Mailing List Archive: ClamAV: devel

Announcing ClamAV bytecode compiler 0.10

 

 



edwin at clamav

Mar 12, 2010, 2:06 PM


Hi!

The ClamAV bytecode compiler version 0.10 is now available.

You can get it by using one of these commands:
$ git clone git://git.clamav.net/git/clamav-bytecode-compiler
$ git clone http://git.clamav.net/clamav-bytecode-compiler.git

The repository can be browsed online here:
http://git.clamav.net/gitweb?p=clamav-bytecode-compiler.git;a=summary

You can check out the clambc-0.10 version using:
$ git checkout clambc-0.10

The README for the compiler, including build instructions, can be found here:
http://git.clamav.net/gitweb?p=clamav-bytecode-compiler.git;a=blob_plain;f=README

The User manual can be found here:
http://git.clamav.net/gitweb?p=clamav-bytecode-compiler.git;a=blob_plain;f=docs/user/clambc-user.pdf

Bugs for the compiler should be filed using the clambc-compiler
component in bugzilla.

Here is an example of using the compiler (example source code available
in repository):
$ clambc-compiler examples/in/match_with_read.o1.c -o test.cbc

To load it into clamscan [1]:
$ clamscan --debug --trust -dtest.cbc test/clam.exe
....
LibClamAV debug: bytecode debug: EP:
LibClamAV debug: bytecode debug: 64
LibClamAV debug: bytecode debug: VA of cyphertext is
LibClamAV debug: bytecode debug: 4198513
LibClamAV debug: bytecode debug: RVA of cyphertext is
LibClamAV debug: bytecode debug: 4209
LibClamAV debug: bytecode debug: Cyphertext starts at
LibClamAV debug: bytecode debug: 113
LibClamAV debug: bytecode debug: HELLO WORM
LibClamAV debug: Bytecode found virus:
ClamAV-Test-File-detected-via-bytecode
....
test/clam.exe: ClamAV-Test-File-detected-via-bytecode FOUND

To see information about the bytecode, run:
$ clambc -i test.cbc
Bytecode format functionality level: 6
Bytecode metadata:
compiler version: clambc-0.10
compiled on: Fri Mar 12 23:59:52 2010
compiled by: edwin
target exclude: 0
bytecode type: PE hook
bytecode logical signature:
.{ClamAV-Test-File-detected-via-bytecode};Target:1;(2&1&0);0:4d5a50000200000004000f00ffff0000;EOF-544:4d5a50000200000004000f00ffff0000;S0+0:4d5a50000200000004000f00ffff0000
virusname prefix: (null)
virusnames: 0
bytecode triggered on: PE files matching logical signature
number of functions: 2
number of types: 51
number of global constants: 39
number of debug nodes: 0
bytecode APIs used:
read, seek, setvirusname, debug_print_str, debug_print_uint,
pe_rawaddr

To see the source code of a bytecode, run:
$ clambc -p test.cbc

[1] You will need to build the git version of clamscan with
--enable-debug, and use the --trust command-line parameter to load it.
This is just a temporary situation that will be solved before the final
0.96 release.
The RC release only loads signed bytecode from bytecode.cvd.
For 0.96 you will have the possibility to create your own bytecode using
this compiler (more on this later).

P.S.:
This version was tested on Linux/x86-64; if you encounter problems on
other systems, please open a bug report.
Note that regardless of what system you build the compiler on, the
compiler creates the same bytecode.

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
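
Added example, not part of the original post and not ClamAV code: a small Python reader for the "bytecode logical signature" line in the `clambc -i` output above, splitting it into name, target block, logical expression and offset:hex subsignatures, then checking it against a buffer. The function names are hypothetical, only the three offset forms and the `&`, `|`, `()` operators are handled (applied left to right, an assumption), and section start offsets are supplied by the caller instead of being read from a PE header.

```python
import re

# Subsignature bytes and logical signature copied from `clambc -i` in the post.
PAT = "4d5a50000200000004000f00ffff0000"
LSIG = (".{ClamAV-Test-File-detected-via-bytecode};Target:1;(2&1&0);"
        f"0:{PAT};EOF-544:{PAT};S0+0:{PAT}")
# Constructed 544-byte buffer for the demo, not the real test/clam.exe.
SAMPLE = bytes.fromhex(PAT).ljust(544, b"\0")

def parse_lsig(line):
    """Split name;target block;expression;subsig0;subsig1;... into parts."""
    name, target, expr, *subs = line.split(";")
    attrs = dict(kv.split(":", 1) for kv in target.split(","))
    pairs = [s.split(":", 1) for s in subs]
    return name, attrs, expr, [(off, bytes.fromhex(h)) for off, h in pairs]

def resolve_offset(spec, file_size, section_starts):
    """Absolute file offset for the three offset forms seen in the post."""
    if spec.isdigit():
        return int(spec)
    if m := re.fullmatch(r"EOF-(\d+)", spec):
        return file_size - int(m.group(1))
    if m := re.fullmatch(r"S(\d+)\+(\d+)", spec):
        return section_starts[int(m.group(1))] + int(m.group(2))
    raise ValueError(f"unsupported offset form: {spec}")

def eval_expr(expr, hits):
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:  # count modifiers etc. are out of scope here
        raise ValueError(f"unsupported expression: {expr}")
    def chain(pos):  # assumption: & and | are applied left to right
        val, pos = atom(pos)
        while pos < len(tokens) and tokens[pos] in ("&", "|"):
            rhs, nxt = atom(pos + 1)
            val = (val and rhs) if tokens[pos] == "&" else (val or rhs)
            pos = nxt
        return val, pos
    def atom(pos):
        if tokens[pos] == "(":
            val, pos = chain(pos + 1)
            return val, pos + 1  # skip the closing ")"
        return hits[int(tokens[pos])], pos + 1
    return chain(0)[0]

def lsig_matches(line, data, section_starts):
    _, _, expr, subsigs = parse_lsig(line)
    at = [resolve_offset(s, len(data), section_starts) for s, _ in subsigs]
    hits = [a >= 0 and data[a:a + len(p)] == p for a, (_, p) in zip(at, subsigs)]
    return eval_expr(expr, hits)
```

With the constructed 544-byte buffer and section 0 starting at offset 0, all three subsignatures resolve to offset 0, so `(2&1&0)` is true; one extra trailing byte moves `EOF-544` to offset 1 and the match fails.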
