2009-08-20 16:23:43 +03:00
|
|
|
/*
|
|
|
|
|
* ClamAV bytecode internal API
|
|
|
|
|
*
|
2010-02-02 14:03:32 +02:00
|
|
|
* Copyright (C) 2009-2010 Sourcefire, Inc.
|
2009-08-20 16:23:43 +03:00
|
|
|
*
|
2009-09-04 16:24:52 +03:00
|
|
|
* Authors: Török Edvin
|
|
|
|
|
*
|
2009-08-20 16:23:43 +03:00
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
2009-12-11 20:57:41 +02:00
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_UNISTD_H
|
2009-09-07 18:01:43 +03:00
|
|
|
#include <unistd.h>
|
2009-12-11 20:57:41 +02:00
|
|
|
#endif
|
2009-09-04 17:29:13 +03:00
|
|
|
#include <stdlib.h>
|
2009-12-02 17:13:07 +02:00
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <errno.h>
|
2010-01-20 16:19:18 +02:00
|
|
|
#include <string.h>
|
2009-08-20 16:23:43 +03:00
|
|
|
#include "cltypes.h"
|
2009-09-04 17:29:13 +03:00
|
|
|
#include "clambc.h"
|
2009-12-09 16:50:55 +02:00
|
|
|
#include "bytecode.h"
|
2009-09-04 17:29:13 +03:00
|
|
|
#include "bytecode_priv.h"
|
2009-08-20 16:23:43 +03:00
|
|
|
#include "type_desc.h"
|
|
|
|
|
#include "bytecode_api.h"
|
2009-09-04 16:24:52 +03:00
|
|
|
#include "bytecode_api_impl.h"
|
2009-09-11 15:12:17 +03:00
|
|
|
#include "others.h"
|
2010-01-18 19:31:59 +02:00
|
|
|
#include "pe.h"
|
2010-01-20 17:16:27 +02:00
|
|
|
#include "disasm.h"
|
2009-08-20 16:23:43 +03:00
|
|
|
|
2009-09-04 16:24:52 +03:00
|
|
|
uint32_t cli_bcapi_test1(struct cli_bc_ctx *ctx, uint32_t a, uint32_t b)
|
2009-08-20 16:23:43 +03:00
|
|
|
{
|
|
|
|
|
return (a==0xf00dbeef && b==0xbeeff00d) ? 0x12345678 : 0x55;
|
|
|
|
|
}
|
2009-09-04 17:29:13 +03:00
|
|
|
|
2010-01-20 20:04:01 +02:00
|
|
|
uint32_t cli_bcapi_test2(struct cli_bc_ctx *ctx, uint32_t a)
|
|
|
|
|
{
|
|
|
|
|
return a == 0xf00d ? 0xd00f : 0x5555;
|
|
|
|
|
}
|
|
|
|
|
|
2009-09-04 17:29:13 +03:00
|
|
|
int32_t cli_bcapi_read(struct cli_bc_ctx* ctx, uint8_t *data, int32_t size)
|
|
|
|
|
{
|
2010-01-21 16:48:56 +02:00
|
|
|
int n;
|
2009-12-03 11:37:38 +02:00
|
|
|
if (!ctx->fmap)
|
2009-09-04 17:29:13 +03:00
|
|
|
return -1;
|
2010-03-19 13:20:59 +02:00
|
|
|
if (size < 0 || size > CLI_MAX_ALLOCATION) {
|
2010-01-21 16:48:56 +02:00
|
|
|
cli_errmsg("bytecode: negative read size: %d\n", size);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2010-03-19 13:20:59 +02:00
|
|
|
/* cli_dbgmsg("read data at %d\n", ctx->off);*/
|
2010-01-21 16:48:56 +02:00
|
|
|
n = fmap_readn(ctx->fmap, data, ctx->off, size);
|
|
|
|
|
if (n <= 0)
|
|
|
|
|
return n;
|
|
|
|
|
ctx->off += n;
|
|
|
|
|
return n;
|
2009-09-04 17:29:13 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int32_t cli_bcapi_seek(struct cli_bc_ctx* ctx, int32_t pos, uint32_t whence)
|
|
|
|
|
{
|
|
|
|
|
off_t off;
|
2009-12-03 11:37:38 +02:00
|
|
|
if (!ctx->fmap)
|
2009-09-08 22:25:33 +03:00
|
|
|
return -1;
|
2009-09-04 17:29:13 +03:00
|
|
|
switch (whence) {
|
|
|
|
|
case 0:
|
|
|
|
|
off = pos;
|
|
|
|
|
break;
|
|
|
|
|
case 1:
|
|
|
|
|
off = ctx->off + pos;
|
|
|
|
|
break;
|
|
|
|
|
case 2:
|
|
|
|
|
off = ctx->file_size + pos;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (off < 0 || off > ctx->file_size)
|
|
|
|
|
return -1;
|
|
|
|
|
ctx->off = off;
|
|
|
|
|
return off;
|
|
|
|
|
}
|
2009-09-11 15:12:17 +03:00
|
|
|
|
2009-09-21 18:48:43 +03:00
|
|
|
uint32_t cli_bcapi_debug_print_str(struct cli_bc_ctx *ctx, const uint8_t *str, uint32_t len)
|
2009-09-11 15:12:17 +03:00
|
|
|
{
|
|
|
|
|
cli_dbgmsg("bytecode debug: %s\n", str);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-20 20:04:01 +02:00
|
|
|
uint32_t cli_bcapi_debug_print_uint(struct cli_bc_ctx *ctx, uint32_t a)
|
2009-09-11 15:12:17 +03:00
|
|
|
{
|
|
|
|
|
cli_dbgmsg("bytecode debug: %u\n", a);
|
2009-10-02 12:27:52 +03:00
|
|
|
return 0;
|
2009-09-11 15:12:17 +03:00
|
|
|
}
|
2009-09-22 11:03:17 +03:00
|
|
|
|
|
|
|
|
/*TODO: compiler should make sure that only constants are passed here, and not
|
|
|
|
|
* pointers to arbitrary locations that may not be valid when bytecode finishes
|
|
|
|
|
* executing */
|
|
|
|
|
uint32_t cli_bcapi_setvirusname(struct cli_bc_ctx* ctx, const uint8_t *name, uint32_t len)
|
|
|
|
|
{
|
|
|
|
|
ctx->virname = name;
|
2009-10-02 12:27:52 +03:00
|
|
|
return 0;
|
2009-09-22 11:03:17 +03:00
|
|
|
}
|
2009-11-06 16:34:46 +02:00
|
|
|
|
|
|
|
|
uint32_t cli_bcapi_disasm_x86(struct cli_bc_ctx *ctx, struct DISASM_RESULT *res, uint32_t len)
|
|
|
|
|
{
|
2010-01-20 17:16:27 +02:00
|
|
|
int n;
|
|
|
|
|
const char *buf;
|
|
|
|
|
const char* next;
|
|
|
|
|
if (!res || !ctx->fmap || ctx->off >= ctx->fmap->len)
|
|
|
|
|
return -1;
|
2010-01-20 18:20:53 +02:00
|
|
|
/* 32 should be longest instr we support decoding.
|
|
|
|
|
* When we'll support mmx/sse instructions this should be updated! */
|
|
|
|
|
n = MIN(32, ctx->fmap->len - ctx->off);
|
2010-01-20 17:16:27 +02:00
|
|
|
buf = fmap_need_off_once(ctx->fmap, ctx->off, n);
|
|
|
|
|
next = cli_disasm_one(buf, n, res, 0);
|
|
|
|
|
if (!next)
|
|
|
|
|
return -1;
|
|
|
|
|
return ctx->off + next - buf;
|
2009-11-06 16:34:46 +02:00
|
|
|
}
|
|
|
|
|
|
2009-12-08 23:02:49 +02:00
|
|
|
/* TODO: field in ctx, id of last bytecode that called magicscandesc, reset
|
|
|
|
|
* after hooks/other bytecodes are run. TODO: need a more generic solution
|
|
|
|
|
* to avoid uselessly recursing on bytecode-unpacked files, but also a way to
|
|
|
|
|
* override the limit if we need it in a special situation */
|
2009-11-06 16:34:46 +02:00
|
|
|
int32_t cli_bcapi_write(struct cli_bc_ctx *ctx, uint8_t*data, int32_t len)
|
|
|
|
|
{
|
2009-12-02 17:13:07 +02:00
|
|
|
int32_t res;
|
|
|
|
|
cli_ctx *cctx = (cli_ctx*)ctx->ctx;
|
|
|
|
|
if (len < 0) {
|
|
|
|
|
cli_warnmsg("Bytecode API: called with negative length!\n");
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2010-03-19 15:47:26 +02:00
|
|
|
if (!ctx->outfd) {
|
2009-12-02 17:13:07 +02:00
|
|
|
ctx->tempfile = cli_gentemp(cctx ? cctx->engine->tmpdir : NULL);
|
|
|
|
|
if (!ctx->tempfile) {
|
|
|
|
|
cli_dbgmsg("Bytecode API: Unable to allocate memory for tempfile\n");
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
ctx->outfd = open(ctx->tempfile, O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_BINARY, 0600);
|
|
|
|
|
if (ctx->outfd == -1) {
|
2010-03-19 15:47:26 +02:00
|
|
|
ctx->outfd = 0;
|
2009-12-02 17:13:07 +02:00
|
|
|
cli_warnmsg("Bytecode API: Can't create file %s\n", ctx->tempfile);
|
|
|
|
|
free(ctx->tempfile);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2010-03-19 15:47:26 +02:00
|
|
|
cli_dbgmsg("bytecode opened new tempfile: %s\n", ctx->tempfile);
|
2009-12-02 17:13:07 +02:00
|
|
|
}
|
|
|
|
|
if (cli_checklimits("bytecode api", cctx, ctx->written + len, 0, 0))
|
|
|
|
|
return -1;
|
|
|
|
|
res = cli_writen(ctx->outfd, data, len);
|
|
|
|
|
if (res > 0) ctx->written += res;
|
|
|
|
|
if (res == -1)
|
2009-12-11 20:43:58 +02:00
|
|
|
cli_dbgmsg("Bytecode API: write failed: %d\n", errno);
|
2009-12-02 17:13:07 +02:00
|
|
|
return res;
|
2009-11-06 16:34:46 +02:00
|
|
|
}
|
|
|
|
|
|
2009-12-12 14:45:55 +02:00
|
|
|
void cli_bytecode_context_set_trace(struct cli_bc_ctx* ctx, unsigned level,
|
2009-12-09 16:50:55 +02:00
|
|
|
bc_dbg_callback_trace trace,
|
|
|
|
|
bc_dbg_callback_trace_op trace_op,
|
2009-12-17 17:40:35 +02:00
|
|
|
bc_dbg_callback_trace_val trace_val,
|
|
|
|
|
bc_dbg_callback_trace_ptr trace_ptr)
|
2009-12-09 16:50:55 +02:00
|
|
|
{
|
|
|
|
|
ctx->trace = trace;
|
|
|
|
|
ctx->trace_op = trace_op;
|
|
|
|
|
ctx->trace_val = trace_val;
|
2009-12-17 17:40:35 +02:00
|
|
|
ctx->trace_ptr = trace_ptr;
|
2009-12-09 16:50:55 +02:00
|
|
|
ctx->trace_level = level;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-27 11:04:34 +02:00
|
|
|
uint32_t cli_bcapi_trace_scope(struct cli_bc_ctx *ctx, const uint8_t *scope, uint32_t scopeid)
|
2009-12-08 23:02:49 +02:00
|
|
|
{
|
2009-12-09 16:50:55 +02:00
|
|
|
if (LIKELY(!ctx->trace_level))
|
2009-12-08 23:02:49 +02:00
|
|
|
return 0;
|
2009-12-09 16:50:55 +02:00
|
|
|
if (ctx->scope != (const char*)scope) {
|
|
|
|
|
ctx->scope = (const char*)scope ? (const char*)scope : "?";
|
2009-12-08 23:02:49 +02:00
|
|
|
ctx->scopeid = scopeid;
|
2009-12-09 16:50:55 +02:00
|
|
|
ctx->trace_level |= 0x80;/* temporarely increase level to print params */
|
|
|
|
|
} else if ((ctx->trace_level >= trace_scope) && ctx->scopeid != scopeid) {
|
|
|
|
|
ctx->scopeid = scopeid;
|
|
|
|
|
ctx->trace_level |= 0x40;/* temporarely increase level to print location */
|
2009-12-08 23:02:49 +02:00
|
|
|
}
|
2009-12-09 16:50:55 +02:00
|
|
|
return 0;
|
2009-12-08 23:02:49 +02:00
|
|
|
}
|
|
|
|
|
|
2010-01-27 11:04:34 +02:00
|
|
|
uint32_t cli_bcapi_trace_directory(struct cli_bc_ctx *ctx, const uint8_t* dir, uint32_t dummy)
|
2009-12-08 23:02:49 +02:00
|
|
|
{
|
2009-12-09 16:50:55 +02:00
|
|
|
if (LIKELY(!ctx->trace_level))
|
2009-12-08 23:02:49 +02:00
|
|
|
return 0;
|
2009-12-09 16:50:55 +02:00
|
|
|
ctx->directory = (const char*)dir ? (const char*)dir : "";
|
2009-12-08 23:02:49 +02:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-27 11:04:34 +02:00
|
|
|
uint32_t cli_bcapi_trace_source(struct cli_bc_ctx *ctx, const uint8_t *file, uint32_t line)
|
2009-12-08 23:02:49 +02:00
|
|
|
{
|
2009-12-09 16:50:55 +02:00
|
|
|
if (LIKELY(ctx->trace_level < trace_line))
|
2009-12-08 23:02:49 +02:00
|
|
|
return 0;
|
2009-12-09 16:50:55 +02:00
|
|
|
if (ctx->file != (const char*)file || ctx->line != line) {
|
|
|
|
|
ctx->col = 0;
|
|
|
|
|
ctx->file =(const char*)file ? (const char*)file : "??";
|
|
|
|
|
ctx->line = line;
|
2009-12-08 23:02:49 +02:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-27 11:04:34 +02:00
|
|
|
uint32_t cli_bcapi_trace_op(struct cli_bc_ctx *ctx, const uint8_t *op, uint32_t col)
|
2009-12-08 23:02:49 +02:00
|
|
|
{
|
2009-12-09 16:50:55 +02:00
|
|
|
if (LIKELY(ctx->trace_level < trace_col))
|
2009-12-09 11:41:20 +02:00
|
|
|
return 0;
|
2009-12-09 16:50:55 +02:00
|
|
|
if (ctx->trace_level&0xc0) {
|
|
|
|
|
ctx->col = col;
|
|
|
|
|
/* func/scope changed and they needed param/location event */
|
|
|
|
|
ctx->trace(ctx, (ctx->trace_level&0x80) ? trace_func : trace_scope);
|
|
|
|
|
ctx->trace_level &= ~0xc0;
|
2009-12-09 11:41:20 +02:00
|
|
|
}
|
2009-12-09 16:50:55 +02:00
|
|
|
if (LIKELY(ctx->trace_level < trace_col))
|
|
|
|
|
return 0;
|
|
|
|
|
if (ctx->col != col) {
|
|
|
|
|
ctx->col = col;
|
|
|
|
|
ctx->trace(ctx, trace_col);
|
|
|
|
|
} else {
|
|
|
|
|
ctx->trace(ctx, trace_line);
|
2009-12-08 23:02:49 +02:00
|
|
|
}
|
2009-12-09 16:50:55 +02:00
|
|
|
if (LIKELY(ctx->trace_level < trace_op))
|
|
|
|
|
return 0;
|
|
|
|
|
if (ctx->trace_op && op)
|
|
|
|
|
ctx->trace_op(ctx, (const char*)op);
|
2009-12-08 23:02:49 +02:00
|
|
|
return 0;
|
|
|
|
|
}
|
2009-11-06 16:34:46 +02:00
|
|
|
|
2010-01-27 11:04:34 +02:00
|
|
|
uint32_t cli_bcapi_trace_value(struct cli_bc_ctx *ctx, const uint8_t* name, uint32_t value)
|
2009-12-08 23:02:49 +02:00
|
|
|
{
|
2009-12-09 16:50:55 +02:00
|
|
|
if (LIKELY(ctx->trace_level < trace_val))
|
2009-12-08 23:02:49 +02:00
|
|
|
return 0;
|
2009-12-09 16:50:55 +02:00
|
|
|
if (ctx->trace_level&0x80) {
|
|
|
|
|
if ((ctx->trace_level&0x7f) < trace_param)
|
|
|
|
|
return 0;
|
|
|
|
|
ctx->trace(ctx, trace_param);
|
|
|
|
|
}
|
|
|
|
|
if (ctx->trace_val && name)
|
|
|
|
|
ctx->trace_val(ctx, name, value);
|
|
|
|
|
return 0;
|
2009-12-08 23:02:49 +02:00
|
|
|
}
|
2009-12-17 17:40:35 +02:00
|
|
|
|
2010-01-27 11:04:34 +02:00
|
|
|
uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const uint8_t* ptr, uint32_t dummy)
|
2009-12-17 17:40:35 +02:00
|
|
|
{
|
|
|
|
|
if (LIKELY(ctx->trace_level < trace_val))
|
|
|
|
|
return 0;
|
|
|
|
|
if (ctx->trace_level&0x80) {
|
|
|
|
|
if ((ctx->trace_level&0x7f) < trace_param)
|
|
|
|
|
return 0;
|
|
|
|
|
ctx->trace(ctx, trace_param);
|
|
|
|
|
}
|
|
|
|
|
if (ctx->trace_ptr)
|
|
|
|
|
ctx->trace_ptr(ctx, ptr);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2010-01-18 19:31:59 +02:00
|
|
|
|
2010-01-20 20:04:01 +02:00
|
|
|
uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t rva)
|
2010-01-18 19:31:59 +02:00
|
|
|
{
|
|
|
|
|
uint32_t ret;
|
|
|
|
|
int err = 0;
|
|
|
|
|
const struct cli_pe_hook_data *pe = ctx->hooks.pedata;
|
2010-02-12 16:47:44 +02:00
|
|
|
ret = cli_rawaddr(rva, ctx->sections, pe->nsections, &err,
|
2010-01-18 19:31:59 +02:00
|
|
|
ctx->file_size, pe->hdr_size);
|
|
|
|
|
if (err)
|
|
|
|
|
return PE_INVALID_RVA;
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2010-01-20 16:19:18 +02:00
|
|
|
|
|
|
|
|
static inline const char* cli_memmem(const char *haystack, unsigned hlen,
|
|
|
|
|
const unsigned char *needle, unsigned nlen)
|
|
|
|
|
{
|
|
|
|
|
const char *p;
|
|
|
|
|
unsigned char c;
|
|
|
|
|
if (!needle || !haystack)
|
|
|
|
|
return NULL;
|
|
|
|
|
c = *needle++;
|
|
|
|
|
if (nlen == 1)
|
|
|
|
|
return memchr(haystack, c, hlen);
|
|
|
|
|
|
|
|
|
|
while (hlen >= nlen) {
|
|
|
|
|
p = haystack;
|
|
|
|
|
haystack = memchr(haystack, c, hlen - nlen + 1);
|
|
|
|
|
if (!haystack)
|
|
|
|
|
return NULL;
|
|
|
|
|
p = haystack + 1;
|
|
|
|
|
if (!memcmp(p, needle, nlen-1))
|
|
|
|
|
return haystack;
|
|
|
|
|
hlen -= p - haystack;
|
|
|
|
|
haystack = p;
|
|
|
|
|
}
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int32_t cli_bcapi_file_find(struct cli_bc_ctx *ctx, const uint8_t* data, uint32_t len)
|
|
|
|
|
{
|
|
|
|
|
char buf[4096];
|
|
|
|
|
fmap_t *map = ctx->fmap;
|
|
|
|
|
uint32_t off = ctx->off, newoff;
|
|
|
|
|
int n;
|
|
|
|
|
|
|
|
|
|
if (!map || len > sizeof(buf)/4 || len <= 0)
|
|
|
|
|
return -1;
|
|
|
|
|
for (;;) {
|
|
|
|
|
const char *p;
|
|
|
|
|
n = fmap_readn(map, buf, off, sizeof(buf));
|
|
|
|
|
if ((unsigned)n < len)
|
|
|
|
|
return -1;
|
|
|
|
|
p = cli_memmem(buf, n, data, len);
|
|
|
|
|
if (p)
|
|
|
|
|
return off + p - buf;
|
|
|
|
|
off += n-len;
|
|
|
|
|
}
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2010-01-20 20:04:01 +02:00
|
|
|
int32_t cli_bcapi_file_byteat(struct cli_bc_ctx *ctx, uint32_t off)
|
2010-01-20 16:19:18 +02:00
|
|
|
{
|
|
|
|
|
unsigned char c;
|
|
|
|
|
if (!ctx->fmap)
|
|
|
|
|
return -1;
|
|
|
|
|
if (fmap_readn(ctx->fmap, &c, off, 1) != 1)
|
|
|
|
|
return -1;
|
|
|
|
|
return c;
|
|
|
|
|
}
|
2010-01-20 20:04:01 +02:00
|
|
|
|
|
|
|
|
uint8_t* cli_bcapi_malloc(struct cli_bc_ctx *ctx, uint32_t size)
|
|
|
|
|
{
|
|
|
|
|
#if USE_MPOOL
|
|
|
|
|
if (!ctx->mpool) {
|
|
|
|
|
ctx->mpool = mpool_create();
|
|
|
|
|
if (!ctx->mpool) {
|
|
|
|
|
cli_dbgmsg("bytecode: mpool_create failed!\n");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return mpool_malloc(ctx->mpool, size);
|
|
|
|
|
#else
|
|
|
|
|
/* TODO: implement using a list of pointers we allocated! */
|
|
|
|
|
cli_errmsg("cli_bcapi_malloc not implemented for systems without mmap yet!\n");
|
2010-01-25 15:06:30 +02:00
|
|
|
return cli_malloc(size);
|
2010-01-20 20:04:01 +02:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-12 16:47:44 +02:00
|
|
|
int32_t cli_bcapi_get_pe_section(struct cli_bc_ctx *ctx, struct cli_exe_section* section, uint32_t num)
|
|
|
|
|
{
|
|
|
|
|
if (num < ctx->hooks.pedata->nsections) {
|
|
|
|
|
memcpy(section, &ctx->sections[num], sizeof(*section));
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2010-03-19 13:20:59 +02:00
|
|
|
|
|
|
|
|
int32_t cli_bcapi_fill_buffer(struct cli_bc_ctx *ctx, uint8_t* buf,
|
|
|
|
|
uint32_t buflen, uint32_t filled,
|
|
|
|
|
uint32_t pos, uint32_t fill)
|
|
|
|
|
{
|
|
|
|
|
int32_t res, remaining, tofill;
|
2010-03-19 15:47:26 +02:00
|
|
|
if (!buf || !buflen || buflen > CLI_MAX_ALLOCATION || filled > buflen) {
|
|
|
|
|
cli_dbgmsg("fill_buffer1\n");
|
2010-03-19 13:20:59 +02:00
|
|
|
return -1;
|
2010-03-19 15:47:26 +02:00
|
|
|
}
|
|
|
|
|
if (ctx->off >= ctx->file_size) {
|
|
|
|
|
cli_dbgmsg("fill_buffer2\n");
|
2010-03-19 13:20:59 +02:00
|
|
|
return 0;
|
2010-03-19 15:47:26 +02:00
|
|
|
}
|
2010-03-19 13:20:59 +02:00
|
|
|
remaining = filled - pos;
|
|
|
|
|
if (remaining) {
|
2010-03-19 15:47:26 +02:00
|
|
|
if (!CLI_ISCONTAINED(buf, buflen, buf+pos, remaining)) {
|
|
|
|
|
cli_dbgmsg("fill_buffer3\n");
|
2010-03-19 13:20:59 +02:00
|
|
|
return -1;
|
2010-03-19 15:47:26 +02:00
|
|
|
}
|
2010-03-19 13:20:59 +02:00
|
|
|
memmove(buf, buf+pos, remaining);
|
|
|
|
|
}
|
|
|
|
|
tofill = buflen - remaining;
|
2010-03-19 15:47:26 +02:00
|
|
|
if (!CLI_ISCONTAINED(buf, buflen, buf+remaining, tofill)) {
|
|
|
|
|
cli_dbgmsg("fill_buffer4\n");
|
2010-03-19 13:20:59 +02:00
|
|
|
return -1;
|
2010-03-19 15:47:26 +02:00
|
|
|
}
|
2010-03-19 13:20:59 +02:00
|
|
|
res = cli_bcapi_read(ctx, buf+remaining, tofill);
|
|
|
|
|
if (res <= 0)
|
|
|
|
|
return res;
|
|
|
|
|
return remaining + res;
|
|
|
|
|
}
|
2010-03-19 15:47:26 +02:00
|
|
|
|
|
|
|
|
int32_t cli_bcapi_extract_new(struct cli_bc_ctx *ctx, int32_t id)
|
|
|
|
|
{
|
|
|
|
|
cli_ctx *cctx;
|
|
|
|
|
int res;
|
|
|
|
|
cli_dbgmsg("previous tempfile had %u bytes\n", ctx->written);
|
|
|
|
|
if (!ctx->written)
|
|
|
|
|
return 0;
|
|
|
|
|
if (cli_updatelimits(ctx->ctx, ctx->written))
|
|
|
|
|
return -1;
|
|
|
|
|
ctx->written = 0;
|
|
|
|
|
lseek(ctx->outfd, 0, SEEK_SET);
|
|
|
|
|
cli_dbgmsg("bytecode: scanning extracted file %s\n", ctx->tempfile);
|
|
|
|
|
res = cli_magic_scandesc(ctx->outfd, ctx->ctx);
|
|
|
|
|
if (res == CL_VIRUS)
|
|
|
|
|
ctx->found = 1;
|
|
|
|
|
cctx = (cli_ctx*)ctx->ctx;
|
|
|
|
|
if ((cctx && cctx->engine->keeptmp) ||
|
|
|
|
|
(ftruncate(ctx->outfd, 0) == -1)) {
|
|
|
|
|
|
|
|
|
|
close(ctx->outfd);
|
2010-03-19 22:20:55 +02:00
|
|
|
if (!(cctx && cctx->engine->keeptmp) && ctx->tempfile)
|
2010-03-19 15:47:26 +02:00
|
|
|
cli_unlink(ctx->tempfile);
|
|
|
|
|
free(ctx->tempfile);
|
|
|
|
|
ctx->tempfile = NULL;
|
|
|
|
|
ctx->outfd = 0;
|
|
|
|
|
}
|
|
|
|
|
cli_dbgmsg("bytecode: extracting new file with id %u\n", id);
|
|
|
|
|
return res;
|
|
|
|
|
}
|
2010-03-19 22:20:55 +02:00
|
|
|
|
|
|
|
|
#define BUF 16
|
|
|
|
|
int32_t cli_bcapi_read_number(struct cli_bc_ctx *ctx, uint32_t radix)
|
|
|
|
|
{
|
|
|
|
|
unsigned char number[16];
|
|
|
|
|
unsigned i;
|
|
|
|
|
unsigned char *p;
|
|
|
|
|
int32_t result;
|
|
|
|
|
|
|
|
|
|
if (radix != 10 && radix != 16 || !ctx->fmap)
|
|
|
|
|
return -1;
|
|
|
|
|
while ((p = fmap_need_off_once(ctx->fmap, ctx->off, BUF))) {
|
|
|
|
|
for (i=0;i<BUF;i++) {
|
|
|
|
|
if (p[i] >= '0' && p[i] <= '9') {
|
|
|
|
|
unsigned char *endptr;
|
|
|
|
|
p = fmap_need_ptr_once(ctx->fmap, p+i, 16);
|
|
|
|
|
if (!p)
|
|
|
|
|
return -1;
|
|
|
|
|
result = strtoul(p, &endptr, radix);
|
|
|
|
|
ctx->off += i + (endptr - p);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
ctx->off += BUF;
|
|
|
|
|
}
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
