libclamav: stub work for DMG (bb #1570) and XAR (bb #3801) formats

12 years ago · ca019d6d94
parent 7afc0a61cf
commit ca019d6d94
14 changed files with 359 additions and 8 deletions
--- a/libclamav/Makefile.am
+++ b/libclamav/Makefile.am
@ -1,5 +1,6 @@
 #
 #  Copyright (C) 2002 - 2007 Tomasz Kojm <tkojm@clamav.net>
+#  Copyright (C) 2008 - 2013 Sourcefire, Inc.
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@ -370,6 +371,10 @@ libclamav_la_SOURCES = \
 	builtin_bytecodes.h\
 	events.c\
 	events.h \
+	dmg.c \
+	dmg.h \
+	xar.c \
+	xar.h \
 	swf.c \
 	swf.h \
 	jpeg.c \
--- a/libclamav/Makefile.in
+++ b/libclamav/Makefile.in
@ -17,6 +17,7 @@

 #
 #  Copyright (C) 2002 - 2007 Tomasz Kojm <tkojm@clamav.net>
+#  Copyright (C) 2008 - 2013 Sourcefire, Inc.
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@ -184,7 +185,8 @@ am_libclamav_la_OBJECTS = libclamav_la-matcher-ac.lo \
 	libclamav_la-ishield.lo libclamav_la-bytecode_api.lo \
 	libclamav_la-bytecode_api_decl.lo libclamav_la-cache.lo \
 	libclamav_la-bytecode_detect.lo libclamav_la-events.lo \
-	libclamav_la-swf.lo libclamav_la-jpeg.lo libclamav_la-png.lo \
+	libclamav_la-dmg.lo libclamav_la-xar.lo libclamav_la-swf.lo \
+	libclamav_la-jpeg.lo libclamav_la-png.lo \
 	libclamav_la-iso9660.lo libclamav_la-arc4.lo \
 	libclamav_la-rijndael.lo libclamav_la-crtmgr.lo \
 	libclamav_la-asn1.lo libclamav_la-fp_add.lo \
@ -706,12 +708,12 @@ libclamav_la_SOURCES = clamav.h matcher-ac.c matcher-ac.h matcher-bm.c \
 	bcfeatures.h bytecode_api.c bytecode_api_decl.c bytecode_api.h \
 	bytecode_api_impl.h bytecode_hooks.h cache.c cache.h \
 	bytecode_detect.c bytecode_detect.h builtin_bytecodes.h \
-	events.c events.h swf.c swf.h jpeg.c jpeg.h png.c png.h \
-	iso9660.c iso9660.h arc4.c arc4.h rijndael.c rijndael.h \
-	crtmgr.c crtmgr.h asn1.c asn1.h bignum.h bignum_fast.h \
-	tomsfastmath/addsub/fp_add.c tomsfastmath/addsub/fp_add_d.c \
-	tomsfastmath/addsub/fp_addmod.c tomsfastmath/addsub/fp_cmp.c \
-	tomsfastmath/addsub/fp_cmp_d.c \
+	events.c events.h dmg.c dmg.h xar.c xar.h swf.c swf.h jpeg.c \
+	jpeg.h png.c png.h iso9660.c iso9660.h arc4.c arc4.h \
+	rijndael.c rijndael.h crtmgr.c crtmgr.h asn1.c asn1.h bignum.h \
+	bignum_fast.h tomsfastmath/addsub/fp_add.c \
+	tomsfastmath/addsub/fp_add_d.c tomsfastmath/addsub/fp_addmod.c \
+	tomsfastmath/addsub/fp_cmp.c tomsfastmath/addsub/fp_cmp_d.c \
 	tomsfastmath/addsub/fp_cmp_mag.c tomsfastmath/addsub/fp_sub.c \
 	tomsfastmath/addsub/fp_sub_d.c tomsfastmath/addsub/fp_submod.c \
 	tomsfastmath/addsub/s_fp_add.c tomsfastmath/addsub/s_fp_sub.c \
@ -931,6 +933,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-dconf.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-disasm.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-dlp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-dmg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-dsig.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-elf.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-entconv.Plo@am__quote@
@ -1085,6 +1088,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-vba_extract.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-version.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-wwunpack.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-xar.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libclamav_la-yc.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unrar.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unrar15.Plo@am__quote@
@ -1838,6 +1842,20 @@ libclamav_la-events.lo: events.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-events.lo `test -f 'events.c' || echo '$(srcdir)/'`events.c

+libclamav_la-dmg.lo: dmg.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-dmg.lo -MD -MP -MF $(DEPDIR)/libclamav_la-dmg.Tpo -c -o libclamav_la-dmg.lo `test -f 'dmg.c' || echo '$(srcdir)/'`dmg.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-dmg.Tpo $(DEPDIR)/libclamav_la-dmg.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='dmg.c' object='libclamav_la-dmg.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-dmg.lo `test -f 'dmg.c' || echo '$(srcdir)/'`dmg.c
+
+libclamav_la-xar.lo: xar.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-xar.lo -MD -MP -MF $(DEPDIR)/libclamav_la-xar.Tpo -c -o libclamav_la-xar.lo `test -f 'xar.c' || echo '$(srcdir)/'`xar.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-xar.Tpo $(DEPDIR)/libclamav_la-xar.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='xar.c' object='libclamav_la-xar.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -c -o libclamav_la-xar.lo `test -f 'xar.c' || echo '$(srcdir)/'`xar.c
+
 libclamav_la-swf.lo: swf.c
@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libclamav_la_CFLAGS) $(CFLAGS) -MT libclamav_la-swf.lo -MD -MP -MF $(DEPDIR)/libclamav_la-swf.Tpo -c -o libclamav_la-swf.lo `test -f 'swf.c' || echo '$(srcdir)/'`swf.c
@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/libclamav_la-swf.Tpo $(DEPDIR)/libclamav_la-swf.Plo
--- a/libclamav/dconf.c
+++ b/libclamav/dconf.c
@ -96,6 +96,8 @@ static struct dconf_module modules[] = {
    { "ARCHIVE",    "ISHIELD",	    ARCH_CONF_ISHIELD,	    1 },
    { "ARCHIVE",    "7zip",	    ARCH_CONF_7Z,	    1 },
    { "ARCHIVE",    "ISO9660",	    ARCH_CONF_ISO9660,	    1 },
+    { "ARCHIVE",    "DMG",	    ARCH_CONF_DMG,	    1 },
+    { "ARCHIVE",    "XAR",	    ARCH_CONF_XAR,	    1 },

    { "DOCUMENT",   "HTML",	    DOC_CONF_HTML,	    1 },
    { "DOCUMENT",   "RTF",	    DOC_CONF_RTF,	    1 },
--- a/libclamav/dconf.h
+++ b/libclamav/dconf.h
@ -82,6 +82,8 @@ struct cli_dconf {
 #define ARCH_CONF_ISHIELD   0x8000
 #define ARCH_CONF_7Z        0x10000
 #define ARCH_CONF_ISO9660   0x20000
+#define ARCH_CONF_DMG       0x40000
+#define ARCH_CONF_XAR       0x80000

 /* Document flags */
 #define DOC_CONF_HTML		0x1
--- a/libclamav/dmg.c
+++ b/libclamav/dmg.c
@ -0,0 +1,76 @@
+/*
+ *  Copyright (C) 2013 Sourcefire, Inc.
+ *
+ *  Authors: David Raynor <draynor@sourcefire.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ *  MA 02110-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+#include "clamav-config.h"
+#endif
+
+#include <stdio.h>
+#include <ctype.h>
+
+#include "cltypes.h"
+#include "others.h"
+#include "dmg.h"
+#include "scanners.h"
+
+int cli_scandmg(cli_ctx *ctx)
+{
+    struct dmg_koly_block hdr;
+    int ret, conv;
+    size_t maplen;
+
+    char name[513];
+    unsigned int file = 0, trailer = 0;
+    uint32_t filesize, namesize, hdr_namesize;
+    off_t pos = 0;
+
+    if (!ctx || !ctx->fmap) {
+        cli_errmsg("cli_scandmg: Invalid context\n");
+        return CL_ENULLARG;
+    }
+
+    maplen = (*ctx->fmap)->real_len;
+    pos = maplen - 512;
+    if (pos <= 0) {
+        cli_dbgmsg("cli_scandmg: Sizing problem for DMG archive.\n");
+        return CL_CLEAN;
+    }
+
+    /* Grab koly block */
+    if (fmap_readn(*ctx->fmap, &hdr, pos, sizeof(hdr)) != sizeof(hdr)) {
+        cli_dbgmsg("cli_scandmg: Invalid DMG trailer block\n");
+        return CL_EFORMAT;
+    }
+
+    /* Check magic */
+    hdr.magic = be32_to_host(hdr.magic);
+    if (hdr.magic == 0x6b6f6c79) {
+        cli_dbgmsg("cli_scandmg: Found koly block @ %ld\n", (long) pos);
+    }
+    else {
+        cli_dbgmsg("cli_scandmg: No koly magic, %8x\n", hdr.magic);
+        return CL_EFORMAT;
+    }
+
+    /* TODO: the rest of the unpacking */
+
+    return CL_CLEAN;
+}
+
--- a/libclamav/dmg.h
+++ b/libclamav/dmg.h
@ -0,0 +1,100 @@
+/*
+ *  Copyright (C) 2013 Sourcefire, Inc.
+ *
+ *  Authors: David Raynor <draynor@sourcefire.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ *  MA 02110-1301, USA.
+ */
+
+#ifndef __DMG_H
+#define __DMG_H
+
+#if HAVE_CONFIG_H
+#include "clamav-config.h"
+#endif
+
+#include "cltypes.h"
+#include "others.h"
+
+#ifndef HAVE_ATTRIB_PACKED
+#define __attribute__(x)
+#endif
+
+#ifdef HAVE_PRAGMA_PACK
+#pragma pack(1)
+#endif
+
+#ifdef HAVE_PRAGMA_PACK_HPPA
+#pragma pack 1
+#endif
+
+/* 512-byte block, remember these are big-endian! */
+struct dmg_koly_block {
+    uint32_t magic  __attribute__ ((packed));
+    uint32_t version __attribute__ ((packed));
+    uint32_t headerLength __attribute__ ((packed));
+    uint32_t flags __attribute__ ((packed));
+    uint64_t runningOffset __attribute__ ((packed));
+    uint64_t dataForkOffset __attribute__ ((packed));
+    uint64_t dataForkLength __attribute__ ((packed));
+    uint64_t resourceForkOffset __attribute__ ((packed));
+    uint64_t resourceForkLength __attribute__ ((packed));
+    uint32_t segment __attribute__ ((packed));
+    uint32_t segmentCount __attribute__ ((packed));
+    /* technically uuid */
+    uint8_t  segmentID[16];
+
+    uint32_t dataChecksumFields[34] __attribute__ ((packed));
+
+    uint64_t xmlOffset __attribute__ ((packed));
+    uint64_t xmlLength __attribute__ ((packed));
+    uint8_t  padding[120];
+
+    uint32_t masterChecksumFields[34] __attribute__ ((packed));
+
+    uint32_t imageVariant __attribute__ ((packed));
+    uint64_t sectorCount __attribute__ ((packed));
+
+    uint32_t reserved[3] __attribute__ ((packed));
+};
+
+/* 204-byte block, still big-endian */
+struct dmg_mish_block {
+    uint32_t magic;
+    uint32_t version;
+
+    uint64_t startSector;
+    uint64_t sectorCount;
+    uint64_t dataOffset;
+    uint32_t bufferCount;
+    uint32_t descriptorBlocks;
+
+    uint8_t  reserved[24];
+
+    uint32_t checksum[34];
+    uint64_t blockDescriptorCount;
+};
+
+#ifdef HAVE_PRAGMA_PACK
+#pragma pack()
+#endif
+
+#ifdef HAVE_PRAGMA_PACK_HPPA
+#pragma pack
+#endif
+
+int cli_scandmg(cli_ctx *ctx);
+
+#endif
--- a/libclamav/filetypes.c
+++ b/libclamav/filetypes.c
@ -101,6 +101,8 @@ static const struct ftmap_s {
    { "CL_TYPE_SWF",		CL_TYPE_SWF		},
    { "CL_TYPE_ISO9660",	CL_TYPE_ISO9660		},
    { "CL_TYPE_JAVA",		CL_TYPE_JAVA		},
+    { "CL_TYPE_DMG",		CL_TYPE_DMG		},
+    { "CL_TYPE_XAR",		CL_TYPE_XAR		},
    { NULL,			CL_TYPE_IGNORED		}
 };

--- a/libclamav/filetypes.h
+++ b/libclamav/filetypes.h
@ -74,6 +74,7 @@ typedef enum {
    CL_TYPE_7Z,
    CL_TYPE_SWF,
    CL_TYPE_JAVA,
+    CL_TYPE_XAR,

    /* bigger numbers have higher priority (in o-t-f detection) */
    CL_TYPE_HTML, /* on the fly */
@ -88,6 +89,7 @@ typedef enum {
    CL_TYPE_AUTOIT,
    CL_TYPE_ISHIELD_MSI,
    CL_TYPE_ISO9660,
+    CL_TYPE_DMG,
    CL_TYPE_IGNORED /* please don't add anything below */
 } cli_file_t;

--- a/libclamav/filetypes_int.h
+++ b/libclamav/filetypes_int.h
@ -172,6 +172,8 @@ static const char *ftypes_int[] = {
  "1:0:cafebabe0000001?:Universal Binary:CL_TYPE_ANY:CL_TYPE_MACHO_UNIBIN:73",
  "1:0:cafebabe0000002?:Java class file:CL_TYPE_ANY:CL_TYPE_JAVA:73",
  "1:0:cafebabe0000003?:Java class file:CL_TYPE_ANY:CL_TYPE_JAVA:73",
+  "1:EOF-512:6b6f6c79:DMG container file:CL_TYPE_ANY:CL_TYPE_DMG:73",
+  "0:0:78617221:XAR container file:CL_TYPE_ANY:CL_TYPE_XAR:73",
  NULL
 };

--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@ -94,6 +94,8 @@
 #include "jpeg.h"
 #include "png.h"
 #include "iso9660.h"
+#include "dmg.h"
+#include "xar.h"

 #ifdef HAVE_BZLIB_H
 #include <bzlib.h>
@ -595,7 +597,6 @@ static int cli_scangzip(cli_ctx *ctx)
    return ret;
 }

-
 #ifndef HAVE_BZLIB_H
 static int cli_scanbzip(cli_ctx *ctx) {
    cli_warnmsg("cli_scanbzip: bzip2 support not compiled in\n");
@ -2114,6 +2115,14 @@ static int cli_scanraw(cli_ctx *ctx, cli_file_t type, uint8_t typercg, cli_file_
 			}
 			break;

+		    case CL_TYPE_DMG:
+			if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_DMG)) {
+			    ctx->container_type = CL_TYPE_DMG;
+			    nret = cli_scandmg(ctx);
+			    cli_dbgmsg("DMG signature found at %u\n", (unsigned int) fpt->offset);
+			}
+			break;
+
 		    case CL_TYPE_PDF:
 			if(type != CL_TYPE_PDF && SCAN_PDF && (DCONF_DOC & DOC_CONF_PDF)) {
 			    ctx->container_type = CL_TYPE_PDF;
@ -2650,6 +2659,12 @@ static int magic_scandesc(cli_ctx *ctx, cli_file_t type)
 		ret = cli_scan_structured(ctx);
 	    break;

+	case CL_TYPE_XAR:
+	    ctx->container_type = CL_TYPE_XAR;
+	    if(SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_XAR))
+		ret = cli_scanxar(ctx);
+	    break;
+
 	default:
 	    break;
    }
--- a/libclamav/xar.c
+++ b/libclamav/xar.c
@ -0,0 +1,57 @@
+/*
+ *  Copyright (C) 2013 Sourcefire, Inc.
+ *
+ *  Authors: David Raynor <draynor@sourcefire.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ *  MA 02110-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+#include "clamav-config.h"
+#endif
+
+#include "cltypes.h"
+#include "others.h"
+#include "xar.h"
+#include "fmap.h"
+#include "scanners.h"
+
+int cli_scanxar(cli_ctx *ctx)
+{
+    struct xar_header hdr;
+    char name[513];
+    unsigned int file = 0, trailer = 0;
+    uint32_t filesize, namesize, hdr_namesize;
+    int ret, conv;
+    off_t pos = 0;
+
+    if (fmap_readn(*ctx->fmap, &hdr, pos, sizeof(hdr)) != sizeof(hdr)) {
+        cli_dbgmsg("cli_scanxar: Invalid header, too short.\n");
+        return CL_EFORMAT;
+    }
+    hdr.magic = be32_to_host(hdr.magic);
+    if (hdr.magic == 0x78617221) {
+        cli_dbgmsg("cli_scanxar: Matched magic\n");
+    }
+    else {
+        cli_dbgmsg("cli_scanxar: Invalid magic\n");
+        return CL_EFORMAT;
+    }
+
+    /* TODO: First grab the TOC, parse that, and then unpack the rest. */
+
+    return CL_CLEAN;
+}
+
--- a/libclamav/xar.h
+++ b/libclamav/xar.h
@ -0,0 +1,62 @@
+/*
+ *  Copyright (C) 2013 Sourcefire, Inc.
+ *
+ *  Authors: David Raynor <draynor@sourcefire.com>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ *  MA 02110-1301, USA.
+ */
+
+#ifndef __XAR_H
+#define __XAR_H
+
+#if HAVE_CONFIG_H
+#include "clamav-config.h"
+#endif
+
+#include "cltypes.h"
+#include "others.h"
+
+#ifndef HAVE_ATTRIB_PACKED
+#define __attribute__(x)
+#endif
+
+#ifdef HAVE_PRAGMA_PACK
+#pragma pack(1)
+#endif
+
+#ifdef HAVE_PRAGMA_PACK_HPPA
+#pragma pack 1
+#endif
+
+struct xar_header {
+    uint32_t magic;
+    uint16_t size;
+    uint16_t version;
+    uint64_t toc_length_compressed;
+    uint64_t toc_length_decompressed;
+    uint32_t chksum_alg; /* 0 = none */
+};
+
+#ifdef HAVE_PRAGMA_PACK
+#pragma pack()
+#endif
+
+#ifdef HAVE_PRAGMA_PACK_HPPA
+#pragma pack
+#endif
+
+int cli_scanxar(cli_ctx *ctx);
+
+#endif
--- a/win32/libclamav.vcxproj
+++ b/win32/libclamav.vcxproj
@ -298,6 +298,7 @@
    <ClCompile Include="..\libclamav\dconf.c"/>
    <ClCompile Include="..\libclamav\disasm.c"/>
    <ClCompile Include="..\libclamav\dlp.c"/>
+    <ClCompile Include="..\libclamav\dmg.c"/>
    <ClCompile Include="..\libclamav\dsig.c"/>
    <ClCompile Include="..\libclamav\elf.c"/>
    <ClCompile Include="..\libclamav\entconv.c"/>
@ -372,6 +373,7 @@
    <ClCompile Include="..\libclamav\vba_extract.c"/>
    <ClCompile Include="..\libclamav\version.c"/>
    <ClCompile Include="..\libclamav\wwunpack.c"/>
+    <ClCompile Include="..\libclamav\xar.c"/>
    <ClCompile Include="..\libclamav\yc.c"/>
    <ClCompile Include="..\shared\getopt.c"/>
    <ClCompile Include="..\shared\misc.c"/>
--- a/win32/libclamav.vcxproj.filters
+++ b/win32/libclamav.vcxproj.filters
@ -102,6 +102,9 @@
    <ClCompile Include="..\libclamav\dlp.c">
      <Filter>Source Files</Filter>
    </ClCompile>
+    <ClCompile Include="..\libclamav\dmg.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
    <ClCompile Include="..\libclamav\dsig.c">
      <Filter>Source Files</Filter>
    </ClCompile>
@ -282,6 +285,9 @@
    <ClCompile Include="..\libclamav\wwunpack.c">
      <Filter>Source Files</Filter>
    </ClCompile>
+    <ClCompile Include="..\libclamav\xar.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
    <ClCompile Include="..\libclamav\sha256.c">
      <Filter>Source Files</Filter>
    </ClCompile>