bytecode_api.h File Reference


Enumerations

enum  BytecodeKind { BC_GENERIC = 0 , BC_LOGICAL = 256, BC_PE_UNPACKER }
enum  { PE_INVALID_RVA = 0xFFFFFFFF }
enum  FunctionalityLevels
enum  pdf_phase
enum  pdf_flag
enum  pdf_objflags
enum  { SEEK_SET = 0, SEEK_CUR, SEEK_END }

Functions

uint32_t test1 (uint32_t a, uint32_t b)
int32_t read (uint8_t *data, int32_t size)
 Reads specified amount of bytes from the current file into a buffer. Also moves current position in the file.
int32_t write (uint8_t *data, int32_t size)
 Writes the specified amount of bytes from a buffer to the current temporary file.
int32_t seek (int32_t pos, uint32_t whence)
 Changes the current file position to the specified one.
uint32_t setvirusname (const uint8_t *name, uint32_t len)
uint32_t debug_print_str (const uint8_t *str, uint32_t len)
uint32_t debug_print_uint (uint32_t a)
uint32_t disasm_x86 (struct DISASM_RESULT *result, uint32_t len)
uint32_t pe_rawaddr (uint32_t rva)
int32_t file_find (const uint8_t *data, uint32_t len)
int32_t file_byteat (uint32_t offset)
void * malloc (uint32_t size)
uint32_t test2 (uint32_t a)
int32_t get_pe_section (struct cli_exe_section *section, uint32_t num)
int32_t fill_buffer (uint8_t *buffer, uint32_t len, uint32_t filled, uint32_t cursor, uint32_t fill)
int32_t extract_new (int32_t id)
int32_t read_number (uint32_t radix)
int32_t hashset_new (void)
int32_t hashset_add (int32_t hs, uint32_t key)
int32_t hashset_remove (int32_t hs, uint32_t key)
int32_t hashset_contains (int32_t hs, uint32_t key)
int32_t hashset_done (int32_t id)
int32_t hashset_empty (int32_t id)
int32_t buffer_pipe_new (uint32_t size)
int32_t buffer_pipe_new_fromfile (uint32_t pos)
uint32_t buffer_pipe_read_avail (int32_t id)
uint8_t * buffer_pipe_read_get (int32_t id, uint32_t amount)
int32_t buffer_pipe_read_stopped (int32_t id, uint32_t amount)
uint32_t buffer_pipe_write_avail (int32_t id)
uint8_t * buffer_pipe_write_get (int32_t id, uint32_t size)
int32_t buffer_pipe_write_stopped (int32_t id, uint32_t amount)
int32_t buffer_pipe_done (int32_t id)
int32_t inflate_init (int32_t from_buffer, int32_t to_buffer, int32_t windowBits)
int32_t inflate_process (int32_t id)
int32_t inflate_done (int32_t id)
int32_t bytecode_rt_error (int32_t locationid)
int32_t jsnorm_init (int32_t from_buffer)
int32_t jsnorm_process (int32_t id)
int32_t jsnorm_done (int32_t id)
int32_t ilog2 (uint32_t a, uint32_t b)
int32_t ipow (int32_t a, int32_t b, int32_t c)
uint32_t iexp (int32_t a, int32_t b, int32_t c)
int32_t isin (int32_t a, int32_t b, int32_t c)
int32_t icos (int32_t a, int32_t b, int32_t c)
int32_t memstr (const uint8_t *haystack, int32_t haysize, const uint8_t *needle, int32_t needlesize)
int32_t hex2ui (uint32_t hex1, uint32_t hex2)
int32_t atoi (const uint8_t *str, int32_t size)
uint32_t debug_print_str_start (const uint8_t *str, uint32_t len)
uint32_t debug_print_str_nonl (const uint8_t *str, uint32_t len)
uint32_t entropy_buffer (uint8_t *buffer, int32_t size)
int32_t map_new (int32_t keysize, int32_t valuesize)
int32_t map_addkey (const uint8_t *key, int32_t ksize, int32_t id)
int32_t map_setvalue (const uint8_t *value, int32_t vsize, int32_t id)
int32_t map_remove (const uint8_t *key, int32_t ksize, int32_t id)
int32_t map_find (const uint8_t *key, int32_t ksize, int32_t id)
int32_t map_getvaluesize (int32_t id)
uint8_t * map_getvalue (int32_t id, int32_t size)
int32_t map_done (int32_t id)
int32_t file_find_limit (const uint8_t *data, uint32_t len, int32_t maxpos)
uint32_t engine_functionality_level (void)
uint32_t engine_dconf_level (void)
uint32_t engine_scan_options (void)
uint32_t engine_db_options (void)
int32_t extract_set_container (uint32_t container)
int32_t input_switch (int32_t extracted_file)
uint32_t get_environment (struct cli_environment *env, uint32_t len)
uint32_t disable_bytecode_if (const int8_t *reason, uint32_t len, uint32_t cond)
uint32_t disable_jit_if (const int8_t *reason, uint32_t len, uint32_t cond)
int32_t version_compare (const uint8_t *lhs, uint32_t lhs_len, const uint8_t *rhs, uint32_t rhs_len)
uint32_t check_platform (uint32_t a, uint32_t b, uint32_t c)
int32_t pdf_get_obj_num (void)
int32_t pdf_get_flags (void)
int32_t pdf_set_flags (int32_t flags)
int32_t pdf_lookupobj (uint32_t id)
uint32_t pdf_getobjsize (int32_t objidx)
uint8_t * pdf_getobj (int32_t objidx, uint32_t amount)
int32_t pdf_get_phase (void)
int32_t pdf_get_dumpedobjid (void)
int32_t matchicon (const uint8_t *group1, int32_t group1_len, const uint8_t *group2, int32_t group2_len)

Variables

const uint32_t __clambc_match_counts [64]
 Logical signature match counts.
const uint32_t __clambc_match_offsets [64]
 Logical signature match offsets This is a low-level variable, use the Macros in bytecode_local.h instead to access it.
struct cli_pe_hook_data __clambc_pedata
const uint32_t __clambc_filesize [1]
const uint16_t __clambc_kind

Detailed Description


Enumeration Type Documentation

anonymous enum
Enumerator:
PE_INVALID_RVA 

Invalid RVA specified

anonymous enum
Enumerator:
SEEK_SET 

set file position to specified absolute position

SEEK_CUR 

set file position relative to current position

SEEK_END 

set file position relative to file end

Bytecode trigger kind

Enumerator:
BC_GENERIC 

generic bytecode, not tied to a specific hook

BC_LOGICAL 

triggered by a logical signature

BC_PE_UNPACKER 

a PE unpacker

LibClamAV functionality level constants

enum pdf_flag

PDF flags

PDF obj flags

enum pdf_phase

Phase of PDF parsing


Function Documentation

int32_t atoi ( const uint8_t *  str,
int32_t  size 
)

Converts string to positive number.

Parameters:
str: buffer
size: size of str
Returns:
>0 string converted to number if possible, -1 on error
String operation:
int32_t buffer_pipe_done ( int32_t  id)

Deallocate memory used by buffer.

Data structure:
After this all attempts to use this buffer will result in error. All buffer_pipes are automatically deallocated when bytecode finishes execution.
Parameters:
idID of buffer_pipe
Returns:
0 on success
int32_t buffer_pipe_new ( uint32_t  size)

Creates a new pipe with the specified buffer size

Data structure:
Parameters:
sizesize of buffer
Returns:
ID of newly created buffer_pipe
int32_t buffer_pipe_new_fromfile ( uint32_t  pos)

Same as buffer_pipe_new, except the pipe's input is tied

Data structure:
File operation:
to the current file, at the specified position.
Parameters:
posstarting position of pipe input in current file
Returns:
ID of newly created buffer_pipe
uint32_t buffer_pipe_read_avail ( int32_t  id)

Returns the amount of bytes available to read.

Data structure:
Parameters:
idID of buffer_pipe
Returns:
amount of bytes available to read
uint8_t* buffer_pipe_read_get ( int32_t  id,
uint32_t  amount 
)

Returns a pointer to the buffer for reading.

Data structure:
The 'amount' parameter should be obtained by a call to buffer_pipe_read_avail().
Parameters:
idID of buffer_pipe
amount: amount of bytes to read
Returns:
pointer to buffer, or NULL if buffer has less than specified amount
int32_t buffer_pipe_read_stopped ( int32_t  id,
uint32_t  amount 
)
Data structure:
Updates read cursor in buffer_pipe.
Parameters:
idID of buffer_pipe
amountamount of bytes to move read cursor
Returns:
0 on success
uint32_t buffer_pipe_write_avail ( int32_t  id)

Returns the amount of bytes available for writing.

Data structure:
Parameters:
idID of buffer_pipe
Returns:
amount of bytes available for writing
uint8_t* buffer_pipe_write_get ( int32_t  id,
uint32_t  size 
)
Data structure:
Returns pointer to writable buffer. The 'size' parameter should be obtained by a call to buffer_pipe_write_avail().
Parameters:
idID of buffer_pipe
sizeamount of bytes to write
Returns:
pointer to write buffer, or NULL if requested amount is more than what is available in the buffer
int32_t buffer_pipe_write_stopped ( int32_t  id,
uint32_t  amount 
)

Updates the write cursor in buffer_pipe.

Data structure:
Parameters:
idID of buffer_pipe
amountamount of bytes to move write cursor
Returns:
0 on success
int32_t bytecode_rt_error ( int32_t  locationid)

Report a runtime error at the specified locationID.

Scan:
Parameters:
locationid(line << 8) | (column&0xff)
Returns:
0
uint32_t check_platform ( uint32_t  a,
uint32_t  b,
uint32_t  c 
)

Disables the JIT if the platform id matches. 0xff can be used instead of a field to mark ANY.

Parameters:
a- os_category << 24 | arch << 20 | compiler << 16 | flevel << 8 | dconf
b- big_endian << 28 | sizeof_ptr << 24 | cpp_version
c- os_features << 24 | c_version
Returns:
0 - no match 1 - match
Environment:
uint32_t debug_print_str ( const uint8_t *  str,
uint32_t  len 
)

Prints a debug message.

Parameters:
[in]strMessage to print
[in]lenlength of message to print
Returns:
0
String operation:
uint32_t debug_print_str_nonl ( const uint8_t *  str,
uint32_t  len 
)

Prints a debug message with a trailing newline, and not preceded by 'LibClamAV debug'.

Parameters:
strthe string
lenlength of str
Returns:
0
String operation:
uint32_t debug_print_str_start ( const uint8_t *  str,
uint32_t  len 
)

Prints a debug message with a trailing newline, but preceded by 'LibClamAV debug'.

Parameters:
strthe string
lenlength of str
Returns:
0
String operation:
uint32_t debug_print_uint ( uint32_t  a)

Prints a number as a debug message. This is like debug_print_str_nonl!

Parameters:
[in]anumber to print
Returns:
0
String operation:
uint32_t disable_bytecode_if ( const int8_t *  reason,
uint32_t  len,
uint32_t  cond 
)

Disables the bytecode completely if condition is true. Can only be called from the BC_STARTUP bytecode.

Parameters:
reason- why the bytecode had to be disabled
len- length of reason
cond- condition
Returns:
0 - auto mode 1 - JIT disabled 2 - fully disabled
Environment:
uint32_t disable_jit_if ( const int8_t *  reason,
uint32_t  len,
uint32_t  cond 
)

Disables the JIT completely if condition is true. Can only be called from the BC_STARTUP bytecode.

Parameters:
reason- why the JIT had to be disabled
len- length of reason
cond- condition
Returns:
0 - auto mode 1 - JIT disabled 2 - fully disabled
Environment:
uint32_t disasm_x86 ( struct DISASM_RESULT *  result,
uint32_t  len 
)

Disassembles starting from current file position, the specified amount of bytes.

Parameters:
[out]resultpointer to struct holding result
[in]lenhow many bytes to disassemble
Returns:
0 for success

You can use lseek to disassemble starting from a different location. This is a low-level API, the result is in ClamAV type-8 signature format (64 bytes/instruction).

See also:
DisassembleAt
Disassemble:
uint32_t engine_db_options ( void  )

Returns the current engine's db options.

Returns:
CL_DB_* flags
Engine query:
uint32_t engine_dconf_level ( void  )

Returns the current engine (dconf) functionality level. Usually identical to engine_functionality_level(), unless distro backported patches. Compare with FunctionalityLevels.

Returns:
an integer representing the DCONF (security fixes) level.
Engine query:
uint32_t engine_functionality_level ( void  )

Returns the current engine (feature) functionality level. To map these to ClamAV releases, compare it with FunctionalityLevels.

Returns:
an integer representing current engine functionality level.
Engine query:
uint32_t engine_scan_options ( void  )

Returns the current engine's scan options.

Returns:
CL_SCAN* flags
Engine query:
uint32_t entropy_buffer ( uint8_t *  buffer,
int32_t  size 
)

Returns an approximation for the entropy of buffer.

Parameters:
bufferinput buffer
sizesize of buffer
Returns:
entropy estimation * 2^26
String operation:
int32_t extract_new ( int32_t  id)

Prepares for extracting a new file; if one was already extracted, it is scanned first.

Scan:
Parameters:
[in]idan id for the new file (for example position in container)
Returns:
1 if previous extracted file was infected
int32_t extract_set_container ( uint32_t  container)

Sets the container type for the currently extracted file.

Parameters:
containercontainer type (CL_TYPE_*)
Returns:
current setting for container (CL_TYPE_ANY default)
Scan:
int32_t file_byteat ( uint32_t  offset)

Read a single byte from current file

File operation:
Parameters:
offsetfile offset
Returns:
byte at the given offset in the current file, or -1 if offset is invalid
int32_t file_find ( const uint8_t *  data,
uint32_t  len 
)

Looks for the specified sequence of bytes in the current file.

File operation:
Parameters:
[in]datathe sequence of bytes to look for
lenlength of data, cannot be more than 1024
Returns:
offset in the current file if match is found, -1 otherwise
int32_t file_find_limit ( const uint8_t *  data,
uint32_t  len,
int32_t  maxpos 
)

Looks for the specified sequence of bytes in the current file, up to the specified position.

Parameters:
[in]datathe sequence of bytes to look for
lenlength of data, cannot be more than 1024
maxposmaximum position to look for a match, note that this is 1 byte after the end of last possible match: match_pos + len < maxpos
Returns:
offset in the current file if match is found, -1 otherwise
File operation:
int32_t fill_buffer ( uint8_t *  buffer,
uint32_t  len,
uint32_t  filled,
uint32_t  cursor,
uint32_t  fill 
)

Fills the specified buffer with at least fill bytes.

File operation:
Parameters:
[out]bufferthe buffer to fill
[in]lenlength of buffer
[in]filledhow much of the buffer is currently filled
[in]cursorposition of cursor in buffer
[in]fillamount of bytes to fill in (0 is valid)
Returns:
<0 on error, 0 on EOF, otherwise the number of bytes available in buffer (starting from 0). The character at the cursor will be at position 0 after this call.
uint32_t get_environment ( struct cli_environment *  env,
uint32_t  len 
)

Queries the environment this bytecode runs in. Used by BC_STARTUP to disable bytecode when bugs are known for the current platform.

Parameters:
[out]env- the full environment
len- size of env
Returns:
0
Environment:
int32_t get_pe_section ( struct cli_exe_section *  section,
uint32_t  num 
)

Gets information about the specified PE section.

PE:
Parameters:
[out]sectionPE section information will be stored here
[in]numPE section number
Returns:
0 - success -1 - failure
int32_t hashset_add ( int32_t  hs,
uint32_t  key 
)

Add a new 32-bit key to the hashset.

Data structure:
Parameters:
hsID of hashset (from hashset_new)
keythe key to add
Returns:
0 on success
int32_t hashset_contains ( int32_t  hs,
uint32_t  key 
)

Returns whether the hashset contains the specified key.

Data structure:
Parameters:
hsID of hashset (from hashset_new)
keythe key to lookup
Returns:
1 if found, 0 if not found, <0 on invalid hashset ID
int32_t hashset_done ( int32_t  id)

Deallocates the memory used by the specified hashset.

Data structure:
Trying to use the hashset after this will result in an error. The hashset may not be used after this. All hashsets are automatically deallocated when bytecode finishes execution.
Parameters:
idID of hashset (from hashset_new)
Returns:
0 on success
int32_t hashset_empty ( int32_t  id)

Returns whether the hashset is empty.

Data structure:
Parameters:
id: ID of hashset (from hashset_new)
Returns:
0 on success
int32_t hashset_new ( void  )

Creates a new hashset and returns its id.

Data structure:
Returns:
ID for new hashset
int32_t hashset_remove ( int32_t  hs,
uint32_t  key 
)

Remove a 32-bit key from the hashset.

Data structure:
Parameters:
hsID of hashset (from hashset_new)
key: the key to remove
Returns:
0 on success
int32_t hex2ui ( uint32_t  hex1,
uint32_t  hex2 
)

Returns hexadecimal characters hex1 and hex2 converted to 8-bit number.

Parameters:
hex1hexadecimal character
hex2hexadecimal character
Returns:
hex1 hex2 converted to 8-bit integer, -1 on error
String operation:
int32_t icos ( int32_t  a,
int32_t  b,
int32_t  c 
)

Returns c*cos(a/b).

Parameters:
ainteger
binteger
cinteger
Returns:
c*cos(a/b)
Math function:
uint32_t iexp ( int32_t  a,
int32_t  b,
int32_t  c 
)

Returns exp(a/b)*c

Parameters:
ainteger
binteger
cinteger
Returns:
c*exp(a/b)
Math function:
int32_t ilog2 ( uint32_t  a,
uint32_t  b 
)

Returns 2^26*log2(a/b)

Parameters:
ainput
binput
Returns:
2^26*log2(a/b)
Math function:
int32_t inflate_done ( int32_t  id)

Deallocates inflate data structure. Using the inflate data structure after this will result in an error. All inflate data structures are automatically deallocated when bytecode finishes execution.

Data structure:
Parameters:
idID of inflate data structure
Returns:
0 on success.
int32_t inflate_init ( int32_t  from_buffer,
int32_t  to_buffer,
int32_t  windowBits 
)

Initializes inflate data structures for decompressing data

Data structure:
'from_buffer' and writing uncompressed data 'to_buffer'.
Parameters:
from_bufferID of buffer_pipe to read compressed data from
to_bufferID of buffer_pipe to write decompressed data to
windowBits(see zlib documentation)
Returns:
ID of newly created inflate data structure, <0 on failure
int32_t inflate_process ( int32_t  id)

Inflate all available data in the input buffer, and write to output buffer. Stops when the input buffer becomes empty, or write buffer becomes full. Also attempts to recover from corrupted inflate stream (via inflateSync). This function can be called repeatedly on success after filling the input buffer, and flushing the output buffer. The inflate stream is done processing when 0 bytes are available from output buffer, and input buffer is not empty.

Data structure:
Parameters:
idID of inflate data structure
Returns:
0 on success, zlib error code otherwise
int32_t input_switch ( int32_t  extracted_file)

Toggles the read/seek API to read from the currently extracted file, and back. You must call seek after switching inputs to position the cursor to a valid position.

Parameters:
extracted_file1 - switch to reading from extracted file, 0 - switch back to original input
Returns:
-1 on error (if no extracted file exists) 0 on success
Scan:
int32_t ipow ( int32_t  a,
int32_t  b,
int32_t  c 
)

Returns c*a^b.

Parameters:
ainteger
binteger
cinteger
Returns:
c*pow(a,b)
Math function:
int32_t isin ( int32_t  a,
int32_t  b,
int32_t  c 
)

Returns c*sin(a/b).

Parameters:
ainteger
binteger
cinteger
Returns:
c*sin(a/b)
Math function:
int32_t jsnorm_done ( int32_t  id)

Flushes JS normalizer.

JavaScript:
Parameters:
idID of js normalizer to flush
Returns:
0 - success -1 - failure
int32_t jsnorm_init ( int32_t  from_buffer)

Initializes JS normalizer for reading 'from_buffer'. Normalized JS will be written to a single tempfile, one normalized JS per line, and automatically scanned when the bytecode finishes execution.

JavaScript:
Parameters:
from_bufferID of buffer_pipe to read javascript from
Returns:
ID of JS normalizer, <0 on failure
int32_t jsnorm_process ( int32_t  id)

Normalize all javascript from the input buffer, and write to tempfile. You can call this function repeatedly on success, if you (re)fill the input buffer.

JavaScript:
Parameters:
idID of JS normalizer
Returns:
0 on success, <0 on failure
void* malloc ( uint32_t  size)

Allocates memory. Currently this memory is freed automatically on exit from the bytecode, and there is no way to free it sooner.

Data structure:
Parameters:
sizeamount of memory to allocate in bytes
Returns:
pointer to allocated memory
int32_t map_addkey ( const uint8_t *  key,
int32_t  ksize,
int32_t  id 
)

Inserts the specified key/value pair into the map.

Parameters:
idid of table
keykey
ksizesize of key
Returns:
0 - if key existed before 1 - if key didn't exist before <0 - if ksize doesn't match keysize specified at table creation
Data structure:
int32_t map_done ( int32_t  id)

Deallocates the memory used by the specified map. Trying to use the map after this will result in an error. All maps are automatically deallocated when the bytecode finishes execution.

Parameters:
idid of map
Returns:
0 - success -1 - invalid map
Data structure:
int32_t map_find ( const uint8_t *  key,
int32_t  ksize,
int32_t  id 
)

Looks up key in map. The map remembers the last looked-up key (so you can retrieve the value).

Parameters:
idid of map
keykey
ksizesize of key
Returns:
0 - if not found 1 - if found <0 - if ksize doesn't match the size specified at table creation
Data structure:
uint8_t* map_getvalue ( int32_t  id,
int32_t  size 
)

Returns the value obtained during last map_find.

Parameters:
idid of map.
sizesize of value (obtained from map_getvaluesize)
Returns:
value
Data structure:
int32_t map_getvaluesize ( int32_t  id)

Returns the size of value obtained during last map_find.

Parameters:
idid of map.
Returns:
size of value
Data structure:
int32_t map_new ( int32_t  keysize,
int32_t  valuesize 
)

Creates a new map and returns its id.

Parameters:
keysizesize of key
valuesizesize of value, if 0 then value is allocated separately
Returns:
ID of new map
Data structure:
int32_t map_remove ( const uint8_t *  key,
int32_t  ksize,
int32_t  id 
)

Remove an element from the map.

Parameters:
idid of map
keykey
ksizesize of key
Returns:
0 on success, key was present 1 if key was not present <0 if ksize doesn't match keysize specified at table creation
Data structure:
int32_t map_setvalue ( const uint8_t *  value,
int32_t  vsize,
int32_t  id 
)

Sets the value for the last inserted key with map_addkey.

Parameters:
idid of table
valuevalue
vsizesize of value
Returns:
0 - if update was successful <0 - if there is no last key
Data structure:
int32_t matchicon ( const uint8_t *  group1,
int32_t  group1_len,
const uint8_t *  group2,
int32_t  group2_len 
)

Attempts to match current executable's icon against the specified icon groups.

Icon:
Parameters:
[in]group1- same as GROUP1 in LDB signatures
group1_len- length of group1
[in]group2- same as GROUP2 in LDB signatures
group2_len- length of group2
Returns:
-1 - invalid call, or sizes (only valid for PE hooks) 0 - not a match 1 - match
int32_t memstr ( const uint8_t *  haystack,
int32_t  haysize,
const uint8_t *  needle,
int32_t  needlesize 
)

Return position of match, -1 otherwise.

Parameters:
haystackbuffer to search
haysizesize of haystack
needlesubstring to search
needlesizesize of needle
Returns:
location of match, -1 otherwise
String operation:
int32_t pdf_get_dumpedobjid ( void  )

Return the currently dumped obj index.

PDF:
Valid only in PDF_PHASE_POSTDUMP.
Returns:
>=0 - object index -1 - invalid phase
int32_t pdf_get_flags ( void  )

Return the flags for the entire PDF (as set so far).

Returns:
-1 - if not called from PDF hook >=0 - pdf flags
PDF:
int32_t pdf_get_obj_num ( void  )

Return number of pdf objects

Returns:
-1 - if not called from PDF hook >=0 - number of PDF objects
PDF:
int32_t pdf_get_phase ( void  )

Return an 'enum pdf_phase'.

PDF:
Identifies at which phase this bytecode was called.
Returns:
the current pdf_phase
uint8_t* pdf_getobj ( int32_t  objidx,
uint32_t  amount 
)

Return the undecoded object.

PDF:
Meant only for reading; writing through the returned pointer modifies the underlying fmap buffer, so do not write to it.
Parameters:
objidx- object index (from 0), not object id!
amount- size returned by pdf_getobjsize (or smaller)
Returns:
NULL - invalid objidx/amount pointer - pointer to original object
uint32_t pdf_getobjsize ( int32_t  objidx)

Return the size of the specified PDF obj.

PDF:
Parameters:
objidx- object index (from 0), not object id!
Returns:
0 - if not called from PDF hook, or invalid objnum >=0 - size of object
int32_t pdf_lookupobj ( uint32_t  id)

Lookup pdf object with specified id.

PDF:
Parameters:
id- pdf id (objnumber << 8 | generationid)
Returns:
-1 - if object id doesn't exist >=0 - object index
int32_t pdf_set_flags ( int32_t  flags)

Sets the flags for the entire PDF. It is recommended that you retrieve old flags, and just add new ones.

PDF:
Parameters:
flags- flags to set.
Returns:
0 - success -1 - invalid phase
uint32_t pe_rawaddr ( uint32_t  rva)

Converts a RVA (Relative Virtual Address) to an absolute PE file offset.

Parameters:
rvaa rva address from the PE file
Returns:
absolute file offset mapped to the rva, or PE_INVALID_RVA if the rva is invalid.
PE:
int32_t read ( uint8_t *  data,
int32_t  size 
)

Reads specified amount of bytes from the current file into a buffer. Also moves current position in the file.

Parameters:
[in]sizeamount of bytes to read
[out]datapointer to buffer where data is read into
Returns:
amount read.
File operation:
int32_t read_number ( uint32_t  radix)

Reads a number in the specified radix starting from the current position.

File operation:
Non-numeric characters are ignored.
Parameters:
[in]radix10 or 16
Returns:
the number read
int32_t seek ( int32_t  pos,
uint32_t  whence 
)

Changes the current file position to the specified one.

See also:
SEEK_SET, SEEK_CUR, SEEK_END
Parameters:
[in]posoffset (absolute or relative depending on whence param)
[in]whenceone of SEEK_SET, SEEK_CUR, SEEK_END
Returns:
absolute position in file
File operation:
uint32_t setvirusname ( const uint8_t *  name,
uint32_t  len 
)

Sets the name of the virus found.

Parameters:
[in]namethe name of the virus
[in]lenlength of the virusname
Returns:
0
Scan:
uint32_t test1 ( uint32_t  a,
uint32_t  b 
)

Test api.

Parameters:
a: 0xf00dbeef
b: 0xbeeff00d
Returns:
0x12345678 if parameters match, 0x55 otherwise
uint32_t test2 ( uint32_t  a)

Test api2.

Parameters:
a: 0xf00d
Returns:
0xd00f if parameter matches, 0x5555 otherwise
int32_t version_compare ( const uint8_t *  lhs,
uint32_t  lhs_len,
const uint8_t *  rhs,
uint32_t  rhs_len 
)

Compares two version numbers.

Parameters:
[in]lhs- left hand side of comparison
lhs_len- length of lhs
[in]rhs- right hand side of comparison
rhs_len- length of rhs
Returns:
-1 - lhs < rhs 0 - lhs == rhs 1 - lhs > rhs
Environment:
int32_t write ( uint8_t *  data,
int32_t  size 
)

Writes the specified amount of bytes from a buffer to the current temporary file.

Parameters:
[in]datapointer to buffer of data to write
[in] size: amount of bytes to write. Writes size bytes to the temporary file, from the buffer pointed to by data.
Returns:
amount of bytes successfully written
File operation:

Variable Documentation

const uint32_t __clambc_filesize[1]

File size (max 4G).

Global variable:
const uint16_t __clambc_kind

Kind of the bytecode

Global variable:
const uint32_t __clambc_match_counts[64]

Logical signature match counts.

This is a low-level variable, use the Macros in bytecode_local.h instead to access it.

Global variable:
const uint32_t __clambc_match_offsets[64]

Logical signature match offsets This is a low-level variable, use the Macros in bytecode_local.h instead to access it.

Global variable:

PE data, if this is a PE hook.

Global variable: