bcomp - updating signatures.md with byte compare info

Mickey Sola authored on 2018/09/22 08:01:40
@@ -597,6 +597,29 @@ to:
597 597
 
598 598
 - For more information and examples please see <https://bugzilla.clamav.net/show_bug.cgi?id=164>.
599 599
 
600
+### Byte Compare Subsignatures (clamav-0.101) : <span class="nodecor">`ref_subsig([offset_shift]offset#[options]byte_length#[comparison_symbol]comparison_value)`</span>
601
+
602
+Byte compare subsignatures can be used to evaluate a numeric value at a given offset from the start of another (matched) subsignature within the same logical signature. These are executed after all other subsignatures within the logical subsignature are fired, with the exception of PCRE subsignatures. They can evaluate offsets only from a single referenced subsignature, and that subsignature must give a valid match for the evaluation to occur.
603
+
604
+- `ref_subsig` is a required field and may refer to any single non-PCRE subsignature within the lsig. The byte compare subsig will evaluate if `ref_subsig` matches. Multiple referenced subsigs or logic based referencing is not currently supported.
605
+
606
+- `offset_shift` is a required field that can be either `>>` or `<<` where the former denotes a positive offset and the latter denotes a negative offset. The offset is calculated from the start of ref_subsigid, which allows for byte extraction before the specified match, after the match, and within the match itself.
607
+
608
+- `offset` is a required field that must be a positive hex or decimal value. This will be the number of bytes from the start of the referenced subsig match within the file buffer to begin the comparison
609
+
610
+- `options` are a required field which specify the numeric type and endianess of the extracted byte sequence in that order. This field follows the form `[h|d][l|b]`
611
+
612
+  - `h|d` where `h` specifies the byte sequence will be in hex and `d` decimal
613
+
614
+  - `l|b` where `l` specifies the byte sequence will be in little endian order and `b` big endian.
615
+
616
+- `byte_length` is a required field which species the exact number of bytes to extract during the evaluation. If any invalid characters are found within the specified length, the evaluation will return a clean finding.
617
+
618
+- `comparison_symbol` is a required field which denotes how to evaluate the extracted byte sequence. The supported comparison symbols are `<`, `>`, `=`.
619
+
620
+- `comparison_value` is a required field which must be a numeric hex or decimal value. If all other conditions are met, the byte compare subsig will evalutate the extracted byte sequence against this number based on the provided `comparison_symbol`.
621
+
622
+
600 623
 ### PCRE subsignatures (clamav-0.99) : <span class="nodecor">`Trigger/PCRE/[Flags]`</span>
601 624
 
602 625
 PCRE subsignatures are used within a logical signature (`.ldb`) to specify regex matches that execute once triggered by a conditional based on preceding subsignatures. Signatures using PCRE subsignatures require `Engine:81-255` for backwards-compatibility.
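Review bot: the heading's bracketed fields `[offset_shift]`, `[options]` and `[comparison_symbol]` read as optional, yet every bullet below says the field is required; either drop the brackets or state that the brackets only delimit fields and do not mean optional. The `offset_shift` bullet also says the offset is calculated "from the start of ref_subsigid", while the heading and the `ref_subsig` bullet use the name `ref_subsig`; use one name throughout. Because the syntax is dense, the section would benefit from one worked `.ldb` line built from the stated grammar (for instance a `0(>>4#hl2#>255)` form, if that is the intended spelling), the way the preceding section points to examples. Smaller wording fixes in the hunk: "within the logical subsignature are fired" should be "within the logical signature", "endianess" should be "endianness", "species the exact number" should be "specifies", "evalutate" should be "evaluate", and "the evaluation will return a clean finding" would be clearer as "the subsignature evaluates as not matched", since a single subsignature does not produce a verdict for the file on its own.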