Changeset 427
- Timestamp:
- 03/25/06 23:18:56 (3 years ago)
- Files:
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp
r426 r427 26 26 *******************************************************************************/ 27 27 28 /* $Id$ */28 /* $Id$ */ 29 29 30 30 #include "sch_namespace_xor.hpp" … … 39 39 40 40 #ifdef STDTAGS 41 #undef STDTAGS41 #undef STDTAGS 42 42 #endif 43 43 #define STDTAGS l_sc | l_hlr … … 52 52 53 53 m_Shellcode = sc; 54 54 55 55 } 56 56 … … 69 69 m_ShellcodeHandlerName.c_str(), pcreEerror, pcreErrorPos); 70 70 return false; 71 } else71 } else 72 72 { 73 73 logInfo("%s loaded ...\n",m_ShellcodeHandlerName.c_str()); … … 95 95 96 96 // data before xor 97 const char *preMatch =NULL;98 uint32_t preSize =0;97 const char *preMatch = NULL; 98 uint32_t preSize = 0; 99 99 100 100 101 101 // data before xor 102 const char *decoderMatch= NULL;103 uint32_t decoderSize =0;102 const char *decoderMatch= NULL; 103 uint32_t decoderSize = 0; 104 104 105 105 106 106 107 107 // key 108 const char *keyMatch =NULL;109 char byteKey =0;110 uint32_t intKey =0;111 uint32_t keySize =0;108 const char *keyMatch = NULL; 109 char byteKey = 0; 110 uint32_t intKey = 0; 111 uint32_t keySize = 0; 112 112 113 113 114 114 // 'data to xor' size 115 const char *sizeMatch =NULL;116 uint32_t codeSize =0;115 const char *sizeMatch = NULL; 116 uint32_t codeSize = 0; 117 117 118 118 119 119 // data after xor 120 const char *postMatch =NULL;121 uint32_t postSize =0;120 const char *postMatch = NULL; 121 uint32_t postSize = 0; 122 122 123 123 … … 133 133 int matchSize = pcre_get_substring((char *) shellcode, (int *)ovec, (int)matchCount, i, &match); 134 134 135 switch ( m_Shellcode->map[i])135 switch ( m_Shellcode->map[i] ) 136 136 { 137 137 138 138 case sc_pre: 139 139 preMatch = match; … … 144 144 decoderMatch = match; 145 145 decoderSize = matchSize; 146 break;146 break; 147 147 148 148 149 149 case sc_size: 150 150 sizeMatch = match; 151 switch ( matchSize )151 switch ( matchSize ) 152 152 { 153 153 case 4: … … 162 162 break; 163 163 } 164 break;164 break; 165 165 166 166 … … 177 177 break; 178 178 } 179 
break;179 break; 180 180 181 181 case sc_key: … … 193 193 194 194 } 195 break;195 break; 196 196 197 197 case sc_post: … … 209 209 memcpy(decodedMessage, postMatch, postSize); 210 210 211 switch ( keySize)211 switch ( keySize ) 212 212 { 213 213 case 1: 214 if ( codeSize > postSize )214 if ( codeSize > postSize ) 215 215 logWarn("codeSize (%i) > postSize (%i), maybe broken xor?\n",codeSize,postSize); 216 216 217 for ( uint32_t j = 0; j < codeSize && j < postSize; j++ )217 for ( uint32_t j = 0; j < codeSize && j < postSize; j++ ) 218 218 decodedMessage[j] ^= byteKey; 219 219 break; 220 220 221 221 case 4: 222 if ( codeSize*4 > postSize )222 if ( codeSize*4 > postSize ) 223 223 logWarn("codeSize*4 (%i) > postSize (%i), maybe broken xor?\n",codeSize*4,postSize); 224 224 225 for ( uint32_t j = 0; j < codeSize && (j+1)*4 < postSize; j++ )225 for ( uint32_t j = 0; j < codeSize && (j+1)*4 < postSize; j++ ) 226 226 *(uint32_t *)(decodedMessage+(j*4) ) ^= intKey; 227 227 break; … … 234 234 235 235 // the pre section 236 memcpy(newshellcode ,preMatch,preSize);236 memcpy(newshellcode ,preMatch ,preSize); 237 237 238 238 // the xor as 0x90 239 memset(newshellcode+preSize ,0x90,decoderSize);239 memset(newshellcode+preSize ,0x90 ,decoderSize); 240 240 241 241 // the xor decoded data 242 memcpy(newshellcode+preSize+decoderSize ,decodedMessage,postSize);242 memcpy(newshellcode+preSize+decoderSize ,decodedMessage ,postSize); 243 243 244 244 Message *newMessage = new Message((char *)newshellcode, len, (*msg)->getLocalPort(), (*msg)->getRemotePort(), 245 (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket());245 (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket()); 246 246 247 247 delete *msg;
