bytecode: add icon match API.

2025-10-19 18:33:16 +00:00 · 2010-08-02 17:04:35 +03:00 · 2010-08-02 17:04:35 +03:00 · 1dae00ebf4
commit 1dae00ebf4
parent dc200c6b19
6 changed files with 119 additions and 73 deletions
--- a/libclamav/bytecode_api.c
+++ b/libclamav/bytecode_api.c
@ -1440,3 +1440,4 @@ int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx)
 	return -1;
    return ctx->pdf_dumpedid;
 }
+
--- a/libclamav/bytecode_api.h
+++ b/libclamav/bytecode_api.h
@ -829,6 +829,17 @@ int32_t pdf_get_phase(void);
 /** Return the currently dumped obj id.
  Valid only in PDF_PHASE_POSTDUMP */
 int32_t pdf_get_dumpedobjid(void);
+
+/** Attempts to match current executable's icon against the specified icon
+ * groups.
+ * @param[in] group1 - same as GROUP1 in LDB signatures
+ * @param group1_len - length of \p group1
+ * @param[in] group2 - same as GROUP2 in LDB signatures
+ * @param group2_len - length of \p group2
+ */
+
+int32_t matchicon(const uint8_t* group1, int32_t group1_len,
+                  const uint8_t* group2, int32_t group2_len);
 /* ---------------- END 0.96.2 APIs   ----------------------------------- */
 #endif
 #endif
--- a/libclamav/bytecode_api_decl.c
+++ b/libclamav/bytecode_api_decl.c
@ -121,6 +121,7 @@ int32_t cli_bcapi_pdf_setobjflags(struct cli_bc_ctx *ctx , int32_t, int32_t);
 int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t);
 int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx );
 int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx );
+int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t*, int32_t, const uint8_t*, int32_t);

 const struct cli_apiglobal cli_globals[] = {
 /* Bytecode globals BEGIN */
@ -145,12 +146,12 @@ static uint16_t cli_tmp4[]={16, 8, 8, 32, 32, 32, 32, 32, 32, 32, 32, 32, 16, 16
 static uint16_t cli_tmp5[]={32, 16, 16, 32, 32, 32, 16, 16};
 static uint16_t cli_tmp6[]={32};
 static uint16_t cli_tmp7[]={32};
-static uint16_t cli_tmp8[]={32};
-static uint16_t cli_tmp9[]={32, 32};
-static uint16_t cli_tmp10[]={32, 32, 32};
-static uint16_t cli_tmp11[]={65, 32, 32};
-static uint16_t cli_tmp12[]={32, 32, 32, 32};
-static uint16_t cli_tmp13[]={32, 65, 32, 65, 32};
+static uint16_t cli_tmp8[]={32, 65, 32, 65, 32};
+static uint16_t cli_tmp9[]={32};
+static uint16_t cli_tmp10[]={32, 32};
+static uint16_t cli_tmp11[]={32, 32, 32};
+static uint16_t cli_tmp12[]={65, 32, 32};
+static uint16_t cli_tmp13[]={32, 32, 32, 32};
 static uint16_t cli_tmp14[]={32, 65, 32, 32};
 static uint16_t cli_tmp15[]={32, 85, 32};
 static uint16_t cli_tmp16[]={86};
@ -178,12 +179,12 @@ const struct cli_bc_type cli_apicall_types[]={
 	{DStructType, cli_tmp5, 8, 0, 0},
 	{DArrayType, cli_tmp6, 1, 0, 0},
 	{DArrayType, cli_tmp7, 64, 0, 0},
-	{DFunctionType, cli_tmp8, 1, 0, 0},
-	{DFunctionType, cli_tmp9, 2, 0, 0},
-	{DFunctionType, cli_tmp10, 3, 0, 0},
+	{DFunctionType, cli_tmp8, 5, 0, 0},
+	{DFunctionType, cli_tmp9, 1, 0, 0},
+	{DFunctionType, cli_tmp10, 2, 0, 0},
 	{DFunctionType, cli_tmp11, 3, 0, 0},
-	{DFunctionType, cli_tmp12, 4, 0, 0},
-	{DFunctionType, cli_tmp13, 5, 0, 0},
+	{DFunctionType, cli_tmp12, 3, 0, 0},
+	{DFunctionType, cli_tmp13, 4, 0, 0},
 	{DFunctionType, cli_tmp14, 4, 0, 0},
 	{DFunctionType, cli_tmp15, 3, 0, 0},
 	{DPointerType, cli_tmp16, 1, 0, 0},
@ -206,13 +207,13 @@ const struct cli_bc_type cli_apicall_types[]={
 const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall_types[0]);
 const struct cli_apicall cli_apicalls[]={
 /* Bytecode APIcalls BEGIN */
-	{"test1", 10, 0, 0},
+	{"test1", 11, 0, 0},
 	{"read", 19, 0, 1},
 	{"write", 19, 1, 1},
-	{"seek", 10, 1, 0},
+	{"seek", 11, 1, 0},
 	{"setvirusname", 19, 2, 1},
 	{"debug_print_str", 19, 3, 1},
-	{"debug_print_uint", 9, 0, 2},
+	{"debug_print_uint", 10, 0, 2},
 	{"disasm_x86", 25, 4, 1},
 	{"trace_directory", 19, 5, 1},
 	{"trace_scope", 19, 6, 1},
@ -220,80 +221,81 @@ const struct cli_apicall cli_apicalls[]={
 	{"trace_op", 19, 8, 1},
 	{"trace_value", 19, 9, 1},
 	{"trace_ptr", 19, 10, 1},
-	{"pe_rawaddr", 9, 1, 2},
+	{"pe_rawaddr", 10, 1, 2},
 	{"file_find", 19, 11, 1},
-	{"file_byteat", 9, 2, 2},
+	{"file_byteat", 10, 2, 2},
 	{"malloc", 24, 0, 3},
-	{"test2", 9, 3, 2},
+	{"test2", 10, 3, 2},
 	{"get_pe_section", 21, 12, 1},
 	{"fill_buffer", 20, 0, 4},
-	{"extract_new", 9, 4, 2},
-	{"read_number", 9, 5, 2},
-	{"hashset_new", 8, 0, 5},
-	{"hashset_add", 10, 2, 0},
-	{"hashset_remove", 10, 3, 0},
-	{"hashset_contains", 10, 4, 0},
-	{"hashset_done", 9, 6, 2},
-	{"hashset_empty", 9, 7, 2},
-	{"buffer_pipe_new", 9, 8, 2},
-	{"buffer_pipe_new_fromfile", 9, 9, 2},
-	{"buffer_pipe_read_avail", 9, 10, 2},
-	{"buffer_pipe_read_get", 11, 0, 6},
-	{"buffer_pipe_read_stopped", 10, 5, 0},
-	{"buffer_pipe_write_avail", 9, 11, 2},
-	{"buffer_pipe_write_get", 11, 1, 6},
-	{"buffer_pipe_write_stopped", 10, 6, 0},
-	{"buffer_pipe_done", 9, 12, 2},
-	{"inflate_init", 12, 0, 7},
-	{"inflate_process", 9, 13, 2},
-	{"inflate_done", 9, 14, 2},
-	{"bytecode_rt_error", 9, 15, 2},
-	{"jsnorm_init", 9, 16, 2},
-	{"jsnorm_process", 9, 17, 2},
-	{"jsnorm_done", 9, 18, 2},
-	{"ilog2", 10, 7, 0},
-	{"ipow", 12, 1, 7},
-	{"iexp", 12, 2, 7},
-	{"isin", 12, 3, 7},
-	{"icos", 12, 4, 7},
-	{"memstr", 13, 0, 8},
-	{"hex2ui", 10, 8, 0},
+	{"extract_new", 10, 4, 2},
+	{"read_number", 10, 5, 2},
+	{"hashset_new", 9, 0, 5},
+	{"hashset_add", 11, 2, 0},
+	{"hashset_remove", 11, 3, 0},
+	{"hashset_contains", 11, 4, 0},
+	{"hashset_done", 10, 6, 2},
+	{"hashset_empty", 10, 7, 2},
+	{"buffer_pipe_new", 10, 8, 2},
+	{"buffer_pipe_new_fromfile", 10, 9, 2},
+	{"buffer_pipe_read_avail", 10, 10, 2},
+	{"buffer_pipe_read_get", 12, 0, 6},
+	{"buffer_pipe_read_stopped", 11, 5, 0},
+	{"buffer_pipe_write_avail", 10, 11, 2},
+	{"buffer_pipe_write_get", 12, 1, 6},
+	{"buffer_pipe_write_stopped", 11, 6, 0},
+	{"buffer_pipe_done", 10, 12, 2},
+	{"inflate_init", 13, 0, 7},
+	{"inflate_process", 10, 13, 2},
+	{"inflate_done", 10, 14, 2},
+	{"bytecode_rt_error", 10, 15, 2},
+	{"jsnorm_init", 10, 16, 2},
+	{"jsnorm_process", 10, 17, 2},
+	{"jsnorm_done", 10, 18, 2},
+	{"ilog2", 11, 7, 0},
+	{"ipow", 13, 1, 7},
+	{"iexp", 13, 2, 7},
+	{"isin", 13, 3, 7},
+	{"icos", 13, 4, 7},
+	{"memstr", 8, 0, 8},
+	{"hex2ui", 11, 8, 0},
 	{"atoi", 19, 13, 1},
 	{"debug_print_str_start", 19, 14, 1},
 	{"debug_print_str_nonl", 19, 15, 1},
 	{"entropy_buffer", 19, 16, 1},
-	{"map_new", 10, 9, 0},
+	{"map_new", 11, 9, 0},
 	{"map_addkey", 14, 0, 9},
 	{"map_setvalue", 14, 1, 9},
 	{"map_remove", 14, 2, 9},
 	{"map_find", 14, 3, 9},
-	{"map_getvaluesize", 9, 19, 2},
-	{"map_getvalue", 11, 2, 6},
-	{"map_done", 9, 20, 2},
+	{"map_getvaluesize", 10, 19, 2},
+	{"map_getvalue", 12, 2, 6},
+	{"map_done", 10, 20, 2},
 	{"file_find_limit", 14, 4, 9},
-	{"engine_functionality_level", 8, 1, 5},
-	{"engine_dconf_level", 8, 2, 5},
-	{"engine_scan_options", 8, 3, 5},
-	{"engine_db_options", 8, 4, 5},
-	{"extract_set_container", 9, 21, 2},
-	{"input_switch", 9, 22, 2},
+	{"engine_functionality_level", 9, 1, 5},
+	{"engine_dconf_level", 9, 2, 5},
+	{"engine_scan_options", 9, 3, 5},
+	{"engine_db_options", 9, 4, 5},
+	{"extract_set_container", 10, 21, 2},
+	{"input_switch", 10, 22, 2},
 	{"get_environment", 15, 17, 1},
 	{"disable_bytecode_if", 14, 5, 9},
 	{"disable_jit_if", 14, 6, 9},
-	{"version_compare", 13, 1, 8},
-	{"check_platform", 12, 5, 7},
-	{"pdf_get_obj_num", 8, 5, 5},
-	{"pdf_get_flags", 8, 6, 5},
-	{"pdf_set_flags", 9, 23, 2},
-	{"pdf_lookupobj", 9, 24, 2},
-	{"pdf_getobjsize", 9, 25, 2},
-	{"pdf_getobj", 11, 3, 6},
-	{"pdf_getobjid", 9, 26, 2},
-	{"pdf_getobjflags", 9, 27, 2},
-	{"pdf_setobjflags", 10, 10, 0},
-	{"pdf_get_offset", 9, 28, 2},
-	{"pdf_get_phase", 8, 7, 5},
-	{"pdf_get_dumpedobjid", 8, 8, 5}
+	{"version_compare", 8, 1, 8},
+	{"check_platform", 13, 5, 7},
+	{"pdf_get_obj_num", 9, 5, 5},
+	{"pdf_get_flags", 9, 6, 5},
+	{"pdf_set_flags", 10, 23, 2},
+	{"pdf_lookupobj", 10, 24, 2},
+	{"pdf_getobjsize", 10, 25, 2},
+	{"pdf_getobj", 12, 3, 6},
+	{"pdf_getobjid", 10, 26, 2},
+	{"pdf_getobjflags", 10, 27, 2},
+	{"pdf_setobjflags", 11, 10, 0},
+	{"pdf_get_offset", 10, 28, 2},
+	{"pdf_get_phase", 9, 7, 5},
+	{"pdf_get_dumpedobjid", 9, 8, 5},
+	{"matchicon", 8, 2, 8}
 /* Bytecode APIcalls END */
 };
 const cli_apicall_int2 cli_apicalls0[] = {
@ -393,7 +395,8 @@ const cli_apicall_int3 cli_apicalls7[] = {
 };
 const cli_apicall_2bufs cli_apicalls8[] = {
 	(cli_apicall_2bufs)cli_bcapi_memstr,
-	(cli_apicall_2bufs)cli_bcapi_version_compare
+	(cli_apicall_2bufs)cli_bcapi_version_compare,
+	(cli_apicall_2bufs)cli_bcapi_matchicon
 };
 const cli_apicall_ptrbufid cli_apicalls9[] = {
 	(cli_apicall_ptrbufid)cli_bcapi_map_addkey,
--- a/libclamav/bytecode_api_impl.h
+++ b/libclamav/bytecode_api_impl.h
@ -119,5 +119,6 @@ int32_t cli_bcapi_pdf_setobjflags(struct cli_bc_ctx *ctx , int32_t, int32_t);
 int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t);
 int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx );
 int32_t cli_bcapi_pdf_get_dumpedobjid(struct cli_bc_ctx *ctx );
+int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t*, int32_t, const uint8_t*, int32_t);

 #endif
--- a/libclamav/bytecode_priv.h
+++ b/libclamav/bytecode_priv.h
@ -156,6 +156,7 @@ struct cli_bc_ctx {
    fmap_t *save_map;
    const char *virname;
    struct cli_bc_hooks hooks;
+    struct cli_exe_info exeinfo;
    uint32_t pdf_nobjs;
    struct pdf_obj *pdf_objs;
    uint32_t* pdf_flags;
--- a/libclamav/matcher.c
+++ b/libclamav/matcher.c
@ -51,6 +51,8 @@
 #include "regex/regex.h"
 #include "filtering.h"
 #include "perflogging.h"
+#include "bytecode_priv.h"
+#include "bytecode_api_impl.h"

 #ifdef HAVE__INTERNAL__SHA_COLLECT
 #include "sha256.h"
@ -447,6 +449,33 @@ static int matchicon(cli_ctx *ctx, struct cli_exe_info *exeinfo, const char *grp
    return cli_scanicon(&iconset, exeinfo->res_addr, ctx, exeinfo->section, exeinfo->nsections, exeinfo->hdr_size);
 }

+int32_t cli_bcapi_matchicon(struct cli_bc_ctx *ctx , const uint8_t* grp1, int32_t grp1len,
+			    const uint8_t* grp2, int32_t grp2len)
+{
+    struct cli_exe_info info;
+    char group1[128], group2[128];
+    if (ctx->bc->kind != BC_PE_UNPACKER) {
+	cli_dbgmsg("bytecode: matchicon only works with PE files\n");
+	return -1;
+    }
+    if (grp1len > sizeof(group1)-1 ||
+	grp2len > sizeof(group2)-1)
+	return -1;
+    memcpy(group1, grp1, grp1len);
+    memcpy(group2, grp2, grp2len);
+    group1[grp1len] = 0;
+    group2[grp1len] = 0;
+    if(le16_to_host(ctx->hooks.pedata->file_hdr.Characteristics) & 0x2000 ||
+       !ctx->hooks.pedata->dirs[2].Size)
+	info.res_addr = 0;
+    else
+	info.res_addr = le32_to_host(ctx->hooks.pedata->dirs[2].VirtualAddress);
+    info.section = ctx->sections;
+    info.nsections = ctx->hooks.pedata->nsections;
+    info.hdr_size = ctx->hooks.pedata->hdr_size;
+    return matchicon(ctx->ctx, &info, group1, group2);
+}
+

 int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struct cli_matched_type **ftoffset, unsigned int acmode, struct cli_ac_result **acres)
 {