Enumerations | |
enum | BytecodeKind { BC_GENERIC = 0 , BC_LOGICAL = 256, BC_PE_UNPACKER } |
enum | { PE_INVALID_RVA = 0xFFFFFFFF } |
enum | FunctionalityLevels |
enum | pdf_phase |
enum | pdf_flag |
enum | pdf_objflags |
enum | { SEEK_SET = 0, SEEK_CUR, SEEK_END } |
Functions | |
uint32_t | test1 (uint32_t a, uint32_t b) |
int32_t | read (uint8_t *data, int32_t size) |
Reads specified amount of bytes from the current file into a buffer. Also moves current position in the file. | |
int32_t | write (uint8_t *data, int32_t size) |
Writes the specified amount of bytes from a buffer to the current temporary file. | |
int32_t | seek (int32_t pos, uint32_t whence) |
Changes the current file position to the specified one. | |
uint32_t | setvirusname (const uint8_t *name, uint32_t len) |
uint32_t | debug_print_str (const uint8_t *str, uint32_t len) |
uint32_t | debug_print_uint (uint32_t a) |
uint32_t | disasm_x86 (struct DISASM_RESULT *result, uint32_t len) |
uint32_t | pe_rawaddr (uint32_t rva) |
int32_t | file_find (const uint8_t *data, uint32_t len) |
int32_t | file_byteat (uint32_t offset) |
void * | malloc (uint32_t size) |
uint32_t | test2 (uint32_t a) |
int32_t | get_pe_section (struct cli_exe_section *section, uint32_t num) |
int32_t | fill_buffer (uint8_t *buffer, uint32_t len, uint32_t filled, uint32_t cursor, uint32_t fill) |
int32_t | extract_new (int32_t id) |
int32_t | read_number (uint32_t radix) |
int32_t | hashset_new (void) |
int32_t | hashset_add (int32_t hs, uint32_t key) |
int32_t | hashset_remove (int32_t hs, uint32_t key) |
int32_t | hashset_contains (int32_t hs, uint32_t key) |
int32_t | hashset_done (int32_t id) |
int32_t | hashset_empty (int32_t id) |
int32_t | buffer_pipe_new (uint32_t size) |
int32_t | buffer_pipe_new_fromfile (uint32_t pos) |
uint32_t | buffer_pipe_read_avail (int32_t id) |
uint8_t * | buffer_pipe_read_get (int32_t id, uint32_t amount) |
int32_t | buffer_pipe_read_stopped (int32_t id, uint32_t amount) |
uint32_t | buffer_pipe_write_avail (int32_t id) |
uint8_t * | buffer_pipe_write_get (int32_t id, uint32_t size) |
int32_t | buffer_pipe_write_stopped (int32_t id, uint32_t amount) |
int32_t | buffer_pipe_done (int32_t id) |
int32_t | inflate_init (int32_t from_buffer, int32_t to_buffer, int32_t windowBits) |
int32_t | inflate_process (int32_t id) |
int32_t | inflate_done (int32_t id) |
int32_t | bytecode_rt_error (int32_t locationid) |
int32_t | jsnorm_init (int32_t from_buffer) |
int32_t | jsnorm_process (int32_t id) |
int32_t | jsnorm_done (int32_t id) |
int32_t | ilog2 (uint32_t a, uint32_t b) |
int32_t | ipow (int32_t a, int32_t b, int32_t c) |
uint32_t | iexp (int32_t a, int32_t b, int32_t c) |
int32_t | isin (int32_t a, int32_t b, int32_t c) |
int32_t | icos (int32_t a, int32_t b, int32_t c) |
int32_t | memstr (const uint8_t *haystack, int32_t haysize, const uint8_t *needle, int32_t needlesize) |
int32_t | hex2ui (uint32_t hex1, uint32_t hex2) |
int32_t | atoi (const uint8_t *str, int32_t size) |
uint32_t | debug_print_str_start (const uint8_t *str, uint32_t len) |
uint32_t | debug_print_str_nonl (const uint8_t *str, uint32_t len) |
uint32_t | entropy_buffer (uint8_t *buffer, int32_t size) |
int32_t | map_new (int32_t keysize, int32_t valuesize) |
int32_t | map_addkey (const uint8_t *key, int32_t ksize, int32_t id) |
int32_t | map_setvalue (const uint8_t *value, int32_t vsize, int32_t id) |
int32_t | map_remove (const uint8_t *key, int32_t ksize, int32_t id) |
int32_t | map_find (const uint8_t *key, int32_t ksize, int32_t id) |
int32_t | map_getvaluesize (int32_t id) |
uint8_t * | map_getvalue (int32_t id, int32_t size) |
int32_t | map_done (int32_t id) |
int32_t | file_find_limit (const uint8_t *data, uint32_t len, int32_t maxpos) |
uint32_t | engine_functionality_level (void) |
uint32_t | engine_dconf_level (void) |
uint32_t | engine_scan_options (void) |
uint32_t | engine_db_options (void) |
int32_t | extract_set_container (uint32_t container) |
int32_t | input_switch (int32_t extracted_file) |
uint32_t | get_environment (struct cli_environment *env, uint32_t len) |
uint32_t | disable_bytecode_if (const int8_t *reason, uint32_t len, uint32_t cond) |
uint32_t | disable_jit_if (const int8_t *reason, uint32_t len, uint32_t cond) |
int32_t | version_compare (const uint8_t *lhs, uint32_t lhs_len, const uint8_t *rhs, uint32_t rhs_len) |
uint32_t | check_platform (uint32_t a, uint32_t b, uint32_t c) |
int32_t | pdf_get_obj_num (void) |
int32_t | pdf_get_flags (void) |
int32_t | pdf_set_flags (int32_t flags) |
int32_t | pdf_lookupobj (uint32_t id) |
uint32_t | pdf_getobjsize (int32_t objidx) |
uint8_t * | pdf_getobj (int32_t objidx, uint32_t amount) |
int32_t | pdf_get_phase (void) |
int32_t | pdf_get_dumpedobjid (void) |
int32_t | matchicon (const uint8_t *group1, int32_t group1_len, const uint8_t *group2, int32_t group2_len) |
Variables | |
const uint32_t | __clambc_match_counts [64] |
Logical signature match counts. | |
const uint32_t | __clambc_match_offsets [64] |
Logical signature match offsets. This is a low-level variable, use the Macros in bytecode_local.h instead to access it. | |
struct cli_pe_hook_data | __clambc_pedata |
const uint32_t | __clambc_filesize [1] |
const uint16_t | __clambc_kind |
anonymous enum |
enum BytecodeKind |
enum FunctionalityLevels |
LibClamAV functionality level constants
enum pdf_flag |
PDF flags
enum pdf_objflags |
PDF obj flags
enum pdf_phase |
Phase of PDF parsing
int32_t atoi | ( | const uint8_t * | str, |
int32_t | size | ||
) |
Converts string to positive number.
str | buffer |
size | size of str |
int32_t buffer_pipe_done | ( | int32_t | id | ) |
Deallocate memory used by buffer.
id | ID of buffer_pipe |
int32_t buffer_pipe_new | ( | uint32_t | size | ) |
Creates a new pipe with the specified buffer size
size | size of buffer |
int32_t buffer_pipe_new_fromfile | ( | uint32_t | pos | ) |
Same as buffer_pipe_new, except the pipe's input is tied to the current file at the specified position.
pos | starting position of pipe input in current file |
uint32_t buffer_pipe_read_avail | ( | int32_t | id | ) |
Returns the amount of bytes available to read.
id | ID of buffer_pipe |
uint8_t* buffer_pipe_read_get | ( | int32_t | id, |
uint32_t | amount | ||
) |
Returns a pointer to the buffer for reading.
id | ID of buffer_pipe |
amount | to read |
int32_t buffer_pipe_read_stopped | ( | int32_t | id, |
uint32_t | amount | ||
) |
id | ID of buffer_pipe |
amount | amount of bytes to move read cursor |
uint32_t buffer_pipe_write_avail | ( | int32_t | id | ) |
Returns the amount of bytes available for writing.
id | ID of buffer_pipe |
uint8_t* buffer_pipe_write_get | ( | int32_t | id, |
uint32_t | size | ||
) |
id | ID of buffer_pipe |
size | amount of bytes to write |
int32_t buffer_pipe_write_stopped | ( | int32_t | id, |
uint32_t | amount | ||
) |
Updates the write cursor in buffer_pipe.
id | ID of buffer_pipe |
amount | amount of bytes to move write cursor |
int32_t bytecode_rt_error | ( | int32_t | locationid | ) |
Report a runtime error at the specified locationID.
locationid | (line << 8) | (column&0xff) |
uint32_t check_platform | ( | uint32_t | a, |
uint32_t | b, | ||
uint32_t | c | ||
) |
Disables the JIT if the platform id matches. 0xff can be used instead of a field to mark ANY.
a | - os_category << 24 | arch << 20 | compiler << 16 | flevel << 8 | dconf |
b | - big_endian << 28 | sizeof_ptr << 24 | cpp_version |
c | - os_features << 24 | c_version |
uint32_t debug_print_str | ( | const uint8_t * | str, |
uint32_t | len | ||
) |
Prints a debug message.
[in] | str | Message to print |
[in] | len | length of message to print |
uint32_t debug_print_str_nonl | ( | const uint8_t * | str, |
uint32_t | len | ||
) |
Prints a debug message with a trailing newline, and not preceded by 'LibClamAV debug'.
str | the string |
len | length of str |
uint32_t debug_print_str_start | ( | const uint8_t * | str, |
uint32_t | len | ||
) |
Prints a debug message with a trailing newline, but preceded by 'LibClamAV debug'.
str | the string |
len | length of str |
uint32_t debug_print_uint | ( | uint32_t | a | ) |
Prints a number as a debug message. This is like debug_print_str_nonl!
[in] | a | number to print |
uint32_t disable_bytecode_if | ( | const int8_t * | reason, |
uint32_t | len, | ||
uint32_t | cond | ||
) |
Disables the bytecode completely if condition is true. Can only be called from the BC_STARTUP bytecode.
reason | - why the bytecode had to be disabled |
len | - length of reason |
cond | - condition |
uint32_t disable_jit_if | ( | const int8_t * | reason, |
uint32_t | len, | ||
uint32_t | cond | ||
) |
Disables the JIT completely if condition is true. Can only be called from the BC_STARTUP bytecode.
reason | - why the JIT had to be disabled |
len | - length of reason |
cond | - condition |
uint32_t disasm_x86 | ( | struct DISASM_RESULT * | result, |
uint32_t | len | ||
) |
Disassembles starting from current file position, the specified amount of bytes.
[out] | result | pointer to struct holding result |
[in] | len | how many bytes to disassemble |
You can use seek to disassemble starting from a different location. This is a low-level API; the result is in ClamAV type-8 signature format (64 bytes/instruction).
uint32_t engine_db_options | ( | void | ) |
uint32_t engine_dconf_level | ( | void | ) |
Returns the current engine (dconf) functionality level. Usually identical to engine_functionality_level(), unless the distribution has backported patches. Compare with FunctionalityLevels.
uint32_t engine_functionality_level | ( | void | ) |
Returns the current engine (feature) functionality level. To map these to ClamAV releases, compare it with FunctionalityLevels.
uint32_t engine_scan_options | ( | void | ) |
uint32_t entropy_buffer | ( | uint8_t * | buffer, |
int32_t | size | ||
) |
Returns an approximation for the entropy of buffer.
buffer | input buffer |
size | size of buffer |
int32_t extract_new | ( | int32_t | id | ) |
Prepares for extracting a new file; if one has already been extracted, it is scanned first.
[in] | id | an id for the new file (for example position in container) |
int32_t extract_set_container | ( | uint32_t | container | ) |
Sets the container type for the currently extracted file.
container | container type (CL_TYPE_*) |
int32_t file_byteat | ( | uint32_t | offset | ) |
Read a single byte from current file
offset | file offset |
Returns the byte at the given offset in the current file, or -1 if offset is invalid.
int32_t file_find | ( | const uint8_t * | data, |
uint32_t | len | ||
) |
Looks for the specified sequence of bytes in the current file.
[in] | data | the sequence of bytes to look for |
len | length of data , cannot be more than 1024 |
int32_t file_find_limit | ( | const uint8_t * | data, |
uint32_t | len, | ||
int32_t | maxpos | ||
) |
Looks for the specified sequence of bytes in the current file, up to the specified position.
[in] | data | the sequence of bytes to look for |
len | length of data , cannot be more than 1024 | |
maxpos | maximum position to look for a match, note that this is 1 byte after the end of last possible match: match_pos + len < maxpos |
int32_t fill_buffer | ( | uint8_t * | buffer, |
uint32_t | len, | ||
uint32_t | filled, | ||
uint32_t | cursor, | ||
uint32_t | fill | ||
) |
Fills the specified buffer with at least fill bytes.
[out] | buffer | the buffer to fill |
[in] | len | length of buffer |
[in] | filled | how much of the buffer is currently filled |
[in] | cursor | position of cursor in buffer |
[in] | fill | amount of bytes to fill in (0 is valid) |
uint32_t get_environment | ( | struct cli_environment * | env, |
uint32_t | len | ||
) |
Queries the environment this bytecode runs in. Used by BC_STARTUP to disable bytecode when bugs are known for the current platform.
[out] | env | - the full environment |
len | - size of env |
int32_t get_pe_section | ( | struct cli_exe_section * | section, |
uint32_t | num | ||
) |
Gets information about the specified PE section.
[out] | section | PE section information will be stored here |
[in] | num | PE section number |
int32_t hashset_add | ( | int32_t | hs, |
uint32_t | key | ||
) |
Add a new 32-bit key to the hashset.
hs | ID of hashset (from hashset_new) |
key | the key to add |
int32_t hashset_contains | ( | int32_t | hs, |
uint32_t | key | ||
) |
Returns whether the hashset contains the specified key.
hs | ID of hashset (from hashset_new) |
key | the key to lookup |
int32_t hashset_done | ( | int32_t | id | ) |
Deallocates the memory used by the specified hashset.
id | ID of hashset (from hashset_new) |
int32_t hashset_empty | ( | int32_t | id | ) |
Returns whether the hashset is empty.
id | of hashset (from hashset_new) |
int32_t hashset_new | ( | void | ) |
int32_t hashset_remove | ( | int32_t | hs, |
uint32_t | key | ||
) |
Remove a 32-bit key from the hashset.
hs | ID of hashset (from hashset_new) |
key | the key to remove |
int32_t hex2ui | ( | uint32_t | hex1, |
uint32_t | hex2 | ||
) |
Returns the hexadecimal characters hex1 and hex2 converted to an 8-bit number.
hex1 | hexadecimal character |
hex2 | hexadecimal character |
int32_t icos | ( | int32_t | a, |
int32_t | b, | ||
int32_t | c | ||
) |
uint32_t iexp | ( | int32_t | a, |
int32_t | b, | ||
int32_t | c | ||
) |
int32_t ilog2 | ( | uint32_t | a, |
uint32_t | b | ||
) |
int32_t inflate_done | ( | int32_t | id | ) |
Deallocates inflate data structure. Using the inflate data structure after this will result in an error. All inflate data structures are automatically deallocated when bytecode finishes execution.
id | ID of inflate data structure |
int32_t inflate_init | ( | int32_t | from_buffer, |
int32_t | to_buffer, | ||
int32_t | windowBits | ||
) |
Initializes inflate data structures for decompressing data
from_buffer | ID of buffer_pipe to read compressed data from |
to_buffer | ID of buffer_pipe to write decompressed data to |
windowBits | (see zlib documentation) |
int32_t inflate_process | ( | int32_t | id | ) |
Inflate all available data in the input buffer, and write to output buffer. Stops when the input buffer becomes empty, or write buffer becomes full. Also attempts to recover from corrupted inflate stream (via inflateSync). This function can be called repeatedly on success after filling the input buffer, and flushing the output buffer. The inflate stream is done processing when 0 bytes are available from output buffer, and input buffer is not empty.
id | ID of inflate data structure |
int32_t input_switch | ( | int32_t | extracted_file | ) |
Toggles the read/seek API to read from the currently extracted file, and back. You must call seek after switching inputs to position the cursor to a valid position.
extracted_file | 1 - switch to reading from extracted file, 0 - switch back to original input |
int32_t ipow | ( | int32_t | a, |
int32_t | b, | ||
int32_t | c | ||
) |
int32_t isin | ( | int32_t | a, |
int32_t | b, | ||
int32_t | c | ||
) |
int32_t jsnorm_done | ( | int32_t | id | ) |
Flushes JS normalizer.
id | ID of js normalizer to flush |
int32_t jsnorm_init | ( | int32_t | from_buffer | ) |
Initializes JS normalizer for reading 'from_buffer'. Normalized JS will be written to a single tempfile, one normalized JS per line, and automatically scanned when the bytecode finishes execution.
from_buffer | ID of buffer_pipe to read javascript from |
int32_t jsnorm_process | ( | int32_t | id | ) |
Normalize all javascript from the input buffer, and write to tempfile. You can call this function repeatedly on success, if you (re)fill the input buffer.
id | ID of JS normalizer |
void* malloc | ( | uint32_t | size | ) |
Allocates memory. Currently this memory is freed automatically on exit from the bytecode, and there is no way to free it sooner.
size | amount of memory to allocate in bytes |
int32_t map_addkey | ( | const uint8_t * | key, |
int32_t | ksize, | ||
int32_t | id | ||
) |
Inserts the specified key/value pair into the map.
id | id of table |
key | key |
ksize | size of key |
int32_t map_done | ( | int32_t | id | ) |
Deallocates the memory used by the specified map. Trying to use the map after this will result in an error. All maps are automatically deallocated when the bytecode finishes execution.
id | id of map |
int32_t map_find | ( | const uint8_t * | key, |
int32_t | ksize, | ||
int32_t | id | ||
) |
Looks up key in map. The map remembers the last looked up key (so you can retrieve the value).
id | id of map |
key | key |
ksize | size of key |
uint8_t* map_getvalue | ( | int32_t | id, |
int32_t | size | ||
) |
Returns the value obtained during last map_find.
id | id of map. |
size | size of value (obtained from map_getvaluesize) |
int32_t map_getvaluesize | ( | int32_t | id | ) |
Returns the size of value obtained during last map_find.
id | id of map. |
int32_t map_new | ( | int32_t | keysize, |
int32_t | valuesize | ||
) |
Creates a new map and returns its id.
keysize | size of key |
valuesize | size of value, if 0 then value is allocated separately |
int32_t map_remove | ( | const uint8_t * | key, |
int32_t | ksize, | ||
int32_t | id | ||
) |
Remove an element from the map.
id | id of map |
key | key |
ksize | size of key |
int32_t map_setvalue | ( | const uint8_t * | value, |
int32_t | vsize, | ||
int32_t | id | ||
) |
Sets the value for the last inserted key with map_addkey.
id | id of table |
value | value |
vsize | size of value |
int32_t matchicon | ( | const uint8_t * | group1, |
int32_t | group1_len, | ||
const uint8_t * | group2, | ||
int32_t | group2_len | ||
) |
Attempts to match current executable's icon against the specified icon groups.
[in] | group1 | - same as GROUP1 in LDB signatures |
group1_len | - length of group1 | |
[in] | group2 | - same as GROUP2 in LDB signatures |
group2_len | - length of group2 |
int32_t memstr | ( | const uint8_t * | haystack, |
int32_t | haysize, | ||
const uint8_t * | needle, | ||
int32_t | needlesize | ||
) |
Return position of match, -1 otherwise.
haystack | buffer to search |
haysize | size of haystack |
needle | substring to search |
needlesize | size of needle |
int32_t pdf_get_dumpedobjid | ( | void | ) |
Return the currently dumped obj index.
int32_t pdf_get_flags | ( | void | ) |
Return the flags for the entire PDF (as set so far).
int32_t pdf_get_obj_num | ( | void | ) |
Return number of pdf objects
int32_t pdf_get_phase | ( | void | ) |
uint8_t* pdf_getobj | ( | int32_t | objidx, |
uint32_t | amount | ||
) |
Return the undecoded object.
objidx | - object index (from 0), not object id! |
amount | - size returned by pdf_getobjsize (or smaller) |
uint32_t pdf_getobjsize | ( | int32_t | objidx | ) |
Return the size of the specified PDF obj.
objidx | - object index (from 0), not object id! |
int32_t pdf_lookupobj | ( | uint32_t | id | ) |
Lookup pdf object with specified id.
id | - pdf id (objnumber << 8 | generationid) |
int32_t pdf_set_flags | ( | int32_t | flags | ) |
Sets the flags for the entire PDF. It is recommended that you retrieve old flags, and just add new ones.
flags | - flags to set. |
uint32_t pe_rawaddr | ( | uint32_t | rva | ) |
Converts a RVA (Relative Virtual Address) to an absolute PE file offset.
rva | a rva address from the PE file |
Returns the file offset mapped to the rva, or PE_INVALID_RVA if the rva is invalid.
int32_t read | ( | uint8_t * | data, |
int32_t | size | ||
) |
Reads specified amount of bytes from the current file into a buffer. Also moves current position in the file.
[in] | size | amount of bytes to read |
[out] | data | pointer to buffer where data is read into |
int32_t read_number | ( | uint32_t | radix | ) |
Reads a number in the specified radix starting from the current position.
[in] | radix | 10 or 16 |
int32_t seek | ( | int32_t | pos, |
uint32_t | whence | ||
) |
Changes the current file position to the specified one.
[in] | pos | offset (absolute or relative depending on whence param) |
[in] | whence | one of SEEK_SET , SEEK_CUR , SEEK_END |
uint32_t setvirusname | ( | const uint8_t * | name, |
uint32_t | len | ||
) |
Sets the name of the virus found.
[in] | name | the name of the virus |
[in] | len | length of the virusname |
uint32_t test1 | ( | uint32_t | a, |
uint32_t | b | ||
) |
Test api.
a | 0xf00dbeef |
b | 0xbeeff00d |
uint32_t test2 | ( | uint32_t | a | ) |
Test api2.
a | 0xf00d |
int32_t version_compare | ( | const uint8_t * | lhs, |
uint32_t | lhs_len, | ||
const uint8_t * | rhs, | ||
uint32_t | rhs_len | ||
) |
Compares two version numbers.
[in] | lhs | - left hand side of comparison |
lhs_len | - length of lhs | |
[in] | rhs | - right hand side of comparison |
rhs_len | - length of rhs |
int32_t write | ( | uint8_t * | data, |
int32_t | size | ||
) |
Writes the specified amount of bytes from a buffer to the current temporary file.
[in] | data | pointer to buffer of data to write |
[in] | size | amount of bytes to write |
Writes size bytes to the temporary file from the buffer pointed to by data.
const uint32_t __clambc_filesize[1] |
File size (max 4G).
const uint16_t __clambc_kind |
Kind of the bytecode
const uint32_t __clambc_match_counts[64] |
Logical signature match counts.
This is a low-level variable, use the Macros in bytecode_local.h instead to access it.
const uint32_t __clambc_match_offsets[64] |
Logical signature match offsets. This is a low-level variable, use the Macros in bytecode_local.h instead to access it.
struct cli_pe_hook_data __clambc_pedata |
PE data, if this is a PE hook.