2009-09-04 12:09:17 +03:00
|
|
|
/*
|
|
|
|
|
* ClamAV bytecode API.
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2009 Sourcefire, Inc.
|
|
|
|
|
*
|
|
|
|
|
* Authors: Török Edvin
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
2009-11-24 14:53:15 +02:00
|
|
|
|
|
|
|
|
/** @file */
|
2009-10-02 17:33:11 +03:00
|
|
|
#ifndef BYTECODE_API_H
|
|
|
|
|
#define BYTECODE_API_H
|
2009-09-04 12:09:17 +03:00
|
|
|
|
2009-09-30 13:41:02 +03:00
|
|
|
#ifdef __CLAMBC__
|
|
|
|
|
#include "bytecode_execs.h"
|
2009-11-06 16:34:46 +02:00
|
|
|
#include "bytecode_pe.h"
|
|
|
|
|
#include "bytecode_disasm.h"
|
2009-09-30 13:41:02 +03:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifndef __CLAMBC__
|
|
|
|
|
#include "execs.h"
|
2009-11-06 16:34:46 +02:00
|
|
|
struct DISASM_RESULT;
|
2009-09-30 13:41:02 +03:00
|
|
|
#endif
|
2009-09-04 12:09:17 +03:00
|
|
|
|
2009-08-20 16:23:43 +03:00
|
|
|
struct foo {
|
|
|
|
|
struct foo *nxt;
|
|
|
|
|
};
|
|
|
|
|
|
2009-11-24 14:53:15 +02:00
|
|
|
/** Bytecode trigger kind */
|
2009-10-02 17:33:11 +03:00
|
|
|
enum BytecodeKind {
|
2009-11-24 14:53:15 +02:00
|
|
|
/** generic bytecode, not tied a specific hook */
|
|
|
|
|
BC_GENERIC=0,
|
2009-10-02 17:33:11 +03:00
|
|
|
_BC_START_HOOKS=256,
|
2009-11-24 14:53:15 +02:00
|
|
|
/** triggered by a logical signature */
|
|
|
|
|
BC_LOGICAL=256,
|
|
|
|
|
/** a PE unpacker */
|
|
|
|
|
BC_PE_UNPACKER,
|
2009-10-02 17:33:11 +03:00
|
|
|
_BC_LAST_HOOK
|
|
|
|
|
};
|
|
|
|
|
|
2009-09-04 17:29:13 +03:00
|
|
|
#ifdef __CLAMBC__
|
|
|
|
|
|
2009-11-24 14:53:15 +02:00
|
|
|
/** @brief Logical signature match counts
|
|
|
|
|
*
|
|
|
|
|
* This is a low-level variable, use the Macros in bytecode_local.h instead to
|
|
|
|
|
* access it.
|
|
|
|
|
* */
|
2009-09-30 13:41:02 +03:00
|
|
|
extern const uint32_t __clambc_match_counts[64];
|
2009-11-24 14:53:15 +02:00
|
|
|
/** Executable info, if this is a PE hook */
|
2009-09-30 13:41:02 +03:00
|
|
|
extern const struct cli_exe_info __clambc_exeinfo;
|
2009-11-24 14:53:15 +02:00
|
|
|
/** PE data, if this is a PE hook */
|
2009-10-06 17:32:38 +03:00
|
|
|
extern const struct cli_pe_hook_data __clambc_pedata;
|
2009-09-30 13:41:02 +03:00
|
|
|
|
2009-11-24 14:53:15 +02:00
|
|
|
/** Kind of the bytecode */
|
2009-10-06 17:32:38 +03:00
|
|
|
const uint16_t __clambc_kind;
|
2009-09-30 13:41:02 +03:00
|
|
|
|
2009-09-04 16:24:52 +03:00
|
|
|
uint32_t test0(struct foo*, uint32_t);
|
|
|
|
|
uint32_t test1(uint32_t, uint32_t);
|
2009-09-04 17:29:13 +03:00
|
|
|
|
2009-11-24 14:53:15 +02:00
|
|
|
/**
|
|
|
|
|
* @brief Reads specified amount of bytes from the current file
|
|
|
|
|
* into a buffer.
|
|
|
|
|
*
|
|
|
|
|
* @param[in] size amount of bytes to read
|
|
|
|
|
* @param[out] data pointer to buffer where data is read into
|
|
|
|
|
* @return amount read.
|
|
|
|
|
*/
|
2009-09-21 18:48:43 +03:00
|
|
|
int32_t read(uint8_t *data, int32_t size);
|
2009-09-04 17:29:13 +03:00
|
|
|
|
2009-11-24 14:53:15 +02:00
|
|
|
|
2009-09-04 17:29:13 +03:00
|
|
|
enum {
|
2009-11-24 14:53:15 +02:00
|
|
|
/**set file position to specified absolute position */
|
2009-09-04 17:29:13 +03:00
|
|
|
SEEK_SET=0,
|
2009-11-24 14:53:15 +02:00
|
|
|
/**set file position relative to current position */
|
2009-09-04 17:29:13 +03:00
|
|
|
SEEK_CUR,
|
2009-11-24 14:53:15 +02:00
|
|
|
/**set file position relative to file end*/
|
2009-09-04 17:29:13 +03:00
|
|
|
SEEK_END
|
|
|
|
|
};
|
|
|
|
|
|
2009-11-24 14:53:15 +02:00
|
|
|
/**
|
|
|
|
|
* @brief Writes the specified amount of bytes from a buffer to the
|
|
|
|
|
* current temporary file.
|
|
|
|
|
* @param[in] data pointer to buffer of data to write
|
|
|
|
|
* @param[in] size amount of bytes to write
|
|
|
|
|
* \p size bytes to temporary file, from the buffer pointed to
|
|
|
|
|
* byte
|
|
|
|
|
* @return amount of bytes successfully written
|
|
|
|
|
*/
|
2009-11-06 16:34:46 +02:00
|
|
|
int32_t write(uint8_t *data, int32_t size);
|
2009-11-24 14:53:15 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @brief Changes the current file position to the specified one.
|
|
|
|
|
* @sa SEEK_SET, SEEK_CUR, SEEK_END
|
|
|
|
|
* @param[in] pos offset (absolute or relative depending on \p whence param)
|
|
|
|
|
* @param[in] whence one of \p SEEK_SET, \p SEEK_CUR, \p SEEK_END
|
|
|
|
|
* @return absolute position in file
|
|
|
|
|
*/
|
2009-09-04 17:29:13 +03:00
|
|
|
int32_t seek(int32_t pos, uint32_t whence);
|
|
|
|
|
|
2009-11-24 14:53:15 +02:00
|
|
|
/**
|
|
|
|
|
* Sets the name of the virus found.
|
|
|
|
|
*
|
|
|
|
|
* @param[in] name the name of the virus
|
|
|
|
|
* @param[in] len length of the virusname
|
|
|
|
|
* @return 0
|
|
|
|
|
*/
|
2009-09-22 11:03:17 +03:00
|
|
|
uint32_t setvirusname(const uint8_t *name, uint32_t len);
|
|
|
|
|
|
2009-11-24 14:53:15 +02:00
|
|
|
/**
|
|
|
|
|
* Prints a debug message.
|
|
|
|
|
*
|
|
|
|
|
* @param[in] str Message to print
|
|
|
|
|
* @param[in] len length of message to print
|
|
|
|
|
* @return 0
|
|
|
|
|
*/
|
2009-09-21 18:48:43 +03:00
|
|
|
uint32_t debug_print_str(const uint8_t *str, uint32_t len);
|
2009-11-24 14:53:15 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Prints a number as a debug message.
|
|
|
|
|
*
|
|
|
|
|
* @param[in] a number to print
|
|
|
|
|
* @param b unused
|
|
|
|
|
* @return 0
|
|
|
|
|
*/
|
2009-09-11 15:12:17 +03:00
|
|
|
uint32_t debug_print_uint(uint32_t a, uint32_t b);
|
|
|
|
|
|
2009-11-24 14:53:15 +02:00
|
|
|
/**
|
|
|
|
|
* Disassembles starting from current file position, the specified amount of
|
|
|
|
|
* bytes.
|
|
|
|
|
* @param[out] result pointer to struct holding result
|
|
|
|
|
* @param[in] len how many bytes to disassemble
|
|
|
|
|
* @return 0 for success
|
|
|
|
|
*
|
|
|
|
|
* You can use lseek to disassemble starting from a different location.
|
|
|
|
|
* This is a low-level API, the result is in ClamAV type-8 signature format
|
|
|
|
|
* (64 bytes/instruction).
|
|
|
|
|
* \sa DisassembleAt
|
|
|
|
|
* */
|
|
|
|
|
uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len);
|
2009-09-04 17:29:13 +03:00
|
|
|
#endif
|
2009-10-02 17:33:11 +03:00
|
|
|
#endif
|
