WiP
This commit is contained in:
parent
ab63657088
commit
ec41017bba
12 changed files with 66 additions and 53 deletions
|
@ -430,14 +430,18 @@ static int parseHeader(struct cli_bc *bc, unsigned char *buffer)
|
|||
|
||||
static int parseLSig(struct cli_bc *bc, unsigned char *buffer)
|
||||
{
|
||||
if (buffer[0] != 'L') {
|
||||
cli_errmsg("Invalid logical signature header: %c\n", buffer[0]);
|
||||
return CL_EMALFDB;
|
||||
const char *prefix;
|
||||
char *vnames, *vend = strchr(buffer, ';');
|
||||
if (vend) {
|
||||
bc->lsig = cli_strdup(buffer);
|
||||
} else {
|
||||
/* Not a logical signature, but we still have a virusname */
|
||||
bc->lsig = NULL;
|
||||
}
|
||||
bc->lsig = NULL;
|
||||
if (!buffer[1])
|
||||
return CL_SUCCESS;
|
||||
bc->lsig = cli_strdup(buffer);
|
||||
*vend++ = '\0';
|
||||
prefix = buffer;
|
||||
vnames = strchr(vend, '{');
|
||||
|
||||
return CL_SUCCESS;
|
||||
}
|
||||
|
||||
|
|
|
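Review bot: The unconditional `*vend++ = '\0';` after the `if (vend) ... else ...` block dereferences a NULL pointer whenever `strchr(buffer, ';')` finds no separator — the `else` branch records "no logical signature" and then falls straight into the write, and the regenerated test bytecode in this commit includes an empty second line that would take exactly that path. Return before the write, `if (!vend) return CL_SUCCESS;`, or move the `*vend++ = '\0'; prefix = buffer; vnames = strchr(vend, '{');` tail inside the `if (vend)` branch. The `cli_strdup(buffer)` result is also never checked, so an allocation failure leaves `bc->lsig` NULL with `CL_SUCCESS` returned; check it and return the allocation-failure code the rest of this file uses. `prefix` and `vnames` are assigned and then dropped, and the former `buffer[0] != 'L'` header check appears to be gone, so the line's leading byte is no longer validated at all — presumably WiP, but worth a `/* TODO: parse prefix/vnames into bc->vnameprefix / bc->vnames */` so the half-finished state is explicit.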
@ -58,6 +58,9 @@ struct cli_bc {
|
|||
uint16_t start_tid;
|
||||
struct bitset_tag *uses_apis;
|
||||
char *lsig;
|
||||
char *vnameprefix;
|
||||
char **vnames;
|
||||
unsigned vnames_cnt;
|
||||
};
|
||||
|
||||
struct cli_all_bc {
|
||||
|
|
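Review bot: The three new `cli_bc` fields say nothing about ownership, and a struct that already holds a heap string (`lsig`) now gains a second string and an array of `vnames_cnt` pointers whose free path must know whether each `vnames[i]` is a separate allocation or points into `vnameprefix`/`lsig`. Add a comment above `char *vnameprefix;` such as `/* virus-name prefix and the vnames_cnt name suffixes from the lsig line; owned by this bc — confirm whether vnames[i] alias lsig before freeing them individually */`, stating whichever rule the parser ends up implementing. Without it the teardown code is likely to either leak or double-free the names.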
|
@ -24,10 +24,12 @@
|
|||
|
||||
#ifdef __CLAMBC__
|
||||
#include "bytecode_execs.h"
|
||||
//#include "bytecode_pe.h"
|
||||
#endif
|
||||
|
||||
#ifndef __CLAMBC__
|
||||
#include "execs.h"
|
||||
#include "pe.h"
|
||||
#endif
|
||||
|
||||
struct foo {
|
||||
|
@ -46,8 +48,9 @@ enum BytecodeKind {
|
|||
|
||||
extern const uint32_t __clambc_match_counts[64];
|
||||
extern const struct cli_exe_info __clambc_exeinfo;
|
||||
extern const struct cli_pe_hook_data __clambc_pedata;
|
||||
|
||||
const uint8_t __clambc_kind;
|
||||
const uint16_t __clambc_kind;
|
||||
|
||||
uint32_t test0(struct foo*, uint32_t);
|
||||
uint32_t test1(uint32_t, uint32_t);
|
||||
|
|
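Review bot: Under `#ifdef __CLAMBC__` the include that would declare `struct cli_pe_hook_data` is left as commented-out code (`//#include "bytecode_pe.h"`), so the new `extern const struct cli_pe_hook_data __clambc_pedata;` compiles on the bytecode side only as an incomplete type and no field of it can be read from bytecode; either restore the include or replace the dead line with a one-line comment explaining why it is disabled. The widened `const uint16_t __clambc_kind;` is the only one of the four globals declared without `extern`; if that is not deliberate for the bytecode compiler, make it `extern const uint16_t __clambc_kind;` so a header included by several translation units does not create a tentative definition in each. The 8→16 bit change does line up with the `16` size in `cli_globals` and the `uint16_t kind` hook in this commit, which is presumably the intent.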
|
@ -36,47 +36,51 @@ uint32_t cli_bcapi_debug_print_uint(struct cli_bc_ctx *ctx, uint32_t, uint32_t);
|
|||
|
||||
const struct cli_apiglobal cli_globals[] = {
|
||||
/* Bytecode globals BEGIN */
|
||||
{"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 72,
|
||||
{"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 73,
|
||||
((char*)&((struct cli_bc_ctx*)0)->hooks.match_counts - (char*)NULL)},
|
||||
{"__clambc_exeinfo", GLOBAL_EXEINFO, 69,
|
||||
{"__clambc_exeinfo", GLOBAL_EXEINFO, 70,
|
||||
((char*)&((struct cli_bc_ctx*)0)->hooks.exeinfo - (char*)NULL)},
|
||||
{"__clambc_kind", GLOBAL_KIND, 8,
|
||||
((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)}
|
||||
{"__clambc_kind", GLOBAL_KIND, 16,
|
||||
((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)},
|
||||
{"__clambc_pedata", GLOBAL_PEDATA, 69,
|
||||
((char*)&((struct cli_bc_ctx*)0)->hooks.pedata - (char*)NULL)}
|
||||
/* Bytecode globals END */
|
||||
};
|
||||
const unsigned cli_apicall_maxglobal = _LAST_GLOBAL-1;
|
||||
static uint16_t cli_tmp0[]={70, 32, 32, 16};
|
||||
static uint16_t cli_tmp1[]={71};
|
||||
static uint16_t cli_tmp2[]={32, 32, 32, 32, 32, 32, 32, 32, 32};
|
||||
static uint16_t cli_tmp3[]={32};
|
||||
static uint16_t cli_tmp4[]={32, 32, 32};
|
||||
static uint16_t cli_tmp5[]={32, 65, 32};
|
||||
static uint16_t cli_tmp6[]={32, 76, 32};
|
||||
static uint16_t cli_tmp7[]={77};
|
||||
static uint16_t cli_tmp8[]={76};
|
||||
static uint16_t cli_tmp0[]={};
|
||||
static uint16_t cli_tmp1[]={71, 32, 32, 16};
|
||||
static uint16_t cli_tmp2[]={72};
|
||||
static uint16_t cli_tmp3[]={32, 32, 32, 32, 32, 32, 32, 32, 32};
|
||||
static uint16_t cli_tmp4[]={32};
|
||||
static uint16_t cli_tmp5[]={32, 32, 32};
|
||||
static uint16_t cli_tmp6[]={32, 65, 32};
|
||||
static uint16_t cli_tmp7[]={32, 77, 32};
|
||||
static uint16_t cli_tmp8[]={78};
|
||||
static uint16_t cli_tmp9[]={77};
|
||||
|
||||
const struct cli_bc_type cli_apicall_types[]={
|
||||
{DStructType, cli_tmp0, 4, 0, 0},
|
||||
{DPointerType, cli_tmp1, 1, 0, 0},
|
||||
{DStructType, cli_tmp2, 9, 0, 0},
|
||||
{DArrayType, cli_tmp3, 64, 0, 0},
|
||||
{DFunctionType, cli_tmp4, 3, 0, 0},
|
||||
{, cli_tmp0, , 0, 0},
|
||||
{DStructType, cli_tmp1, 4, 0, 0},
|
||||
{DPointerType, cli_tmp2, 1, 0, 0},
|
||||
{DStructType, cli_tmp3, 9, 0, 0},
|
||||
{DArrayType, cli_tmp4, 64, 0, 0},
|
||||
{DFunctionType, cli_tmp5, 3, 0, 0},
|
||||
{DFunctionType, cli_tmp6, 3, 0, 0},
|
||||
{DPointerType, cli_tmp7, 1, 0, 0},
|
||||
{DStructType, cli_tmp8, 1, 0, 0}
|
||||
{DFunctionType, cli_tmp7, 3, 0, 0},
|
||||
{DPointerType, cli_tmp8, 1, 0, 0},
|
||||
{DStructType, cli_tmp9, 1, 0, 0}
|
||||
};
|
||||
|
||||
const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall_types[0]);
|
||||
const struct cli_apicall cli_apicalls[]={
|
||||
/* Bytecode APIcalls BEGIN */
|
||||
{"test0", 6, 0, 1},
|
||||
{"test1", 4, 0, 0},
|
||||
{"read", 5, 1, 1},
|
||||
{"seek", 4, 1, 0},
|
||||
{"setvirusname", 5, 2, 1},
|
||||
{"debug_print_str", 5, 3, 1},
|
||||
{"debug_print_uint", 4, 2, 0}
|
||||
{"test0", 7, 0, 1},
|
||||
{"test1", 5, 0, 0},
|
||||
{"read", 6, 1, 1},
|
||||
{"seek", 5, 1, 0},
|
||||
{"setvirusname", 6, 2, 1},
|
||||
{"debug_print_str", 6, 3, 1},
|
||||
{"debug_print_uint", 5, 2, 0}
|
||||
/* Bytecode APIcalls END */
|
||||
};
|
||||
const cli_apicall_int2 cli_apicalls0[] = {
|
||||
|
|
|
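Review bot: The first entry of the rewritten `cli_apicall_types` table, `{, cli_tmp0, , 0, 0},`, has an empty type-kind and an empty element count, and its backing array is `static uint16_t cli_tmp0[]={};`, so this translation unit cannot compile as written — and since `__clambc_pedata` is registered with type id `69`, the table's first slot, the PE hook data has no usable type description even if the syntax were patched. This file looks generated (the `cli_tmp*` naming), so the defect is presumably in the generator's handling of `struct cli_pe_hook_data` and should be fixed there rather than by hand-editing the output. The same table references `GLOBAL_PEDATA`, while the `enum bc_global` hunk in this commit adds only one name between `GLOBAL_KIND` and `GLOBAL_EXEINFO`; unless `GLOBAL_PEDATA` is declared elsewhere, that identifier is undeclared as well.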
@ -24,8 +24,8 @@
|
|||
|
||||
struct cli_bc_hooks {
|
||||
const uint32_t* match_counts;
|
||||
const struct cli_exe_info *exeinfo;
|
||||
const struct cli_pe_hook_data *pedata;
|
||||
const uint8_t kind;
|
||||
const struct cli_exe_info exeinfo;
|
||||
const uint16_t kind;
|
||||
const cli_pe_hook_data pedata;
|
||||
};
|
||||
#endif
|
||||
|
|
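Review bot: `const cli_pe_hook_data pedata;` omits the `struct` keyword that every other member in `cli_bc_hooks` uses (`const struct cli_exe_info exeinfo;`), so unless `pe.h` typedefs that tag this will not compile; `const struct cli_pe_hook_data pedata;` matches the declaration used for `__clambc_pedata` in the API header. The hunk also shows both a pointer and an embedded-struct form of `exeinfo` and `pedata` with no surviving +/- markers, so which form survives is not certain from here; whichever it is, the `cli_globals` offsets in the generated table (`&((struct cli_bc_ctx*)0)->hooks.exeinfo` / `.pedata`) and the corresponding bytecode type ids must agree on value-versus-pointer, and a one-line comment on the struct saying which it is would prevent the next mismatch.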
|
@ -101,6 +101,7 @@ enum bc_global {
|
|||
_FIRST_GLOBAL = 0x8000,
|
||||
GLOBAL_MATCH_COUNTS = 0x8000,
|
||||
GLOBAL_KIND,
|
||||
GLOBAL_VIRUSNAMES,
|
||||
GLOBAL_EXEINFO,
|
||||
_LAST_GLOBAL
|
||||
};
|
||||
|
|
|
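Review bot: Inserting `GLOBAL_VIRUSNAMES` between `GLOBAL_KIND` and `GLOBAL_EXEINFO` shifts the numeric value of `GLOBAL_EXEINFO`; if compiled bytecode refers to globals by these `0x8000`-based ids, every existing `.cbc` that touches `__clambc_exeinfo` silently binds to the wrong global after this change. Appending new ids immediately before `_LAST_GLOBAL` keeps the existing numbering stable, and a comment such as `/* append only: ids are part of the bytecode ABI */` on the enum would make the rule explicit. Separately, the generated `cli_globals` table in this commit uses `GLOBAL_PEDATA`, which this hunk does not add; unless it lives elsewhere, the enum and the table are out of sync.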
@ -1,5 +1,5 @@
|
|||
ClamBCaa`|``````|`afafp`clamcoincidencejb
|
||||
L
|
||||
|
||||
Tedacb`bb`bb`b
|
||||
Eabaaabbed|afdgefcgdgac``
|
||||
G``
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
ClamBCaa`|``````|`ajafp`clamcoincidencejb
|
||||
L
|
||||
|
||||
Tedcabidebidacb`bbidb`bacb`bb`bb`bebed
|
||||
Eababaabgd|afdgefcgdg`c``abbhd|afdgefcgdgac``
|
||||
G``
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
ClamBCaa`|``````|`aebbep`clamcoincidencejb
|
||||
L
|
||||
|
||||
Ted
|
||||
E``
|
||||
G``
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
ClamBCaa`|``````|`aeabp`clamcoincidencejb
|
||||
L
|
||||
|
||||
Ted
|
||||
E``
|
||||
G``
|
||||
|
|
|
@ -1,11 +1,9 @@
|
|||
ClamBCaa`|``````|`bbaabp`clamcoincidencejb
|
||||
L;Target:0;((0|1|2)=42,2);aabb;ffffffff;aaccee;f00d
|
||||
Tedebaeeb`eebodebndebmdebadebcdacb`bbadb`bdb`db`bdakahdagahdaiahdaeah
|
||||
Eaeaaaebld|amcgefdgfgifbgegcgnfafmfef``
|
||||
Gd```hanbaeBafBafBbfBbf@`b`eBffBffBffBffBffBffBffBff@`baeBffB`cB`cBdf@`bodBafBafBcfBcfBefBef@`bndBdeBbgBofBjfBafBnfBnbBfdBodBod@`bad@@`bad@Aa`bad@Ab`bad@Ac`bad@Ad`bcdAcD```h`bcdAbD```h`bcd@D```h`bcdAaD```h`
|
||||
A`b`bLacb`baa`Fafac
|
||||
Bb`b`gbAj`aaaaeab`b`AbdTaaaaaaab
|
||||
B```b`abTcab`b@d
|
||||
ClamBCaa`|``````|`alaap`clamcoincidencejb
|
||||
Trojan.Foo/A/B;Target:0;((0|1|2)=42,2);aabb;ffffffff;aaccee;f00d
|
||||
Tedebkdebjdebadebcdacb`bbadb`bdb`db`bdabah
|
||||
Eaeaaaebid|amcgefdgfgifbgegcgnfafmfef``
|
||||
Gd```hahbkdBad@`bkdBbd@`bad@@`bad@Aa`bcdAcD```h`bcdAbD```h`bcd@D```h`bcdAaD```h`
|
||||
A`b`bLaeb`baaaabadb`bFahac
|
||||
Bb`b`gbAd`aaaaiab`b`AbdTaaaaabaa
|
||||
Baaabeab`b`AbdbadacoaabAb`Ac`b`badabbaeac@dTcab`b@d
|
||||
BTcab`b@dE
|
||||
A``Laab`bFabaa
|
||||
Bb`b`abbaeAi`@dTdaE
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
ClamBCaa`|``````|`aeaap`clamcoincidencejb
|
||||
L
|
||||
|
||||
Ted
|
||||
E``
|
||||
G``
|
||||
|
|