Indeed, libclamav recognizes the UPX data and saves the decompressed (and rebuilt) executable into /tmp/clamav-90d2d25c9dca42bae6fa9a764a4bcede. Then it continues by scanning this new file:

LibClamAV debug: File type: Executable
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 3
LibClamAV debug: TimeDateStamp: Thu Jan 27 11:43:15 2011
LibClamAV debug: SizeOfOptionalHeader: e0
LibClamAV debug: File format: PE
LibClamAV debug: MajorLinkerVersion: 6
LibClamAV debug: MinorLinkerVersion: 0
LibClamAV debug: SizeOfCode: 0xc000
LibClamAV debug: SizeOfInitializedData: 0x19000
LibClamAV debug: SizeOfUninitializedData: 0x0
LibClamAV debug: AddressOfEntryPoint: 0x7b9f
LibClamAV debug: BaseOfCode: 0x1000
LibClamAV debug: SectionAlignment: 0x1000
LibClamAV debug: FileAlignment: 0x1000
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 0x26000
LibClamAV debug: SizeOfHeaders: 0x1000
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: .text
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0xc000 0xc000
LibClamAV debug: VirtualAddress: 0x1000 0x1000
LibClamAV debug: SizeOfRawData: 0xc000 0xc000
LibClamAV debug: PointerToRawData: 0x1000 0x1000
LibClamAV debug: Section contains executable code
LibClamAV debug: Section's memory is executable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: .rdata
LibClamAV debug: Section data (from headers - in memory)
LibClamAV debug: VirtualSize: 0x2000 0x2000
LibClamAV debug: VirtualAddress: 0xd000 0xd000