Re: [Clamav-devel] Some Questions in the PE section scanning
On Wed, 30 Jun 2010 15:37:07 +0800 candy wrote:
> Thanks for your reply.
> I am very interested in the virus engine. I want to know the whole
> algorithm of scanning and try to optimize the "int
> cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)" function.
> I have read the readdb.c and pe.c files. I think the soff variable
> stores the length of the PE sections in the database. Am I right?

No, it is actually the section size, I don't know why it was called soff.

> And I want to know why not use binary search instead of the
> following code? Maybe it can speed up scanning?
> for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <=
> exe_sections[i].rsz; j++) {

You could, but it would complicate the code. How much faster is it if you are using binary search here?

--Edwin

___
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
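The loop quoted above, with a binary-search alternative next to it and a timing loop to answer Edwin's "how much faster" question, as an added example that is not part of this thread or of ClamAV's code. It assumes only what the thread states: soff is an array of section sizes from the signature database, sorted ascending (hence the qsort in readdb.c), and rsz is the size of the PE section being scanned. The sample sizes are constructed and the function names (soff_bound_linear, soff_bound_binary, soff_bound_selftest) are mine; both functions return the index at which the quoted loop would stop, i.e. the number of leading entries whose size is <= rsz.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Constructed sample: section sizes as they would sit in soff after qsort.
 * Not ClamAV's data; duplicates are allowed, as several sigs may share a size. */
static const uint32_t sample_soff[] = { 512, 1024, 1024, 4096, 8192, 65536 };
static const uint32_t sample_soff_len = sizeof(sample_soff) / sizeof(sample_soff[0]);

/* qsort comparator for ascending uint32_t; avoids overflow from subtraction. */
static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Linear scan, shaped like the loop quoted in the thread:
 * returns the j at which "j < soff_len && soff[j] <= rsz" first fails. */
uint32_t soff_bound_linear(const uint32_t *soff, uint32_t soff_len, uint32_t rsz)
{
    uint32_t j;
    for (j = 0; j < soff_len && soff[j] <= rsz; j++)
        ;
    return j;
}

/* Binary search for the same bound: first index with soff[idx] > rsz.
 * Correct only because soff is sorted ascending. */
uint32_t soff_bound_binary(const uint32_t *soff, uint32_t soff_len, uint32_t rsz)
{
    uint32_t lo = 0, hi = soff_len;
    while (lo < hi) {
        uint32_t mid = lo + (hi - lo) / 2;
        if (soff[mid] <= rsz)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo;
}

/* Cross-check both strategies on random sorted arrays (including empty ones);
 * returns 0 if they always agree, 1 on the first mismatch. */
int soff_bound_selftest(void)
{
    uint32_t buf[257];
    uint32_t len, i, trial, rsz;
    srand(1);
    for (trial = 0; trial < 2000; trial++) {
        len = (uint32_t)(rand() % 257);
        for (i = 0; i < len; i++)
            buf[i] = (uint32_t)rand() % 1000;
        qsort(buf, len, sizeof(buf[0]), cmp_u32);
        rsz = (uint32_t)rand() % 1100;
        if (soff_bound_linear(buf, len, rsz) != soff_bound_binary(buf, len, rsz))
            return 1;
    }
    return 0;
}

int main(void)
{
    uint32_t j, iters = 5000000, acc = 0;
    clock_t t0, t1, t2;

    printf("bound for rsz=1024: linear=%u binary=%u\n",
           soff_bound_linear(sample_soff, sample_soff_len, 1024),
           soff_bound_binary(sample_soff, sample_soff_len, 1024));
    printf("selftest: %s\n", soff_bound_selftest() == 0 ? "ok" : "MISMATCH");

    /* Measure both bounds over the same inputs; acc keeps the compiler honest. */
    t0 = clock();
    for (j = 0; j < iters; j++)
        acc += soff_bound_linear(sample_soff, sample_soff_len, j & 0xffff);
    t1 = clock();
    for (j = 0; j < iters; j++)
        acc += soff_bound_binary(sample_soff, sample_soff_len, j & 0xffff);
    t2 = clock();
    printf("linear: %.3fs  binary: %.3fs  (checksum %u)\n",
           (double)(t1 - t0) / CLOCKS_PER_SEC,
           (double)(t2 - t1) / CLOCKS_PER_SEC, acc);
    return 0;
}
```

With only a handful of distinct sizes in soff, the scan is a few compares per section and the work done on a match (not shown here) dominates, so the timing loop will usually confirm Edwin's point: measure on a real signature database before trading the simple loop for a search.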
Re: [Clamav-devel] Some Questions in the PE section scanning
Thanks for your reply.
I am very interested in the virus engine. I want to know the whole algorithm of scanning and try to optimize the "int cli_scanpe(cli_ctx *ctx, icon_groupset *iconset)" function.
I have read the readdb.c and pe.c files. I think the soff variable stores the length of the PE sections in the database. Am I right?
And I want to know why not use binary search instead of the following code? Maybe it can speed up scanning?

    for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <= exe_sections[i].rsz; j++) {

2010/6/30 Török Edwin
> On Wed, 30 Jun 2010 11:45:15 +0800
> candy wrote:
>
> > Hi all~
> > Thank you for solving my problem before. I still have some other
> > questions when analysing the codes of ClamAV. Could anybody help me
> > again? What does the member variable uint32_t *soff stand for?
>
> Have a look at readdb.c, and pe.c.
>
> > Why sort the elements which the soff points to? Does the qsort function in
> > the code implement the quick sort algorithm?
>
> See qsort.c.
>
> What are you trying to do with soff?
>
> Best regards,
> --Edwin
Re: [Clamav-devel] Some Questions in the PE section scanning
On Wed, 30 Jun 2010 11:45:15 +0800 candy wrote:
> Hi all~
> Thank you for solving my problem before. I still have some other
> questions when analysing the codes of ClamAV. Could anybody help me
> again? What does the member variable uint32_t *soff stand for?

Have a look at readdb.c, and pe.c.

> Why sort the elements which the soff points to? Does the qsort function in
> the code implement the quick sort algorithm?

See qsort.c.

What are you trying to do with soff?

Best regards,
--Edwin
[Clamav-devel] Some Questions in the PE section scanning
Hi all~
Thank you for solving my problem before. I still have some other questions when analysing the codes of ClamAV. Could anybody help me again? What does the member variable uint32_t *soff stand for? Why sort the elements which the soff points to? Does the qsort function in the code implement the quick sort algorithm?

    struct cli_matcher {
        unsigned int type;

        /* Extended Boyer-Moore */
        uint8_t *bm_shift;
        struct cli_bm_patt **bm_suffix, **bm_pattab;
        struct cli_hashset md5_sizes_hs;
        uint32_t *soff, soff_len; /* for PE section sigs */
        uint32_t bm_offmode, bm_patterns, bm_reloff_num, bm_absoff_num;

        /* Extended Aho-Corasick */
        uint32_t ac_partsigs, ac_nodes, ac_patterns, ac_lsigs;
        struct cli_ac_lsig **ac_lsigtable;
        struct cli_ac_node *ac_root, **ac_nodetable;
        struct cli_ac_patt **ac_pattable;
        struct cli_ac_patt **ac_reloff;
        uint32_t ac_reloff_num, ac_absoff_num;
        uint8_t ac_mindepth, ac_maxdepth;
        struct filter *filter;
        uint16_t maxpatlen;
        uint8_t ac_only;
    #ifdef USE_MPOOL
        mpool_t *mempool;
    #endif
    };