merge disasm code

git-svn: trunk@3987

libclamav/Makefile.am

@@ -82,6 +82,9 @@ libclamav_la_SOURCES = \
 	msexpand.h \
 	pe.c \
 	pe.h \
+	disasm.c \
+	disasm.h \
+	disasmpriv.h \
 	upx.c \
 	upx.h \
 	htmlnorm.c \

libclamav/Makefile.in

@@ -81,16 +81,16 @@ am_libclamav_la_OBJECTS = matcher-ac.lo matcher-bm.lo matcher.lo \
 	md5.lo others.lo readdb.lo cvd.lo dsig.lo str.lo scanners.lo \
 	textdet.lo filetypes.lo rtf.lo blob.lo mbox.lo message.lo \
 	table.lo text.lo ole2_extract.lo vba_extract.lo msexpand.lo \
-	pe.lo upx.lo htmlnorm.lo chmunpack.lo rebuildpe.lo petite.lo \
-	wwunpack.lo unsp.lo aspack.lo packlibs.lo fsg.lo mew.lo \
-	upack.lo line.lo untar.lo unzip.lo inflate64.lo special.lo \
-	binhex.lo is_tar.lo tnef.lo autoit.lo strlcpy.lo regcomp.lo \
-	regerror.lo regexec.lo regfree.lo unarj.lo bzlib.lo nulsft.lo \
-	infblock.lo pdf.lo spin.lo yc.lo elf.lo sis.lo uuencode.lo \
-	phishcheck.lo phish_domaincheck_db.lo phish_whitelist.lo \
-	regex_list.lo regex_suffix.lo mspack.lo cab.lo entconv.lo \
-	hashtab.lo dconf.lo lzma_iface.lo explode.lo textnorm.lo \
-	dlp.lo js-norm.lo
+	pe.lo disasm.lo upx.lo htmlnorm.lo chmunpack.lo rebuildpe.lo \
+	petite.lo wwunpack.lo unsp.lo aspack.lo packlibs.lo fsg.lo \
+	mew.lo upack.lo line.lo untar.lo unzip.lo inflate64.lo \
+	special.lo binhex.lo is_tar.lo tnef.lo autoit.lo strlcpy.lo \
+	regcomp.lo regerror.lo regexec.lo regfree.lo unarj.lo bzlib.lo \
+	nulsft.lo infblock.lo pdf.lo spin.lo yc.lo elf.lo sis.lo \
+	uuencode.lo phishcheck.lo phish_domaincheck_db.lo \
+	phish_whitelist.lo regex_list.lo regex_suffix.lo mspack.lo \
+	cab.lo entconv.lo hashtab.lo dconf.lo lzma_iface.lo explode.lo \
+	textnorm.lo dlp.lo js-norm.lo
 libclamav_la_OBJECTS = $(am_libclamav_la_OBJECTS)
 libclamav_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
 	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -324,6 +324,9 @@ libclamav_la_SOURCES = \
 	msexpand.h \
 	pe.c \
 	pe.h \
+	disasm.c \
+	disasm.h \
+	disasmpriv.h \
 	upx.c \
 	upx.h \
 	htmlnorm.c \
@@ -544,6 +547,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chmunpack.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cvd.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dconf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/disasm.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dlp.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dsig.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/elf.Plo@am__quote@

libclamav/disasm.h

@@ -0,0 +1,32 @@
+/*
+ *  Copyright (C) 2008 Sourcefire, Inc.
+ *
+ *  Authors: aCaB <acab@clamav.net>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ *  MA 02110-1301, USA.
+ */
+
+#ifndef __DISASM_H
+#define __DISASM_H
+
+#if HAVE_CONFIG_H
+#include "clamav-config.h"
+#endif
+
+#include "others.h"
+
+void disasmbuf(uint8_t *, unsigned int, int);
+
+#endif

libclamav/disasmpriv.h

@@ -0,0 +1,404 @@
+/*
+ *  Copyright (C) 2008 Sourcefire, Inc.
+ *
+ *  Authors: aCaB <acab@clamav.net>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ *  MA 02110-1301, USA.
+ */
+
+#ifndef __DISASMPRIV_H
+#define __DISASMPRIV_H
+
+#if HAVE_CONFIG_H
+#include "clamav-config.h"
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <assert.h>
+
+#include "others.h"
+
+enum X86OPS {
+  OP_INVALID,
+  OP_AAA,
+  OP_AAD,
+  OP_AAM,
+  OP_AAS,
+  OP_ADD,
+  OP_ADC,
+  OP_AND,
+  OP_ARPL,
+  OP_BOUND,
+  OP_BSF,
+  OP_BSR,
+  OP_BSWAP,
+  OP_BT,
+  OP_BTC,
+  OP_BTR,
+  OP_BTS,
+  OP_CALL,
+  OP_CDQ,
+  OP_CWD,
+  OP_CWDE,
+  OP_CBW,
+  OP_CLC,
+  OP_CLD,
+  OP_CLI,
+  OP_CLTS,
+  OP_CMC,
+  OP_CMOVO,
+  OP_CMOVNO,
+  OP_CMOVC,
+  OP_CMOVNC,
+  OP_CMOVZ,
+  OP_CMOVNZ,
+  OP_CMOVBE,
+  OP_CMOVA,
+  OP_CMOVS,
+  OP_CMOVNS,
+  OP_CMOVP,
+  OP_CMOVNP,
+  OP_CMOVL,
+  OP_CMOVGE,
+  OP_CMOVLE,
+  OP_CMOVG,
+  OP_CMP,
+  OP_CMPSD,
+  OP_CMPSW,
+  OP_CMPSB,
+  OP_CMPXCHG,
+  OP_CMPXCHG8B,
+  OP_CPUID,
+  OP_DAA,
+  OP_DAS,
+  OP_DEC,
+  OP_DIV,
+  OP_ENTER,
+  OP_FWAIT,
+  OP_HLT,
+  OP_IDIV,
+  OP_IMUL,
+  OP_INC,
+  OP_IN,
+  OP_INSD,
+  OP_INSW,
+  OP_INSB,
+  OP_INT,
+  OP_INT3,
+  OP_INTO,
+  OP_INVD,
+  OP_INVLPG,
+  OP_IRET,
+  OP_JO,
+  OP_JNO,
+  OP_JC,
+  OP_JNC,
+  OP_JZ,
+  OP_JNZ,
+  OP_JBE,
+  OP_JA,
+  OP_JS,
+  OP_JNS,
+  OP_JP,
+  OP_JNP,
+  OP_JL,
+  OP_JGE,
+  OP_JLE,
+  OP_JG,
+  OP_JMP,
+  OP_LAHF,
+  OP_LAR,
+  OP_LDS,
+  OP_LES,
+  OP_LFS,
+  OP_LGS,
+  OP_LEA,
+  OP_LEAVE,
+  OP_LGDT,
+  OP_LIDT,
+  OP_LLDT,
+  OP_PREFIX_LOCK,
+  OP_LODSD,
+  OP_LODSW,
+  OP_LODSB,
+  OP_LOOP,
+  OP_LOOPE,
+  OP_LOOPNE,
+  OP_LSL,
+  OP_LSS,
+  OP_LTR,
+  OP_MOV,
+  OP_MOVSD,
+  OP_MOVSW,
+  OP_MOVSB,
+  OP_MOVSX,
+  OP_MOVZX,
+  OP_MUL,
+  OP_NEG,
+  OP_NOP,
+  OP_NOT,
+  OP_OR,
+  OP_OUT,
+  OP_OUTSD,
+  OP_OUTSW,
+  OP_OUTSB,
+  OP_PUSH,
+  OP_PUSHAD,
+  OP_PUSHA,
+  OP_PUSHFD,
+  OP_PUSHF,
+  OP_POP,
+  OP_POPAD,
+  OP_POPFD,
+  OP_POPF,
+  OP_RCL,
+  OP_RCR,
+  OP_RDMSR,
+  OP_RDPMC,
+  OP_RDTSC,
+  OP_PREFIX_REPE,
+  OP_PREFIX_REPNE,
+  OP_RETF,
+  OP_RETN,
+  OP_ROL,
+  OP_ROR,
+  OP_RSM,
+  OP_SAHF,
+  OP_SAR,
+  OP_SBB,
+  OP_SCASD,
+  OP_SCASW,
+  OP_SCASB,
+  OP_SETO,
+  OP_SETNO,
+  OP_SETC,
+  OP_SETNC,
+  OP_SETZ,
+  OP_SETNZ,
+  OP_SETBE,
+  OP_SETA,
+  OP_SETS,
+  OP_SETNS,
+  OP_SETP,
+  OP_SETNP,
+  OP_SETL,
+  OP_SETGE,
+  OP_SETLE,
+  OP_SETG,
+  OP_SGDT,
+  OP_SIDT,
+  OP_SHL,
+  OP_SHLD,
+  OP_SHR,
+  OP_SHRD,
+  OP_SLDT,
+  OP_STOSD,
+  OP_STOSW,
+  OP_STOSB,
+  OP_STR,
+  OP_STC,
+  OP_STD,
+  OP_STI,
+  OP_SUB,
+  OP_SYSCALL,
+  OP_SYSENTER,
+  OP_SYSEXIT,
+  OP_SYSRET,
+  OP_TEST,
+  OP_UD2,
+  OP_VERR,
+  OP_VERRW,
+  OP_WBINVD,
+  OP_WRMSR,
+  OP_XADD,
+  OP_XCHG,
+  OP_XLAT,
+  OP_XOR,
+  OP_PREFIX_OPSIZE,
+  OP_PREFIX_ADDRSIZE,
+  OP_PREFIX_SEGMENT,
+  OP_2BYTE,
+
+  OP_FPU,
+
+  OP_F2XM1,
+  OP_FABS,
+  OP_FADD,
+  OP_FADDP,
+  OP_FBLD,
+  OP_FBSTP,
+  OP_FCHS,
+  OP_FCLEX,
+  OP_FCMOVB,
+  OP_FCMOVBE,
+  OP_FCMOVE,
+  OP_FCMOVNB,
+  OP_FCMOVNBE,
+  OP_FCMOVNE,
+  OP_FCMOVNU,
+  OP_FCMOVU,
+  OP_FCOM,
+  OP_FCOMI,
+  OP_FCOMIP,
+  OP_FCOMP,
+  OP_FCOMPP,
+  OP_FCOS,
+  OP_FDECSTP,
+  OP_FDIV,
+  OP_FDIVP,
+  OP_FDIVR,
+  OP_FDIVRP,
+  OP_FFREE,
+  OP_FIADD,
+  OP_FICOM,
+  OP_FICOMP,
+  OP_FIDIV,
+  OP_FIDIVR,
+  OP_FILD,
+  OP_FIMUL,
+  OP_FINCSTP,
+  OP_FINIT,
+  OP_FIST,
+  OP_FISTP,
+  OP_FISTTP,
+  OP_FISUB,
+  OP_FISUBR,
+  OP_FLD,
+  OP_FLD1,
+  OP_FLDCW,
+  OP_FLDENV,
+  OP_FLDL2E,
+  OP_FLDL2T,
+  OP_FLDLG2,
+  OP_FLDLN2,
+  OP_FLDPI,
+  OP_FLDZ,
+  OP_FMUL,
+  OP_FMULP,
+  OP_FNOP,
+  OP_FPATAN,
+  OP_FPREM,
+  OP_FPREM1,
+  OP_FPTAN,
+  OP_FRNDINT,
+  OP_FRSTOR,
+  OP_FSCALE,
+  OP_FSIN,
+  OP_FSINCOS,
+  OP_FSQRT,
+  OP_FSAVE,
+  OP_FST,
+  OP_FSTCW,
+  OP_FSTENV,
+  OP_FSTP,
+  OP_FSTSW,
+  OP_FSUB,
+  OP_FSUBP,
+  OP_FSUBR,
+  OP_FSUBRP,
+  OP_FTST,
+  OP_FUCOM,
+  OP_FUCOMI,
+  OP_FUCOMIP,
+  OP_FUCOMP,
+  OP_FUCOMPP,
+  OP_FXAM,
+  OP_FXCH,
+  OP_FXTRACT,
+  OP_FYL2X,
+  OP_FYL2XP1
+};
+
+
+enum DIS_STATE {
+  STATE_GETOP,
+  STATE_CHECKDTYPE,
+  STATE_CHECKSTYPE,
+  STATE_DECODEX87,
+  STATE_FINALIZE,
+  STATE_COMPLETE,
+  STATE_ERROR
+};
+
+enum DIS_ACCESS {
+  ACCESS_NOARG, /* arg not present */
+  ACCESS_IMM,   /* immediate */
+  ACCESS_REL,   /* +/- immediate */
+  ACCESS_REG,   /* register */
+  ACCESS_MEM    /* [something] */
+};
+
+enum DIS_SIZE { /* for mem access, immediate and relative */
+  SIZEB,
+  SIZEW,
+  SIZED,
+  SIZEF,
+  SIZEQ,
+  SIZET,
+  SIZEPTR
+};
+
+
+enum X86REGS {
+  REG_EAX, REG_ECX, REG_EDX, REG_EBX, REG_ESP, REG_EBP, REG_ESI, REG_EDI,
+  REG_AX, REG_CX, REG_DX, REG_BX, REG_SP, REG_BP, REG_SI, REG_DI,
+  REG_AH, REG_CH, REG_DH, REG_BH, REG_AL, REG_CL, REG_DL, REG_BL,
+  REG_ES, REG_CS, REG_SS, REG_DS, REG_FS, REG_GS,
+  REG_CR0, REG_CR1, REG_CR2, REG_CR3, REG_CR4, REG_CR5, REG_CR6, REG_CR7,
+  REG_DR0, REG_DR1, REG_DR2, REG_DR3, REG_DR4, REG_DR5, REG_DR6, REG_DR7,
+  REG_ST0, REG_ST1, REG_ST2, REG_ST3, REG_ST4, REG_ST5, REG_ST6, REG_ST7,
+  REG_INVALID
+};
+
+
+struct DIS_ARGS {
+  enum DIS_ACCESS access;
+  enum DIS_SIZE size;
+  enum X86REGS reg;
+  union {
+    uint8_t b;
+    int8_t rb;
+    uint16_t w;
+    int16_t rw;
+    uint32_t d;
+    int32_t rd;
+    /*    uint48_t f; FIXME */
+    uint64_t q;
+    int64_t rq;
+    struct {
+      enum X86REGS r1;  /* scaled */
+      enum X86REGS r2;  /* added */
+      uint8_t scale; /* r1 multiplier */
+      int32_t disp;
+    } marg;
+  } arg;
+};
+
+
+/* FIXME: pack this thing and make macroes to access it in different compilers */
+struct DISASMED {
+  uint16_t table_op;
+  uint16_t real_op;
+  enum DIS_STATE state;
+  uint32_t opsize;
+  uint32_t adsize;
+  uint32_t segment;
+  struct DIS_ARGS args[3];
+  uint8_t cur;
+  uint8_t padding[40]; /* FIXME: for future versions */
+};
+
+#endif