Re: [Clamav-devel] Some Questions in the PE section scanning

2010-06-30 Thread Török Edwin
On Wed, 30 Jun 2010 11:45:15 +0800
candy outstandingca...@gmail.com wrote:

> Hi all~
> Thank you for solving my problem before. I still have some other
> questions when analysing the code of ClamAV. Could anybody help me
> again? What does the member variable uint32_t *soff stand for?

Have a look at readdb.c, and pe.c.

> Why
> sort the elements which soff points to? Does the qsort function in
> the code implement the quick sort algorithm?

See qsort.c.

What are you trying to do with soff?

Best regards,
--Edwin
___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net


Re: [Clamav-devel] Some Questions in the PE section scanning

2010-06-30 Thread candy
Thanks for your reply.
I am very interested in the virus engine. I want to know the whole
algorithm of scanning and am trying to optimize the int cli_scanpe(cli_ctx
*ctx, icon_groupset *iconset) function.
I have read the readdb.c and pe.c files. I think the soff variable stores
the length of the PE sections in the database. Am I right?
And I want to know why binary search is not used instead of the following
code? Maybe it can speed up scanning?
for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <=
exe_sections[i].rsz; j++) {

2010/6/30 Török Edwin ed...@clamav.net

> On Wed, 30 Jun 2010 11:45:15 +0800
> candy outstandingca...@gmail.com wrote:
>
> > Hi all~
> > Thank you for solving my problem before. I still have some other
> > questions when analysing the code of ClamAV. Could anybody help me
> > again? What does the member variable uint32_t *soff stand for?
>
> Have a look at readdb.c, and pe.c.
>
> > Why
> > sort the elements which soff points to? Does the qsort function in
> > the code implement the quick sort algorithm?
>
> See qsort.c.
>
> What are you trying to do with soff?
>
> Best regards,
> --Edwin



Re: [Clamav-devel] Some Questions in the PE section scanning

2010-06-30 Thread Török Edwin
On Wed, 30 Jun 2010 15:37:07 +0800
candy outstandingca...@gmail.com wrote:

> Thanks for your reply.
> I am very interested in the virus engine. I want to know the whole
> algorithm of scanning and am trying to optimize the int
> cli_scanpe(cli_ctx *ctx, icon_groupset *iconset) function.
> I have read the readdb.c and pe.c files. I think the soff variable
> stores the length of the PE sections in the database. Am I right?

No, it is actually the section size, I don't know why it was called
soff.

> And I want to know why binary search is not used instead of the
> following code? Maybe it can speed up scanning?
> for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <=
> exe_sections[i].rsz; j++) {

You could, but it would complicate the code. How much faster is it if
you are using binary search here?

--Edwin
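
The two lookups discussed in this thread, side by side, as an added example that is not part of the original messages and is not ClamAV code. Only the names soff, soff_len and rsz come from the thread; the flat-array layout, the helper names and the sample sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed sample section sizes (not real signature data), unsorted. */
static uint32_t sample[] = { 4096, 512, 77824, 1024, 512, 20480 };
#define SAMPLE_LEN (sizeof(sample) / sizeof(sample[0]))

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y); /* no overflow, unlike x - y */
}

/* Linear scan with early exit: the loop shape quoted in the thread. */
int has_size_linear(const uint32_t *soff, unsigned int soff_len, uint32_t rsz)
{
    unsigned int j;
    for (j = 0; j < soff_len && soff[j] <= rsz; j++)
        if (soff[j] == rsz)
            return 1;
    return 0;
}

/* Lower-bound binary search over the same ascending array. */
int has_size_bsearch(const uint32_t *soff, unsigned int soff_len, uint32_t rsz)
{
    unsigned int lo = 0, hi = soff_len; /* half-open range [lo, hi) */
    while (lo < hi) {
        unsigned int mid = lo + (hi - lo) / 2;
        if (soff[mid] < rsz)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo < soff_len && soff[lo] == rsz;
}

/* Sorts the sample, then counts probes where the two lookups disagree. */
int count_mismatches(void)
{
    uint32_t probes[] = { 0, 512, 513, 4096, 77824, 77825, 0xFFFFFFFFu };
    unsigned int i, bad = 0;
    qsort(sample, SAMPLE_LEN, sizeof(sample[0]), cmp_u32);
    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        bad += has_size_linear(sample, SAMPLE_LEN, probes[i]) !=
               has_size_bsearch(sample, SAMPLE_LEN, probes[i]);
    return (int)bad;
}

int main(void) { return count_mismatches() != 0; }
```

Both functions rely on the array being sorted ascending: the linear loop stops at the first entry larger than rsz, and the binary search needs the ordering to halve the range.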