ClamAV source code analysis
Analyzed version: 0.97.2
Preface:
ClamAV has supported a Windows client since version 0.7, and scanning of PE files since version 0.8rc.
Analysis goals:
1. An overview of the theoretical basis of ClamAV's virus detection.
2. An illustrated overview of the ClamAV framework and its implementation.
3. A closer look at ClamAV's key techniques.
4. Open questions:
   1. Does it include virtual-machine (emulation) based detection?
   2. Does it include any proactive-defense (behavior-based) approach?
Project dependencies (Visual Studio solution)
All command-line tools and daemons link against the libclamav DLL. libclamav in turn depends on libclamavcxx, the C++ glue layer that hosts the LLVM JIT, which is what pulls the LLVM projects into the build.
|clamdscan.vcxproj (exe)|clamd.vcxproj (exe)|clamconf.vcxproj (exe)|clambc.vcxproj (exe)|freshclam.vcxproj (exe)|sigtool.exe|
\_________________________________________________________________________________________________________________________/
                                                             |
                  libclamav.vcxproj (dll)    preprocessor defines: HAVE_CONFIG_H, LIBCLAMAV_EXPORTS
                                                             |
                                       libclamavcxx.vcxproj (lib)
                                                             |
          /^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\  <LLVM compiler support>
          LLVMx86codegen.vcxproj | LLVMsystem.vcxproj | LLVMjit.vcxproj | LLVMcodegen.vcxproj
Q:
1. What is LLVM's role in ClamAV?
2. What is the scanning flow?
==========LLVM=========
llvm/lib/VMCore/
This directory holds the core LLVM source files that implement core classes like Instruction and BasicBlock.
llvm/lib/AsmParser/
This directory holds the source code for the LLVM assembly language parser library.
llvm/lib/BitCode/
This directory holds code for reading and writing LLVM bitcode.
llvm/lib/Analysis/
This directory contains a variety of different program analyses, such as Dominator Information, Call Graphs, Induction Variables, Interval Identification, Natural Loop Identification, etc.
llvm/lib/Transforms/
This directory contains the source code for the LLVM to LLVM program transformations, such as Aggressive Dead Code Elimination, Sparse Conditional Constant Propagation, Inlining, Loop Invariant Code Motion, Dead Global Elimination, and many others.
llvm/lib/Target/
This directory contains files that describe various target architectures for code generation. For example, the llvm/lib/Target/X86 directory holds the X86 machine description while llvm/lib/Target/ARM implements the ARM backend.
llvm/lib/CodeGen/
This directory contains the major parts of the code generator: Instruction Selector, Instruction Scheduling, and Register Allocation.
llvm/lib/MC/
(FIXME: T.B.D.)
llvm/lib/Debugger/
This directory contains the source level debugger library that makes it possible to instrument LLVM programs so that a debugger could identify source code locations at which the program is executing.
llvm/lib/ExecutionEngine/
This directory contains libraries for executing LLVM bitcode directly at runtime in both interpreted and JIT compiled fashions.
llvm/lib/Support/
This directory contains the source code that corresponds to the header files located in llvm/include/ADT/ and llvm/include/Support/.
References (LLVM)
http://llvm.org/docs/GettingStarted.html
http://llvm.org/docs/tutorial/
http://www.aosabook.org/en/llvm.html
http://vrt-blog.snort.org/2010/09/introduction-to-clamavs-low-level.html
Related projects:
ClamWin Free Antivirus
Moon Secure Antivirus
clamav-sosdg
References (general)
Executable file structure, loading and execution mechanisms.
http://en.wikipedia.org/wiki/Antivirus_software
http://www.symantec.com/connect/articles/openav-developing-open-source-antivirus-engines