2
* Copyright (C) 2007-2013 Sourcefire, Inc.
6
* This program is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License version 2 as
8
* published by the Free Software Foundation.
10
* This program is distributed in the hope that it will be useful,
11
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13
* GNU General Public License for more details.
15
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, write to the Free Software
17
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
24
/* Certain OSs already use 64bit variables in their stat struct */
25
#define STAT64_BLACKLIST !defined(__FreeBSD__) && !defined(__APPLE__)
27
#if defined(HAVE_STAT64) && STAT64_BLACKLIST
31
#define STATBUF struct stat64
32
#define CLAMSTAT stat64
35
#define safe_open(a, b) open(a, b|O_LARGEFILE)
38
#define STATBUF struct stat
42
/* Nothing is safe in windows, not even open, safe_open defined under /win32 */
44
#define safe_open open
49
#include <sys/types.h>
57
#define CL_COUNT_PRECISION 4096
61
/* libclamav specific */
72
/* I/O and memory errors */
88
/* internal (not reported outside libclamav) */
95
CL_EBYTECODE,/* may be reported in testmode */
96
CL_EBYTECODE_TESTFAIL, /* may be reported in testmode */
103
/* no error codes below this line please */
108
#define CL_DB_PHISHING 0x2
109
#define CL_DB_PHISHING_URLS 0x8
110
#define CL_DB_PUA 0x10
111
#define CL_DB_CVDNOTMP 0x20 /* obsolete */
112
#define CL_DB_OFFICIAL 0x40 /* internal */
113
#define CL_DB_PUA_MODE 0x80
114
#define CL_DB_PUA_INCLUDE 0x100
115
#define CL_DB_PUA_EXCLUDE 0x200
116
#define CL_DB_COMPILED 0x400 /* internal */
117
#define CL_DB_DIRECTORY 0x800 /* internal */
118
#define CL_DB_OFFICIAL_ONLY 0x1000
119
#define CL_DB_BYTECODE 0x2000
120
#define CL_DB_SIGNED 0x4000 /* internal */
121
#define CL_DB_BYTECODE_UNSIGNED 0x8000
122
#define CL_DB_UNSIGNED 0x10000 /* internal */
123
#define CL_DB_BYTECODE_STATS 0x20000
124
#define CL_DB_ENHANCED 0x40000
126
/* recommended db settings */
127
#define CL_DB_STDOPT (CL_DB_PHISHING | CL_DB_PHISHING_URLS | CL_DB_BYTECODE)
130
#define CL_SCAN_RAW 0x0
131
#define CL_SCAN_ARCHIVE 0x1
132
#define CL_SCAN_MAIL 0x2
133
#define CL_SCAN_OLE2 0x4
134
#define CL_SCAN_BLOCKENCRYPTED 0x8
135
#define CL_SCAN_HTML 0x10
136
#define CL_SCAN_PE 0x20
137
#define CL_SCAN_BLOCKBROKEN 0x40
138
#define CL_SCAN_MAILURL 0x80 /* ignored */
139
#define CL_SCAN_BLOCKMAX 0x100 /* ignored */
140
#define CL_SCAN_ALGORITHMIC 0x200
141
#define CL_SCAN_PHISHING_BLOCKSSL 0x800 /* ssl mismatches, not ssl by itself*/
142
#define CL_SCAN_PHISHING_BLOCKCLOAK 0x1000
143
#define CL_SCAN_ELF 0x2000
144
#define CL_SCAN_PDF 0x4000
145
#define CL_SCAN_STRUCTURED 0x8000
146
#define CL_SCAN_STRUCTURED_SSN_NORMAL 0x10000
147
#define CL_SCAN_STRUCTURED_SSN_STRIPPED 0x20000
148
#define CL_SCAN_PARTIAL_MESSAGE 0x40000
149
#define CL_SCAN_HEURISTIC_PRECEDENCE 0x80000
150
#define CL_SCAN_BLOCKMACROS 0x100000
151
#define CL_SCAN_ALLMATCHES 0x200000
152
#define CL_SCAN_SWF 0x400000
154
#define CL_SCAN_PERFORMANCE_INFO 0x40000000 /* collect performance timings */
155
#define CL_SCAN_INTERNAL_COLLECT_SHA 0x80000000 /* Enables hash output in sha-collect builds - for internal use only */
157
/* recommended scan settings */
158
#define CL_SCAN_STDOPT (CL_SCAN_ARCHIVE | CL_SCAN_MAIL | CL_SCAN_OLE2 | CL_SCAN_PDF | CL_SCAN_HTML | CL_SCAN_PE | CL_SCAN_ALGORITHMIC | CL_SCAN_ELF | CL_SCAN_SWF)
160
/* cl_countsigs options */
161
#define CL_COUNTSIGS_OFFICIAL 0x1
162
#define CL_COUNTSIGS_UNOFFICIAL 0x2
163
#define CL_COUNTSIGS_ALL (CL_COUNTSIGS_OFFICIAL | CL_COUNTSIGS_UNOFFICIAL)
168
#define CL_INIT_DEFAULT 0x0
169
extern int cl_init(unsigned int initoptions);
171
extern struct cl_engine *cl_engine_new(void);
173
extern void cl_always_gen_section_hash(void);
175
enum cl_engine_field {
176
CL_ENGINE_MAX_SCANSIZE, /* uint64_t */
177
CL_ENGINE_MAX_FILESIZE, /* uint64_t */
178
CL_ENGINE_MAX_RECURSION, /* uint32_t */
179
CL_ENGINE_MAX_FILES, /* uint32_t */
180
CL_ENGINE_MIN_CC_COUNT, /* uint32_t */
181
CL_ENGINE_MIN_SSN_COUNT, /* uint32_t */
182
CL_ENGINE_PUA_CATEGORIES, /* (char *) */
183
CL_ENGINE_DB_OPTIONS, /* uint32_t */
184
CL_ENGINE_DB_VERSION, /* uint32_t */
185
CL_ENGINE_DB_TIME, /* time_t */
186
CL_ENGINE_AC_ONLY, /* uint32_t */
187
CL_ENGINE_AC_MINDEPTH, /* uint32_t */
188
CL_ENGINE_AC_MAXDEPTH, /* uint32_t */
189
CL_ENGINE_TMPDIR, /* (char *) */
190
CL_ENGINE_KEEPTMP, /* uint32_t */
191
CL_ENGINE_BYTECODE_SECURITY, /* uint32_t */
192
CL_ENGINE_BYTECODE_TIMEOUT, /* uint32_t */
193
CL_ENGINE_BYTECODE_MODE, /* uint32_t */
194
CL_ENGINE_MAX_EMBEDDEDPE, /* uint64_t */
195
CL_ENGINE_MAX_HTMLNORMALIZE, /* uint64_t */
196
CL_ENGINE_MAX_HTMLNOTAGS, /* uint64_t */
197
CL_ENGINE_MAX_SCRIPTNORMALIZE, /* uint64_t */
198
CL_ENGINE_MAX_ZIPTYPERCG, /* uint64_t */
199
CL_ENGINE_FORCETODISK /* uint32_t */
202
enum bytecode_security {
203
CL_BYTECODE_TRUST_ALL=0, /* obsolete */
204
CL_BYTECODE_TRUST_SIGNED, /* default */
205
CL_BYTECODE_TRUST_NOTHING /* paranoid setting */
209
CL_BYTECODE_MODE_AUTO=0, /* JIT if possible, fallback to interpreter */
210
CL_BYTECODE_MODE_JIT, /* force JIT */
211
CL_BYTECODE_MODE_INTERPRETER, /* force interpreter */
212
CL_BYTECODE_MODE_TEST, /* both JIT and interpreter, compare results,
213
all failures are fatal */
214
CL_BYTECODE_MODE_OFF /* for query only, not settable */
217
extern int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long long num);
219
extern long long cl_engine_get_num(const struct cl_engine *engine, enum cl_engine_field field, int *err);
221
extern int cl_engine_set_str(struct cl_engine *engine, enum cl_engine_field field, const char *str);
223
extern const char *cl_engine_get_str(const struct cl_engine *engine, enum cl_engine_field field, int *err);
225
extern struct cl_settings *cl_engine_settings_copy(const struct cl_engine *engine);
227
extern int cl_engine_settings_apply(struct cl_engine *engine, const struct cl_settings *settings);
229
extern int cl_engine_settings_free(struct cl_settings *settings);
231
extern int cl_engine_compile(struct cl_engine *engine);
233
extern int cl_engine_addref(struct cl_engine *engine);
235
extern int cl_engine_free(struct cl_engine *engine);
240
/* I certainly wish I could declare the callback protoes stable and
241
move on to better things. But real life crossed my way enough times
242
already and what looked perfect had to evolve somehow.
243
So all I can say is I'll try my best not to break these things in the long run.
244
But I just can't guarantee that won't happen (again). */
246
typedef cl_error_t (*clcb_pre_cache)(int fd, const char *type, void *context);
248
Called for each processed file (both the entry level - AKA 'outer' - file and
249
inner files - those generated when processing archive and container files), before
250
the actual scanning takes place.
253
fd = File descriptor which is about to be scanned
254
type = File type detected via magic - i.e. NOT on the fly - (e.g. "CL_TYPE_MSEXE")
255
context = Opaque application provided data
258
CL_CLEAN = File is scanned
259
CL_BREAK = Whitelisted by callback - file is skipped and marked as clean
260
CL_VIRUS = Blacklisted by callback - file is skipped and marked as infected
262
extern void cl_engine_set_clcb_pre_cache(struct cl_engine *engine, clcb_pre_cache callback);
264
typedef cl_error_t (*clcb_pre_scan)(int fd, const char *type, void *context);
266
Called for each NEW file (inner and outer) before the scanning takes place. This is
267
roughly the the same as clcb_before_cache, but it is affected by clean file caching.
268
This means that it won't be called if a clean cached file (inner or outer) is
269
scanned a second time.
272
fd = File descriptor which is about to be scanned
273
type = File type detected via magic - i.e. NOT on the fly - (e.g. "CL_TYPE_MSEXE")
274
context = Opaque application provided data
277
CL_CLEAN = File is scanned
278
CL_BREAK = Whitelisted by callback - file is skipped and marked as clean
279
CL_VIRUS = Blacklisted by callback - file is skipped and marked as infected
281
extern void cl_engine_set_clcb_pre_scan(struct cl_engine *engine, clcb_pre_scan callback);
283
typedef cl_error_t (*clcb_post_scan)(int fd, int result, const char *virname, void *context);
285
Called for each processed file (inner and outer), after the scanning is complete.
288
fd = File descriptor which is was scanned
289
result = The scan result for the file
290
virname = Virus name if infected
291
context = Opaque application provided data
294
CL_CLEAN = Scan result is not overridden
295
CL_BREAK = Whitelisted by callback - scan result is set to CL_CLEAN
296
CL_VIRUS = Blacklisted by callback - scan result is set to CL_VIRUS
298
extern void cl_engine_set_clcb_post_scan(struct cl_engine *engine, clcb_post_scan callback);
301
typedef int (*clcb_sigload)(const char *type, const char *name, unsigned int custom, void *context);
304
type = The signature type (e.g. "db", "ndb", "mdb", etc.)
305
name = The virus name
306
custom = The signature is official (custom == 0) or custom (custom != 0)
307
context = Opaque application provided data
310
0 = Load the current signature
311
Non 0 = Skip the current signature
313
WARNING: Some signatures (notably ldb, cbc) can be dependent upon other signatures.
314
Failure to preserve dependency chains will result in database loading failure.
315
It is the implementor's responsibility to guarantee consistency.
317
extern void cl_engine_set_clcb_sigload(struct cl_engine *engine, clcb_sigload callback, void *context);
319
/* LibClamAV messages callback
320
* The specified callback will be called instead of logging to stderr.
321
* Messages of lower severity than specified are logged as usual.
323
* Just like with cl_debug() this must be called before going multithreaded.
324
* Callable before cl_init, if you want to log messages from cl_init() itself.
326
* You can use context of cl_scandesc_callback to convey more information to the callback (such as the filename!)
327
* Note: setting a 2nd callbacks overwrites previous, multiple callbacks are not
331
/* leave room for more message levels in the future */
332
CL_MSG_INFO_VERBOSE = 32, /* verbose */
333
CL_MSG_WARN = 64, /* LibClamAV WARNING: */
334
CL_MSG_ERROR = 128/* LibClamAV ERROR: */
336
typedef void (*clcb_msg)(enum cl_msg severity, const char *fullmsg, const char *msg, void *context);
337
extern void cl_set_clcb_msg(clcb_msg callback);
339
/* LibClamAV hash stats callback */
340
typedef void (*clcb_hash)(int fd, unsigned long long size, const unsigned char *md5, const char *virname, void *context);
341
extern void cl_engine_set_clcb_hash(struct cl_engine *engine, clcb_hash callback);
343
/* Archive member metadata callback. Return CL_VIRUS to blacklist, CL_CLEAN to
344
* continue scanning */
345
typedef cl_error_t (*clcb_meta)(const char* container_type, unsigned long fsize_container, const char *filename,
346
unsigned long fsize_real, int is_encrypted, unsigned int filepos_container, void *context);
347
extern void cl_engine_set_clcb_meta(struct cl_engine *engine, clcb_meta callback);
353
unsigned int entries;
356
struct cl_cvd { /* field no. */
358
unsigned int version; /* 3 */
359
unsigned int sigs; /* 4 */
360
unsigned int fl; /* 5 */
364
char *builder; /* 8 */
365
unsigned int stime; /* 9 */
369
extern int cl_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, unsigned int scanoptions);
370
extern int cl_scandesc_callback(int desc, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, unsigned int scanoptions, void *context);
372
extern int cl_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, unsigned int scanoptions);
373
extern int cl_scanfile_callback(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, unsigned int scanoptions, void *context);
375
/* database handling */
376
extern int cl_load(const char *path, struct cl_engine *engine, unsigned int *signo, unsigned int dboptions);
377
extern const char *cl_retdbdir(void);
379
/* engine handling */
382
extern struct cl_cvd *cl_cvdhead(const char *file);
383
extern struct cl_cvd *cl_cvdparse(const char *head);
384
extern int cl_cvdverify(const char *file);
385
extern void cl_cvdfree(struct cl_cvd *cvd);
387
/* db dir stat functions */
388
extern int cl_statinidir(const char *dirname, struct cl_stat *dbstat);
389
extern int cl_statchkdir(const struct cl_stat *dbstat);
390
extern int cl_statfree(struct cl_stat *dbstat);
392
/* count signatures */
393
extern int cl_countsigs(const char *path, unsigned int countoptions, unsigned int *sigs);
395
/* enable debug messages */
396
extern void cl_debug(void);
398
/* software versions */
399
extern unsigned int cl_retflevel(void);
400
extern const char *cl_retver(void);
403
extern const char *cl_strerror(int clerror);
405
/* custom data scanning */
407
typedef struct cl_fmap cl_fmap_t;
409
/* handle - the handle passed to cl_fmap_open_handle, its meaning is up to the
410
* callback's implementation
411
* buf, count, offset - read 'count' bytes starting at 'offset' into the buffer 'buf'
412
* Thread safety: it is guaranteed that only one callback is executing for a specific handle at
413
* any time, but there might be multiple callbacks executing for different
414
* handle at the same time.
416
typedef off_t (*clcb_pread)(void* handle, void *buf, size_t count, off_t offset);
418
/* Open a map for scanning custom data accessed by a handle and pread (lseek +
419
* read)-like interface. For example a WIN32 HANDLE.
420
* By default fmap will use aging to discard old data, unless you tell it not
422
* The handle will be passed to the callback each time.
424
extern cl_fmap_t *cl_fmap_open_handle(void* handle, size_t offset, size_t len,
425
clcb_pread, int use_aging);
427
/* Open a map for scanning custom data, where the data is already in memory,
428
* either in the form of a buffer, a memory mapped file, etc.
429
* Note that the memory [start, start+len) must be the _entire_ file,
430
* you can't give it parts of a file and expect detection to work.
432
extern cl_fmap_t *cl_fmap_open_memory(const void *start, size_t len);
434
/* Releases resources associated with the map, you should release any resources
435
* you hold only after (handles, maps) calling this function */
436
extern void cl_fmap_close(cl_fmap_t*);
438
/* Scan custom data */
439
extern int cl_scanmap_callback(cl_fmap_t *map, const char **virname, unsigned long int *scanned, const struct cl_engine *engine, unsigned int scanoptions, void *context);
445
#endif /* __CLAMAV_H */