clamav 使用clamdscan检测病毒

我们使用 eicar.com作为测试用例。

# ./clamdscan/clamdscan  eicar.com
/home/jack/code/clamav-0.104.2/build/eicar.com: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.006 sec (0 m 0 s)
Start Date: 2022:05:19 05:03:25
End Date:   2022:05:19 05:03:25

eicar.com文件内容如下：

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

使用md5在线转换工具计算出对应的值为：

44d88612fea8a8f36de82e1278abb02f

这个值与daily.cvd中的daily.hdb内容一致:

44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature

但是与我们的检测输出不一致，输出打印的病毒名为Eicar-Signature。查看clamd的日志有如下日志：

LibClamAV debug: Bytecode found virus: Eicar-Signature

通过使用sigtool定位出来是bytecode.cvd中6327695.cbc文件的第二行中的一个病毒。如下：

Eicar-Signature.{};Engine:56-255,Target:0;0;0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

名字也对上了。

上面的没有hdb报病毒是因为代码原因，读取病毒文件内容时，使用的长度与病毒库中的不对应，本来因该是69， 使用69去计算的，所以导致md5的结果对不上。改完之后就行了。我改成68，

fmap_get_MD5和cli_hm_scan，长度-1，代码如下：

cl_error_t fmap_get_MD5(fmap_t *map, unsigned char **hash)
{
    cl_error_t status = CL_ERROR;
    size_t todo, at = 0;
    void *hashctx = NULL;

    todo = map->len;

    if (!map->have_maphash) {
        /* Need to calculate the hash */
        hashctx = cl_hash_init("md5");
        if (!(hashctx)) {
            cli_errmsg("fmap_get_MD5: error initializing new md5 hash!\n");
            goto done;
        }

        while (todo) {
            const void *buf;
            size_t readme = todo < 1024 * 1024 * 10 ? todo : 1024 * 1024 * 10;

            if (!(buf = fmap_need_off_once(map, at, readme))) {
                cli_errmsg("fmap_get_MD5: error reading while generating hash!\n");
                status = CL_EREAD;
                goto done;
            }

            todo -= readme;
            at += readme;

			cli_dbgmsg("xxx buf :%s, readme :%u\n", (char *)buf, readme);
            if (cl_update_hash(hashctx, (void *)buf, readme-1)) {
                cli_errmsg("fmap_get_MD5: error calculating hash!\n");
                status = CL_EREAD;
                goto done;
            }
        }

        cl_finish_hash(hashctx, map->maphash);
        hashctx = NULL;

        map->have_maphash = true;
    }

    *hash = map->maphash;
	cli_dbgmsg("hash :%s, str :%s\n", *hash, cli_str2hex(*hash, 16));
    status = CL_SUCCESS;

done:

    if (NULL != hashctx) {
        cl_hash_destroy(hashctx);
    }

    return status;
}

/* cli_hm_scan will scan only size-specific hashes, if any */
int cli_hm_scan(const unsigned char *digest, uint32_t size, const char **virname, const struct cli_matcher *root, enum CLI_HASH_TYPE type)
{
    const struct cli_htu32_element *item;
    struct cli_sz_hash *szh;

	cli_dbgmsg("xxxx digest :%s\n",  cli_str2hex(digest, 16));
    if (!digest || !size || size == 0xffffffff || !root || !root->hm.sizehashes[type].capacity)
        return CL_CLEAN;

    item = cli_htu32_find(&root->hm.sizehashes[type], size -1);
    if (!item)
        return CL_CLEAN;

    szh = (struct cli_sz_hash *)item->data.as_ptr;

    return hm_scan(digest, virname, szh, type);
}

编译后匹配如下：

d# ./clamdscan/clamdscan  eicar.com
/home/jack/code/clamav-0.104.2/build/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.011 sec (0 m 0 s)
Start Date: 2022:05:19 08:16:07
End Date:   2022:05:19 08:16:07

这个是main.cvd报的病毒

如果指定病毒库为daily.cvd，结果如下：

# ./clamdscan/clamdscan  eicar.com
/home/jack/code/clamav-0.104.2/build/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)
Start Date: 2022:05:19 08:22:55
End Date:   2022:05:19 08:22:55