| 81 |
+ {"setvirusname", 6, 2, 1},
|
|
| 82 |
+ {"debug_print_str", 6, 3, 1},
|
|
| 83 |
+ {"debug_print_uint", 5, 2, 0}
|
|
| 80 | 84 |
/* Bytecode APIcalls END */ |
| 81 | 85 |
}; |
| 82 | 86 |
const cli_apicall_int2 cli_apicalls0[] = {
|
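Review bot: `{, cli_tmp0, , 0, 0},` at new line 62 is not valid C (the kind and element-count fields are empty), and `static uint16_t cli_tmp0[]={};` at new line 50 is an empty initializer that C11 rejects as well (GNU extension at best), so this hunk does not compile as written. The surrounding `BEGIN`/`END` markers suggest this file is generator output, in which case the generator appears to have emitted a blank type entry for type id 69 — the id this hunk assigns to `__clambc_pedata` — presumably because it could not describe `struct cli_pe_hook_data`; the fix belongs in the generator rather than by hand-editing this line. Every other type id and apicall type index in the hunk has been shifted by one to make room for that blank entry (e.g. `{"test0", 6, 0, 1}` → `{"test0", 7, 0, 1}`), so once the entry is filled in correctly those shifts need to be re-verified against the `cli_apicall_types` order.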
@@ -24,8 +24,8 @@ |
| 24 | 24 |
|
| 25 | 25 |
struct cli_bc_hooks {
|
| 26 | 26 |
const uint32_t* match_counts; |
| 27 |
- const struct cli_exe_info *exeinfo; |
|
| 28 |
- const struct cli_pe_hook_data *pedata; |
|
| 29 |
- const uint8_t kind; |
|
| 27 |
+ const struct cli_exe_info exeinfo; |
|
| 28 |
+ const uint16_t kind; |
|
| 29 |
+ const cli_pe_hook_data pedata; |
|
| 30 | 30 |
}; |
| 31 | 31 |
#endif |
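Review bot: `const cli_pe_hook_data pedata;` at new line 29 drops the `struct` keyword that both the removed line (`const struct cli_pe_hook_data *pedata;`) and the new `extern const struct cli_pe_hook_data __clambc_pedata;` declaration elsewhere in this commit use; unless a typedef exists that is not visible here, this does not compile, and the line should read `const struct cli_pe_hook_data pedata;`. Changing `exeinfo` and `pedata` from pointers to by-value members also changes the offsets that `cli_globals` computes from `hooks.exeinfo` / `hooks.pedata` and makes every member `const`, so the struct can only be populated by an initializer or `memcpy`, never by assignment — worth confirming against the code that fills `cli_bc_hooks` (not in this diff).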
@@ -1,11 +1,9 @@ |
| 1 |
-ClamBCaa`|``````|`bbaabp`clamcoincidencejb |
|
| 2 |
-L;Target:0;((0|1|2)=42,2);aabb;ffffffff;aaccee;f00d |
|
| 3 |
-Tedebaeeb`eebodebndebmdebadebcdacb`bbadb`bdb`db`bdakahdagahdaiahdaeah |
|
| 4 |
-Eaeaaaebld|amcgefdgfgifbgegcgnfafmfef`` |
|
| 5 |
-Gd```hanbaeBafBafBbfBbf@`b`eBffBffBffBffBffBffBffBff@`baeBffB`cB`cBdf@`bodBafBafBcfBcfBefBef@`bndBdeBbgBofBjfBafBnfBnbBfdBodBod@`bad@@`bad@Aa`bad@Ab`bad@Ac`bad@Ad`bcdAcD```h`bcdAbD```h`bcd@D```h`bcdAaD```h` |
|
| 6 |
-A`b`bLacb`baa`Fafac |
|
| 7 |
-Bb`b`gbAj`aaaaeab`b`AbdTaaaaaaab |
|
| 8 |
-B```b`abTcab`b@d |
|
| 1 |
+ClamBCaa`|``````|`alaap`clamcoincidencejb |
|
| 2 |
+Trojan.Foo/A/B;Target:0;((0|1|2)=42,2);aabb;ffffffff;aaccee;f00d |
|
| 3 |
+Tedebkdebjdebadebcdacb`bbadb`bdb`db`bdabah |
|
| 4 |
+Eaeaaaebid|amcgefdgfgifbgegcgnfafmfef`` |
|
| 5 |
+Gd```hahbkdBad@`bkdBbd@`bad@@`bad@Aa`bcdAcD```h`bcdAbD```h`bcd@D```h`bcdAaD```h` |
|
| 6 |
+A`b`bLaeb`baaaabadb`bFahac |
|
| 7 |
+Bb`b`gbAd`aaaaiab`b`AbdTaaaaabaa |
|
| 8 |
+Baaabeab`b`AbdbadacoaabAb`Ac`b`badabbaeac@dTcab`b@d |
|
| 9 | 9 |
BTcab`b@dE |
| 10 |
-A``Laab`bFabaa |
|
| 11 |
-Bb`b`abbaeAi`@dTdaE |