
From this PDF, we see that ClamAV looks at certain sections in a PE file (executable or dynamic library) in order to build a fingerprint it can match up with its CVD format file. They mention that I can use the *.mdb file and the *.msb file (inside the CVD file) to find MD5, SHA-1, and SHA-256 hashes of the PE sections of a PE file.

How, in C++ or C, do I programmatically open a PE file, find these sections, and match them against these hashes?

Volomike
  • ClamAV surely implements its own PE parser - it's not that difficult, the specs are public. But if you are working on Windows probably imagehlp.dll provides some helpers (and in the platform sdk there are already defined the on-disk structures that are part of the PE format). – Matteo Italia Oct 17 '15 at 00:42
  • I don't know about C or C++, but Go seems to have a module for PE formats - https://golang.org/pkg/debug/pe/ – James Parsons Oct 17 '15 at 00:59
  • @MatteoItalia, that custom parser wouldn't happen to be pe.c, would it? I'm trying to determine the starting point where it examines a PE file, finds the sections it wants, and generates the hashes. https://github.com/vrtadmin/clamav-devel/blob/e0056fe676cd5ad1783bf670b3437bd2a95e7ee0/libclamav/pe.c – Volomike Oct 17 '15 at 01:01
  • @Volomike: yeah that's probably it. – Matteo Italia Oct 17 '15 at 10:50

0 Answers
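As an added example (not from the question, the comments, or ClamAV's own source), the C program below does the walk the question asks about: it locates the COFF section table of a PE image held in memory, hashes each section's raw bytes, and compares the result with a line in the PESectionSize:PESectionHash:MalwareName layout that the .mdb/.msb files use. Assumptions to note: the size field is taken to be the section's SizeOfRawData and the hash covers exactly those bytes starting at PointerToRawData; SHA-256 is used (the .msb case), and an MD5 version for .mdb would be the same walk with a different digest; the PE image is a hand-built fixture with no optional header (real images carry one, which the parser skips via SizeOfOptionalHeader); the signature line is constructed for the fixture. Every header offset is bounds-checked against the buffer length, which is the part that matters most when the input is a hostile file.

```c
/* Added example (not ClamAV's own code): parse the section table of a PE image held
 * in memory, hash each section's raw bytes, and compare the result with a line in the
 * "PESectionSize:PESectionHash:MalwareName" layout that .mdb/.msb signatures use.
 * The image is a hand-built fixture; SHA-256 is inlined so the file has no dependencies.
 * Build and run: cc -std=c99 -o pesect pesect.c && ./pesect */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* ---- compact SHA-256 (FIPS 180-4); in production use a vetted crypto library ---- */
static const uint32_t K[64] = {
  0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
  0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
  0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
  0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
  0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
  0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
  0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
  0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2};
#define ROR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
static void sha256_block(uint32_t h[8], const uint8_t *p) {
    uint32_t w[64], v[8], t1, t2; int i;
    for (i = 0; i < 16; i++) w[i] = (uint32_t)p[4*i] << 24 | (uint32_t)p[4*i+1] << 16 | (uint32_t)p[4*i+2] << 8 | p[4*i+3];
    for (; i < 64; i++) w[i] = w[i-16] + (ROR(w[i-15], 7) ^ ROR(w[i-15], 18) ^ (w[i-15] >> 3))
                              + w[i-7] + (ROR(w[i-2], 17) ^ ROR(w[i-2], 19) ^ (w[i-2] >> 10));
    memcpy(v, h, 32);                                   /* v = a,b,c,d,e,f,g,h */
    for (i = 0; i < 64; i++) {
        t1 = v[7] + (ROR(v[4], 6) ^ ROR(v[4], 11) ^ ROR(v[4], 25)) + ((v[4] & v[5]) ^ (~v[4] & v[6])) + K[i] + w[i];
        t2 = (ROR(v[0], 2) ^ ROR(v[0], 13) ^ ROR(v[0], 22)) + ((v[0] & v[1]) ^ (v[0] & v[2]) ^ (v[1] & v[2]));
        memmove(v + 1, v, 28); v[4] += t1; v[0] = t1 + t2;   /* shift down; e = d + t1, a = t1 + t2 */
    }
    for (i = 0; i < 8; i++) h[i] += v[i];
}
static void sha256_hex(const uint8_t *m, size_t n, char hex[65]) {
    uint32_t h[8] = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
    uint8_t tail[128] = {0}; size_t i, rem, last;
    for (i = 0; i + 64 <= n; i += 64) sha256_block(h, m + i);
    rem = n - i; memcpy(tail, m + i, rem); tail[rem] = 0x80;
    last = rem < 56 ? 64 : 128;                         /* padding can spill into a second block */
    for (i = 0; i < 8; i++) tail[last - 1 - i] = (uint8_t)(((uint64_t)n * 8) >> (8 * i));
    sha256_block(h, tail); if (last == 128) sha256_block(h, tail + 64);
    for (i = 0; i < 8; i++) sprintf(hex + 8 * i, "%08x", (unsigned)h[i]);
}
/* ---- PE section table (offsets per the PE/COFF spec; every read is bounds-checked) ---- */
typedef struct { char name[9]; uint32_t raw_off, raw_size; } pe_section;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
/* Fills `out` from the COFF section headers. Returns the count, or -1 if the buffer
 * is not a PE image or a header / section body would run past `len`. */
static int pe_sections(const uint8_t *img, size_t len, pe_section *out, int max) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                               /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4)) return -1;
    int nsec = rd16(img + pe + 6);                                /* NumberOfSections */
    size_t tbl = (size_t)pe + 24 + rd16(img + pe + 20);           /* skip SizeOfOptionalHeader */
    if (nsec > max || tbl > len || (len - tbl) / 40 < (size_t)nsec) return -1;
    for (int i = 0; i < nsec; i++) {
        const uint8_t *sh = img + tbl + 40 * (size_t)i;           /* IMAGE_SECTION_HEADER */
        memcpy(out[i].name, sh, 8); out[i].name[8] = 0;
        out[i].raw_size = rd32(sh + 16);                          /* SizeOfRawData */
        out[i].raw_off  = rd32(sh + 20);                          /* PointerToRawData */
        if (out[i].raw_off > len || len - out[i].raw_off < out[i].raw_size) return -1;
    }
    return nsec;
}
/* One section against one signature line. This example takes the size field as the
 * section's SizeOfRawData and hashes exactly those bytes from PointerToRawData. */
static int section_matches(const uint8_t *img, const pe_section *s, const char *sig) {
    char hex[65], *end; unsigned long sz = strtoul(sig, &end, 10);
    if (*end != ':' || sz != s->raw_size) return 0;               /* cheap size check first */
    sha256_hex(img + s->raw_off, s->raw_size, hex);
    return strncmp(end + 1, hex, 64) == 0 && end[65] == ':';
}
/* Constructed fixture (not a real binary): minimal PE, two sections, no optional header. */
static void wr16(uint8_t *p, unsigned v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }
#define FIXTURE_LEN 0xE8
static void build_fixture(uint8_t *img) {
    memset(img, 0, FIXTURE_LEN);
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3c, 0x40);           /* DOS header, e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4); wr16(img + 0x44, 0x14c);     /* signature, Machine = i386 */
    wr16(img + 0x46, 2);                                          /* NumberOfSections */
    memcpy(img + 0x58, ".text", 5); wr32(img + 0x68, 3);  wr32(img + 0x6c, 0xA8); memcpy(img + 0xA8, "abc", 3);
    memcpy(img + 0x80, ".data", 5); wr32(img + 0x90, 56); wr32(img + 0x94, 0xB0);
    memcpy(img + 0xB0, "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56);
}
/* Prints one "size:sha256:name" line per section; returns how many match `sig`, -1 on parse failure. */
static int scan_image(const uint8_t *img, size_t len, const char *sig) {
    pe_section sec[96]; char hex[65]; int hits = 0, n = pe_sections(img, len, sec, 96); if (n < 0) return -1;
    for (int i = 0; i < n; i++) {
        sha256_hex(img + sec[i].raw_off, sec[i].raw_size, hex);
        printf("%u:%s:%s\n", (unsigned)sec[i].raw_size, hex, sec[i].name);
        hits += section_matches(img, &sec[i], sig);
    }
    return hits;
}
static int scan_fixture(const char *sig) { uint8_t img[FIXTURE_LEN]; build_fixture(img); return scan_image(img, FIXTURE_LEN, sig); }
int main(void) {   /* constructed .msb-style line: SHA-256 of the fixture's .text bytes */
    int hits = scan_fixture("3:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad:Example.Fixture.Text");
    printf("%d section(s) matched\n", hits); return hits == 1 ? 0 : 1;
}
```

Running it prints one size:hash:name line per section in the same shape as a signature line, so the output can be compared directly with entries pulled out of the CVD, and the process exits 0 when the constructed signature matches the fixture's .text section. To use it on a real file, read the whole file into a buffer and pass that buffer and its length to scan_image; the parser rejects anything where a header or a section body would run past the end of the buffer rather than reading out of bounds.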