2
* ClamAV bytecode internal API
4
* Copyright (C) 2009-2010 Sourcefire, Inc.
8
* This program is free software; you can redistribute it and/or modify
9
* it under the terms of the GNU General Public License version 2 as
10
* published by the Free Software Foundation.
12
* This program is distributed in the hope that it will be useful,
13
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
* GNU General Public License for more details.
17
* You should have received a copy of the GNU General Public License
18
* along with this program; if not, write to the Free Software
19
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
24
#include "clamav-config.h"
37
#include "bytecode_priv.h"
38
#include "type_desc.h"
39
#include "bytecode_api.h"
40
#include "bytecode_api_impl.h"
45
uint32_t cli_bcapi_test1(struct cli_bc_ctx *ctx, uint32_t a, uint32_t b)
47
return (a==0xf00dbeef && b==0xbeeff00d) ? 0x12345678 : 0x55;
50
uint32_t cli_bcapi_test2(struct cli_bc_ctx *ctx, uint32_t a)
52
return a == 0xf00d ? 0xd00f : 0x5555;
55
int32_t cli_bcapi_read(struct cli_bc_ctx* ctx, uint8_t *data, int32_t size)
61
cli_errmsg("bytecode: negative read size: %d\n", size);
64
n = fmap_readn(ctx->fmap, data, ctx->off, size);
71
int32_t cli_bcapi_seek(struct cli_bc_ctx* ctx, int32_t pos, uint32_t whence)
84
off = ctx->file_size + pos;
87
if (off < 0 || off > ctx->file_size)
93
uint32_t cli_bcapi_debug_print_str(struct cli_bc_ctx *ctx, const uint8_t *str, uint32_t len)
95
cli_dbgmsg("bytecode debug: %s\n", str);
99
uint32_t cli_bcapi_debug_print_uint(struct cli_bc_ctx *ctx, uint32_t a)
101
cli_dbgmsg("bytecode debug: %u\n", a);
105
/*TODO: compiler should make sure that only constants are passed here, and not
106
* pointers to arbitrary locations that may not be valid when bytecode finishes
108
uint32_t cli_bcapi_setvirusname(struct cli_bc_ctx* ctx, const uint8_t *name, uint32_t len)
114
uint32_t cli_bcapi_disasm_x86(struct cli_bc_ctx *ctx, struct DISASM_RESULT *res, uint32_t len)
119
if (!res || !ctx->fmap || ctx->off >= ctx->fmap->len)
121
/* 32 should be longest instr we support decoding.
122
* When we'll support mmx/sse instructions this should be updated! */
123
n = MIN(32, ctx->fmap->len - ctx->off);
124
buf = fmap_need_off_once(ctx->fmap, ctx->off, n);
125
next = cli_disasm_one(buf, n, res, 0);
128
return ctx->off + next - buf;
131
/* TODO: field in ctx, id of last bytecode that called magicscandesc, reset
132
* after hooks/other bytecodes are run. TODO: need a more generic solution
133
* to avoid uselessly recursing on bytecode-unpacked files, but also a way to
134
* override the limit if we need it in a special situation */
135
int32_t cli_bcapi_write(struct cli_bc_ctx *ctx, uint8_t*data, int32_t len)
138
cli_ctx *cctx = (cli_ctx*)ctx->ctx;
140
cli_warnmsg("Bytecode API: called with negative length!\n");
143
if (ctx->outfd == -1) {
144
ctx->tempfile = cli_gentemp(cctx ? cctx->engine->tmpdir : NULL);
145
if (!ctx->tempfile) {
146
cli_dbgmsg("Bytecode API: Unable to allocate memory for tempfile\n");
149
ctx->outfd = open(ctx->tempfile, O_RDWR|O_CREAT|O_EXCL|O_TRUNC|O_BINARY, 0600);
150
if (ctx->outfd == -1) {
151
cli_warnmsg("Bytecode API: Can't create file %s\n", ctx->tempfile);
156
if (cli_checklimits("bytecode api", cctx, ctx->written + len, 0, 0))
158
res = cli_writen(ctx->outfd, data, len);
159
if (res > 0) ctx->written += res;
161
cli_dbgmsg("Bytecode API: write failed: %d\n", errno);
165
void cli_bytecode_context_set_trace(struct cli_bc_ctx* ctx, unsigned level,
166
bc_dbg_callback_trace trace,
167
bc_dbg_callback_trace_op trace_op,
168
bc_dbg_callback_trace_val trace_val,
169
bc_dbg_callback_trace_ptr trace_ptr)
172
ctx->trace_op = trace_op;
173
ctx->trace_val = trace_val;
174
ctx->trace_ptr = trace_ptr;
175
ctx->trace_level = level;
178
uint32_t cli_bcapi_trace_scope(struct cli_bc_ctx *ctx, const uint8_t *scope, uint32_t scopeid)
180
if (LIKELY(!ctx->trace_level))
182
if (ctx->scope != (const char*)scope) {
183
ctx->scope = (const char*)scope ? (const char*)scope : "?";
184
ctx->scopeid = scopeid;
185
ctx->trace_level |= 0x80;/* temporarely increase level to print params */
186
} else if ((ctx->trace_level >= trace_scope) && ctx->scopeid != scopeid) {
187
ctx->scopeid = scopeid;
188
ctx->trace_level |= 0x40;/* temporarely increase level to print location */
193
uint32_t cli_bcapi_trace_directory(struct cli_bc_ctx *ctx, const uint8_t* dir, uint32_t dummy)
195
if (LIKELY(!ctx->trace_level))
197
ctx->directory = (const char*)dir ? (const char*)dir : "";
201
uint32_t cli_bcapi_trace_source(struct cli_bc_ctx *ctx, const uint8_t *file, uint32_t line)
203
if (LIKELY(ctx->trace_level < trace_line))
205
if (ctx->file != (const char*)file || ctx->line != line) {
207
ctx->file =(const char*)file ? (const char*)file : "??";
213
uint32_t cli_bcapi_trace_op(struct cli_bc_ctx *ctx, const uint8_t *op, uint32_t col)
215
if (LIKELY(ctx->trace_level < trace_col))
217
if (ctx->trace_level&0xc0) {
219
/* func/scope changed and they needed param/location event */
220
ctx->trace(ctx, (ctx->trace_level&0x80) ? trace_func : trace_scope);
221
ctx->trace_level &= ~0xc0;
223
if (LIKELY(ctx->trace_level < trace_col))
225
if (ctx->col != col) {
227
ctx->trace(ctx, trace_col);
229
ctx->trace(ctx, trace_line);
231
if (LIKELY(ctx->trace_level < trace_op))
233
if (ctx->trace_op && op)
234
ctx->trace_op(ctx, (const char*)op);
238
uint32_t cli_bcapi_trace_value(struct cli_bc_ctx *ctx, const uint8_t* name, uint32_t value)
240
if (LIKELY(ctx->trace_level < trace_val))
242
if (ctx->trace_level&0x80) {
243
if ((ctx->trace_level&0x7f) < trace_param)
245
ctx->trace(ctx, trace_param);
247
if (ctx->trace_val && name)
248
ctx->trace_val(ctx, name, value);
252
uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const uint8_t* ptr, uint32_t dummy)
254
if (LIKELY(ctx->trace_level < trace_val))
256
if (ctx->trace_level&0x80) {
257
if ((ctx->trace_level&0x7f) < trace_param)
259
ctx->trace(ctx, trace_param);
262
ctx->trace_ptr(ctx, ptr);
266
uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t rva)
270
const struct cli_pe_hook_data *pe = ctx->hooks.pedata;
271
ret = cli_rawaddr(rva, ctx->sections, pe->nsections, &err,
272
ctx->file_size, pe->hdr_size);
274
return PE_INVALID_RVA;
278
static inline const char* cli_memmem(const char *haystack, unsigned hlen,
279
const unsigned char *needle, unsigned nlen)
283
if (!needle || !haystack)
287
return memchr(haystack, c, hlen);
289
while (hlen >= nlen) {
291
haystack = memchr(haystack, c, hlen - nlen + 1);
295
if (!memcmp(p, needle, nlen-1))
297
hlen -= p - haystack;
303
int32_t cli_bcapi_file_find(struct cli_bc_ctx *ctx, const uint8_t* data, uint32_t len)
306
fmap_t *map = ctx->fmap;
307
uint32_t off = ctx->off, newoff;
310
if (!map || len > sizeof(buf)/4 || len <= 0)
314
n = fmap_readn(map, buf, off, sizeof(buf));
315
if ((unsigned)n < len)
317
p = cli_memmem(buf, n, data, len);
319
return off + p - buf;
325
int32_t cli_bcapi_file_byteat(struct cli_bc_ctx *ctx, uint32_t off)
330
if (fmap_readn(ctx->fmap, &c, off, 1) != 1)
335
uint8_t* cli_bcapi_malloc(struct cli_bc_ctx *ctx, uint32_t size)
339
ctx->mpool = mpool_create();
341
cli_dbgmsg("bytecode: mpool_create failed!\n");
345
return mpool_malloc(ctx->mpool, size);
347
/* TODO: implement using a list of pointers we allocated! */
348
cli_errmsg("cli_bcapi_malloc not implemented for systems without mmap yet!\n");
349
return cli_malloc(size);
353
int32_t cli_bcapi_get_pe_section(struct cli_bc_ctx *ctx, struct cli_exe_section* section, uint32_t num)
355
if (num < ctx->hooks.pedata->nsections) {
356
memcpy(section, &ctx->sections[num], sizeof(*section));