可使用clamdscan工具进行文件流的检查,核心处理函数为send_stream。如下分为四个步骤:
- 首先,发送流检查命令字"zINSTREAM"到clamd守护进程。注意代码里sendln的长度参数是10而不是9:字符串结尾的NUL也一并发出,这不是笔误,'z'前缀的命令以NUL作为结束符,clamd的应答同样以NUL结尾;
- 分块发送文件内容。每一块的头部4个字节存放该块数据的长度(网络字节序),长度字放在buf[0],数据从buf[1]开始,这样一块数据只需一次send。send_stream最多只发送maxstream字节,超出的部分不会被读取也不会被扫描,因此对超长文件得到的"OK"只代表前缀是干净的;
- 发送4个字节的空数据到clamd,表示文件流发送完成;
- 读取clamd的检测结果。应答以NUL结尾,在流式套接字上一次recv未必能收全,应循环读取直到遇到NUL或对端关闭。
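/*
 * Stream a file (or STDIN when filename is NULL) to clamd over an already
 * connected socket using the zINSTREAM protocol.
 *
 * What goes on the wire, in order:
 *   1. "zINSTREAM" plus its terminating NUL (10 bytes; the 'z' prefix
 *      selects NUL-terminated request/response framing).
 *   2. Chunks of <uint32 big-endian length><data>. The length word lives in
 *      buf[0] and the payload is read straight into buf[1..], so each chunk
 *      is a single send.
 *   3. A zero-length chunk (four zero bytes) marking end of stream.
 * clamd's reply is left on the socket for the caller to read.
 *
 * At most `maxstream` bytes are sent; whatever follows is deliberately left
 * unread, so a clean verdict for a longer input only covers its prefix.
 * When reading from STDIN, descriptor 0 is closed on the way out.
 *
 * Returns 1 on success, 0 when the input cannot be opened or read, and -1
 * when a send to clamd fails. That now includes the terminating chunk:
 * previously its send status was ignored, so a stream clamd never saw the
 * end of was reported as delivered.
 */
static int send_stream(int sockd, const char *filename)
{
    uint32_t buf[BUFSIZ / sizeof(uint32_t)];
    int fd, len;
    unsigned long int todo = maxstream;

    if (filename) {
        if ((fd = safe_open(filename, O_RDONLY | O_BINARY)) < 0) {
            logg("~%s: Failed to open file. ERROR\n", filename);
            return 0;
        }
    } else {
        /* Read stream from STDIN */
        fd = 0;
    }

    if (sendln(sockd, "zINSTREAM", 10)) {
        close(fd);
        return -1;
    }

    while ((len = read(fd, &buf[1], sizeof(buf) - sizeof(uint32_t))) != 0) {
        if (len < 0) {
            if (errno == EINTR)
                continue; /* interrupted, not failed: retry the read */
            break;        /* real read error, reported after the loop */
        }
        /* Never send more than the remaining budget. */
        if ((unsigned int)len > todo)
            len = todo;
        buf[0] = htonl(len);
        if (sendln(sockd, (const char *)buf, len + sizeof(uint32_t))) {
            close(fd);
            return -1;
        }
        todo -= len;
        if (!todo) {
            /* Budget exhausted: stop here, the rest of the input is not sent. */
            len = 0;
            break;
        }
    }
    close(fd);
    if (len) {
        logg("!Failed to read from %s.\n", filename ? filename : "STDIN");
        return 0;
    }

    /* Terminating zero-length chunk. If it does not reach clamd the scan
     * never completes, so treat the failure like any other send failure. */
    *buf = 0;
    if (sendln(sockd, (const char *)buf, 4))
        return -1;
    return 1;
}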
以下代码完整地实现了文件流的检测(独立于clamdscan,只依赖标准库和系统调用):
头文件部分
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
初始化与clamd通信的本地套接口
/*
 * Connect to clamd over its local (AF_UNIX) stream socket.
 *
 * Returns the connected descriptor, or -1 when the socket cannot be created
 * or connected (a message is printed only for the connect failure).
 *
 * Security note: the hard-coded path is under /tmp, a directory every local
 * user can write to. Whoever creates /tmp/clamd.socket first can pose as
 * clamd and answer "OK" for anything. For real deployments use the path set
 * by LocalSocket in clamd.conf, in a directory writable only by the clamd
 * user.
 */
static int sock_init(void)
{
    struct sockaddr_un addr = { 0 };
    int fd;

    addr.sun_family = AF_UNIX;
    /* addr is zero-filled and at most sizeof-1 bytes are copied, so
     * sun_path is guaranteed to stay NUL-terminated. */
    strncpy(addr.sun_path, "/tmp/clamd.socket", sizeof(addr.sun_path) - 1);

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0)
        return fd;

    printf("Could not connect to clamd on LocalSocket: %s\n", strerror(errno));
    close(fd);
    return -1;
}
主函数如下。注意本文把static函数sendln放在main之后,而main中已经调用了它,按C99/C11需要在main之前加一行原型声明:`static int sendln(int sockd, const char *line, unsigned int len);`。
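/*
 * Scan a single file through a running clamd via the zINSTREAM protocol.
 *
 * argv[1] is the path of the file to scan. The file is streamed to clamd as
 * length-prefixed chunks (4-byte big-endian length followed by the data),
 * terminated by a zero-length chunk; clamd's NUL-terminated verdict is then
 * read and printed as "result: ...".
 *
 * Exit status: 0 when a verdict was received (the verdict text itself may
 * still be FOUND or an ERROR line - read what was printed), 1 on a usage
 * error, 2 on any file, connection or protocol failure. The original always
 * returned 0, which let a failed scan look exactly like a successful one to
 * a calling script; a non-zero exit must never be read as "clean".
 *
 * NOTE: sock_init() and sendln() are file-local helpers; sendln() is defined
 * after main() in this listing, so a prototype for it is needed above main()
 * for the file to compile as C99/C11.
 */
int main(int argc, char *argv[])
{
    /* Upper bound on bytes streamed to clamd. The original labels this
     * stream_max_length; it should not exceed the StreamMaxLength value in
     * clamd.conf - confirm against the daemon's configuration. Input past
     * this point is not scanned. */
    const unsigned long int stream_limit = 2000000;
    unsigned long int todo = stream_limit;
    /* buf[0] carries the chunk length, buf[1..] the chunk payload; the same
     * buffer is reused for the reply. */
    uint32_t buf[1024 / sizeof(uint32_t)];
    char *reply = (char *)buf;
    size_t got = 0;
    ssize_t len;
    const char *filename;
    int sockd = -1, fd = -1;
    int rc = 2;

    if (argc < 2 || argv[1] == NULL) {
        printf("need absolute file name\n");
        return 1;
    }
    filename = argv[1];

    /* Open the file before talking to clamd so a bad path does not leave a
     * half-started INSTREAM session behind. */
    if ((fd = open(filename, O_RDONLY)) < 0) {
        printf("%s: Failed to open file\n", filename);
        return 2;
    }

    if ((sockd = sock_init()) < 0)
        goto out;

    /* Send STREAM command: 10 bytes so the terminating NUL goes too (the
     * 'z' prefix selects NUL-terminated requests and replies). */
    if (sendln(sockd, "zINSTREAM", 10))
        goto out;

    /* Each chunk is <4-byte big-endian length><data>. */
    while ((len = read(fd, &buf[1], sizeof(buf) - sizeof(uint32_t))) != 0) {
        if (len < 0) {
            if (errno == EINTR)
                continue; /* interrupted, not failed: retry */
            break;        /* real read error, reported below */
        }
        if ((unsigned long)len > todo)
            len = (ssize_t)todo;
        buf[0] = htonl((uint32_t)len);
        if (sendln(sockd, (const char *)buf, (unsigned int)(len + sizeof(uint32_t)))) {
            printf("stream checking failed\n");
            goto out;
        }
        todo -= (unsigned long)len;
        if (!todo) {
            /* Limit reached. Anything still in the file is not scanned, so
             * say so rather than let a clean verdict be taken at face value. */
            unsigned char probe;
            if (read(fd, &probe, 1) > 0)
                printf("warning: %s exceeds %lu bytes; only a prefix was scanned\n",
                       filename, stream_limit);
            len = 0;
            break;
        }
    }
    if (len) {
        printf("Failed to read from %s\n", filename);
        goto out;
    }

    /* Send Finish: a zero-length chunk ends the stream. */
    buf[0] = 0;
    if (sendln(sockd, (const char *)buf, 4)) {
        printf("Failed to send finish\n");
        goto out;
    }

    /* Get result. The reply is NUL-terminated and a single recv() may
     * deliver only part of it, so read until the NUL, EOF or a full buffer.
     * The last byte is never written, so printf cannot run off the end. */
    memset(buf, 0, sizeof(buf));
    while (got < sizeof(buf) - 1) {
        len = recv(sockd, reply + got, sizeof(buf) - 1 - got, 0);
        if (len < 0) {
            if (errno == EINTR)
                continue;
            printf("Failed to read result: %s\n", strerror(errno));
            goto out;
        }
        if (len == 0)
            break;
        got += (size_t)len;
        if (memchr(reply, '\0', got))
            break;
    }
    if (got == 0) {
        printf("No result from clamd\n");
        goto out;
    }
    printf("result: %s\n", reply);
    rc = 0;

out:
    if (fd >= 0)
        close(fd);
    if (sockd >= 0)
        close(sockd);
    return rc;
}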
发送函数
/*
 * Write exactly `len` bytes of `line` to `sockd`, looping over short sends
 * and retrying when a send is interrupted by a signal.
 *
 * Returns 0 once everything has been written, 1 on any other failure (with
 * a message on stdout). A send() that returns 0 is treated as a failure.
 *
 * Note: send() is called with flags 0, so if clamd has closed the connection
 * the process may receive SIGPIPE and die before this error path runs;
 * callers that must survive that should pass MSG_NOSIGNAL or ignore SIGPIPE.
 */
static int sendln(int sockd, const char *line, unsigned int len)
{
    const char *cursor = line;
    unsigned int remaining = len;

    for (;;) {
        if (remaining == 0)
            return 0;

        int written = send(sockd, cursor, remaining, 0);
        if (written > 0) {
            cursor += written;
            remaining -= written;
            continue;
        }
        /* -1 with EINTR is a retry; anything else (including 0) is fatal. */
        if (written < 0 && errno == EINTR)
            continue;

        printf("Can't send to clamd: %s\n", strerror(errno));
        return 1;
    }
}
clamav版本: 0.103.1