Navigation

← Previous Changeset
Next Changeset →

Changeset 426

Timestamp:

03/25/06 23:16:38 (3 years ago)

Author:

common

Message:

shellcode-signatures
- added pcre pcre post as mappings
- sch_namespace_xor seems to work

Files:

nepenthes/trunk/modules/shellcode-signatures/lex.yy.c (modified) (14 diffs)
nepenthes/trunk/modules/shellcode-signatures/parser.h (modified) (2 diffs)
nepenthes/trunk/modules/shellcode-signatures/parser.l (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/parser.y (modified) (10 diffs)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp (modified) (3 diffs)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.hpp (modified) (2 diffs)
nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp (modified) (3 diffs)
nepenthes/trunk/modules/shellcode-signatures/y.tab.c (modified) (43 diffs)
nepenthes/trunk/modules/shellcode-signatures/y.tab.h (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

nepenthes/trunk/modules/shellcode-signatures/lex.yy.c

r424	r426
352	352	(yy_c_buf_p) = yy_cp;
353	353
354		#define YY_NUM_RULES 51
355		#define YY_END_OF_BUFFER 52
	354	#define YY_NUM_RULES 54
	355	#define YY_END_OF_BUFFER 55
356	356	/* This struct is not used in this scanner,
357	357	but its presence is necessary. */
…	…
361	361	flex_int32_t yy_nxt;
362	362	};
363		static yyconst flex_int16_t yy_accept[216] =
	363	static yyconst flex_int16_t yy_accept[223] =
364	364	{ 0,
365		49, 49, 34, 34, 47, 47, 52, 51, 49, 50,
366		38, 1, 2, 7, 51, 6, 5, 32, 32, 32,
367		32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
368		32, 32, 32, 3, 4, 34, 37, 36, 47, 39,
369		51, 49, 33, 48, 32, 32, 32, 32, 32, 32,
370		32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
371		32, 32, 32, 34, 36, 35, 47, 43, 44, 45,
372		40, 41, 42, 0, 48, 32, 32, 32, 32, 32,
373		32, 32, 25, 32, 32, 32, 32, 32, 32, 32,
374		32, 32, 31, 22, 13, 0, 32, 32, 32, 32,
375
376		32, 32, 28, 32, 32, 32, 32, 12, 32, 29,
377		26, 9, 46, 32, 32, 32, 32, 32, 32, 11,
378		32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
379		32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
380		30, 32, 32, 20, 32, 32, 14, 10, 8, 32,
381		32, 32, 32, 21, 32, 32, 32, 32, 17, 32,
382		32, 32, 32, 32, 32, 32, 32, 27, 32, 32,
383		15, 16, 32, 32, 32, 32, 32, 32, 32, 32,
384		32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
385		32, 18, 32, 32, 32, 32, 32, 32, 32, 32,
386
387		32, 24, 32, 32, 32, 32, 32, 32, 19, 32,
388		32, 32, 32, 23, 0
	365	52, 52, 37, 37, 50, 50, 55, 54, 52, 53,
	366	41, 1, 2, 7, 54, 6, 5, 35, 35, 35,
	367	35, 35, 35, 35, 35, 35, 35, 35, 35, 35,
	368	35, 35, 35, 3, 4, 37, 40, 39, 50, 42,
	369	54, 52, 36, 51, 35, 35, 35, 35, 35, 35,
	370	35, 35, 35, 35, 35, 35, 35, 35, 35, 35,
	371	35, 35, 35, 35, 35, 37, 39, 38, 50, 46,
	372	47, 48, 43, 44, 45, 0, 51, 35, 35, 35,
	373	35, 35, 35, 35, 25, 35, 35, 35, 35, 35,
	374	35, 35, 35, 35, 33, 35, 35, 31, 22, 13,
	375
	376	0, 35, 35, 35, 35, 35, 35, 28, 35, 35,
	377	35, 35, 12, 35, 32, 29, 34, 26, 9, 49,
	378	35, 35, 35, 35, 35, 35, 11, 35, 35, 35,
	379	35, 35, 35, 35, 35, 35, 35, 35, 35, 35,
	380	35, 35, 35, 35, 35, 35, 35, 30, 35, 35,
	381	20, 35, 35, 14, 10, 8, 35, 35, 35, 35,
	382	21, 35, 35, 35, 35, 17, 35, 35, 35, 35,
	383	35, 35, 35, 35, 27, 35, 35, 15, 16, 35,
	384	35, 35, 35, 35, 35, 35, 35, 35, 35, 35,
	385	35, 35, 35, 35, 35, 35, 35, 35, 18, 35,
	386
	387	35, 35, 35, 35, 35, 35, 35, 35, 24, 35,
	388	35, 35, 35, 35, 35, 19, 35, 35, 35, 35,
	389	23, 0
389	390	} ;
390	391
…	…
430	431	} ;
431	432
432		static yyconst flex_int16_t yy_base[224] =
	433	static yyconst flex_int16_t yy_base[231] =
433	434	{ 0,
434		0, 0, 43, 44, 42, 43, 2~~58, 259, 52, 259~~,
435		2~~59, 259, 259, 259, 53, 259, 259, 0, 229, 223~~,
436		22~~2, 213, 223, 219, 26, 27, 231, 217, 38, 221~~,
437		2~~06, 212, 213, 259, 259, 0, 259, 54, 0, 259~~,
438		~~66, 64, 259, 0, 0, 213, 42, 204, 219, 222~~,
439		2~~05, 198, 207, 210, 205, 202, 203, 197, 198, 189~~,
440		~~197, 47, 195, 0, 70, 259, 0, 259, 259, 259~~,
441		2~~59, 259, 259, 0, 0, 206, 197, 195, 194, 203~~,
442		~~198, 186, 0, 186, 190, 191, 185, 194, 180, 179~~,
443		1~~91, 190, 0, 0, 0, 0, 40, 193, 188, 181~~,
444
445		~~172, 173, 0, 171, 186, 165, 177, 0, 180,~~ 0,
446		1~~75, 0, 259, 174, 174, 168, 177, 165, 160, 0~~,
447		17~~6, 175, 161, 161, 157, 159, 158, 165, 165, 150~~,
448		16~~6, 161, 152, 161, 147, 155, 148, 140, 149, 147~~,
449		~~0, 155, 152, 0, 131, 146, 0, 0, 0, 148~~,
450		~~146, 140, 149, 0, 127, 126, 131, 137, 0, 142~~,
451		~~130, 129, 124, 130, 130, 123, 122, 0, 132, 55~~,
452		~~0, 0, 118, 126, 125, 125, 116, 120, 117, 124~~,
453		1~~27, 122, 116, 114, 111, 105, 116, 110, 99, 95~~,
454		~~97, 0, 98, 86, 75, 80, 70, 76, 64, 61~~,
455
456		~~59, 0, 70, 59, 69, 72, 55, 57, 0, 52~~,
457		6~~2, 62, 48, 0, 259, 107, 113, 115, 121, 127~~,
458		~~133, 77, 62~~
	435	0, 0, 43, 44, 42, 43, 265, 266, 52, 266,
	436	266, 266, 266, 266, 53, 266, 266, 0, 236, 230,
	437	229, 220, 230, 226, 26, 27, 238, 224, 43, 228,
	438	213, 219, 220, 266, 266, 0, 266, 57, 0, 266,
	439	73, 65, 266, 0, 0, 220, 40, 211, 226, 229,
	440	212, 205, 214, 217, 212, 209, 210, 204, 205, 38,
	441	215, 195, 203, 47, 201, 0, 71, 266, 0, 266,
	442	266, 266, 266, 266, 266, 0, 0, 212, 203, 201,
	443	200, 209, 204, 192, 0, 192, 196, 197, 191, 200,
	444	186, 198, 184, 183, 0, 195, 194, 0, 0, 0,
	445
	446	0, 51, 197, 192, 185, 176, 177, 0, 175, 190,
	447	169, 181, 0, 184, 0, 0, 0, 179, 0, 266,
	448	178, 178, 172, 181, 169, 164, 0, 180, 179, 165,
	449	165, 161, 163, 162, 169, 169, 154, 170, 165, 156,
	450	165, 151, 159, 152, 144, 153, 151, 0, 159, 156,
	451	0, 135, 150, 0, 0, 0, 152, 150, 144, 153,
	452	0, 131, 130, 135, 141, 0, 146, 134, 133, 128,
	453	134, 134, 127, 126, 0, 136, 58, 0, 0, 122,
	454	130, 129, 129, 120, 124, 121, 128, 131, 126, 120,
	455	118, 115, 105, 112, 102, 94, 78, 84, 0, 86,
	456
	457	89, 77, 82, 72, 79, 67, 65, 63, 0, 74,
	458	63, 73, 76, 60, 61, 0, 56, 65, 65, 51,
	459	0, 266, 114, 120, 122, 128, 134, 140, 79, 53
459	460	} ;
460	461
461		static yyconst flex_int16_t yy_def[224] =
	462	static yyconst flex_int16_t yy_def[231] =
462	463	{ 0,
463		2~~15, 1, 216, 216, 217, 217, 215, 215, 215, 215~~,
464		2~~15, 215, 215, 215, 215, 215, 215, 218, 218, 218~~,
465		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
466		2~~18, 218, 218, 215, 215, 219, 215, 215, 220, 215~~,
467		2~~15, 215, 215, 221, 218, 218, 218, 218, 218, 218~~,
468		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
469		2~~18, 218, 218, 219, 215, 215, 220, 215, 215, 215~~,
470		2~~15, 215, 215, 222, 221, 218, 218, 218, 218, 218~~,
471		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
472		2~~18, 218, 218, 218, 218, 223, 218, 218, 218, 218~~,
473
474		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
475		2~~18, 218, 215, 218, 218, 218, 218, 218, 218, 218~~,
476		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
477		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
478		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
479		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
480		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
481		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
482		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
483		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
484
485		2~~18, 218, 218, 218, 218, 218, 218, 218, 218, 218~~,
486		2~~18, 218, 218, 218, 0, 215, 215, 215, 215, 21~~5,
487		2~~15, 215, 215~~
	464	222, 1, 223, 223, 224, 224, 222, 222, 222, 222,
	465	222, 222, 222, 222, 222, 222, 222, 225, 225, 225,
	466	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	467	225, 225, 225, 222, 222, 226, 222, 222, 227, 222,
	468	222, 222, 222, 228, 225, 225, 225, 225, 225, 225,
	469	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	470	225, 225, 225, 225, 225, 226, 222, 222, 227, 222,
	471	222, 222, 222, 222, 222, 229, 228, 225, 225, 225,
	472	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	473	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	474
	475	230, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	476	225, 225, 225, 225, 225, 225, 225, 225, 225, 222,
	477	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	478	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	479	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	480	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	481	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	482	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	483	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	484	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	485
	486	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	487	225, 225, 225, 225, 225, 225, 225, 225, 225, 225,
	488	225, 0, 222, 222, 222, 222, 222, 222, 222, 222
488	489	} ;
489	490
490		static yyconst flex_int16_t yy_nxt[305] =
	491	static yyconst flex_int16_t yy_nxt[312] =
491	492	{ 0,
492	493	8, 9, 10, 9, 9, 11, 12, 13, 8, 14,
…	…
495	496	27, 28, 18, 29, 18, 30, 31, 32, 18, 18,
496	497	33, 18, 18, 34, 35, 37, 37, 40, 40, 52,
497		54, 38, 38, 42, 55, 42, 42, 58, 53, 41,
498		41, 43, 65, 44, 66, 42, 113, 42, 42, 114,
499		59, 68, 77, 78, 93, 115, 94, 69, 65, 174,
500		66, 96, 214, 70, 175, 213, 212, 211, 210, 209,
501		176, 208, 207, 206, 205, 204, 203, 71, 202, 201,
502
503		72, 200, 73, 199, 198, 197, 74, 36, 36, 36,
504		36, 36, 36, 39, 39, 39, 39, 39, 39, 45,
505		45, 64, 196, 64, 195, 64, 64, 67, 67, 194,
506		67, 67, 67, 75, 193, 75, 75, 75, 75, 192,
507		191, 190, 189, 188, 187, 186, 185, 184, 183, 182,
508		181, 180, 179, 178, 177, 173, 172, 171, 170, 169,
509		168, 167, 166, 165, 164, 163, 162, 161, 160, 159,
510		158, 157, 156, 155, 154, 153, 152, 151, 150, 149,
511		148, 147, 146, 145, 144, 143, 142, 141, 140, 139,
512		138, 137, 136, 135, 134, 133, 132, 131, 130, 129,
513
514		128, 127, 126, 125, 124, 123, 122, 121, 120, 119,
515		118, 117, 116, 112, 111, 110, 109, 108, 107, 106,
516		105, 104, 103, 102, 101, 100, 99, 98, 97, 95,
517		92, 91, 90, 89, 88, 87, 86, 85, 84, 83,
518		82, 81, 80, 79, 76, 63, 62, 61, 60, 57,
519		56, 51, 50, 49, 48, 47, 46, 215, 7, 215,
520		215, 215, 215, 215, 215, 215, 215, 215, 215, 215,
521		215, 215, 215, 215, 215, 215, 215, 215, 215, 215,
522		215, 215, 215, 215, 215, 215, 215, 215, 215, 215,
523		215, 215, 215, 215, 215, 215, 215, 215, 215, 215,
524
525		215, 215, 215, 215
	498	54, 38, 38, 42, 55, 42, 42, 120, 53, 41,
	499	41, 43, 58, 44, 59, 67, 42, 68, 42, 42,
	500	79, 80, 93, 94, 98, 60, 99, 61, 70, 67,
	501	121, 68, 181, 101, 71, 221, 122, 182, 220, 219,
	502	72, 218, 217, 183, 216, 215, 214, 213, 212, 211,
	503
	504	210, 209, 208, 207, 73, 206, 205, 74, 204, 75,
	505	203, 202, 201, 76, 36, 36, 36, 36, 36, 36,
	506	39, 39, 39, 39, 39, 39, 45, 45, 66, 200,
	507	66, 199, 66, 66, 69, 69, 198, 69, 69, 69,
	508	77, 197, 77, 77, 77, 77, 196, 195, 194, 193,
	509	192, 191, 190, 189, 188, 187, 186, 185, 184, 180,
	510	179, 178, 177, 176, 175, 174, 173, 172, 171, 170,
	511	169, 168, 167, 166, 165, 164, 163, 162, 161, 160,
	512	159, 158, 157, 156, 155, 154, 153, 152, 151, 150,
	513	149, 148, 147, 146, 145, 144, 143, 142, 141, 140,
	514
	515	139, 138, 137, 136, 135, 134, 133, 132, 131, 130,
	516	129, 128, 127, 126, 125, 124, 123, 119, 118, 117,
	517	116, 115, 114, 113, 112, 111, 110, 109, 108, 107,
	518	106, 105, 104, 103, 102, 100, 97, 96, 95, 92,
	519	91, 90, 89, 88, 87, 86, 85, 84, 83, 82,
	520	81, 78, 65, 64, 63, 62, 57, 56, 51, 50,
	521	49, 48, 47, 46, 222, 7, 222, 222, 222, 222,
	522	222, 222, 222, 222, 222, 222, 222, 222, 222, 222,
	523	222, 222, 222, 222, 222, 222, 222, 222, 222, 222,
	524	222, 222, 222, 222, 222, 222, 222, 222, 222, 222,
	525
	526	222, 222, 222, 222, 222, 222, 222, 222, 222, 222,
	527	222
526	528	} ;
527	529
528		static yyconst flex_int16_t yy_chk[305] =
	530	static yyconst flex_int16_t yy_chk[312] =
529	531	{ 0,
530	532	1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
…	…
533	535	1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
534	536	1, 1, 1, 1, 1, 3, 4, 5, 6, 25,
535		26, 3, 4, 9, 26, 9, 9, 29, 25, 5,
536		6, 15, 38, 15, 38, 42, 223, 42, 42, 97,
537		29, 41, 47, 47, 62, 97, 62, 41, 65, 170,
538		65, 222, 213, 41, 170, 212, 211, 210, 208, 207,
539		170, 206, 205, 204, 203, 201, 200, 41, 199, 198,
540
541		41, 197, 41, 196, 195, 194, 41, 216, 216, 216,
542		216, 216, 216, 217, 217, 217, 217, 217, 217, 218,
543		218, 219, 193, 219, 191, 219, 219, 220, 220, 190,
544		220, 220, 220, 221, 189, 221, 221, 221, 221, 188,
545		187, 186, 185, 184, 183, 182, 181, 180, 179, 178,
546		177, 176, 175, 174, 173, 169, 167, 166, 165, 164,
547		163, 162, 161, 160, 158, 157, 156, 155, 153, 152,
548		151, 150, 146, 145, 143, 142, 140, 139, 138, 137,
549		136, 135, 134, 133, 132, 131, 130, 129, 128, 127,
550		126, 125, 124, 123, 122, 121, 119, 118, 117, 116,
551
552		115, 114, 111, 109, 107, 106, 105, 104, 102, 101,
553		100, 99, 98, 92, 91, 90, 89, 88, 87, 86,
554		85, 84, 82, 81, 80, 79, 78, 77, 76, 63,
555		61, 60, 59, 58, 57, 56, 55, 54, 53, 52,
556		51, 50, 49, 48, 46, 33, 32, 31, 30, 28,
557		27, 24, 23, 22, 21, 20, 19, 7, 215, 215,
558		215, 215, 215, 215, 215, 215, 215, 215, 215, 215,
559		215, 215, 215, 215, 215, 215, 215, 215, 215, 215,
560		215, 215, 215, 215, 215, 215, 215, 215, 215, 215,
561		215, 215, 215, 215, 215, 215, 215, 215, 215, 215,
562
563		215, 215, 215, 215
	537	26, 3, 4, 9, 26, 9, 9, 230, 25, 5,
	538	6, 15, 29, 15, 29, 38, 42, 38, 42, 42,
	539	47, 47, 60, 60, 64, 29, 64, 29, 41, 67,
	540	102, 67, 177, 229, 41, 220, 102, 177, 219, 218,
	541	41, 217, 215, 177, 214, 213, 212, 211, 210, 208,
	542
	543	207, 206, 205, 204, 41, 203, 202, 41, 201, 41,
	544	200, 198, 197, 41, 223, 223, 223, 223, 223, 223,
	545	224, 224, 224, 224, 224, 224, 225, 225, 226, 196,
	546	226, 195, 226, 226, 227, 227, 194, 227, 227, 227,
	547	228, 193, 228, 228, 228, 228, 192, 191, 190, 189,
	548	188, 187, 186, 185, 184, 183, 182, 181, 180, 176,
	549	174, 173, 172, 171, 170, 169, 168, 167, 165, 164,
	550	163, 162, 160, 159, 158, 157, 153, 152, 150, 149,
	551	147, 146, 145, 144, 143, 142, 141, 140, 139, 138,
	552	137, 136, 135, 134, 133, 132, 131, 130, 129, 128,
	553
	554	126, 125, 124, 123, 122, 121, 118, 114, 112, 111,
	555	110, 109, 107, 106, 105, 104, 103, 97, 96, 94,
	556	93, 92, 91, 90, 89, 88, 87, 86, 84, 83,
	557	82, 81, 80, 79, 78, 65, 63, 62, 61, 59,
	558	58, 57, 56, 55, 54, 53, 52, 51, 50, 49,
	559	48, 46, 33, 32, 31, 30, 28, 27, 24, 23,
	560	22, 21, 20, 19, 7, 222, 222, 222, 222, 222,
	561	222, 222, 222, 222, 222, 222, 222, 222, 222, 222,
	562	222, 222, 222, 222, 222, 222, 222, 222, 222, 222,
	563	222, 222, 222, 222, 222, 222, 222, 222, 222, 222,
	564
	565	222, 222, 222, 222, 222, 222, 222, 222, 222, 222,
	566	222
564	567	} ;
565	568
…	…
595	598
596	599
597		#line ~~598~~ "lex.yy.c"
	600	#line 601 "lex.yy.c"
598	601
599	602	#define INITIAL 0
…	…
752	755
753	756
754		#line 755 "lex.yy.c"
	757	#line 758 "lex.yy.c"
755	758
756	759	if ( (yy_init) )
…	…
805	808	{
806	809	yy_current_state = (int) yy_def[yy_current_state];
807		if ( yy_current_state >= 216 )
	810	if ( yy_current_state >= 223 )
808	811	yy_c = yy_meta[(unsigned int) yy_c];
809	812	}
…	…
811	814	++yy_cp;
812	815	}
813		while ( yy_base[yy_current_state] != 259 );
	816	while ( yy_base[yy_current_state] != 266 );
814	817
815	818	yy_find_action:
…	…
992	995	case 32:
993	996	YY_RULE_SETUP
	997	#line 64 "parser.l"
	998	{ return SC_PCRE; }
	999	YY_BREAK
	1000	case 33:
	1001	YY_RULE_SETUP
994	1002	#line 65 "parser.l"
	1003	{ return SC_PRELOAD; }
	1004	YY_BREAK
	1005	case 34:
	1006	YY_RULE_SETUP
	1007	#line 66 "parser.l"
	1008	{ return SC_PRELOAD; }
	1009	YY_BREAK
	1010	case 35:
	1011	YY_RULE_SETUP
	1012	#line 68 "parser.l"
995	1013	{ string_append(yytext, strlen(yytext)); return SC_ID; }
996	1014	YY_BREAK
997		case 33:
998		YY_RULE_SETUP
999		#line 68 "parser.l"
	1015	case 36:
	1016	YY_RULE_SETUP
	1017	#line 71 "parser.l"
1000	1018	{ BEGIN(comment); }
1001	1019	YY_BREAK
1002		case 34:
1003		YY_RULE_SETUP
1004		#line 69 "parser.l"
	1020	case 37:
	1021	YY_RULE_SETUP
	1022	#line 72 "parser.l"
1005	1023	{ }
1006	1024	YY_BREAK
1007		case 35:
1008		YY_RULE_SETUP
1009		#line 70 "parser.l"
	1025	case 38:
	1026	YY_RULE_SETUP
	1027	#line 73 "parser.l"
1010	1028	{ BEGIN(INITIAL); }
1011	1029	YY_BREAK
1012		case 36:
1013		YY_RULE_SETUP
1014		#line 71 "parser.l"
	1030	case 39:
	1031	YY_RULE_SETUP
	1032	#line 74 "parser.l"
1015	1033	{ }
1016	1034	YY_BREAK
1017		case 37:
1018		/* rule 37 can match eol */
1019		YY_RULE_SETUP
1020		#line 72 "parser.l"
	1035	case 40:
	1036	/* rule 40 can match eol */
	1037	YY_RULE_SETUP
	1038	#line 75 "parser.l"
1021	1039	{ line_number++; }
1022	1040	YY_BREAK
1023		case 38:
1024		YY_RULE_SETUP
1025		#line 74 "parser.l"
	1041	case 41:
	1042	YY_RULE_SETUP
	1043	#line 77 "parser.l"
1026	1044	{ BEGIN(string); }
1027	1045	YY_BREAK
1028		case 39:
1029		YY_RULE_SETUP
1030		#line 75 "parser.l"
	1046	case 42:
	1047	YY_RULE_SETUP
	1048	#line 78 "parser.l"
1031	1049	{ BEGIN(INITIAL); return SC_STRING; }
1032	1050	YY_BREAK
1033		case 40:
1034		YY_RULE_SETUP
1035		#line 76 "parser.l"
	1051	case 43:
	1052	YY_RULE_SETUP
	1053	#line 79 "parser.l"
1036	1054	{ string_append("\n", 1); }
1037	1055	YY_BREAK
1038		case 41:
1039		YY_RULE_SETUP
1040		#line 77 "parser.l"
	1056	case 44:
	1057	YY_RULE_SETUP
	1058	#line 80 "parser.l"
1041	1059	{ string_append("\r", 1); }
1042	1060	YY_BREAK
1043		case 42:
1044		YY_RULE_SETUP
1045		#line 78 "parser.l"
	1061	case 45:
	1062	YY_RULE_SETUP
	1063	#line 81 "parser.l"
1046	1064	{ string_append("\t", 1); }
1047	1065	YY_BREAK
1048		case 43:
1049		YY_RULE_SETUP
1050		#line 79 "parser.l"
	1066	case 46:
	1067	YY_RULE_SETUP
	1068	#line 82 "parser.l"
1051	1069	{ string_append("\"", 1); }
1052	1070	YY_BREAK
1053		case 44:
1054		YY_RULE_SETUP
1055		#line 80 "parser.l"
	1071	case 47:
	1072	YY_RULE_SETUP
	1073	#line 83 "parser.l"
1056	1074	{ string_append("\0", 1); }
1057	1075	YY_BREAK
1058		case 45:
1059		YY_RULE_SETUP
1060		#line 81 "parser.l"
	1076	case 48:
	1077	YY_RULE_SETUP
	1078	#line 84 "parser.l"
1061	1079	{ string_append("\\", 1); }
1062	1080	YY_BREAK
1063		case 46:
1064		YY_RULE_SETUP
1065		#line 82 "parser.l"
	1081	case 49:
	1082	YY_RULE_SETUP
	1083	#line 85 "parser.l"
1066	1084	{
1067	1085	char hexval[] = {'0', 'x', (yytext + 2), (yytext + 3), '\0'};
…	…
1072	1090	}
1073	1091	YY_BREAK
1074		~~case 47:~~
1075		~~/* rule 47 can match eol */~~
1076		~~YY_RULE_SETUP~~
1077		~~#line 89 "parser.l"~~
1078		~~{ string_append(yytext, strlen(yytext)); }~~
1079		~~YY_BREAK~~
1080		~~case 48:~~
1081		~~YY_RULE_SETUP~~
1082		~~#line 91 "parser.l"~~
1083		~~{ }~~
1084		~~YY_BREAK~~
1085		~~case 49:~~
1086		~~YY_RULE_SETUP~~
1087		~~#line 93 "parser.l"~~
1088		~~{ }~~
1089		~~YY_BREAK~~
1090	1092	case 50:
1091	1093	/* rule 50 can match eol */
1092	1094	YY_RULE_SETUP
	1095	#line 92 "parser.l"
	1096	{ string_append(yytext, strlen(yytext)); }
	1097	YY_BREAK
	1098	case 51:
	1099	YY_RULE_SETUP
1093	1100	#line 94 "parser.l"
	1101	{ }
	1102	YY_BREAK
	1103	case 52:
	1104	YY_RULE_SETUP
	1105	#line 96 "parser.l"
	1106	{ }
	1107	YY_BREAK
	1108	case 53:
	1109	/* rule 53 can match eol */
	1110	YY_RULE_SETUP
	1111	#line 97 "parser.l"
1094	1112	{ line_number++; }
1095	1113	YY_BREAK
1096		case 51:
1097		YY_RULE_SETUP
1098		#line 96 "parser.l"
	1114	case 54:
	1115	YY_RULE_SETUP
	1116	#line 99 "parser.l"
1099	1117	ECHO;
1100	1118	YY_BREAK
1101		#line 1102 "lex.yy.c"
	1119	#line 1120 "lex.yy.c"
1102	1120	case YY_STATE_EOF(INITIAL):
1103	1121	case YY_STATE_EOF(comment):
…	…
1385	1403	{
1386	1404	yy_current_state = (int) yy_def[yy_current_state];
1387		if ( yy_current_state >= 216 )
	1405	if ( yy_current_state >= 223 )
1388	1406	yy_c = yy_meta[(unsigned int) yy_c];
1389	1407	}
…	…
1413	1431	{
1414	1432	yy_current_state = (int) yy_def[yy_current_state];
1415		if ( yy_current_state >= 216 )
	1433	if ( yy_current_state >= 223 )
1416	1434	yy_c = yy_meta[(unsigned int) yy_c];
1417	1435	}
1418	1436	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
1419		yy_is_jam = (yy_current_state == 215);
	1437	yy_is_jam = (yy_current_state == 222);
1420	1438
1421	1439	return yy_is_jam ? 0 : yy_current_state;
…	…
2068	2086	#undef YY_DECL
2069	2087	#endif
2070		#line 96 "parser.l"
	2088	#line 99 "parser.l"
2071	2089
2072	2090

nepenthes/trunk/modules/shellcode-signatures/parser.h

r422	r426
19	19	};
20	20
21		enum mapping
	21	enum sc_mapping
22	22	{
23		key,
24		size,
25		sizeinvert,
26		port,
27		host,
28		command,
29		uri
	23	sc_key,
	24	sc_size,
	25	sc_sizeinvert,
	26	sc_port,
	27	sc_host,
	28	sc_command,
	29	sc_uri,
	30	sc_pcre,
	31	sc_pre,
	32	sc_post
30	33	};
31	34
32	35	#define MAP_MAX 8
33		struct shellcode
	36	struct sc_shellcode
34	37	{
35	38	char *name;
…	…
40	43	enum sc_namespace nspace;
41	44	int map_items;
42		enum mapping map[MAP_MAX];
	45	enum sc_mapping map[MAP_MAX];
43	46	int flags;
44	47
45		struct shellcode *next;
	48	struct sc_shellcode *next;
46	49	};
47	50
48		extern struct shellcode sc_parse_file(const char );
	51	extern struct sc_shellcode sc_parse_file(const char );
49	52	extern char *sc_get_error();
50	53
	54	extern char *sc_get_namespace_by_numeric(int num);
	55	extern char *sc_get_mapping_by_numeric(int num);
	56
	57
51	58	#endif

nepenthes/trunk/modules/shellcode-signatures/parser.l

r422	r426
62	62	"command" { return SC_COMMAND; }
63	63	"uri" { return SC_URI; }
	64	"pcre" { return SC_PCRE; }
	65	"pre" { return SC_PRELOAD; }
	66	"post" { return SC_PRELOAD; }
64	67
65	68	{LETTER}({LETTER}\|{DIGIT}\|"_")* { string_append(yytext, strlen(yytext)); return SC_ID; }

nepenthes/trunk/modules/shellcode-signatures/parser.y

r423	r426
16	16	extern FILE *yyin;
17	17
18		static struct shellcode *shellcodes = NULL;
	18	static struct sc_shellcode *shellcodes = NULL;
19	19	extern int line_number;
20	20
21		static struct shellcode *init_shellcode();
22		static char *get_namespace_by_numeric(int num);
23		static char *get_mapping_by_numeric(int num);
	21	static struct sc_shellcode *init_shellcode();
24	22
25	23	static char error_buffer[0xff];
…	…
38	36	SC_KEY SC_SIZE SC_SIZEINVERT SC_HOST SC_PORT SC_COMMAND
39	37	SC_URI
40
	38	SC_PCRE SC_PRELOAD SC_POSTLOAD
41	39
42	40	%start body
…	…
57	55
58	56	printf("\tname %s\n", shellcodes->name);
59		printf("\tnamespace %s (%d) \n", get_namespace_by_numeric(shellcodes->nspace), shellcodes->nspace);
	57	printf("\tnamespace %s (%d) \n", sc_get_namespace_by_numeric(shellcodes->nspace), shellcodes->nspace);
60	58	// printf("\tpattern %s\n", shellcodes->pattern);
61	59	printf("\tmap-size %d\n", shellcodes->map_items);
…	…
64	62	for( i = 0; i < shellcodes->map_items; i++ )
65	63	{
66		printf("%s (%d) ", get_mapping_by_numeric(shellcodes->map[i]),shellcodes->map[i]);
	64	printf("%s (%d) ", sc_get_mapping_by_numeric(shellcodes->map[i]),shellcodes->map[i]);
67	65	}
68	66
…	…
182	180	: SC_KEY
183	181	{
184		shellcodes->map[shellcodes->map_items++] = key;
	182	shellcodes->map[shellcodes->map_items++] = sc_key;
185	183	}
186	184	\| SC_SIZE
187	185	{
188		shellcodes->map[shellcodes->map_items++] = size;
	186	shellcodes->map[shellcodes->map_items++] = sc_size;
189	187	}
190	188	\| SC_SIZEINVERT
191	189	{
192		shellcodes->map[shellcodes->map_items++] = sizeinvert;
	190	shellcodes->map[shellcodes->map_items++] = sc_sizeinvert;
193	191	}
194	192	\| SC_PORT
195	193	{
196		shellcodes->map[shellcodes->map_items++] = port;
	194	shellcodes->map[shellcodes->map_items++] = sc_port;
197	195	}
198	196	\| SC_HOST
199	197	{
200		shellcodes->map[shellcodes->map_items++] = host;
	198	shellcodes->map[shellcodes->map_items++] = sc_host;
201	199	}
202	200	\| SC_COMMAND
203	201	{
204		shellcodes->map[shellcodes->map_items++] = command;
	202	shellcodes->map[shellcodes->map_items++] = sc_command;
205	203	}
206	204	\| SC_URI
207		{
208		shellcodes->map[shellcodes->map_items++] = uri;
209		}
210		;
	205	{
	206	shellcodes->map[shellcodes->map_items++] = sc_uri;
	207	}
	208	\| SC_PCRE
	209	{
	210	shellcodes->map[shellcodes->map_items++] = sc_pcre;
	211	}
	212	\| SC_PRELOAD
	213	{
	214	shellcodes->map[shellcodes->map_items++] = sc_pre;
	215	}
	216	\| SC_POSTLOAD
	217	{
	218	shellcodes->map[shellcodes->map_items++] = sc_post;
	219	}
	220
	221	;
211	222
212	223	pattern
…	…
226	237	%%
227	238
228		struct shellcode *init_shellcode()
229		{
230		struct s~~hellcode s = (struct shellcode )malloc(sizeof(struct~~ shellcode));
231
232		memset(s, 0, sizeof(struct shellcode));
	239	struct sc_shellcode *init_shellcode()
	240	{
	241	struct sc_shellcode s = (struct sc_shellcode )malloc(sizeof(struct sc_shellcode));
	242
	243	memset(s, 0, sizeof(struct sc_shellcode));
233	244
234	245	s->next = shellcodes;
…	…
239	250
240	251
241		static char *get_namespace_by_numeric(int num)
	252	char *sc_get_namespace_by_numeric(int num)
242	253	{
243	254
…	…
264	275	}
265	276
266		static char *get_mapping_by_numeric(int num)
	277	char *sc_get_mapping_by_numeric(int num)
267	278	{
268	279	static char *mapmapping[]=
…	…
274	285	"host",
275	286	"command",
276		"uri"
	287	"uri",
	288	"pcre",
	289	"pre",
	290	"post"
277	291	};
278	292	if ( num > sizeof(mapmapping)/sizeof(char *) )
…	…
297	311	}
298	312
299		struct shellcode sc_parse_file(const char filename)
	313	struct sc_shellcode sc_parse_file(const char filename)
300	314	{
301	315	yyin = fopen(filename, "r");

nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp

r424	r426
36	36	#include "Utilities.hpp"
37	37
	38	#include "parser.hpp"
38	39
39	40	#ifdef STDTAGS
…	…
44	45	using namespace nepenthes;
45	46
46		NamespaceXOR::NamespaceXOR(shellcode *)
47		{
48
	47	NamespaceXOR::NamespaceXOR(sc_shellcode *sc)
	48	{
	49	m_ShellcodeHandlerName = sc_get_namespace_by_numeric(sc->nspace);
	50	m_ShellcodeHandlerName += "::";
	51	m_ShellcodeHandlerName += sc->name;
	52
	53	m_Shellcode = sc;
	54
49	55	}
50	56
51	57	NamespaceXOR::~NamespaceXOR()
52	58	{
	59
53	60	}
54	61
55	62	bool NamespaceXOR::Init()
56	63	{
	64	const char * pcreEerror;
	65	int32_t pcreErrorPos;
	66	if ( (m_Pcre = pcre_compile(m_Shellcode->pattern, PCRE_DOTALL, &pcreEerror, (int *)&pcreErrorPos, 0)) == NULL )
	67	{
	68	logCrit("%s could not compile pattern \n\t\"%s\"\n\t Error:\"%s\" at Position %u",
	69	m_ShellcodeHandlerName.c_str(), pcreEerror, pcreErrorPos);
	70	return false;
	71	}else
	72	{
	73	logInfo("%s loaded ...\n",m_ShellcodeHandlerName.c_str());
	74	}
	75
	76	printf("%s\n",m_Shellcode->pattern);
	77	// g_Nepenthes->getUtilities()->hexdump((byte *)m_Shellcode->pattern,m_Shellcode->pattern_size);
57	78	return true;
58	79	}
…	…
65	86	sch_result NamespaceXOR::handleShellcode(Message **msg)
66	87	{
	88	logSpam("%s checking ...\n",m_ShellcodeHandlerName.c_str());
	89
	90	char shellcode = (msg)->getMsg();
	91	uint32_t len = (*msg)->getSize();
	92
	93	int32_t ovec[10 * 3];
	94	int32_t matchCount;
	95
	96	// data before xor
	97	const char *preMatch = NULL;
	98	uint32_t preSize = 0;
	99
	100
	101	// data before xor
	102	const char *decoderMatch= NULL;
	103	uint32_t decoderSize = 0;
	104
	105
	106
	107	// key
	108	const char *keyMatch = NULL;
	109	char byteKey = 0;
	110	uint32_t intKey = 0;
	111	uint32_t keySize = 0;
	112
	113
	114	// 'data to xor' size
	115	const char *sizeMatch = NULL;
	116	uint32_t codeSize = 0;
	117
	118
	119	// data after xor
	120	const char *postMatch = NULL;
	121	uint32_t postSize = 0;
	122