filesize, and pe_rawaddr API.

libclamav/bytecode.c

@@ -1605,6 +1605,7 @@ int cli_bytecode_context_setfile(struct cli_bc_ctx *ctx, fmap_t *map)
 {
     ctx->fmap = map;
     ctx->file_size = map->len + map->offset;
+    ctx->hooks.filesize = &ctx->file_size;
     return 0;
 }
 

libclamav/bytecode_api.c

@@ -38,6 +38,7 @@
 #include "bytecode_api.h"
 #include "bytecode_api_impl.h"
 #include "others.h"
+#include "pe.h"
 
 uint32_t cli_bcapi_test0(struct cli_bc_ctx *ctx, struct foo* s, uint32_t u)
 {
@@ -239,3 +240,15 @@ uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const const uint8_t* ptr, u
 	ctx->trace_ptr(ctx, ptr);
     return 0;
 }
+
+uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t rva, uint32_t dummy)
+{
+  uint32_t ret;
+  int err = 0;
+  const struct cli_pe_hook_data *pe = ctx->hooks.pedata;
+  ret = cli_rawaddr(rva, pe->exe_info.section, pe->exe_info.nsections, &err,
+		    ctx->file_size, pe->hdr_size);
+  if (err)
+    return PE_INVALID_RVA;
+  return ret;
+}

libclamav/bytecode_api.h

@@ -56,6 +56,8 @@ enum BytecodeKind {
     _BC_LAST_HOOK
 };
 
+enum { PE_INVALID_RVA = 0xFFFFFFFF };
+
 #ifdef __CLAMBC__
 
 /** @brief Logical signature match counts
@@ -68,6 +70,8 @@ extern const uint32_t __clambc_match_counts[64];
 extern const struct cli_exe_info __clambc_exeinfo;
 /** PE data, if this is a PE hook */
 extern const struct cli_pe_hook_data __clambc_pedata;
+/** File size (max 4G) */
+extern const uint32_t __clambc_filesize;
 
 /** Kind of the bytecode */
 const uint16_t __clambc_kind;
@@ -153,7 +157,7 @@ uint32_t debug_print_uint(uint32_t a, uint32_t b);
  * This is a low-level API, the result is in ClamAV type-8 signature format 
  * (64 bytes/instruction).
  *  \sa DisassembleAt
- * */
+ */
 uint32_t disasm_x86(struct DISASM_RESULT* result, uint32_t len);
 
 /* tracing API */
@@ -166,5 +170,13 @@ uint32_t trace_op(const uint8_t* opname, uint32_t column);
 uint32_t trace_value(const uint8_t* name, uint32_t v);
 uint32_t trace_ptr(const uint8_t* ptr, uint32_t dummy);
 
+/** Converts a RVA (Relative Virtual Address) to
+  * an absolute PE file offset.
+  * @param rva a rva address from the PE file
+  * @return absolute file offset mapped to the \p rva,
+  * or PE_INVALID_RVA if the \p rva is invalid.
+  */
+uint32_t pe_rawaddr(uint32_t rva, uint32_t dummy);
+
 #endif
 #endif

libclamav/bytecode_api_decl.c

@@ -48,6 +48,7 @@ uint32_t cli_bcapi_trace_source(struct cli_bc_ctx *ctx, const const uint8_t*, ui
 uint32_t cli_bcapi_trace_op(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
 uint32_t cli_bcapi_trace_value(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
 uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
+uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t, uint32_t);
 
 const struct cli_apiglobal cli_globals[] = {
 /* Bytecode globals BEGIN */
@@ -55,6 +56,8 @@ const struct cli_apiglobal cli_globals[] = {
 	 ((char*)&((struct cli_bc_ctx*)0)->hooks.kind - (char*)NULL)},
 	{"__clambc_match_counts", GLOBAL_MATCH_COUNTS, 82,
 	 ((char*)&((struct cli_bc_ctx*)0)->hooks.match_counts - (char*)NULL)},
+	{"__clambc_filesize", GLOBAL_FILESIZE, 32,
+	 ((char*)&((struct cli_bc_ctx*)0)->hooks.filesize - (char*)NULL)},
 	{"__clambc_exeinfo", GLOBAL_EXEINFO, 79,
 	 ((char*)&((struct cli_bc_ctx*)0)->hooks.exeinfo - (char*)NULL)},
 	{"__clambc_pedata", GLOBAL_PEDATA, 69,
@@ -76,14 +79,14 @@ static uint16_t cli_tmp10[]={80, 32, 32, 16};
 static uint16_t cli_tmp11[]={81};
 static uint16_t cli_tmp12[]={32, 32, 32, 32, 32, 32, 32, 32, 32};
 static uint16_t cli_tmp13[]={32};
-static uint16_t cli_tmp14[]={32, 65, 32};
-static uint16_t cli_tmp15[]={32, 85, 32};
-static uint16_t cli_tmp16[]={86};
-static uint16_t cli_tmp17[]={16, 8, 8, 8, 88, 87};
-static uint16_t cli_tmp18[]={8};
-static uint16_t cli_tmp19[]={89};
-static uint16_t cli_tmp20[]={8};
-static uint16_t cli_tmp21[]={32, 32, 32};
+static uint16_t cli_tmp14[]={32, 32, 32};
+static uint16_t cli_tmp15[]={32, 65, 32};
+static uint16_t cli_tmp16[]={32, 86, 32};
+static uint16_t cli_tmp17[]={87};
+static uint16_t cli_tmp18[]={16, 8, 8, 8, 89, 88};
+static uint16_t cli_tmp19[]={8};
+static uint16_t cli_tmp20[]={90};
+static uint16_t cli_tmp21[]={8};
 static uint16_t cli_tmp22[]={32, 92, 32};
 static uint16_t cli_tmp23[]={93};
 static uint16_t cli_tmp24[]={92};
@@ -105,12 +108,12 @@ const struct cli_bc_type cli_apicall_types[]={
 	{DArrayType, cli_tmp13, 64, 0, 0},
 	{DFunctionType, cli_tmp14, 3, 0, 0},
 	{DFunctionType, cli_tmp15, 3, 0, 0},
-	{DPointerType, cli_tmp16, 1, 0, 0},
-	{DStructType, cli_tmp17, 6, 0, 0},
-	{DArrayType, cli_tmp18, 29, 0, 0},
-	{DArrayType, cli_tmp19, 10, 0, 0},
-	{DArrayType, cli_tmp20, 3, 0, 0},
-	{DFunctionType, cli_tmp21, 3, 0, 0},
+	{DFunctionType, cli_tmp16, 3, 0, 0},
+	{DPointerType, cli_tmp17, 1, 0, 0},
+	{DStructType, cli_tmp18, 6, 0, 0},
+	{DArrayType, cli_tmp19, 29, 0, 0},
+	{DArrayType, cli_tmp20, 10, 0, 0},
+	{DArrayType, cli_tmp21, 3, 0, 0},
 	{DFunctionType, cli_tmp22, 3, 0, 0},
 	{DPointerType, cli_tmp23, 1, 0, 0},
 	{DStructType, cli_tmp24, 1, 0, 0}
@@ -120,26 +123,28 @@ const unsigned cli_apicall_maxtypes=sizeof(cli_apicall_types)/sizeof(cli_apicall
 const struct cli_apicall cli_apicalls[]={
 /* Bytecode APIcalls BEGIN */
 	{"test0", 22, 0, 1},
-	{"test1", 21, 0, 0},
-	{"read", 14, 1, 1},
-	{"write", 14, 2, 1},
-	{"seek", 21, 1, 0},
-	{"setvirusname", 14, 3, 1},
-	{"debug_print_str", 14, 4, 1},
-	{"debug_print_uint", 21, 2, 0},
-	{"disasm_x86", 15, 5, 1},
-	{"trace_directory", 14, 6, 1},
-	{"trace_scope", 14, 7, 1},
-	{"trace_source", 14, 8, 1},
-	{"trace_op", 14, 9, 1},
-	{"trace_value", 14, 10, 1},
-	{"trace_ptr", 14, 11, 1}
+	{"test1", 14, 0, 0},
+	{"read", 15, 1, 1},
+	{"write", 15, 2, 1},
+	{"seek", 14, 1, 0},
+	{"setvirusname", 15, 3, 1},
+	{"debug_print_str", 15, 4, 1},
+	{"debug_print_uint", 14, 2, 0},
+	{"disasm_x86", 16, 5, 1},
+	{"trace_directory", 15, 6, 1},
+	{"trace_scope", 15, 7, 1},
+	{"trace_source", 15, 8, 1},
+	{"trace_op", 15, 9, 1},
+	{"trace_value", 15, 10, 1},
+	{"trace_ptr", 15, 11, 1},
+	{"pe_rawaddr", 14, 3, 0}
 /* Bytecode APIcalls END */
 };
 const cli_apicall_int2 cli_apicalls0[] = {
 	(cli_apicall_int2)cli_bcapi_test1,
 	(cli_apicall_int2)cli_bcapi_seek,
-	(cli_apicall_int2)cli_bcapi_debug_print_uint
+	(cli_apicall_int2)cli_bcapi_debug_print_uint,
+	(cli_apicall_int2)cli_bcapi_pe_rawaddr
 };
 const cli_apicall_pointer cli_apicalls1[] = {
 	(cli_apicall_pointer)cli_bcapi_test0,

libclamav/bytecode_api_impl.h

@@ -45,5 +45,6 @@ uint32_t cli_bcapi_trace_source(struct cli_bc_ctx *ctx, const const uint8_t*, ui
 uint32_t cli_bcapi_trace_op(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
 uint32_t cli_bcapi_trace_value(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
 uint32_t cli_bcapi_trace_ptr(struct cli_bc_ctx *ctx, const const uint8_t*, uint32_t);
+uint32_t cli_bcapi_pe_rawaddr(struct cli_bc_ctx *ctx, uint32_t, uint32_t);
 
 #endif

libclamav/bytecode_hooks.h

@@ -32,6 +32,7 @@
 struct cli_bc_hooks {
 	 const uint16_t* kind;
 	 const uint32_t* match_counts;
+	 const uint32_t* filesize;
 	 const struct cli_exe_info* exeinfo;
 	 const struct cli_pe_hook_data* pedata;
 };

libclamav/bytecode_priv.h

@@ -124,7 +124,7 @@ struct cli_bc_ctx {
     operand_t *operands;
     uint16_t funcid;
     unsigned numParams;
-    size_t file_size;
+    uint32_t file_size;
     off_t off;
     fmap_t *fmap;
     const char *virname;

libclamav/clambc.h

@@ -119,6 +119,7 @@ enum bc_global {
   GLOBAL_VIRUSNAMES,
   GLOBAL_EXEINFO,
   GLOBAL_PEDATA,
+  GLOBAL_FILESIZE,
   _LAST_GLOBAL
 };
 

libclamav/pe.c

@@ -2236,6 +2236,7 @@ int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)
     pedata.e_lfanew = e_lfanew;
     pedata.overlays = overlays;
     pedata.overlays_sz = fsize - overlays;
+    pedata.hdr_size = hdr_size;
     cli_bytecode_context_setpe(bc_ctx, &pedata);
     cli_bytecode_context_setctx(bc_ctx, ctx);
     ret = cli_bytecode_runhook(ctx->engine, bc_ctx, BC_PE_UNPACKER, map, ctx->virname);

libclamav/pe.h

@@ -145,6 +145,7 @@ struct cli_pe_hook_data {
     uint32_t e_lfanew;/**< address of new exe header */
     uint32_t overlays;/**< number of overlays */
     int32_t overlays_sz;/**< size of overlays */
+    uint32_t hdr_size;/**< internally needed by rawaddr */
     /* FIXME: these should not be necessary (they are for now) */
     uint8_t dummyn;
     uint8_t *dummy EBOUNDS(dummyn);