* Copyright (C) 2009-2010 Sourcefire, Inc.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
#ifndef BYTECODE_API_H
#define BYTECODE_API_H
#include "bytecode_execs.h"
#include "bytecode_pe.h"
#include "bytecode_disasm.h"
/** Bytecode trigger kind */
/** generic bytecode, not tied to a specific hook */
/** triggered by a logical signature */
/* Sentinel returned by pe_rawaddr() when an RVA cannot be mapped to a file offset. */
enum { PE_INVALID_RVA = 0xFFFFFFFF };
/** @brief Logical signature match counts
* This is a low-level variable; use the macros in bytecode_local.h instead to
extern const uint32_t __clambc_match_counts[64];
/** PE data, if this is a PE hook */
extern const struct cli_pe_hook_data __clambc_pedata;
/** File size (max 4G) */
extern const uint32_t __clambc_filesize[1];
/** Kind of the bytecode */
/* NOTE(review): unlike the other __clambc_* globals above, this one is not
 * declared extern, so every translation unit that includes this header gets
 * a tentative definition of it; presumably intentional for the bytecode
 * compiler — confirm before "fixing". */
const uint16_t __clambc_kind;
uint32_t test1(uint32_t, uint32_t);
* @brief Reads specified amount of bytes from the current file
* into a buffer. Also moves current position in the file.
* @param[in] size amount of bytes to read
* @param[out] data pointer to buffer where data is read into
* @return number of bytes read.
/* NOTE(review): size is signed; the bytecode-side caller cannot enforce this, so
 * the host implementation is assumed to reject negative sizes — confirm. */
int32_t read(uint8_t *data, int32_t size);
/**set file position to specified absolute position */
/**set file position relative to current position */
/**set file position relative to file end*/
* @brief Writes the specified amount of bytes from a buffer to the
* current temporary file.
* @param[in] data pointer to buffer of data to write
* @param[in] size amount of bytes to write
* \p size bytes to temporary file, from the buffer pointed to
* @return amount of bytes successfully written
/* NOTE(review): size is signed, as for read(); assumes the host implementation
 * rejects negative sizes — confirm. */
int32_t write(uint8_t *data, int32_t size);
* @brief Changes the current file position to the specified one.
* @sa SEEK_SET, SEEK_CUR, SEEK_END
* @param[in] pos offset (absolute or relative depending on \p whence param)
* @param[in] whence one of \p SEEK_SET, \p SEEK_CUR, \p SEEK_END
* @return absolute position in file
int32_t seek(int32_t pos, uint32_t whence);
* Sets the name of the virus found.
* @param[in] name the name of the virus
* @param[in] len length of the virus name
uint32_t setvirusname(const uint8_t *name, uint32_t len);
* Prints a debug message.
* @param[in] str Message to print
* @param[in] len length of message to print
uint32_t debug_print_str(const uint8_t *str, uint32_t len);
* Prints a number as a debug message.
* @param[in] a number to print
uint32_t debug_print_uint(uint32_t a);
* Disassembles starting from current file position, the specified amount of
* @param[out] result pointer to struct holding result
* @param[in] len how many bytes to disassemble
* @return 0 for success
* You can use seek() to disassemble starting from a different location.
* This is a low-level API, the result is in ClamAV type-8 signature format
* (64 bytes/instruction).
uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len);
/* a scope: lexical block, function, or compile unit */
uint32_t trace_directory(const uint8_t* directory, uint32_t dummy);
uint32_t trace_scope(const uint8_t* newscope, uint32_t scopeid);
uint32_t trace_source(const uint8_t* srcfile, uint32_t line);
uint32_t trace_op(const uint8_t* opname, uint32_t column);
uint32_t trace_value(const uint8_t* name, uint32_t v);
uint32_t trace_ptr(const uint8_t* ptr, uint32_t dummy);
/** Converts a RVA (Relative Virtual Address) to
* an absolute PE file offset.
* @param rva an RVA (relative virtual address) from the PE file
* @return absolute file offset mapped to the \p rva,
* or PE_INVALID_RVA if the \p rva is invalid.
uint32_t pe_rawaddr(uint32_t rva);
/** Looks for the specified sequence of bytes in the current file.
* @param[in] data the sequence of bytes to look for
* @param len length of \p data, cannot be more than 1024
* @return offset in the current file if match is found, -1 otherwise */
int32_t file_find(const uint8_t* data, uint32_t len);
/** Read a single byte from current file
* @param offset file offset
* @return byte at offset \p offset in the current file, or -1 if offset is
int32_t file_byteat(uint32_t offset);
/** Allocates memory. Currently this memory is freed automatically on exit
from the bytecode, and there is no way to free it sooner.
@param size amount of memory to allocate in bytes
@return pointer to allocated memory */
void* malloc(uint32_t size);
uint32_t test2(uint32_t a);
/* NOTE(review): undocumented here; presumably fills \p section with the header
 * of PE section number \p num, and the int32_t return is a status — return
 * convention and behaviour for an out-of-range \p num must be confirmed against
 * the host implementation. */
int32_t get_pe_section(struct cli_exe_section *section, uint32_t num);