Re: [Clamav-devel] Some Questions in the PE section scanning
On Wed, 30 Jun 2010 11:45:15 +0800 candy outstandingca...@gmail.com wrote:

> Hi all~
> Thank you for solving my problem before. I still have some other questions when analysing the code of ClamAV. Could anybody help me again?
>
> What does the member variable uint32_t *soff stand for?

Have a look at readdb.c, and pe.c.

> Why sort the elements which soff points to? Does the qsort function in the code implement the quick sort algorithm?

See qsort.c.

What are you trying to do with soff?

Best regards,
--Edwin
___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: [Clamav-devel] Some Questions in the PE section scanning
Thanks for your reply. I am very interested in the virus engine. I want to know the whole algorithm of scanning and am trying to optimize the int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset) function.

I have read the readdb.c and pe.c files. I think the soff variable restores the length of the PE sections in the database. Am I right?

And I want to know why not use binary search instead of the following code? Maybe it can speed up scanning?

    for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <= exe_sections[i].rsz; j++) {

2010/6/30 Török Edwin ed...@clamav.net

> On Wed, 30 Jun 2010 11:45:15 +0800 candy outstandingca...@gmail.com wrote:
>
> > Hi all~
> > Thank you for solving my problem before. I still have some other questions when analysing the code of ClamAV. Could anybody help me again?
> >
> > What does the member variable uint32_t *soff stand for?
>
> Have a look at readdb.c, and pe.c.
>
> > Why sort the elements which soff points to? Does the qsort function in the code implement the quick sort algorithm?
>
> See qsort.c.
>
> What are you trying to do with soff?
>
> Best regards,
> --Edwin
Re: [Clamav-devel] Some Questions in the PE section scanning
On Wed, 30 Jun 2010 15:37:07 +0800 candy outstandingca...@gmail.com wrote:

> Thanks for your reply. I am very interested in the virus engine. I want to know the whole algorithm of scanning and am trying to optimize the int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset) function.
>
> I have read the readdb.c and pe.c files. I think the soff variable restores the length of the PE sections in the database. Am I right?

No, it is actually the section size, I don't know why it was called soff.

> And I want to know why not use binary search instead of the following code? Maybe it can speed up scanning?
>
>     for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <= exe_sections[i].rsz; j++) {

You could, but it would complicate the code. How much faster is it if you are using binary search here?

--Edwin
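
The two lookups compared in this thread, side by side, as an added example that is not ClamAV source and not code from either poster. The `size_table` struct, the function names and the sample sizes are hypothetical; the only assumption carried over from the thread is that `soff` is an array of section sizes sorted in ascending order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the matcher fields named in the thread:
 * soff is an ascending-sorted array of section sizes, soff_len its length. */
struct size_table {
    const uint32_t *soff;
    size_t soff_len;
};

/* Linear scan in the shape of the quoted loop: it stops early once the
 * sorted entries exceed the section's raw size (rsz). */
static int size_known_linear(const struct size_table *t, uint32_t rsz)
{
    for (size_t j = 0; j < t->soff_len && t->soff[j] <= rsz; j++) {
        if (t->soff[j] == rsz)
            return 1;
    }
    return 0;
}

/* Binary search (lower bound) over the same array: O(log n) comparisons. */
static int size_known_bsearch(const struct size_table *t, uint32_t rsz)
{
    size_t lo = 0, hi = t->soff_len;      /* search window is [lo, hi) */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;  /* cannot overflow, unlike (lo+hi)/2 */
        if (t->soff[mid] < rsz)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo < t->soff_len && t->soff[lo] == rsz;
}

/* Constructed sample sizes (not taken from any signature database). */
static const uint32_t sample_soff[] = { 512, 1024, 1024, 4096, 8192, 65536 };
static const struct size_table sample = { sample_soff, 6 };

int main(void)
{
    const uint32_t probes[] = { 0, 512, 1024, 3000, 65536, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("%u linear=%d bsearch=%d\n", (unsigned)probes[i],
               size_known_linear(&sample, probes[i]),
               size_known_bsearch(&sample, probes[i]));
    return 0;
}
```

Both functions return the same answer for every probe, including the empty table, duplicate entries and values outside the stored range; the binary search only pays off when the size array is large.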