{"componentChunkName":"component---src-templates-post-template-js","path":"/clamav-debug-signature-libclamav-en","result":{"data":{"markdownRemark":{"id":"bd154938-1e0f-59fa-9559-e1091dc04111","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/clamav-debug-signature-libclamav\">original page</a>.</p>\n</blockquote>\n<p>The other day, I wrote an article on creating and analyzing ClamAV bytecode signatures using the SECCON 2022 challenge Devil Hunter as the theme.</p>\n<p>Reference: <a href=\"/clamav-signature-basic\">Learning ClamAV Signature Creation and Analysis Through a CTF</a></p>\n<p>I did not cover it in that article, but there is also a brilliant analysis technique for bytecode signatures: patching libclamav so you can trace the bytecode being executed.</p>\n<p>Reference: <a href=\"https://hxp.io/blog/94/SECCON-CTF-2022-Quals/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">hxp | SECCON CTF 2022 Quals</a></p>\n<p>In this article, I summarize a method for analyzing how bytecode signatures work by patching libclamav, based on the write-up above.</p>\n<p>Note that when patching libclamav, you need to build ClamAV yourself from source.</p>\n<p>I summarized how to build ClamAV in the following article.</p>\n<p>Reference: <a href=\"/clamav-note01-en\">Notes on Building ClamAV from Source and Setting Up OnAccessScan</a></p>\n<h2 id=\"table-of-contents\" style=\"position:relative;\">Table of Contents</h2>\n<ul>\n<li><a href=\"#customizing-libclamav-to-dump-operands-at-conditional-branches\">Customizing libclamav to dump operands at conditional branches</a></li>\n<li><a href=\"#enabling-debug-traces-for-bytecode-signatures\">Enabling debug traces for bytecode signatures</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"customizing-libclamav-to-dump-operands-at-conditional-branches\" style=\"position:relative;\">Customizing libclamav to dump operands at conditional branches</h2>\n<p>To use this technique, modify the line <code class=\"language-text\">DEFINE_ICMPOP(OP_BC_ICMP_EQ, res = (op0 == op1));</code> in <code class=\"language-text\">bytecode_vm.c</code> in libclamav as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// DEFINE_ICMPOP(OP_BC_ICMP_EQ, res = (op0 == op1));</span>\n<span class=\"token function\">DEFINE_ICMPOP</span><span class=\"token punctuation\">(</span>OP_BC_ICMP_EQ<span class=\"token punctuation\">,</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d: %x == %x\\n\"</span><span class=\"token 
punctuation\">,</span> bb_inst<span class=\"token punctuation\">,</span> op0<span class=\"token punctuation\">,</span> op1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>res <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>op0 <span class=\"token operator\">==</span> op1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>This change dumps the two values being compared, together with the instruction index <code class=\"language-text\">bb_inst</code>, every time <code class=\"language-text\">OP_BC_ICMP_EQ</code> is executed.</p>\n<p>Let’s actually run a scan with <code class=\"language-text\">clamscan</code> in an environment where this change has been applied.</p>\n<p>The following is the result when scanning a fake Flag.</p>\n<p><img src=\"/static/7ea9c0b47d85fdfb3c10a19db528f22a/74cfa/image-20240818150736162.png\" alt=\"image-20240818150736162\" title=\"image-20240818150736162\"></p>\n<p>The following is the result when scanning the correct Flag.</p>\n<p><img src=\"/static/bb17d1448e87caebb6330039a258d134/e85cb/image-20240818150754132.png\" alt=\"image-20240818150754132\" title=\"image-20240818150754132\"></p>\n<p>With just a simple patch to libclamav, you can easily determine that this bytecode signature transforms the scanned text and compares the result against hard-coded integer values.</p>\n<h2 id=\"enabling-debug-traces-for-bytecode-signatures\" style=\"position:relative;\">Enabling debug traces for bytecode signatures</h2>\n<p>libclamav provides <code class=\"language-text\">TRACE_INST</code>, which can trace the bytecode being executed by using <code class=\"language-text\">cli_byteinst_describe(inst, &amp;bbnum);</code>, but this feature is disabled by default.</p>\n<p>To enable it, set the <code class=\"language-text\">CL_DEBUG</code> flag and change <code class=\"language-text\">#if 0</code> to 
<code class=\"language-text\">#if CL_DEBUG</code> in the section that contains <code class=\"language-text\">TRACE_INST</code>.</p>\n<p>Reference: <a href=\"https://github.com/kash1064/clamav/blob/patch-libclamav/libclamav/bytecode_vm.c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav/libclamav/bytecode_vm.c at patch-libclamav · kash1064/clamav</a></p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token punctuation\">[</span><span class=\"token operator\">+</span><span class=\"token punctuation\">]</span> #define CL_DEBUG <span class=\"token number\">1</span>\n\n<span class=\"token operator\">*</span><span class=\"token operator\">*</span><span class=\"token operator\">*</span>\n\n<span class=\"token punctuation\">[</span><span class=\"token operator\">-</span><span class=\"token punctuation\">]</span> #<span class=\"token keyword\">if</span> <span class=\"token number\">0</span> <span class=\"token comment\">/* too verbose, use #ifdef CL_DEBUG if needed */</span>\n<span class=\"token punctuation\">[</span><span class=\"token operator\">+</span><span class=\"token punctuation\">]</span> #<span class=\"token keyword\">if</span> CL_DEBUG <span class=\"token comment\">/* too verbose, use #ifdef CL_DEBUG if needed */</span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name\">CHECK_UNREACHABLE</span>                                <span class=\"token punctuation\">\\</span>\n    <span class=\"token expression\"><span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>                                                 </span><span class=\"token punctuation\">\\</span>\n        <span class=\"token expression\"><span class=\"token function\">cli_dbgmsg</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"bytecode: 
unreachable executed!\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> </span><span class=\"token punctuation\">\\</span>\n        <span class=\"token expression\"><span class=\"token keyword\">return</span> CL_EBYTECODE<span class=\"token punctuation\">;</span>                             </span><span class=\"token punctuation\">\\</span>\n    <span class=\"token expression\"><span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_PTR</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>ptr<span class=\"token punctuation\">,</span> s<span class=\"token punctuation\">)</span> <span class=\"token function\">cli_dbgmsg</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"bytecode trace: ptr %llx, +%x\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">,</span> ptr<span class=\"token punctuation\">,</span> s<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_R</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span> <span class=\"token function\">cli_dbgmsg</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"bytecode trace: %u, read %llx\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">,</span> pc<span 
class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span>x<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_W</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> w<span class=\"token punctuation\">,</span> p<span class=\"token punctuation\">)</span> <span class=\"token function\">cli_dbgmsg</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"bytecode trace: %u, write%d @%u %llx\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">,</span> pc<span class=\"token punctuation\">,</span> p<span class=\"token punctuation\">,</span> w<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_EXEC</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>id<span class=\"token punctuation\">,</span> dest<span class=\"token punctuation\">,</span> ty<span class=\"token punctuation\">,</span> stack<span class=\"token punctuation\">)</span> <span class=\"token function\">cli_dbgmsg</span><span class=\"token punctuation\">(</span></span><span 
class=\"token string\">\"bytecode trace: executing %d, -> %u (%u); %u\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">,</span> id<span class=\"token punctuation\">,</span> dest<span class=\"token punctuation\">,</span> ty<span class=\"token punctuation\">,</span> stack<span class=\"token punctuation\">)</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_INST</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>inst<span class=\"token punctuation\">)</span>                                                   </span><span class=\"token punctuation\">\\</span>\n    <span class=\"token expression\"><span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>                                                                   </span><span class=\"token punctuation\">\\</span>\n        <span class=\"token expression\"><span class=\"token keyword\">unsigned</span> bbnum <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>                                                </span><span class=\"token punctuation\">\\</span>\n        <span class=\"token expression\"><span class=\"token function\">printf</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"\"</span><span class=\"token expression\"><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> </span><span class=\"token punctuation\">\\</span>\n        <span class=\"token expression\"><span class=\"token function\">cli_byteinst_describe</span><span class=\"token punctuation\">(</span>inst<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>bbnum<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>         
                      </span><span class=\"token punctuation\">\\</span>\n        <span class=\"token expression\"><span class=\"token function\">printf</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>                                                      </span><span class=\"token punctuation\">\\</span>\n    <span class=\"token expression\"><span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span></span></span></code></pre></div>\n<p>Once you scan using the rebuilt ClamAV, you can inspect the runtime bytecode trace as shown below.</p>\n<p><img src=\"/static/aed5696936179ab660834714417093ff/715a3/image-20240818223620961.png\" alt=\"image-20240818223620961\" title=\"image-20240818223620961\"></p>\n<p>However, as you can see from the following code, the trace output available through <code class=\"language-text\">cli_byteinst_describe</code> expresses operands as variable numbers rather than runtime values, just like the disassembly produced by the <code class=\"language-text\">clambc</code> command, so the actual values being compared are not visible.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">cli_byteinst_describe</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">const</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">cli_bc_inst</span> <span class=\"token operator\">*</span>inst<span class=\"token punctuation\">,</span> <span class=\"token keyword\">unsigned</span> <span class=\"token operator\">*</span>bbnum<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token class-name\">size_t</span> j<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">char</span> inst_str<span class=\"token punctuation\">[</span><span class=\"token 
number\">256</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">cli_apicall</span> <span class=\"token operator\">*</span>api<span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>inst<span class=\"token operator\">-></span>opcode <span class=\"token operator\">></span> OP_BC_INVALID<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"opcode %u[%u] of type %u is not implemented yet!\"</span><span class=\"token punctuation\">,</span>\n               inst<span class=\"token operator\">-></span>opcode<span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>interp_op <span class=\"token operator\">/</span> <span class=\"token number\">5</span><span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>interp_op <span class=\"token operator\">%</span> <span class=\"token number\">5</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token function\">snprintf</span><span class=\"token punctuation\">(</span>inst_str<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>inst_str<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"%-20s[%-3d/%3d/%3d]\"</span><span class=\"token punctuation\">,</span> bc_opstr<span class=\"token punctuation\">[</span>inst<span class=\"token 
operator\">-></span>opcode<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n             inst<span class=\"token operator\">-></span>opcode<span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>interp_op<span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>interp_op <span class=\"token operator\">%</span> inst<span class=\"token operator\">-></span>opcode<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%-35s\"</span><span class=\"token punctuation\">,</span> inst_str<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">switch</span> <span class=\"token punctuation\">(</span>inst<span class=\"token operator\">-></span>opcode<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token comment\">// binary operations</span>\n        <span class=\"token keyword\">case</span> OP_BC_ADD<span class=\"token operator\">:</span>\n            <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d = %d + %d\"</span><span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>dest<span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>binop<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>binop<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">case</span> OP_BC_SUB<span class=\"token operator\">:</span>\n            <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d = %d - %d\"</span><span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>dest<span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>binop<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>binop<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">case</span> OP_BC_MUL<span class=\"token operator\">:</span>\n            <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d = %d * %d\"</span><span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>dest<span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>binop<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> inst<span class=\"token operator\">-></span>u<span class=\"token punctuation\">.</span>binop<span class=\"token punctuation\">[</span><span class=\"token 
number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>       \n<span class=\"token operator\">*</span><span class=\"token operator\">*</span><span class=\"token operator\">*</span></code></pre></div>\n<p>Reference: <a href=\"https://github.com/Cisco-Talos/clamav/blob/main/libclamav/bytecode.c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav/libclamav/bytecode.c at main · Cisco-Talos/clamav</a></p>\n<p>So, in addition to <code class=\"language-text\">TRACE_INST</code>, I modified the libclamav code so that the debug output from <code class=\"language-text\">TRACE_PTR</code>, <code class=\"language-text\">TRACE_R</code>, <code class=\"language-text\">TRACE_W</code>, <code class=\"language-text\">TRACE_EXEC</code>, and <code class=\"language-text\">TRACE_API</code> is written to standard output.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token comment\">// #define TRACE_PTR(ptr, s) cli_dbgmsg(\"bytecode trace: ptr %llx, +%x\\n\", ptr, s);</span>\n<span class=\"token comment\">// #define TRACE_R(x) cli_dbgmsg(\"bytecode trace: %u, read %llx\\n\", pc, (long long)x);</span>\n<span class=\"token comment\">// #define TRACE_W(x, w, p) cli_dbgmsg(\"bytecode trace: %u, write%d @%u %llx\\n\", pc, p, w, (long long)(x));</span>\n<span class=\"token comment\">// #define TRACE_EXEC(id, dest, ty, stack) cli_dbgmsg(\"bytecode trace: executing %d, -> %u (%u); %u\\n\", id, dest, ty, stack)</span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_PTR</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>ptr<span class=\"token 
punctuation\">,</span> s<span class=\"token punctuation\">)</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"ptr %llx, +%x\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">,</span> ptr<span class=\"token punctuation\">,</span> s<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_R</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"%u, read %llx\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">,</span> pc<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span>x<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_W</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">,</span> w<span class=\"token punctuation\">,</span> p<span class=\"token punctuation\">)</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"%u, write%d @%u %llx\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">,</span> pc<span class=\"token punctuation\">,</span> p<span class=\"token 
punctuation\">,</span> w<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>x<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_EXEC</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>id<span class=\"token punctuation\">,</span> dest<span class=\"token punctuation\">,</span> ty<span class=\"token punctuation\">,</span> stack<span class=\"token punctuation\">)</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"bytecode trace: executing %d, -> %u (%u); %u\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">,</span> id<span class=\"token punctuation\">,</span> dest<span class=\"token punctuation\">,</span> ty<span class=\"token punctuation\">,</span> stack<span class=\"token punctuation\">)</span></span></span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name function\">TRACE_INST</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>inst<span class=\"token punctuation\">)</span>                                                   </span><span class=\"token punctuation\">\\</span>\n    <span class=\"token expression\"><span class=\"token keyword\">do</span> <span class=\"token punctuation\">{</span>                                                                   </span><span class=\"token punctuation\">\\</span>\n        
<span class=\"token expression\"><span class=\"token keyword\">unsigned</span> bbnum <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>                                                </span><span class=\"token punctuation\">\\</span>\n        <span class=\"token expression\"><span class=\"token function\">printf</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"\"</span><span class=\"token expression\"><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> </span><span class=\"token punctuation\">\\</span>\n        <span class=\"token expression\"><span class=\"token function\">cli_byteinst_describe</span><span class=\"token punctuation\">(</span>inst<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>bbnum<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>                               </span><span class=\"token punctuation\">\\</span>\n        <span class=\"token expression\"><span class=\"token function\">printf</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>                                                      </span><span class=\"token punctuation\">\\</span>\n    <span class=\"token expression\"><span class=\"token punctuation\">}</span> <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span></span></span>\n\n<span class=\"token comment\">// #define TRACE_API(s, dest, ty, stack) cli_dbgmsg(\"bytecode trace: executing %s, -> %u (%u); %u\\n\", s, dest, ty, stack)</span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive 
define">
keyword\">define</span> <span class=\"token macro-name function\">TRACE_API</span><span class=\"token expression\"><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">,</span> dest<span class=\"token punctuation\">,</span> ty<span class=\"token punctuation\">,</span> stack<span class=\"token punctuation\">)</span> <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span></span><span class=\"token string\">\"bytecode trace: executing %s, -> %u (%u); %u\\n\"</span><span class=\"token expression\"><span class=\"token punctuation\">,</span> s<span class=\"token punctuation\">,</span> dest<span class=\"token punctuation\">,</span> ty<span class=\"token punctuation\">,</span> stack<span class=\"token punctuation\">)</span></span></span></code></pre></div>\n<p>Reference: <a href=\"https://github.com/kash1064/clamav/blob/patch-libclamav/libclamav/bytecode_vm.c\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">clamav/libclamav/bytecode_vm.c at patch-libclamav · kash1064/clamav</a></p>\n<p>With this change enabled, you can trace memory reads and writes as shown below. Two things to check before relying on the output: the <code class=\"language-text\">TRACE_*</code> macros live in the bytecode interpreter (<code class=\"language-text\">bytecode_vm.c</code>), so they only fire for bytecode that is interpreted rather than JIT-compiled, and in upstream they are guarded by the <code class=\"language-text\">CL_DEBUG</code> debug-build define, so confirm that a scan with the patched library actually prints <code class=\"language-text\">OP_BC_</code> lines before concluding that a signature does nothing.</p>\n<p><img src=\"/static/58e71899203578c9c3e1c0e339533fdd/6a6e9/image-20240819002036877.png\" alt=\"Trace output from the patched libclamav: each OP_BC_ instruction line is followed by its read, write and ptr events\" title=\"image-20240819002036877\" /></p>\n<p>As you can see from the output above, information about memory reads and writes is printed immediately after the traced instruction.</p>\n<p>For example, in the following part, the operands <code class=\"language-text\">v640</code> and <code class=\"language-text\">v1240</code> are each read (both hold <code class=\"language-text\">0x6cbfdd9f</code>), <code class=\"language-text\">OP_BC_ICMP_EQ</code> compares them, and the result (<code class=\"language-text\">1</code>, equal) is written as an 8-bit value (<code class=\"language-text\">write8</code>) to <code class=\"language-text\">@644</code>. The leading <code class=\"language-text\">1444</code> on each event line is the interpreter's <code class=\"language-text\">pc</code>, which the <code class=\"language-text\">TRACE_R</code> and <code class=\"language-text\">TRACE_W</code> macros print first.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">OP_BC_ICMP_EQ       <span class=\"token punctuation\">[</span><span class=\"token number\">21</span> /108/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">644</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token number\">640</span> <span class=\"token operator\">==</span> <span class=\"token number\">1240</span><span class=\"token punctuation\">)</span>\n<span class=\"token number\">1444</span>, <span class=\"token builtin class-name\">read</span> 6cbfdd9f\n<span class=\"token number\">1444</span>, <span class=\"token builtin class-name\">read</span> 6cbfdd9f\n<span class=\"token number\">1444</span>, write8 @644 <span class=\"token number\">1</span></code></pre></div>\n<p>Also, in the following part, you can confirm that a 4-byte value, <code class=\"language-text\">0x33547962</code> (the ASCII bytes <code class=\"language-text\">3Tyb</code>), is loaded through the <code class=\"language-text\">p.248</code> pointer (the <code class=\"language-text\">+4</code> in the <code class=\"language-text\">ptr</code> line is the access size), written to <code class=\"language-text\">v256</code>, and then passed as the argument of the call to <code class=\"language-text\">F.2</code> (<code class=\"language-text\">Func2</code> in the previous article's notation); the <code class=\"language-text\">TRACE_EXEC</code> line gives callee id <code class=\"language-text\">2</code>, result register <code class=\"language-text\">260</code>, type <code class=\"language-text\">32</code> and the macro's <code class=\"language-text\">stack</code> argument <code class=\"language-text\">2</code>. One caveat when reading such values as text: the trace prints the integer as the host holds it, and on a little-endian host a plain 32-bit load places the first byte of the chunk in the low-order byte, so the characters appear reversed in the printed hex digits. Verify the orientation against a part of the input whose text is already known before building on it.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">OP_BC_LOAD          <span class=\"token punctuation\">[</span><span class=\"token number\">39</span> /198/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  load  <span class=\"token number\">256</span> <span class=\"token operator\">&lt;</span>- p.248\n<span class=\"token number\">530</span>, <span class=\"token builtin class-name\">read</span> fffffffe00000019\nptr fffffffe00000019, +4\n<span class=\"token number\">530</span>, <span class=\"token builtin class-name\">read</span> 617f7db2ab69\n<span class=\"token number\">530</span>, write32 @256 <span class=\"token number\">33547962</span>\n\nOP_BC_CALL_DIRECT   <span class=\"token punctuation\">[</span><span class=\"token number\">32</span> /163/  <span class=\"token number\">3</span><span class=\"token punctuation\">]</span>  <span class=\"token number\">260</span> <span class=\"token operator\">=</span> call F.2 <span class=\"token punctuation\">(</span><span class=\"token number\">256</span><span class=\"token punctuation\">)</span>\nbytecode trace: executing <span class=\"token number\">2</span>, -<span class=\"token operator\">></span> <span class=\"token number\">260</span> <span class=\"token punctuation\">(</span><span class=\"token number\">32</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token number\">2</span></code></pre></div>\n<p>In this way, by enabling debug tracing you can determine, without having to work through the disassembled code as in the previous article, that the flag text is split into 4-character chunks and passed to <code class=\"language-text\">Func2</code> as 32-bit integer values.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" 
version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>The debug tracing was extremely useful.</p>\n<p>If another bytecode signature challenge comes up in the future, I feel like I’ll be able to solve it without too much trouble.</p>","fields":{"slug":"/clamav-debug-signature-libclamav-en","tagSlugs":["/tag/clam-av/","/tag/malware/","/tag/english/"]},"frontmatter":{"date":"2024-08-19","description":"This article summarizes how to enable debug tracing for bytecode signatures in libclamav.","tags":["ClamAV","Malware","English"],"title":"How to Enable Debug Tracing for Bytecode Signatures in libclamav","socialImage":{"publicURL":"/static/677321ee47cda9d6640b819d3190fe11/clamav-debug-signature-libclamav.png"}}}},"pageContext":{"slug":"/clamav-debug-signature-libclamav-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}