Data Structures | |
struct | DIS_mem_arg |
struct | DIS_arg |
struct | DIS_fixed |
Defines | |
#define | VIRUSNAME_PREFIX(name) const char __clambc_virusname_prefix[] = name; |
#define | VIRUSNAMES(...) const char *const __clambc_virusnames[] = {__VA_ARGS__}; |
#define | PE_UNPACKER_DECLARE const uint16_t __clambc_kind = BC_PE_UNPACKER; |
#define | PDF_HOOK_DECLARE const uint16_t __clambc_kind = BC_PDF; |
#define | BYTECODE_ABORT_HOOK 0xcea5e |
#define | PE_HOOK_DECLARE const uint16_t __clambc_kind = BC_PE_ALL; |
#define | SIGNATURES_DECL_BEGIN struct __Signatures { |
#define | DECLARE_SIGNATURE(name) |
#define | SIGNATURES_DECL_END }; |
#define | TARGET(tgt) const unsigned short __Target = (tgt); |
#define | COPYRIGHT(c) const char *const __Copyright = (c); |
#define | ICONGROUP1(group) const char *const __IconGroup1 = (group); |
#define | ICONGROUP2(group) const char *const __IconGroup2 = (group); |
#define | FUNCTIONALITY_LEVEL_MIN(m) const unsigned short __FuncMin = (m); |
#define | FUNCTIONALITY_LEVEL_MAX(m) const unsigned short __FuncMax = (m); |
#define | SIGNATURES_DEF_BEGIN |
#define | DEFINE_SIGNATURE(name, hex) |
#define | SIGNATURES_END };\ |
Functions | |
static force_inline void overloadable_func | debug (const char *str) |
static force_inline void overloadable_func | debug (const uint8_t *str) |
static force_inline void overloadable_func | debug (uint32_t a) |
void | debug (...) __attribute__((overloadable |
static force_inline uint32_t | count_match (__Signature sig) |
static force_inline uint32_t | matches (__Signature sig) |
static force_inline uint32_t | match_location (__Signature sig, uint32_t goback) |
static force_inline int32_t | match_location_check (__Signature sig, uint32_t goback, const char *static_start, uint32_t static_len) |
static force_inline overloadable_func void | foundVirus (const char *virusname) |
static force_inline void overloadable_func | foundVirus (void) |
static force_inline uint32_t | getFilesize (void) |
bool | __is_bigendian (void) __attribute__((const )) __attribute__((nothrow)) |
static uint32_t force_inline | le32_to_host (uint32_t v) |
static uint64_t force_inline | le64_to_host (uint64_t v) |
static uint16_t force_inline | le16_to_host (uint16_t v) |
static uint32_t force_inline | cli_readint32 (const void *buff) |
static uint16_t force_inline | cli_readint16 (const void *buff) |
static void force_inline | cli_writeint32 (void *offset, uint32_t v) |
static force_inline bool | hasExeInfo (void) |
static force_inline bool | hasPEInfo (void) |
static force_inline bool | isPE64 (void) |
static static force_inline force_inline uint8_t | getPEMajorLinkerVersion (void) |
static force_inline uint8_t | getPEMinorLinkerVersion (void) |
static force_inline uint32_t | getPESizeOfCode (void) |
static force_inline uint32_t | getPESizeOfInitializedData (void) |
static force_inline uint32_t | getPESizeOfUninitializedData (void) |
static force_inline uint32_t | getPEBaseOfCode (void) |
static force_inline uint32_t | getPEBaseOfData (void) |
static force_inline uint64_t | getPEImageBase (void) |
static force_inline uint32_t | getPESectionAlignment (void) |
static force_inline uint32_t | getPEFileAlignment (void) |
static force_inline uint16_t | getPEMajorOperatingSystemVersion (void) |
static force_inline uint16_t | getPEMinorOperatingSystemVersion (void) |
static force_inline uint16_t | getPEMajorImageVersion (void) |
static force_inline uint16_t | getPEMinorImageVersion (void) |
static force_inline uint16_t | getPEMajorSubsystemVersion (void) |
static force_inline uint16_t | getPEMinorSubsystemVersion (void) |
static force_inline uint32_t | getPEWin32VersionValue (void) |
static force_inline uint32_t | getPESizeOfImage (void) |
static force_inline uint32_t | getPESizeOfHeaders (void) |
static force_inline uint32_t | getPECheckSum (void) |
static force_inline uint16_t | getPESubsystem (void) |
static force_inline uint16_t | getPEDllCharacteristics (void) |
Return the PE DllCharacteristics. | |
static force_inline uint32_t | getPESizeOfStackReserve (void) |
static force_inline uint32_t | getPESizeOfStackCommit (void) |
static force_inline uint32_t | getPESizeOfHeapReserve (void) |
static force_inline uint32_t | getPESizeOfHeapCommit (void) |
static force_inline uint32_t | getPELoaderFlags (void) |
static force_inline uint16_t | getPEMachine () |
static force_inline uint32_t | getPETimeDateStamp () |
static force_inline uint32_t | getPEPointerToSymbolTable () |
static force_inline uint32_t | getPENumberOfSymbols () |
static force_inline uint16_t | getPESizeOfOptionalHeader () |
static force_inline uint16_t | getPECharacteristics () |
static force_inline bool | getPEisDLL () |
static force_inline uint32_t | getPEDataDirRVA (unsigned n) |
static force_inline uint32_t | getPEDataDirSize (unsigned n) |
static force_inline uint16_t | getNumberOfSections (void) |
static uint32_t | getPELFANew (void) |
static force_inline int | readPESectionName (unsigned char name[8], unsigned n) |
static force_inline uint32_t | getEntryPoint (void) |
static force_inline uint32_t | getExeOffset (void) |
static force_inline uint32_t | getImageBase (void) |
static uint32_t | getVirtualEntryPoint (void) |
static uint32_t | getSectionRVA (unsigned i) |
static uint32_t | getSectionVirtualSize (unsigned i) |
static force_inline bool | readRVA (uint32_t rva, void *buf, size_t bufsize) |
static void * | memchr (const void *s, int c, size_t n) |
void * | memset (void *src, int c, uintptr_t n) __attribute__((nothrow)) __attribute__((__nonnull__((1)))) |
void * | memmove (void *dst, const void *src, uintptr_t n) __attribute__((__nothrow__)) __attribute__((__nonnull__(1 |
void *void | memcpy (void *restrict dst, const void *restrict src, uintptr_t n) __attribute__((__nothrow__)) __attribute__((__nonnull__(1 |
void *void int | memcmp (const void *s1, const void *s2, uint32_t n) __attribute__((__nothrow__)) __attribute__((__pure__)) __attribute__((__nonnull__(1 |
static force_inline uint32_t | DisassembleAt (struct DIS_fixed *result, uint32_t offset, uint32_t len) |
static int32_t | ilog2_compat (uint32_t a, uint32_t b) |
#define BYTECODE_ABORT_HOOK 0xcea5e |
Return code from entrypoint() that tells the hook invoker to skip executing the hook, probably because running it would trigger a bug in the invoker.
#define COPYRIGHT | ( | c | ) | const char *const __Copyright = (c); |
Defines an alternative copyright for this bytecode.
#define DECLARE_SIGNATURE | ( | name | ) |
#define DEFINE_SIGNATURE | ( | name, | |
hex | |||
) |
.name##_sig = (hex),\ .name = {__COUNTER__ - __signature_bias},
Defines the pattern for a previously declared subsignature.
name | the name of a previously declared subsignature |
hex | the pattern for this subsignature |
#define FUNCTIONALITY_LEVEL_MAX | ( | m | ) | const unsigned short __FuncMax = (m); |
Define the maximum engine functionality level required for this bytecode/logical signature. Engines newer than this will skip loading the bytecode. You can use the 'enum FunctionalityLevels' constants here.
#define FUNCTIONALITY_LEVEL_MIN | ( | m | ) | const unsigned short __FuncMin = (m); |
Define the minimum engine functionality level required for this bytecode/logical signature. Engines older than this will skip loading the bytecode. You can use the 'enum FunctionalityLevels' constants here.
#define ICONGROUP1 | ( | group | ) | const char *const __IconGroup1 = (group); |
#define ICONGROUP2 | ( | group | ) | const char *const __IconGroup2 = (group); |
Define IconGroup2 for logical signature. See logical signature documentation for what it is.
#define PDF_HOOK_DECLARE const uint16_t __clambc_kind = BC_PDF; |
Make the current bytecode a PDF hook. Having a logical signature doesn't make sense here, since the logical signature is evaluated AFTER these hooks run.
#define PE_HOOK_DECLARE const uint16_t __clambc_kind = BC_PE_ALL; |
Make the current bytecode a PE hook, i.e. it will be called once the logical signature trigger matches (or always if there is none), and you have access to all the PE information. By default you only have access to execs.h information, and not to PE field information (even for PE files).
#define PE_UNPACKER_DECLARE const uint16_t __clambc_kind = BC_PE_UNPACKER; |
Like PE_HOOK_DECLARE, but it is not run for packed files that pe.c can unpack (only on the unpacked file).
#define SIGNATURES_DECL_BEGIN struct __Signatures { |
Marks the beginning of the subsignature name declaration section.
#define SIGNATURES_DECL_END }; |
Marks the end of the subsignature name declaration section.
#define SIGNATURES_DEF_BEGIN |
static const unsigned __signature_bias = __COUNTER__+1;\ const struct __Signatures Signatures = {\
Marks the beginning of subsignature pattern definitions.
#define SIGNATURES_END };\ |
Marks the end of the subsignature pattern definitions.
#define TARGET | ( | tgt | ) | const unsigned short __Target = (tgt); |
Defines the ClamAV file target.
tgt | ClamAV signature type (0 - raw, 1 - PE, etc.) |
#define VIRUSNAME_PREFIX | ( | name | ) | const char __clambc_virusname_prefix[] = name; |
Declares the virusname prefix.
name | the prefix common to all viruses reported by this bytecode |
#define VIRUSNAMES | ( | ... | ) | const char *const __clambc_virusnames[] = {__VA_ARGS__}; |
Declares all the virusnames that this bytecode can report.
... | a comma-separated list of strings interpreted as virusnames |
bool __is_bigendian | ( | void | ) | const |
Returns true if the bytecode is executing on a big-endian CPU.
This will be optimized away in libclamav, but it must be used when dealing with endianness for portability reasons. For example, whenever you read a 32-bit integer from a file, it can be written in little-endian convention (x86 CPU for example) or big-endian convention (PowerPC CPU for example). If the file always contains little-endian integers, then conversion might be needed. ClamAV bytecodes by their nature must only handle known-endian integers; if the endianness can change, then both situations must be taken into account (based on a 1-byte field, for example).
static uint16_t force_inline cli_readint16 | ( | const void * | buff | ) | [static] |
Reads a 16-bit little-endian integer from the specified buffer.
[in] | buff | pointer to buffer |
static uint32_t force_inline cli_readint32 | ( | const void * | buff | ) | [static] |
Reads a 32-bit little-endian integer from the specified buffer.
[in] | buff | pointer to buffer |
static void force_inline cli_writeint32 | ( | void * | offset, |
uint32_t | v | ||
) | [static] |
Writes the specified value into the specified buffer in little-endian order.
[out] | offset | pointer to buffer to write to |
[in] | v | value to write |
static force_inline uint32_t count_match | ( | __Signature | sig | ) | [static] |
Returns how many times the specified signature matched.
sig | name of subsignature queried |
This is a constant-time operation, the counts for all subsignatures are already computed.
void debug | ( | ... | ) |
debug is an overloaded function (yes, clang supports that in C!), but it only works on strings and integers. Gives an error on any other type.
static force_inline void overloadable_func debug | ( | const char * | str | ) | [static] |
Prints str to clamscan's --debug output.
str | null terminated string |
static force_inline void overloadable_func debug | ( | const uint8_t * | str | ) | [static] |
Prints str to clamscan's --debug output.
str | null terminated string |
static force_inline void overloadable_func debug | ( | uint32_t | a | ) | [static] |
Prints the integer a to clamscan's --debug output.
a | integer |
static force_inline uint32_t DisassembleAt | ( | struct DIS_fixed * | result, |
uint32_t | offset, | ||
uint32_t | len | ||
) | [static] |
Disassembles one X86 instruction starting at the specified offset.
[out] | result | disassembly result |
[in] | offset | start disassembling from this offset, in the current file |
[in] | len | max amount of bytes to disassemble |
static force_inline overloadable_func void foundVirus | ( | const char * | virusname | ) | [static] |
Sets the specified virusname as the virus detected by this bytecode.
virusname | the name of the virus, excluding the prefix, must be one of the virusnames declared in VIRUSNAMES . |
static force_inline void overloadable_func foundVirus | ( | void | ) | [static] |
Like foundVirus(), but uses just the prefix as the virusname.
static force_inline uint32_t getEntryPoint | ( | void | ) | [static] |
Returns the offset of the EntryPoint in the executable file.
static force_inline uint32_t getExeOffset | ( | void | ) | [static] |
Returns the offset of the executable in the file.
static force_inline uint32_t getFilesize | ( | void | ) | [static] |
Returns the currently scanned file's size.
static force_inline uint32_t getImageBase | ( | void | ) | [static] |
Returns the ImageBase with the correct endian conversion. Only works if the bytecode is a PE hook (i.e. you invoked PE_UNPACKER_DECLARE)
static force_inline uint16_t getNumberOfSections | ( | void | ) | [static] |
Returns the number of sections in this executable file.
static force_inline uint32_t getPEBaseOfCode | ( | void | ) | [static] |
static force_inline uint32_t getPEBaseOfData | ( | void | ) | [static] |
static force_inline uint16_t getPECharacteristics | ( | ) | [static] |
Returns PE characteristics. For example you can use this to check whether it is a DLL (0x2000).
static force_inline uint32_t getPECheckSum | ( | void | ) | [static] |
static force_inline uint32_t getPEDataDirRVA | ( | unsigned | n | ) | [static] |
Gets the virtual address of specified image data directory.
n | image directory requested |
static force_inline uint32_t getPEDataDirSize | ( | unsigned | n | ) | [static] |
Gets the size of the specified image data directory.
n | image directory requested |
static force_inline uint16_t getPEDllCharacteristics | ( | void | ) | [static] |
static force_inline uint32_t getPEFileAlignment | ( | void | ) | [static] |
static force_inline uint64_t getPEImageBase | ( | void | ) | [static] |
Return the PE ImageBase as 64-bit integer.
static force_inline bool getPEisDLL | ( | ) | [static] |
Returns whether this is a DLL. Use this only in a PE hook!
static uint32_t getPELFANew | ( | void | ) | [static] |
static force_inline uint32_t getPELoaderFlags | ( | void | ) | [static] |
static force_inline uint16_t getPEMachine | ( | ) | [static] |
Returns the CPU this executable runs on, see libclamav/pe.c for possible values.
static force_inline uint16_t getPEMajorImageVersion | ( | void | ) | [static] |
static static force_inline force_inline uint8_t getPEMajorLinkerVersion | ( | void | ) | [static] |
Returns MajorLinkerVersion for this PE file.
static force_inline uint16_t getPEMajorOperatingSystemVersion | ( | void | ) | [static] |
Return the PE MajorOperatingSystemVersion.
static force_inline uint16_t getPEMajorSubsystemVersion | ( | void | ) | [static] |
static force_inline uint16_t getPEMinorImageVersion | ( | void | ) | [static] |
static force_inline uint8_t getPEMinorLinkerVersion | ( | void | ) | [static] |
Returns MinorLinkerVersion for this PE file.
static force_inline uint16_t getPEMinorOperatingSystemVersion | ( | void | ) | [static] |
Return the PE MinorOperatingSystemVersion.
static force_inline uint16_t getPEMinorSubsystemVersion | ( | void | ) | [static] |
static force_inline uint32_t getPENumberOfSymbols | ( | ) | [static] |
static force_inline uint32_t getPEPointerToSymbolTable | ( | ) | [static] |
Returns the pointer to the PE debug symbol table.
static force_inline uint32_t getPESectionAlignment | ( | void | ) | [static] |
static force_inline uint32_t getPESizeOfCode | ( | void | ) | [static] |
static force_inline uint32_t getPESizeOfHeaders | ( | void | ) | [static] |
static force_inline uint32_t getPESizeOfHeapCommit | ( | void | ) | [static] |
static force_inline uint32_t getPESizeOfHeapReserve | ( | void | ) | [static] |
static force_inline uint32_t getPESizeOfImage | ( | void | ) | [static] |
static force_inline uint32_t getPESizeOfInitializedData | ( | void | ) | [static] |
static force_inline uint16_t getPESizeOfOptionalHeader | ( | ) | [static] |
Returns the size of PE optional header.
static force_inline uint32_t getPESizeOfStackCommit | ( | void | ) | [static] |
static force_inline uint32_t getPESizeOfStackReserve | ( | void | ) | [static] |
static force_inline uint32_t getPESizeOfUninitializedData | ( | void | ) | [static] |
Return the PE SizeofUninitializedData.
static force_inline uint16_t getPESubsystem | ( | void | ) | [static] |
static force_inline uint32_t getPETimeDateStamp | ( | ) | [static] |
static force_inline uint32_t getPEWin32VersionValue | ( | void | ) | [static] |
static uint32_t getSectionRVA | ( | unsigned | i | ) | [static] |
Returns the RVA of the specified section.
i | section index (from 0) |
static uint32_t getSectionVirtualSize | ( | unsigned | i | ) | [static] |
Return the virtual size of the specified section.
i | section index (from 0) |
static uint32_t getVirtualEntryPoint | ( | void | ) | [static] |
The address of the EntryPoint. Use this for matching EP against sections.
static force_inline bool hasExeInfo | ( | void | ) | [static] |
Returns whether the current file has executable information.
static force_inline bool hasPEInfo | ( | void | ) | [static] |
Returns whether PE information is available.
static int32_t ilog2_compat | ( | uint32_t | a, |
uint32_t | b | ||
) | [inline, static] |
ilog2_compat exists for 0.96 compatibility; you should use the ilog2() 0.96.1 API instead of this one!
static force_inline bool isPE64 | ( | void | ) | [static] |
static uint16_t force_inline le16_to_host | ( | uint16_t | v | ) | [static] |
Converts the specified value if needed, knowing it is in little endian order.
[in] | v | 16-bit integer as read from a file |
static uint32_t force_inline le32_to_host | ( | uint32_t | v | ) | [static] |
Converts the specified value if needed, knowing it is in little endian order.
[in] | v | 32-bit integer as read from a file |
static uint64_t force_inline le64_to_host | ( | uint64_t | v | ) | [static] |
Converts the specified value if needed, knowing it is in little endian order.
[in] | v | 64-bit integer as read from a file |
static force_inline uint32_t match_location | ( | __Signature | sig, |
uint32_t | goback | ||
) | [static] |
Returns the offset of the match.
sig | - Signature |
goback | - max length of signature |
static force_inline int32_t match_location_check | ( | __Signature | sig, |
uint32_t | goback, | ||
const char * | static_start, | ||
uint32_t | static_len | ||
) | [static] |
Like match_location(), but also checks that the match starts with the specified hex string.
sig | - signature |
goback | - maximum length of signature (till start of last subsig) |
static_start | - static string that sig must begin with |
static_len | - static string that sig must begin with - length |
static force_inline uint32_t matches | ( | __Signature | sig | ) | [static] |
Returns whether the specified subsignature has matched at least once.
sig | name of subsignature queried |
static void* memchr | ( | const void * | s, |
int | c, | ||
size_t | n | ||
) | [static] |
Scans the first n bytes of the buffer s for the character c.
[in] | s | buffer to scan |
c | character to look for | |
n | size of buffer |
void* void int memcmp | ( | const void * | s1, |
const void * | s2, | ||
uint32_t | n | ||
) |
Compares two memory buffers.
[in] | s1 | buffer one |
[in] | s2 | buffer two |
[in] | n | amount of bytes to compare |
Returns an integer less than, equal to, or greater than zero if the first n bytes of s1 are found, respectively, to be less than, to match, or be greater than the first n bytes of s2.
void* void memcpy | ( | void *restrict | dst,
const void *restrict | src, | ||
uintptr_t | n | ||
) |
Copies data between two non-overlapping buffers.
[out] | dst | destination buffer |
[in] | src | source buffer |
[in] | n | amount of bytes to copy |
void* memmove | ( | void * | dst, |
const void * | src, | ||
uintptr_t | n | ||
) |
Copies data between two possibly overlapping buffers.
[out] | dst | destination buffer |
[in] | src | source buffer |
[in] | n | amount of bytes to copy |
void* memset | ( | void * | src, |
int | c, | ||
uintptr_t | n | ||
) |
Fills the specified buffer to the specified value.
[out] | src | pointer to buffer |
[in] | c | character to fill buffer with |
[in] | n | length of buffer |
Returns src.
static force_inline int readPESectionName | ( | unsigned char | name[8], |
unsigned | n | ||
) | [static] |
Read name of requested PE section.
[out] | name | name of PE section |
[in] | n | PE section requested |
static force_inline bool readRVA | ( | uint32_t | rva, |
void * | buf, | ||
size_t | bufsize | ||
) | [static] |
Reads the specified number of bytes from the PE file, starting at the address specified by the RVA.
rva | the Relative Virtual Address you want to read from (will be converted to file offset) | |
[out] | buf | destination buffer |
bufsize | size of buffer |