00001 /*
00002  *  Copyright (C) 2009-2010 Sourcefire, Inc.
00003  *  All rights reserved.
00004  *  Authors: Török Edvin
00005  *
00006  * Redistribution and use in source and binary forms, with or without
00007  * modification, are permitted provided that the following conditions
00008  * are met:
00009  * 1. Redistributions of source code must retain the above copyright
00010  *    notice, this list of conditions and the following disclaimer.
00011  * 2. Redistributions in binary form must reproduce the above copyright
00012  *    notice, this list of conditions and the following disclaimer in the
00013  *    documentation and/or other materials provided with the distribution.
00014  *
00015  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
00016  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
00017  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
00018  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
00019  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
00020  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
00021  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
00022  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
00023  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
00024  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
00025  * SUCH DAMAGE.
00026  */
00027 
00029 #ifndef BYTECODE_API_H
00030 #define BYTECODE_API_H
00031 
00032 #ifdef __CLAMBC__
00033 #include "bytecode_execs.h"
00034 #include "bytecode_pe.h"
00035 #include "bytecode_disasm.h"
00036 #include "bytecode_detect.h"
00037 #endif
00038 
00039 #ifndef __CLAMBC__
00040 struct cli_exe_section;
00041 struct DISASM_RESULT;
00042 #endif
00043 
/* Kind of a bytecode program.  Compiled bytecode carries these numbers, so
 * every enumerator is pinned explicitly: append new kinds, never renumber.
 * _BC_START_HOOKS and _BC_LAST_HOOK are range markers (presumably the hook
 * kinds are those in [_BC_START_HOOKS, _BC_LAST_HOOK)); their names sit in
 * the identifier space C reserves for the implementation (leading underscore
 * followed by an uppercase letter) but are kept for compatibility. */
enum BytecodeKind {
    BC_GENERIC      = 0,
    BC_STARTUP      = 1,
    _BC_START_HOOKS = 256,  /* first hook kind */
    BC_LOGICAL      = 256,  /* same value as _BC_START_HOOKS */
    BC_PE_UNPACKER  = 257,
    BC_PDF          = 258,  /* PDF hook */
    BC_PE_ALL       = 259,  /* both packed and unpacked files */
    _BC_LAST_HOOK   = 260   /* one past the last hook kind */
};
00059 
/* Sentinel for an RVA that cannot be mapped; presumably the value pe_rawaddr()
 * returns on failure — confirm against the engine.
 * NOTE(review): 0xFFFFFFFF is not representable as int, so using it as an
 * enumerator relies on a compiler extension (C11 6.7.2.2 requires int-range
 * values).  Left unchanged because existing bytecode references the name. */
enum {
  PE_INVALID_RVA = 0xFFFFFFFF
};
00064 
/* Engine functionality levels, presumably the values returned by
 * engine_functionality_level() (declared below) — confirm.
 * All values are written out explicitly so that the duplicated level 54
 * (FUNC_LEVEL_096_1_dev and FUNC_LEVEL_096_2) and the gap between 57 and 61
 * are visible rather than implied by position. */
enum FunctionalityLevels {
    FUNC_LEVEL_096       = 51,
    FUNC_LEVEL_096_dev   = 52,
    FUNC_LEVEL_096_1     = 53,
    FUNC_LEVEL_096_1_dev = 54,
    FUNC_LEVEL_096_2     = 54,  /* deliberately equal to FUNC_LEVEL_096_1_dev */
    FUNC_LEVEL_096_2_dev = 55,  /* 0.93 too */
    FUNC_LEVEL_096_4     = 56,
    FUNC_LEVEL_097       = 57,
    FUNC_LEVEL_097_1     = 61,
    FUNC_LEVEL_097_2     = 62,
    FUNC_LEVEL_097_3     = 63
};
00079 
/* Phase of the PDF scan, presumably the value returned by pdf_get_phase()
 * (declared below) — confirm.  PDF_PHASE_PRE carries the highest number even
 * though it describes the earliest moment, so numeric order is not scan
 * order; values are pinned explicitly to keep that stable. */
enum pdf_phase {
    PDF_PHASE_NONE     = 0,  /* not a PDF */
    PDF_PHASE_PARSED   = 1,  /* after parsing a PDF; object flags can be set etc. */
    PDF_PHASE_POSTDUMP = 2,  /* after an object was dumped and scanned */
    PDF_PHASE_END      = 3,  /* after the PDF scan finished */
    PDF_PHASE_PRE      = 4   /* before the PDF is parsed at all */
};
00088 
/* Per-document PDF flags.  Presumably used as bit positions in the int32_t
 * handled by pdf_get_flags()/pdf_set_flags() (21 entries fit) — confirm.
 * Values are pinned explicitly because compiled bytecode depends on them:
 * add new flags at the end only. */
enum pdf_flag {
    BAD_PDF_VERSION        = 0,
    BAD_PDF_HEADERPOS      = 1,
    BAD_PDF_TRAILER        = 2,
    BAD_PDF_TOOMANYOBJS    = 3,
    BAD_STREAM_FILTERS     = 4,
    BAD_FLATE              = 5,
    BAD_FLATESTART         = 6,
    BAD_STREAMSTART        = 7,
    BAD_ASCIIDECODE        = 8,
    BAD_INDOBJ             = 9,
    UNTERMINATED_OBJ_DICT  = 10,
    ESCAPED_COMMON_PDFNAME = 11,
    HEX_JAVASCRIPT         = 12,
    UNKNOWN_FILTER         = 13,
    MANY_FILTERS           = 14,
    HAS_OPENACTION         = 15,
    BAD_STREAMLEN          = 16,
    ENCRYPTED_PDF          = 17,
    LINEARIZED_PDF         = 18,  /* informational, not a "bad" indicator */
    DECRYPTABLE_PDF        = 19,
    HAS_LAUNCHACTION       = 20
};
00113 
/* Per-object PDF flags.  Presumably bit positions in the int32_t returned by
 * pdf_getobjflags() and passed to pdf_setobjflags() (23 entries fit) —
 * confirm.  Values are pinned explicitly because compiled bytecode depends
 * on them: add new flags at the end only. */
enum pdf_objflags {
    OBJ_STREAM          = 0,
    OBJ_DICT            = 1,
    OBJ_EMBEDDED_FILE   = 2,
    OBJ_FILTER_AH       = 3,
    OBJ_FILTER_A85      = 4,
    OBJ_FILTER_FLATE    = 5,
    OBJ_FILTER_LZW      = 6,
    OBJ_FILTER_RL       = 7,
    OBJ_FILTER_FAX      = 8,
    OBJ_FILTER_JBIG2    = 9,
    OBJ_FILTER_DCT      = 10,
    OBJ_FILTER_JPX      = 11,
    OBJ_FILTER_CRYPT    = 12,
    OBJ_FILTER_UNKNOWN  = 13,
    OBJ_JAVASCRIPT      = 14,
    OBJ_OPENACTION      = 15,
    OBJ_HASFILTERS      = 16,
    OBJ_SIGNED          = 17,
    OBJ_IMAGE           = 18,
    OBJ_TRUNCATED       = 19,
    OBJ_FORCEDUMP       = 20,  /* settable by bytecode via pdf_setobjflags() */
    OBJ_FILTER_STANDARD = 21,
    OBJ_LAUNCHACTION    = 22
};
00140 
00141 #ifdef __CLAMBC__
00142 
/* --------------- BEGIN GLOBALS -------------------------------------------- */
/* Match counts, presumably one per subsignature of the triggering signature —
 * confirm.  Fixed at 64 entries: any index the bytecode uses must be < 64. */
extern const uint32_t __clambc_match_counts[64];

/* Match offsets parallel to __clambc_match_counts; same 64-entry bound. */
extern const uint32_t __clambc_match_offsets[64];

/* PE data for the current file (struct cli_pe_hook_data is not declared in
 * this header; presumably it comes from bytecode_pe.h, included above). */
extern const struct cli_pe_hook_data __clambc_pedata;
/* One-element array; presumably holds the size of the current file. */
extern const uint32_t __clambc_filesize[1];

/* Kind of this bytecode (presumably a BytecodeKind value).
 * NOTE(review): unlike the globals above this is not declared extern and has
 * no initializer, so it is a tentative definition rather than a declaration;
 * presumably the bytecode compiler supplies the value — confirm. */
const uint16_t __clambc_kind;
/* ---------------- END GLOBALS --------------------------------------------- */
/* ---------------- BEGIN 0.96 APIs (don't touch) --------------------------- */
/* Self-test hook.  Presumably returns a fixed marker when (a, b) equal the
 * engine's expected constants — confirm before relying on it. */
uint32_t test1(uint32_t a, uint32_t b);

/* Read from the current file into `data`.
 * Only visible under __CLAMBC__, where it replaces (and shares the name of)
 * POSIX read().
 * @param data - destination buffer; must have room for `size` bytes
 * @param size - requested byte count.  Signed: negative values are
 *               meaningless and the host side must reject them — confirm
 * @return presumably the number of bytes read, -1 on error — confirm */
int32_t read(uint8_t *data, int32_t size);
00189 
/* Origin values, presumably for the `whence` argument of seek() declared
 * below — confirm.  Numerically identical to the C library's SEEK_* macros;
 * only visible under __CLAMBC__. */
enum {
    SEEK_SET = 0,  /* relative to the start of the file */
    SEEK_CUR = 1,  /* relative to the current position */
    SEEK_END = 2   /* relative to the end of the file */
};
00198 
/* Write `size` bytes from `data`.  Only visible under __CLAMBC__, where it
 * replaces (and shares the name of) POSIX write().
 * @param data - source buffer
 * @param size - byte count; signed, same caveat as read()
 * @return presumably the number of bytes written, -1 on error — confirm */
int32_t write(uint8_t *data, int32_t size);

/* Move the current file position.
 * @param pos    - offset, interpreted according to `whence`
 * @param whence - SEEK_SET, SEEK_CUR or SEEK_END (enum above)
 * @return presumably the new absolute position, -1 on error — confirm */
int32_t seek(int32_t pos, uint32_t whence);

/* Set the name reported for a detection.
 * @param name - name bytes; `len` is explicit, so no NUL terminator is implied
 * @param len  - number of bytes in `name` */
uint32_t setvirusname(const uint8_t *name, uint32_t len);

/* Debug output of a length-delimited byte string. */
uint32_t debug_print_str(const uint8_t *str, uint32_t len);

/* Debug output of an unsigned integer. */
uint32_t debug_print_uint(uint32_t a);

/* Disassemble x86 code.  struct DISASM_RESULT is only forward-declared here
 * (presumably defined in bytecode_disasm.h).
 * @param result - output record filled in by the engine
 * @param len    - presumably the number of bytes to consider — confirm */
uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len);

/* tracing API */

/* a scope: lexical block, function, or compile unit */
/* Source-level tracing hooks for the bytecode itself.  Parameters named
 * `dummy` presumably exist only to keep the uniform (pointer, uint32)
 * shape — confirm. */
uint32_t trace_directory(const uint8_t* directory, uint32_t dummy);
uint32_t trace_scope(const uint8_t* newscope, uint32_t scopeid);
uint32_t trace_source(const uint8_t* srcfile, uint32_t line);
uint32_t trace_op(const uint8_t* opname, uint32_t column);
uint32_t trace_value(const uint8_t* name, uint32_t v);
uint32_t trace_ptr(const uint8_t* ptr, uint32_t dummy);

/* Convert a PE relative virtual address to a raw file offset.
 * @param rva - relative virtual address
 * @return presumably the raw offset, or PE_INVALID_RVA when `rva` maps to no
 *         section — confirm */
uint32_t pe_rawaddr(uint32_t rva);

/* Search the current file for the `len` bytes at `data`.
 * @return presumably the offset of the first match, -1 if none/error —
 *         confirm.  Note the int32_t return cannot represent offsets above
 *         INT32_MAX although file offsets elsewhere are uint32_t. */
int32_t file_find(const uint8_t* data, uint32_t len);

/* Read one byte of the current file.
 * @param offset - absolute position
 * @return presumably the byte value, -1 when out of range — confirm */
int32_t file_byteat(uint32_t offset);

/* Bytecode-side allocator.  Shares its name with C malloc() but takes a
 * uint32_t; only visible under __CLAMBC__.  No free() is declared in this
 * header, so the lifetime of the returned block is decided by the engine —
 * presumably released when the bytecode run ends; confirm. */
void* malloc(uint32_t size);

/* Self-test hook, companion of test1(). */
uint32_t test2(uint32_t a);

/* Fill `section` with data for PE section number `num`.
 * struct cli_exe_section is only forward-declared here.
 * @return presumably 0 on success, -1 for an invalid section index — confirm */
int32_t get_pe_section(struct cli_exe_section *section, uint32_t num);

/* Top up a caller-owned buffer from the current file.
 * @param buffer - buffer of capacity `len`
 * @param len    - capacity of `buffer`
 * @param filled - bytes currently valid in `buffer`
 * @param cursor - position up to which the caller has consumed `buffer`
 * @param fill   - presumably the minimum number of bytes wanted — confirm
 * @return not documented here; confirm the success/EOF/error convention */
int32_t fill_buffer(uint8_t* buffer, uint32_t len, uint32_t filled,
                    uint32_t cursor, uint32_t fill);

/* Start a new extracted file identified by `id` (the id is chosen by the
 * bytecode, e.g. a position within a container). */
int32_t extract_new(int32_t id);

/* Parse an integer in base `radix` from the current file position. */
int32_t read_number(uint32_t radix);

/* Hash sets of uint32_t keys, referred to by an int32_t handle.
 * hashset_new() returns the handle (presumably negative on failure — confirm);
 * hashset_done() releases it.  Handles are engine-side resources, so every
 * hashset_new() should be paired with hashset_done(). */
int32_t hashset_new(void);

int32_t hashset_add(int32_t hs, uint32_t key);

int32_t hashset_remove(int32_t hs, uint32_t key);

int32_t hashset_contains(int32_t hs, uint32_t key);

int32_t hashset_done(int32_t id);

int32_t hashset_empty(int32_t id);

/* Byte pipes, referred to by an int32_t handle.
 * buffer_pipe_new() creates an empty pipe of `size` bytes;
 * buffer_pipe_new_fromfile() creates one fed from the current file starting
 * at `pos`.  The *_get() calls return a pointer into engine-owned storage for
 * `amount`/`size` bytes — presumably NULL when that much is not available and
 * valid only until the matching *_stopped() call; confirm.  Bytecode must not
 * touch memory beyond the amount it asked for.  buffer_pipe_done() releases
 * the handle. */
int32_t  buffer_pipe_new(uint32_t size);

int32_t  buffer_pipe_new_fromfile(uint32_t pos);

uint32_t buffer_pipe_read_avail(int32_t id);

uint8_t *buffer_pipe_read_get(int32_t id, uint32_t amount);

int32_t  buffer_pipe_read_stopped(int32_t id, uint32_t amount);

uint32_t buffer_pipe_write_avail(int32_t id);

uint8_t *buffer_pipe_write_get(int32_t id, uint32_t size);

int32_t  buffer_pipe_write_stopped(int32_t id, uint32_t amount);

int32_t  buffer_pipe_done(int32_t id);

/* Inflate between two pipes: input from `from_buffer`, output to `to_buffer`.
 * `windowBits` presumably follows zlib's inflateInit2() convention — confirm.
 * @return presumably a handle for inflate_process()/inflate_done() — confirm */
int32_t inflate_init(int32_t from_buffer, int32_t to_buffer, int32_t windowBits);

/* Run the inflater identified by `id`. */
int32_t inflate_process(int32_t id);

/* Release the inflater identified by `id`. */
int32_t inflate_done(int32_t id);

/* Report a runtime error from the bytecode at `locationid`. */
int32_t bytecode_rt_error(int32_t locationid);

/* JavaScript normaliser fed from the pipe `from_buffer`.
 * @return presumably a handle for jsnorm_process()/jsnorm_done() — confirm */
int32_t jsnorm_init(int32_t from_buffer);

int32_t jsnorm_process(int32_t id);

int32_t jsnorm_done(int32_t id);

/* ---------------- END 0.96 APIs (don't touch) --------------------------- */
/* ---------------- BEGIN 0.96.1 APIs ------------------------------------- */
00547 
/* ---------------- Math -------------------------------------------------- */
/* Integer math helpers.  NOTE(review): the scaling of the arguments and
 * results (which operands form a ratio, what fixed-point factor the result
 * carries) is not stated in this header; confirm against the engine before
 * using any of these in a detection decision. */

int32_t ilog2(uint32_t a, uint32_t b);

int32_t ipow(int32_t a, int32_t b, int32_t c);

uint32_t iexp(int32_t a, int32_t b, int32_t c);

int32_t isin(int32_t a, int32_t b, int32_t c);

int32_t icos(int32_t a, int32_t b, int32_t c);
00598 
/* ---------------- String operations --------------------------------------- */
/* Find `needle` inside `haystack` (memmem-like; sizes are explicit, no NUL
 * terminators implied).  Sizes are signed int32_t, so negative values are
 * meaningless and must be rejected host-side — confirm.
 * @return presumably the offset of the first match, -1 if none — confirm */
int32_t memstr(const uint8_t* haystack, int32_t haysize,
               const uint8_t* needle, int32_t needlesize);

/* Combine two hexadecimal digit characters into one value.
 * @return presumably the value, -1 if either input is not a hex digit — confirm */
int32_t hex2ui(uint32_t hex1, uint32_t hex2);

/* Parse a decimal integer from a length-delimited buffer.  Shares its name
 * with C atoi() but has a different signature; only visible under __CLAMBC__. */
int32_t atoi(const uint8_t* str, int32_t size);

/* Debug output variants of debug_print_str(); from the names, one starts a
 * line and one omits the trailing newline — confirm. */
uint32_t debug_print_str_start(const uint8_t *str, uint32_t len);

uint32_t debug_print_str_nonl(const uint8_t *str, uint32_t len);

/* Entropy of the `size` bytes at `buffer`.  The return scaling is not stated
 * here — confirm.  `buffer` is not const-qualified although a read-only pass
 * is presumably all that happens; callers should not rely on either. */
uint32_t entropy_buffer(uint8_t* buffer, int32_t size);
00659 
/* ------------------ Data Structures --------------------------------------- */
/* Maps with length-delimited byte-string keys and values, referred to by an
 * int32_t handle.  map_new() takes the key and value sizes and returns the
 * handle; map_done() releases it.  The key/value-taking calls all use the
 * (bytes, size, handle) order.  map_getvalue() returns a pointer into
 * engine-owned storage for `size` bytes — presumably the value located by the
 * preceding map_find(), sized per map_getvaluesize(), and valid only until the
 * next map call; confirm, and never read past the size actually reported. */
int32_t map_new(int32_t keysize, int32_t valuesize);

int32_t map_addkey(const uint8_t *key, int32_t ksize, int32_t id);

int32_t map_setvalue(const uint8_t *value, int32_t vsize, int32_t id);

int32_t map_remove(const uint8_t* key, int32_t ksize, int32_t id);

int32_t map_find(const uint8_t* key, int32_t ksize, int32_t id);

int32_t map_getvaluesize(int32_t id);

uint8_t* map_getvalue(int32_t id, int32_t size);

int32_t map_done(int32_t id);
00748 
/* -------------- File Operations ------------------------------------------- */
/* As file_find(), but presumably only positions up to `maxpos` are
 * considered — confirm.  Same int32_t return caveat as file_find(). */
int32_t file_find_limit(const uint8_t *data, uint32_t len, int32_t maxpos);

/* ------------- Engine Query ----------------------------------------------- */
/* Engine functionality level; presumably comparable with the
 * FunctionalityLevels enumerators — confirm. */
uint32_t engine_functionality_level(void);

/* Engine dconf level. */
uint32_t engine_dconf_level(void);

/* Scan options the engine is running with (bit meaning not given here). */
uint32_t engine_scan_options(void);

/* Database options the engine is running with (bit meaning not given here). */
uint32_t engine_db_options(void);

/* ---------------- Scan Control -------------------------------------------- */
/* Set the container type for subsequent extraction (values not given here). */
int32_t extract_set_container(uint32_t container);

/* Switch the bytecode's input between the original file and the file it
 * extracted, selected by `extracted_file` — confirm the flag convention. */
int32_t input_switch(int32_t extracted_file);

/* ---------------- END 0.96.1 APIs ------------------------------------- */
/* ---------------- BEGIN 0.96.2 APIs ----------------------------------- */
00818 
/* Fill `env` (up to `len` bytes) with a description of the host environment.
 * struct cli_environment is neither defined nor forward-declared in this
 * header; presumably one of the bytecode_*.h includes above provides it —
 * confirm. */
uint32_t get_environment(struct cli_environment *env, uint32_t len);

/* Disable this bytecode (or, for disable_jit_if(), the JIT) when `cond` is
 * non-zero, logging `reason`.
 * NOTE(review): `reason` is `const int8_t *` whereas every other string
 * parameter in this header is `const uint8_t *`, so callers passing the
 * usual buffers need a cast; confirm this is intended. */
uint32_t disable_bytecode_if(const int8_t *reason, uint32_t len, uint32_t cond);

uint32_t disable_jit_if(const int8_t* reason, uint32_t len, uint32_t cond);

/* Compare two length-delimited version strings.  The sign convention of the
 * result is not stated here — confirm. */
int32_t version_compare(const uint8_t* lhs, uint32_t lhs_len,
                    const uint8_t* rhs, uint32_t rhs_len);

/* Platform check; the meaning of a, b, c is not stated here — confirm. */
uint32_t check_platform(uint32_t a, uint32_t b, uint32_t c);
00876 
/* --------------------- PDF APIs ----------------------------------- */
/* Number of objects in the PDF being scanned (object indices run from 0 to
 * this value - 1). */
int32_t pdf_get_obj_num(void);

/* Document flags; presumably a bit set indexed by enum pdf_flag — confirm. */
int32_t pdf_get_flags(void);

/* Replace the document flags (same layout as pdf_get_flags()). */
int32_t pdf_set_flags(int32_t flags);

/* Map a PDF object id to an object index usable with the pdf_*obj* calls
 * below; presumably -1 when the id is unknown — confirm. */
int32_t pdf_lookupobj(uint32_t id);

/* Size in bytes of the object at `objidx`. */
uint32_t pdf_getobjsize(int32_t objidx);

/* Pointer to `amount` bytes of the object at `objidx`, in engine-owned
 * storage.  Presumably NULL when `objidx` is invalid or `amount` exceeds
 * pdf_getobjsize(objidx) — confirm; bytecode should never request more than
 * pdf_getobjsize() reports, nor read past what it requested. */
uint8_t *pdf_getobj(int32_t objidx, uint32_t amount);

/* Return the object id for the specified object index.
  \group_pdf
   @param objidx - object index (from 0)
   @return -1 - object index invalid
          >=0 - object id (obj id << 8 | generation id)
*/
int32_t pdf_getobjid(int32_t objidx);

/* Return the object flags for the specified object index
   (presumably a bit set indexed by enum pdf_objflags — confirm).
  \group_pdf
   @param objidx - object index (from 0)
   @return -1 - object index invalid
          >=0 - object flags
*/
int32_t pdf_getobjflags(int32_t objidx);

/* Sets the object flags for the specified object index.
  \group_pdf
   This can be used to force dumping of a certain obj, by setting the
   OBJ_FORCEDUMP flag for example.
   @param objidx - object index (from 0)
   @param flags  - new flag value (same layout as pdf_getobjflags())
   @return -1 - object index invalid
          >=0 - flags set
*/
int32_t pdf_setobjflags(int32_t objidx, int32_t flags);

/* Return the object's offset in the PDF.
  \group_pdf
   @param objidx - object index (from 0)
   @return -1 - object index invalid
          >=0 - offset
*/
int32_t pdf_get_offset(int32_t objidx);

/* Current scan phase; presumably one of enum pdf_phase — confirm. */
int32_t pdf_get_phase(void);

/* Id of the object that was just dumped (meaningful in PDF_PHASE_POSTDUMP,
 * presumably; confirm what is returned in other phases). */
int32_t pdf_get_dumpedobjid(void);
00972 
/* ----------------------------- Icon APIs -------------------------- */
/* Match the current file's icon against two length-delimited icon group
 * names.  Lengths are signed int32_t (negative values must be rejected
 * host-side); the return convention is not stated here — confirm. */
int32_t matchicon(const uint8_t* group1, int32_t group1_len,
                  const uint8_t* group2, int32_t group2_len);
/* ---------------- END 0.96.2 APIs   ----------------------------------- */
/* ----------------- BEGIN 0.96.4 APIs ---------------------------------- */
/* Returns whether running on JIT. As side-effect it disables
 * interp / JIT comparisons in test mode (errors are still checked) */
int32_t running_on_jit(void);

/* Get file reliability flag, higher value means less reliable
 * 0 - normal
 * 1 - embedded PE
 * 2 - unpacker created file (not impl. yet)
 *
 * when >0 import tables and such are not reliable; bytecode should treat
 * data derived from them (e.g. __clambc_pedata) as untrusted in that case. */
int32_t get_file_reliability(void);

/* ----------------- END 0.96.4 APIs ---------------------------------- */
01003 #endif
01004 #endif