Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 18:33:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

bytecode: add icon match API.

Browse source
This commit is contained in:
Török Edvin 2010-08-02 17:04:35 +03:00
parent dc200c6b19
commit 1dae00ebf4
6 changed files with 119 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

1
libclamav/bytecode_api.c
View file

@ -1440,3 +1440,4 @@ int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx)
return -1; return -1;
return ctx->pdf_dumpedid; return ctx->pdf_dumpedid;
} }

11
libclamav/bytecode_api.h
View file

@ -829,6 +829,17 @@ int32_t pdf_get_phase(void);
/** Return the currently dumped obj id. /** Return the currently dumped obj id.
Valid only in PDF_PHASE_POSTDUMP */ Valid only in PDF_PHASE_POSTDUMP */
int32_t pdf_get_dumpedobjid(void); int32_t pdf_get_dumpedobjid(void);
/** Attempts to match current executable's icon against the specified icon
* groups.
* @param[in] group1 - same as GROUP1 in LDB signatures
* @param group1_len - length of \p group1
* @param[in] group2 - same as GROUP2 in LDB signatures
* @param group2_len - length of \p group2
*/
int32_t matchicon(const uint8_t* group1, int32_t group1_len,
const uint8_t* group2, int32_t group2_len);
/* ---------------- END 0.96.2 APIs ----------------------------------- */ /* ---------------- END 0.96.2 APIs ----------------------------------- */
#endif #endif
#endif #endif

149
libclamav/bytecode_api_decl.c
View file

@ -121,6 +121,7 @@ int32_t cli_bcapi_pdf_setobjflags(struct cli_bc_ctx *ctx , int32_t, int32_t);
int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t); int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t);
int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx ); int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx );
int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx ); int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx );
int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t*, int32_t, const uint8_t*, int32_t);
const struct cli_apiglobal cli_globals[] = { const struct cli_apiglobal cli_globals[] = {
/* Bytecode globals BEGIN */ /* Bytecode globals BEGIN */
@ -145,12 +146,12 @@ static uint16_t cli_tmp4[]={16, 8, 8, 32, 32, 32, 32, 32, 32, 32, 32, 32, 16, 16
static uint16_t cli_tmp5[]={32, 16, 16, 32, 32, 32, 16, 16}; static uint16_t cli_tmp5[]={32, 16, 16, 32, 32, 32, 16, 16};
static uint16_t cli_tmp6[]={32}; static uint16_t cli_tmp6[]={32};
static uint16_t cli_tmp7[]={32}; static uint16_t cli_tmp7[]={32};
static uint16_t cli_tmp8[]={32}; static uint16_t cli_tmp8[]={32, 65, 32, 65, 32};
static uint16_t cli_tmp9[]={32, 32}; static uint16_t cli_tmp9[]={32};
static uint16_t cli_tmp10[]={32, 32, 32}; static uint16_t cli_tmp10[]={32, 32};
static uint16_t cli_tmp11[]={65, 32, 32}; static uint16_t cli_tmp11[]={32, 32, 32};
static uint16_t cli_tmp12[]={32, 32, 32, 32}; static uint16_t cli_tmp12[]={65, 32, 32};
static uint16_t cli_tmp13[]={32, 65, 32, 65, 32}; static uint16_t cli_tmp13[]={32, 32, 32, 32};
static uint16_t cli_tmp14[]={32, 65, 32, 32}; static uint16_t cli_tmp14[]={32, 65, 32, 32};
static uint16_t cli_tmp15[]={32, 85, 32}; static uint16_t cli_tmp15[]={32, 85, 32};
static uint16_t cli_tmp16[]={86}; static uint16_t cli_tmp16[]={86};
@ -178,12 +179,12 @@ const struct cli_bc_type cli_apicall_types[]={
{DStructType, cli_tmp5, 8, 0, 0}, {DStructType, cli_tmp5, 8, 0, 0},
{DArrayType, cli_tmp6, 1, 0, 0}, {DArrayType, cli_tmp6, 1, 0, 0},
{DArrayType, cli_tmp7, 64, 0, 0}, {DArrayType, cli_tmp7, 64, 0, 0},
{DFunctionType, cli_tmp8, 1, 0, 0}, {DFunctionType, cli_tmp8, 5, 0, 0},
{DFunctionType, cli_tmp9, 2, 0, 0}, {DFunctionType, cli_tmp9, 1, 0, 0},
{DFunctionType, cli_tmp10, 3, 0, 0}, {DFunctionType, cli_tmp10, 2, 0, 0},
{DFunctionType, cli_tmp11, 3, 0, 0}, {DFunctionType, cli_tmp11, 3, 0, 0},
{DFunctionType, cli_tmp12, 4, 0, 0}, {DFunctionType, cli_tmp12, 3, 0, 0},
{DFunctionType, cli_tmp13, 5, 0, 0}, {DFunctionType, cli_tmp13, 4, 0, 0},
{DFunctionType, cli_tmp14, 4, 0, 0}, {DFunctionType, cli_tmp14, 4, 0, 0},
{DFunctionType, cli_tmp15, 3, 0, 0}, {DFunctionType, cli_tmp15, 3, 0, 0},
{DPointerType, cli_tmp16, 1, 0, 0}, {DPointerType, cli_tmp16, 1, 0, 0},
@ -206,13 +207,13 @@ const struct cli_bc_type cli_apicall_types[]={
const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall_types[0]); const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall_types[0]);
const struct cli_apicall cli_apicalls[]={ const struct cli_apicall cli_apicalls[]={
/* Bytecode APIcalls BEGIN */ /* Bytecode APIcalls BEGIN */
{"test1", 10, 0, 0}, {"test1", 11, 0, 0},
{"read", 19, 0, 1}, {"read", 19, 0, 1},
{"write", 19, 1, 1}, {"write", 19, 1, 1},
{"seek", 10, 1, 0}, {"seek", 11, 1, 0},
{"setvirusname", 19, 2, 1}, {"setvirusname", 19, 2, 1},
{"debug_print_str", 19, 3, 1}, {"debug_print_str", 19, 3, 1},
{"debug_print_uint", 9, 0, 2}, {"debug_print_uint", 10, 0, 2},
{"disasm_x86", 25, 4, 1}, {"disasm_x86", 25, 4, 1},
{"trace_directory", 19, 5, 1}, {"trace_directory", 19, 5, 1},
{"trace_scope", 19, 6, 1}, {"trace_scope", 19, 6, 1},
@ -220,80 +221,81 @@ const struct cli_apicall cli_apicalls[]={
{"trace_op", 19, 8, 1}, {"trace_op", 19, 8, 1},
{"trace_value", 19, 9, 1}, {"trace_value", 19, 9, 1},
{"trace_ptr", 19, 10, 1}, {"trace_ptr", 19, 10, 1},
{"pe_rawaddr", 9, 1, 2}, {"pe_rawaddr", 10, 1, 2},
{"file_find", 19, 11, 1}, {"file_find", 19, 11, 1},
{"file_byteat", 9, 2, 2}, {"file_byteat", 10, 2, 2},
{"malloc", 24, 0, 3}, {"malloc", 24, 0, 3},
{"test2", 9, 3, 2}, {"test2", 10, 3, 2},
{"get_pe_section", 21, 12, 1}, {"get_pe_section", 21, 12, 1},
{"fill_buffer", 20, 0, 4}, {"fill_buffer", 20, 0, 4},
{"extract_new", 9, 4, 2}, {"extract_new", 10, 4, 2},
{"read_number", 9, 5, 2}, {"read_number", 10, 5, 2},
{"hashset_new", 8, 0, 5}, {"hashset_new", 9, 0, 5},
{"hashset_add", 10, 2, 0}, {"hashset_add", 11, 2, 0},
{"hashset_remove", 10, 3, 0}, {"hashset_remove", 11, 3, 0},
{"hashset_contains", 10, 4, 0}, {"hashset_contains", 11, 4, 0},
{"hashset_done", 9, 6, 2}, {"hashset_done", 10, 6, 2},
{"hashset_empty", 9, 7, 2}, {"hashset_empty", 10, 7, 2},
{"buffer_pipe_new", 9, 8, 2}, {"buffer_pipe_new", 10, 8, 2},
{"buffer_pipe_new_fromfile", 9, 9, 2}, {"buffer_pipe_new_fromfile", 10, 9, 2},
{"buffer_pipe_read_avail", 9, 10, 2}, {"buffer_pipe_read_avail", 10, 10, 2},
{"buffer_pipe_read_get", 11, 0, 6}, {"buffer_pipe_read_get", 12, 0, 6},
{"buffer_pipe_read_stopped", 10, 5, 0}, {"buffer_pipe_read_stopped", 11, 5, 0},
{"buffer_pipe_write_avail", 9, 11, 2}, {"buffer_pipe_write_avail", 10, 11, 2},
{"buffer_pipe_write_get", 11, 1, 6}, {"buffer_pipe_write_get", 12, 1, 6},
{"buffer_pipe_write_stopped", 10, 6, 0}, {"buffer_pipe_write_stopped", 11, 6, 0},
{"buffer_pipe_done", 9, 12, 2}, {"buffer_pipe_done", 10, 12, 2},
{"inflate_init", 12, 0, 7}, {"inflate_init", 13, 0, 7},
{"inflate_process", 9, 13, 2}, {"inflate_process", 10, 13, 2},
{"inflate_done", 9, 14, 2}, {"inflate_done", 10, 14, 2},
{"bytecode_rt_error", 9, 15, 2}, {"bytecode_rt_error", 10, 15, 2},
{"jsnorm_init", 9, 16, 2}, {"jsnorm_init", 10, 16, 2},
{"jsnorm_process", 9, 17, 2}, {"jsnorm_process", 10, 17, 2},
{"jsnorm_done", 9, 18, 2}, {"jsnorm_done", 10, 18, 2},
{"ilog2", 10, 7, 0}, {"ilog2", 11, 7, 0},
{"ipow", 12, 1, 7}, {"ipow", 13, 1, 7},
{"iexp", 12, 2, 7}, {"iexp", 13, 2, 7},
{"isin", 12, 3, 7}, {"isin", 13, 3, 7},
{"icos", 12, 4, 7}, {"icos", 13, 4, 7},
{"memstr", 13, 0, 8}, {"memstr", 8, 0, 8},
{"hex2ui", 10, 8, 0}, {"hex2ui", 11, 8, 0},
{"atoi", 19, 13, 1}, {"atoi", 19, 13, 1},
{"debug_print_str_start", 19, 14, 1}, {"debug_print_str_start", 19, 14, 1},
{"debug_print_str_nonl", 19, 15, 1}, {"debug_print_str_nonl", 19, 15, 1},
{"entropy_buffer", 19, 16, 1}, {"entropy_buffer", 19, 16, 1},
{"map_new", 10, 9, 0}, {"map_new", 11, 9, 0},
{"map_addkey", 14, 0, 9}, {"map_addkey", 14, 0, 9},
{"map_setvalue", 14, 1, 9}, {"map_setvalue", 14, 1, 9},
{"map_remove", 14, 2, 9}, {"map_remove", 14, 2, 9},
{"map_find", 14, 3, 9}, {"map_find", 14, 3, 9},
{"map_getvaluesize", 9, 19, 2}, {"map_getvaluesize", 10, 19, 2},
{"map_getvalue", 11, 2, 6}, {"map_getvalue", 12, 2, 6},
{"map_done", 9, 20, 2}, {"map_done", 10, 20, 2},
{"file_find_limit", 14, 4, 9}, {"file_find_limit", 14, 4, 9},
{"engine_functionality_level", 8, 1, 5}, {"engine_functionality_level", 9, 1, 5},
{"engine_dconf_level", 8, 2, 5}, {"engine_dconf_level", 9, 2, 5},
{"engine_scan_options", 8, 3, 5}, {"engine_scan_options", 9, 3, 5},
{"engine_db_options", 8, 4, 5}, {"engine_db_options", 9, 4, 5},
{"extract_set_container", 9, 21, 2}, {"extract_set_container", 10, 21, 2},
{"input_switch", 9, 22, 2}, {"input_switch", 10, 22, 2},
{"get_environment", 15, 17, 1}, {"get_environment", 15, 17, 1},
{"disable_bytecode_if", 14, 5, 9}, {"disable_bytecode_if", 14, 5, 9},
{"disable_jit_if", 14, 6, 9}, {"disable_jit_if", 14, 6, 9},
{"version_compare", 13, 1, 8}, {"version_compare", 8, 1, 8},
{"check_platform", 12, 5, 7}, {"check_platform", 13, 5, 7},
{"pdf_get_obj_num", 8, 5, 5}, {"pdf_get_obj_num", 9, 5, 5},
{"pdf_get_flags", 8, 6, 5}, {"pdf_get_flags", 9, 6, 5},
{"pdf_set_flags", 9, 23, 2}, {"pdf_set_flags", 10, 23, 2},
{"pdf_lookupobj", 9, 24, 2}, {"pdf_lookupobj", 10, 24, 2},
{"pdf_getobjsize", 9, 25, 2}, {"pdf_getobjsize", 10, 25, 2},
{"pdf_getobj", 11, 3, 6}, {"pdf_getobj", 12, 3, 6},
{"pdf_getobjid", 9, 26, 2}, {"pdf_getobjid", 10, 26, 2},
{"pdf_getobjflags", 9, 27, 2}, {"pdf_getobjflags", 10, 27, 2},
{"pdf_setobjflags", 10, 10, 0}, {"pdf_setobjflags", 11, 10, 0},
{"pdf_get_offset", 9, 28, 2}, {"pdf_get_offset", 10, 28, 2},
{"pdf_get_phase", 8, 7, 5}, {"pdf_get_phase", 9, 7, 5},
{"pdf_get_dumpedobjid", 8, 8, 5} {"pdf_get_dumpedobjid", 9, 8, 5},
{"matchicon", 8, 2, 8}
/* Bytecode APIcalls END */ /* Bytecode APIcalls END */
}; };
const cli_apicall_int2 cli_apicalls0[] = { const cli_apicall_int2 cli_apicalls0[] = {
@ -393,7 +395,8 @@ const cli_apicall_int3 cli_apicalls7[] = {
}; };
const cli_apicall_2bufs cli_apicalls8[] = { const cli_apicall_2bufs cli_apicalls8[] = {
(cli_apicall_2bufs)cli_bcapi_memstr, (cli_apicall_2bufs)cli_bcapi_memstr,
(cli_apicall_2bufs)cli_bcapi_version_compare (cli_apicall_2bufs)cli_bcapi_version_compare,
(cli_apicall_2bufs)cli_bcapi_matchicon
}; };
const cli_apicall_ptrbufid cli_apicalls9[] = { const cli_apicall_ptrbufid cli_apicalls9[] = {
(cli_apicall_ptrbufid)cli_bcapi_map_addkey, (cli_apicall_ptrbufid)cli_bcapi_map_addkey,

1
libclamav/bytecode_api_impl.h
View file

@ -119,5 +119,6 @@ int32_t cli_bcapi_pdf_setobjflags(struct cli_bc_ctx *ctx , int32_t, int32_t);
int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t); int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t);
int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx ); int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx );
int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx ); int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx );
int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t*, int32_t, const uint8_t*, int32_t);
#endif #endif

1
libclamav/bytecode_priv.h
View file

@ -156,6 +156,7 @@ struct cli_bc_ctx {
fmap_t *save_map; fmap_t *save_map;
const char *virname; const char *virname;
struct cli_bc_hooks hooks; struct cli_bc_hooks hooks;
struct cli_exe_info exeinfo;
uint32_t pdf_nobjs; uint32_t pdf_nobjs;
struct pdf_obj *pdf_objs; struct pdf_obj *pdf_objs;
uint32_t* pdf_flags; uint32_t* pdf_flags;

29
libclamav/matcher.c
View file

@ -51,6 +51,8 @@
#include "regex/regex.h" #include "regex/regex.h"
#include "filtering.h" #include "filtering.h"
#include "perflogging.h" #include "perflogging.h"
#include "bytecode_priv.h"
#include "bytecode_api_impl.h"
#ifdef HAVE__INTERNAL__SHA_COLLECT #ifdef HAVE__INTERNAL__SHA_COLLECT
#include "sha256.h" #include "sha256.h"
@ -447,6 +449,33 @@ static int matchicon(cli_ctx *ctx, struct cli_exe_info *exeinfo, const char *grp
return cli_scanicon(&iconset, exeinfo->res_addr, ctx, exeinfo->section, exeinfo->nsections, exeinfo->hdr_size); return cli_scanicon(&iconset, exeinfo->res_addr, ctx, exeinfo->section, exeinfo->nsections, exeinfo->hdr_size);
} }
int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t* grp1, int32_t grp1len,
const uint8_t* grp2, int32_t grp2len)
{
struct cli_exe_info info;
char group1[128], group2[128];
if (ctx->bc->kind != BC_PE_UNPACKER) {
cli_dbgmsg("bytecode: matchicon only works with PE files\n");
return -1;
}
if (grp1len > sizeof(group1)-1 ||
grp2len > sizeof(group2)-1)
return -1;
memcpy(group1, grp1, grp1len);
memcpy(group2, grp2, grp2len);
group1[grp1len] = 0;
group2[grp1len] = 0;
if(le16_to_host(ctx->hooks.pedata->file_hdr.Characteristics) & 0x2000 ||
!ctx->hooks.pedata->dirs[2].Size)
info.res_addr = 0;
else
info.res_addr = le32_to_host(ctx->hooks.pedata->dirs[2].VirtualAddress);
info.section = ctx->sections;
info.nsections = ctx->hooks.pedata->nsections;
info.hdr_size = ctx->hooks.pedata->hdr_size;
return matchicon(ctx->ctx, &info, group1, group2);
}
int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres) int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres)
{ {