Mailing List Archive

Some Questions in the PE section scanning
Hi all~
Thank you for solving my problem before. I still have some other
questions when analysing the code of ClamAV. Could anybody help me again?
What does the member variable uint32_t *soff stand for? Why sort the
elements which soff points to? Does the qsort function in the code
implement the quick sort algorithm?

struct cli_matcher {
    unsigned int type;

    /* Extended Boyer-Moore */
    uint8_t *bm_shift;
    struct cli_bm_patt **bm_suffix, **bm_pattab;
    struct cli_hashset md5_sizes_hs;
    uint32_t *soff, soff_len; /* for PE section sigs */
    uint32_t bm_offmode, bm_patterns, bm_reloff_num, bm_absoff_num;

    /* Extended Aho-Corasick */
    uint32_t ac_partsigs, ac_nodes, ac_patterns, ac_lsigs;
    struct cli_ac_lsig **ac_lsigtable;
    struct cli_ac_node *ac_root, **ac_nodetable;
    struct cli_ac_patt **ac_pattable;
    struct cli_ac_patt **ac_reloff;
    uint32_t ac_reloff_num, ac_absoff_num;
    uint8_t ac_mindepth, ac_maxdepth;
    struct filter *filter;

    uint16_t maxpatlen;
    uint8_t ac_only;
#ifdef USE_MPOOL
    mpool_t *mempool;
#endif
};
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Some Questions in the PE section scanning
On Wed, 30 Jun 2010 11:45:15 +0800
candy <outstandingcandy@gmail.com> wrote:

> Hi all~
> Thank you for solving my problem before. I still have some other
> questions when analysing the code of ClamAV. Could anybody help me
> again? What does the member variable uint32_t *soff stand for?

Have a look at readdb.c, and pe.c.

> Why
> sort the elements which soff points to? Does the qsort function in
> the code implement the quick sort algorithm?

See qsort.c.

What are you trying to do with soff?

Best regards,
--Edwin
Re: Some Questions in the PE section scanning
Thanks for your reply.
I am very interested in the virus engine. I want to know the whole
algorithm of scanning and try to optimize the "int cli_scanpe(cli_ctx
*ctx, icon_groupset *iconset)" function.
I have read the readdb.c and pe.c files; I think the soff variable stores
the length of the PE sections in the database. Am I right?
And I want to know why not use binary search instead of the following
code? Maybe it can speed up scanning?
for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <=
exe_sections[i].rsz; j++) {

2010/6/30 Török Edwin <edwin@clamav.net>

> On Wed, 30 Jun 2010 11:45:15 +0800
> candy <outstandingcandy@gmail.com> wrote:
>
> > Hi all~
> > Thank you for solving my problem before. I still have some other
> > questions when analysing the code of ClamAV. Could anybody help me
> > again? What does the member variable uint32_t *soff stand for?
>
> Have a look at readdb.c, and pe.c.
>
> > Why
> > sort the elements which soff points to? Does the qsort function in
> > the code implement the quick sort algorithm?
>
> See qsort.c.
>
> What are you trying to do with soff?
>
> Best regards,
> --Edwin
>
Re: Some Questions in the PE section scanning
On Wed, 30 Jun 2010 15:37:07 +0800
candy <outstandingcandy@gmail.com> wrote:

> Thanks for your reply.
> I am very interested in the virus engine. I want to know the whole
> algorithm of scanning and try to optimize the "int
> cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)" function.
> I have read the readdb.c and pe.c files; I think the soff variable
> stores the length of the PE sections in the database. Am I right?

No, it is actually the section size; I don't know why it was called
soff.

> And I want to know why not use binary search instead of the
> following code? Maybe it can speed up scanning?
> for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <=
> exe_sections[i].rsz; j++) {

You could, but it would complicate the code. How much faster is it if
you are using binary search here?

--Edwin
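The thread leaves Edwin's question ("how much faster is it if you are using binary search here?") open. The following is an added, stand-alone example written for this archive page; it is not ClamAV code and does not use ClamAV's internal types. It models what the thread describes: section-size values are sorted ascending with qsort (as the database loader does for soff), the quoted linear loop is reproduced as candidates_linear(), and candidates_binary() finds the same boundary with an upper-bound binary search. Both return the number of size-matching signature candidates together with the number of array probes they made, so the cost of the two strategies can be compared on constructed input. The sample sizes, the struct scan_result type and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: section sizes of hypothetical PE-section signatures,
 * in the arbitrary order a database file might list them. Duplicates are
 * deliberate: several signatures can share one section size. */
static const uint32_t sample_sizes[] = {4096, 512, 8192, 512, 1024, 65536, 2048};
#define SAMPLE_COUNT (sizeof(sample_sizes) / sizeof(sample_sizes[0]))

/* Result of one candidate lookup: how many leading entries have
 * size <= rsz, and how many array entries were examined to find out. */
struct scan_result {
    size_t count;
    size_t steps;
};

/* qsort comparator for uint32_t. Written as two comparisons rather than
 * "a - b" so that large unsigned values cannot wrap around. */
static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Copy the sample into a static buffer and sort it ascending, mirroring
 * the sort the thread asks about. Returns the sorted array. */
const uint32_t *prepare_sorted(void)
{
    static uint32_t sorted[SAMPLE_COUNT];
    memcpy(sorted, sample_sizes, sizeof(sample_sizes));
    qsort(sorted, SAMPLE_COUNT, sizeof(sorted[0]), cmp_u32);
    return sorted;
}

/* Linear scan, the shape of the loop quoted in the thread:
 * walk from the smallest size upward and stop at the first entry larger
 * than the section's raw size. Sorting is what makes early exit valid. */
struct scan_result candidates_linear(const uint32_t *soff, size_t soff_len, uint32_t rsz)
{
    struct scan_result r = {0, 0};
    size_t j;
    for (j = 0; j < soff_len; j++) {
        r.steps++;
        if (soff[j] > rsz)
            break;
    }
    r.count = j;
    return r;
}

/* Upper-bound binary search over the same sorted array: find the first
 * index whose size exceeds rsz. That index equals the linear count. */
struct scan_result candidates_binary(const uint32_t *soff, size_t soff_len, uint32_t rsz)
{
    struct scan_result r = {0, 0};
    size_t lo = 0, hi = soff_len;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2; /* no overflow, unlike (lo+hi)/2 */
        r.steps++;
        if (soff[mid] <= rsz)
            lo = mid + 1;
        else
            hi = mid;
    }
    r.count = lo;
    return r;
}

int main(void)
{
    const uint32_t *soff = prepare_sorted();
    uint32_t probes[] = {100, 4096, 1000000}; /* constructed section sizes */
    size_t i;
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        struct scan_result lin = candidates_linear(soff, SAMPLE_COUNT, probes[i]);
        struct scan_result bin = candidates_binary(soff, SAMPLE_COUNT, probes[i]);
        printf("rsz=%-8u candidates: linear=%zu (%zu probes)  binary=%zu (%zu probes)\n",
               probes[i], lin.count, lin.steps, bin.count, bin.steps);
    }
    return 0;
}
```

Two things the numbers make visible. First, the linear loop's cost grows with the number of matching candidates, not with the table size, because the sort lets it stop early; binary search costs about log2(soff_len) probes regardless. Second, every candidate the loop yields still has to be checked against the actual section (a hash computation per candidate in the real scanner), and that per-candidate work is the same for both strategies, so replacing the loop only saves time in the boundary search itself. Measuring on a real signature database, as Edwin suggests, is the only way to know whether that saving is worth the added code.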