We use eicar.com as the test case.
# ./clamdscan/clamdscan eicar.com
/home/jack/code/clamav-0.104.2/build/eicar.com: Eicar-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.006 sec (0 m 0 s)
Start Date: 2022:05:19 05:03:25
End Date: 2022:05:19 05:03:25
The contents of eicar.com are as follows:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Computing its MD5 with an online MD5 tool gives the following value:
44d88612fea8a8f36de82e1278abb02f
This value matches the entry in daily.hdb inside daily.cvd:
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
But it does not match our detection output, which printed the virus name Eicar-Signature. The clamd log contains the following line:
LibClamAV debug: Bytecode found virus: Eicar-Signature
Using sigtool, I located it as a signature on the second line of the file 6327695.cbc in bytecode.cvd, as follows:
Eicar-Signature.{};Engine:56-255,Target:0;0;0:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
So the name matches as well.
The reason the hdb signature did not fire above is a code issue: when the virus file content is read, the length used does not match the one in the signature database. It was originally 69, and 69 was used in the computation, so the md5 result did not match. After the change it works. I changed it to 68 by subtracting 1 from the length in fmap_get_MD5 and cli_hm_scan; the code is as follows:
    cl_error_t fmap_get_MD5(fmap_t *map, unsigned char **hash)
    {
        cl_error_t status = CL_ERROR;
        size_t todo, at = 0;
        void *hashctx = NULL;

        todo = map->len;
        if (!map->have_maphash) {
            /* Need to calculate the hash */
            hashctx = cl_hash_init("md5");
            if (!(hashctx)) {
                cli_errmsg("fmap_get_MD5: error initializing new md5 hash!\n");
                goto done;
            }
            while (todo) {
                const void *buf;
                /* hash the map in chunks of at most 10 MiB */
                size_t readme = todo < 1024 * 1024 * 10 ? todo : 1024 * 1024 * 10;
                if (!(buf = fmap_need_off_once(map, at, readme))) {
                    cli_errmsg("fmap_get_MD5: error reading while generating hash!\n");
                    status = CL_EREAD;
                    goto done;
                }
                todo -= readme;
                at += readme;
                /* debug print: buf is not NUL-terminated, so bound it by readme; size_t needs %zu */
                cli_dbgmsg("xxx buf :%.*s, readme :%zu\n", (int)readme, (const char *)buf, readme);
                /* changed here: hash one byte less than was read (69 -> 68 for eicar.com) */
                if (cl_update_hash(hashctx, (void *)buf, readme - 1)) {
                    cli_errmsg("fmap_get_MD5: error calculating hash!\n");
                    status = CL_EREAD;
                    goto done;
                }
            }
            cl_finish_hash(hashctx, map->maphash);
            hashctx = NULL;
            map->have_maphash = true;
        }
        *hash = map->maphash;
        {
            /* maphash is 16 raw bytes, not a C string: print it as hex; cli_str2hex() returns malloc'd memory */
            char *hex = cli_str2hex((const char *)*hash, 16);
            cli_dbgmsg("hash (hex) :%s\n", hex ? hex : "(null)");
            free(hex);
        }
        status = CL_SUCCESS;

    done:
        if (NULL != hashctx) {
            cl_hash_destroy(hashctx);
        }
        return status;
    }

    /* cli_hm_scan will scan only size-specific hashes, if any */
    int cli_hm_scan(const unsigned char *digest, uint32_t size, const char **virname, const struct cli_matcher *root, enum CLI_HASH_TYPE type)
    {
        const struct cli_htu32_element *item;
        struct cli_sz_hash *szh;
        char *hex;

        if (!digest || !size || size == 0xffffffff || !root || !root->hm.sizehashes[type].capacity)
            return CL_CLEAN;

        /* debug print after the NULL check; digest is raw bytes, so print it as hex and free the buffer */
        hex = cli_str2hex((const char *)digest, 16);
        cli_dbgmsg("xxxx digest :%s\n", hex ? hex : "(null)");
        free(hex);

        /* changed here: look up the size-specific hash table with size - 1 (69 -> 68 for eicar.com) */
        item = cli_htu32_find(&root->hm.sizehashes[type], size - 1);
        if (!item)
            return CL_CLEAN;
        szh = (struct cli_sz_hash *)item->data.as_ptr;
        return hm_scan(digest, virname, szh, type);
    }
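To show why the hdb entry only fires when both the digest and the size line up, here is an added example (not ClamAV's code and not part of the original post) that parses hdb-format lines, `md5:size:name`, and performs the same size-keyed lookup that cli_hm_scan does. The hdb fragment and the 68-byte EICAR test string are the values quoted on this page; the `*` wildcard size is ClamAV's documented hdb syntax for "any size". Feeding a 69-byte variant (the test string plus a trailing newline) returns no match, because both the md5 and the size differ from the database entry.

```python
import hashlib

# Constructed sample input: the 68-byte EICAR test string quoted on this page.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed hdb fragment in ClamAV's "md5:size:name" format (the daily.hdb line from this page).
HDB_TEXT = """\
# constructed hdb fragment for the example
44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature
"""


def parse_hdb(text):
    """Parse hdb lines into {(md5_hex, size): name}; size is None for the '*' wildcard."""
    db = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"hdb line {lineno}: expected md5:size:name, got {raw!r}")
        md5_hex, size_field, name = fields[0].lower(), fields[1], fields[2]
        if len(md5_hex) != 32 or any(c not in "0123456789abcdef" for c in md5_hex):
            raise ValueError(f"hdb line {lineno}: bad md5 {md5_hex!r}")
        size = None if size_field == "*" else int(size_field)
        db[(md5_hex, size)] = name
    return db


def scan_bytes(data, db):
    """Return the signature name for data, or None.

    Like cli_hm_scan, a size-specific entry matches only when the file size equals
    the size field; a '*' entry matches on digest alone.
    """
    md5_hex = hashlib.md5(data).hexdigest()
    hit = db.get((md5_hex, len(data)))
    if hit is None:
        hit = db.get((md5_hex, None))
    return hit


def demo():
    """68-byte file matches; the 69-byte variant (trailing newline) does not."""
    db = parse_hdb(HDB_TEXT)
    exact = scan_bytes(EICAR, db)
    with_newline = scan_bytes(EICAR + b"\n", db)
    return exact, with_newline


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests when a hash signature unexpectedly fails to fire is to compare the on-disk file size against the size field of the entry (`ls -l` or `wc -c` versus the middle field of the hdb line) before touching the engine's hashing code: a stray trailing byte changes both values at once.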
After recompiling, the match looks like this:
# ./clamdscan/clamdscan eicar.com
/home/jack/code/clamav-0.104.2/build/eicar.com: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.011 sec (0 m 0 s)
Start Date: 2022:05:19 08:16:07
End Date: 2022:05:19 08:16:07
This is the detection reported by main.cvd.
If daily.cvd is specified as the signature database, the result is as follows:
# ./clamdscan/clamdscan eicar.com
/home/jack/code/clamav-0.104.2/build/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)
Start Date: 2022:05:19 08:22:55
End Date: 2022:05:19 08:22:55