clamav/libclamav/bytecode_api.h

/*
* Copyright (C) 2009-2010 Sourcefire, Inc.
* All rights reserved.
* Authors: Török Edvin
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/** @file */
#ifndef BYTECODE_API_H
#define BYTECODE_API_H
#ifdef __CLAMBC__
#include "bytecode_execs.h"
#include "bytecode_pe.h"
#include "bytecode_disasm.h"
#endif
#ifndef __CLAMBC__
#include "execs.h"
struct DISASM_RESULT;
#endif
/** Bytecode trigger kind: what causes a bytecode program to be run. */
enum BytecodeKind {
    /** generic bytecode, not tied to a specific hook */
    BC_GENERIC=0,
    /* Start of the hook-kind range: every hook kind below has a value >= 256.
     * Identifiers beginning with '_' followed by an uppercase letter are
     * reserved by the C standard; the name is kept for compatibility. */
    _BC_START_HOOKS=256,
    /** triggered by a logical signature */
    BC_LOGICAL=256,
    /** a PE unpacker */
    BC_PE_UNPACKER,
    /* One past the last defined hook kind; presumably an end marker rather
     * than a valid kind (same reserved-identifier caveat as above). */
    _BC_LAST_HOOK
};
/** Sentinel returned by pe_rawaddr() when an RVA cannot be mapped to a file offset. */
enum { PE_INVALID_RVA = 0xFFFFFFFF };
#ifdef __CLAMBC__
/* State exposed to the bytecode. All of it is const, i.e. read-only from the
 * bytecode's side; presumably it is filled in by the host runtime. */

/** @brief Logical signature match counts
 *
 * This is a low-level variable, use the Macros in bytecode_local.h instead to
 * access it.
 */
extern const uint32_t __clambc_match_counts[64];
/** PE data, if this is a PE hook (see enum BytecodeKind) */
extern const struct cli_pe_hook_data __clambc_pedata;
/** File size (max 4G) */
extern const uint32_t __clambc_filesize[1];

/** Kind of the bytecode (values from enum BytecodeKind).
 * NOTE(review): declared without `extern`, unlike the three variables above;
 * confirm this is intentional rather than an oversight. */
const uint16_t __clambc_kind;
/** Test API call; its parameters are unnamed and undocumented in this header. */
uint32_t test1(uint32_t, uint32_t);
/**
 * @brief Reads the specified amount of bytes from the current file
 * into a buffer. Also moves the current position in the file.
 *
 * @param[out] data pointer to buffer where data is read into; it must have
 *                  room for \p size bytes
 * @param[in] size amount of bytes to read
 * @return amount read; callers should not assume it equals \p size
 */
int32_t read(uint8_t *data, int32_t size);
/** Values for the \p whence argument of seek().
 * These use the same names as the C library's SEEK_* macros; the enum is only
 * visible when compiling bytecode (it sits inside the __CLAMBC__ block). */
enum {
    /**set file position to specified absolute position */
    SEEK_SET=0,
    /**set file position relative to current position */
    SEEK_CUR,
    /**set file position relative to file end*/
    SEEK_END
};
/**
 * @brief Writes the specified amount of bytes from a buffer to the
 * current temporary file.
 * @param[in] data pointer to buffer of data to write; \p size bytes are
 *                 read from it
 * @param[in] size amount of bytes to write
 * @return amount of bytes successfully written
 */
int32_t write(uint8_t *data, int32_t size);
/**
 * @brief Changes the current file position to the specified one.
 * @sa SEEK_SET, SEEK_CUR, SEEK_END
 * @param[in] pos offset (absolute or relative depending on \p whence param)
 * @param[in] whence one of \p SEEK_SET, \p SEEK_CUR, \p SEEK_END
 * @return absolute position in file after the move. The return type is
 *         signed, so a negative value presumably signals an error — confirm
 *         against the runtime before relying on it.
 */
int32_t seek(int32_t pos, uint32_t whence);
/**
 * Sets the name of the virus found.
 *
 * @param[in] name the name of the virus; its length is given by \p len
 *                 (whether a terminator is also required is not documented here)
 * @param[in] len length of the virusname
 * @return 0
 */
uint32_t setvirusname(const uint8_t *name, uint32_t len);
/**
 * Prints a debug message.
 *
 * @param[in] str Message to print
 * @param[in] len length of message to print
 * @return 0
 */
uint32_t debug_print_str(const uint8_t *str, uint32_t len);
/**
 * Prints a number as a debug message.
 *
 * @param[in] a number to print
 * @return 0
 */
uint32_t debug_print_uint(uint32_t a);
/**
 * Disassembles starting from current file position, the specified amount of
 * bytes.
 * @param[out] result pointer to struct holding result
 * @param[in] len how many bytes to disassemble
 * @return 0 for success
 *
 * You can use seek() to disassemble starting from a different location.
 * This is a low-level API, the result is in ClamAV type-8 signature format
 * (64 bytes/instruction).
 * \sa DisassembleAt
 */
uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len);
/* tracing API: lets bytecode report where it is executing and what values it
 * holds, for debugging. The prototypes carry no documentation; the per-call
 * descriptions below are inferred from the parameter names, and parameters
 * named `dummy` appear to be unused placeholders. */
/* a scope: lexical block, function, or compile unit */
/** Reports the source directory of the code being traced. */
uint32_t trace_directory(const uint8_t* directory, uint32_t dummy);
/** Reports entering the scope \p newscope, identified by \p scopeid. */
uint32_t trace_scope(const uint8_t* newscope, uint32_t scopeid);
/** Reports the current source file and line. */
uint32_t trace_source(const uint8_t* srcfile, uint32_t line);
/** Reports the current operation name and source column. */
uint32_t trace_op(const uint8_t* opname, uint32_t column);
/** Reports the value \p v of the variable called \p name. */
uint32_t trace_value(const uint8_t* name, uint32_t v);
/** Reports a pointer value. */
uint32_t trace_ptr(const uint8_t* ptr, uint32_t dummy);
/** Converts a RVA (Relative Virtual Address) to
 * an absolute PE file offset.
 * @param rva a rva address from the PE file
 * @return absolute file offset mapped to the \p rva,
 * or PE_INVALID_RVA if the \p rva is invalid.
 */
uint32_t pe_rawaddr(uint32_t rva);

/** Looks for the specified sequence of bytes in the current file.
 * @param[in] data the sequence of bytes to look for
 * @param len length of \p data, cannot be more than 1024
 * @return offset in the current file if match is found, -1 otherwise */
int32_t file_find(const uint8_t* data, uint32_t len);
/** Read a single byte from current file
 * @param offset file offset
 * @return byte at offset \p offset in the current file, or -1 if offset is
 * invalid */
int32_t file_byteat(uint32_t offset);
/** Allocates memory. Currently this memory is freed automatically on exit
 * from the bytecode, and there is no way to free it sooner.
 * This declaration shadows the C library's malloc() but is only visible when
 * compiling bytecode (__CLAMBC__). Because nothing can be released early,
 * every allocation stays live until the bytecode exits — keep allocations
 * small and avoid allocating in loops.
 * @param size amount of memory to allocate in bytes
 * @return pointer to allocated memory; whether it can be NULL on failure is
 *         not documented here, so callers should check it */
void* malloc(uint32_t size);
/** Test API call; undocumented in this header. */
uint32_t test2(uint32_t a);
/** Gets information about the specified PE section.
 * @param[out] section PE section information will be stored here
 * @param[in] num PE section number
 * @return status; not documented in this header (the other int32_t calls in
 *         this API use <0 for errors — confirm against the runtime) */
int32_t get_pe_section(struct cli_exe_section *section, uint32_t num);
/** Fills the specified buffer with at least \p fill bytes.
 * Only \p len bounds what is written, so pass the buffer's real size.
 * @param[out] buffer the buffer to fill
 * @param[in] len length of buffer
 * @param[in] filled how much of the buffer is currently filled
 * @param[in] cur position of cursor in buffer
 * @param[in] fill amount of bytes to fill in (0 is valid)
 * @return <0 on error,
 * 0 on EOF,
 * number bytes available in buffer (starting from 0)
 * The character at the cursor will be at position 0 after this call.
 */
int32_t fill_buffer(uint8_t* buffer, uint32_t len, uint32_t filled, uint32_t cur, uint32_t fill);
/**
 * Prepares for extracting a new file, if we've already extracted one it scans
 * it.
 * @param[in] id an id for the new file (for example position in container)
 * @return 1 if previous extracted file was infected (presumably 0 otherwise;
 *         the signed return type leaves room for an error value — confirm)
 */
int32_t extract_new(int32_t id);
/**
 * Reads a number in the specified radix starting from the current position.
 * Non-numeric characters are ignored.
 * @param[in] radix 10 or 16
 * @return the number read (how an absent number is reported is not
 *         documented here)
 */
int32_t read_number(uint32_t radix);
/* Hash sets of 32-bit keys. hashset_new() returns a handle that the other
 * calls take as their first argument and hashset_done() releases; the
 * int32_t results presumably follow the API's convention of <0 on error. */
int32_t hashset_new(void);
int32_t hashset_add(int32_t hs, uint32_t key);
int32_t hashset_remove(int32_t hs, uint32_t key);
int32_t hashset_contains(int32_t hs, uint32_t key);
int32_t hashset_done(int32_t id);
int32_t hashset_empty(int32_t id);

/* Buffer pipes: byte buffers with a read side and a write side, addressed by
 * handle. The *_get calls return a raw pointer into the buffer; the caller must
 * not touch more than the \p amount / \p size bytes it asked for. The
 * *_stopped calls appear to report how many bytes were actually consumed or
 * produced (inferred from the names). Whether the storage may move between
 * calls is not documented here, so do not cache the returned pointer across
 * other pipe calls. */
int32_t buffer_pipe_new(uint32_t size);
/** Creates a pipe fed from the current file starting at \p pos (inferred from the name). */
int32_t buffer_pipe_new_fromfile(uint32_t pos);
uint32_t buffer_pipe_read_avail(int32_t id);
uint8_t *buffer_pipe_read_get(int32_t id, uint32_t amount);
int32_t buffer_pipe_read_stopped(int32_t id, uint32_t amount);
uint32_t buffer_pipe_write_avail(int32_t id);
uint8_t *buffer_pipe_write_get(int32_t id, uint32_t size);
int32_t buffer_pipe_write_stopped(int32_t id, uint32_t amount);
int32_t buffer_pipe_done(int32_t id);
/* Decompression between two buffer pipes; \p windowBits is named like zlib's
 * parameter of the same name (confirm it takes the same values). */
int32_t inflate_init(int32_t from_buffer, int32_t to_buffer, int32_t windowBits);
int32_t inflate_process(int32_t id);
int32_t inflate_done(int32_t id);
/** Reports a bytecode runtime error at the given location id. */
int32_t bytecode_rt_error(int32_t locationid);
/* JavaScript normalizer reading from a buffer pipe (inferred from the name). */
int32_t jsnorm_init(int32_t from_buffer);
int32_t jsnorm_process(int32_t id);
int32_t jsnorm_done(int32_t id);
#endif
#endif