Navigation

← Previous Changeset
Next Changeset →

Changeset 471

Timestamp:

04/04/06 17:03:33 (3 years ago)

Author:

common

Message:

shellcode-signatures
- s/sc_pcre/sc_decoder/g including mapping

Files:

nepenthes/trunk/modules/shellcode-signatures/parser.h (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/parser.l (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/parser.y (modified) (3 diffs)
nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp (modified) (1 diff)
nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc (modified) (19 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

nepenthes/trunk/modules/shellcode-signatures/parser.h

r448	r471
30	30	sc_command,
31	31	sc_uri,
32		sc_~~pcre~~,
	32	sc_decoder,
33	33	sc_pre,
34	34	sc_post,

nepenthes/trunk/modules/shellcode-signatures/parser.l

r464	r471
66	66	"command" { return SC_COMMAND; }
67	67	"uri" { return SC_URI; }
68		"~~pcre" { return SC_PCRE~~; }
	68	"decoder" { return SC_DECODER; }
69	69	"pre" { return SC_PRELOAD; }
70	70	"post" { return SC_POSTLOAD; }

nepenthes/trunk/modules/shellcode-signatures/parser.y

r470	r471
44	44	SC_KEY SC_SUBKEY SC_SIZE SC_SIZEINVERT SC_HOST SC_PORT SC_COMMAND
45	45	SC_URI
46		SC_~~PCRE~~ SC_PRELOAD SC_POSTLOAD
	46	SC_DECODER SC_PRELOAD SC_POSTLOAD
47	47	SC_HOSTKEY SC_PORTKEY
48	48
…	…
228	228	$$ = sc_uri;
229	229	}
230		\| SC_~~PCRE~~
231		{
232		$$ = sc_~~pcre~~;
	230	\| SC_DECODER
	231	{
	232	$$ = sc_decoder;
233	233	}
234	234	\| SC_PRELOAD
…	…
356	356	"command",
357	357	"uri",
358		"~~pcre~~",
	358	"decoder",
359	359	"pre",
360	360	"post",

nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp

r445	r471
117	117	break;
118	118
119		case sc_~~pcre~~:
	119	case sc_decoder:
120	120	decoderMatch = match;
121	121	decoderSize = matchSize;

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc

r456	r471
44	44	"(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(.)"
45	45	"\\xFF\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$";
46		mapping (none,pre,~~pcre~~,size,key,post);
	46	mapping (none,pre,decoder,size,key,post);
47	47	};
48	48
…	…
54	54	"(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\xB1(.)\\x80"
55	55	"\\x73\\x0C(.)\\x43\\xE2\\xF9)(.*)$";
56		mapping (none,pre,~~pcre~~,size,key,post);
	56	mapping (none,pre,decoder,size,key,post);
57	57	};
58	58
…	…
62	62	"(.*)(\\xEB\\x10\\x5A\\x4A\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0A(.)\\xE2\\xFA"
63	63	"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF)(.*)$";
64		mapping (none,pre,~~pcre~~,size,key,post);
	64	mapping (none,pre,decoder,size,key,post);
65	65	};
66	66
…	…
70	70	"(.*)(\\xEB\\x02\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5B\\x31\\xC9\\x66\\xB9(..)"
71	71	"\\x80\\x73\\x0E(.)\\x43\\xE2\\xF9)(.*)$";
72		mapping (none,pre,~~pcre~~,size,key,post);
	72	mapping (none,pre,decoder,size,key,post);
73	73	};
74	74
…	…
79	79	"(.*)(\\xEB\\x19\\x5E\\x31\\xC9\\x81\\xE9(....)\\x81\\x36(....)\\x81\\xEE\\xFC"
80	80	"\\xFF\\xFF\\xFF\\xE2\\xF2\\xEB\\x05\\xE8\\xE2\\xFF\\xFF\\xFF)(.*)$";
81		mapping (none,pre,~~pcre~~,sizeinvert,key,post);
	81	mapping (none,pre,decoder,sizeinvert,key,post);
82	82	};
83	83
…	…
89	89	"(.*)(\\xEB\\x03\\x5D\\xEB\\x05\\xE8\\xF8\\xFF\\xFF\\xFF\\x8B\\xC5\\x83\\xC0\\x11"
90	90	"\\x33\\xC9\\x66\\xB9(..)\\x80\\x30(.)\\x40\\xE2\\xFA)(.*)$";
91		mapping (none,pre,~~pcre~~,size,key,post);
	91	mapping (none,pre,decoder,size,key,post);
92	92	};
93	93
…	…
97	97	"(.*)(\\xEB\\x10\\x5A\\x4A\\x31\\xC9\\x66\\xB9\(..)\\x80\\x34\\x0A(.)\\xE2\\xFA"
98	98	"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF)(.*)$";
99		mapping (none,pre,~~pcre~~,size,key,post);
	99	mapping (none,pre,decoder,size,key,post);
100	100	};
101	101
…	…
106	106	"(.*)(\\xEB\\x0F\\x5B\\x33\\xC9\\x66\\xB9(..)\\x80\\x33(.)\\x43\\xE2\\xFA\\xEB"
107	107	"\\x05\\xE8\\xEC\\xFF\\xFF\\xFF)(.*)$";
108		mapping (none,pre,~~pcre~~,size,key,post);
	108	mapping (none,pre,decoder,size,key,post);
109	109	};
110	110
…	…
114	114	"(.*)(\\xEB\\x03\\x5D\\xEB\\x05\\xE8\\xF8\\xFF\\xFF\\xFF\\x83\\xC5\\x15\\x90\\x90"
115	115	"\\x90\\x8B\\xC5\\x33\\xC9\\x66\\xB9(..)\\x50\\x80\\x30(.)\\x40\\xE2\\xFA)(.*)$";
116		mapping (none,pre,~~pcre~~,size,key,post);
	116	mapping (none,pre,decoder,size,key,post);
117	117	};
118	118
…	…
122	122	"(.*)(\\x31\\xC9\\x83\\xE9(.)\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x81\\x73\\x13(....)"
123	123	"\\x83\\xEB\\xFC\\xE2\\xF4)(.*)$";
124		mapping (none,pre,~~pcre~~,sizeinvert,key,post);
	124	mapping (none,pre,decoder,sizeinvert,key,post);
125	125	};
126	126
…	…
130	130	"(.*)(\\x33\\xC0\\xF7\\xD0\\x8B\\xFC\\xF2\\xAF\\x57\\x33\\xC9\\xB1(.)\\x90\\x90\\x90"
131	131	"\\x90\\x80\\x37(.)\\x47\\xE2\\xFA.\\xFF\\xFF\\xFF\\xFF)(.)$";
132		mapping (none,pre,~~pcre~~,size,key,post);
	132	mapping (none,pre,decoder,size,key,post);
133	133	};
134	134
…	…
138	138	"(.*)(\\xEB\\x0F\\x8B\\x34\\x24\\x33\\xC9\\x80\\xC1(.)\\x80\\x36(.)\\x46\\xE2\\xFA"
139	139	"\\xC3\\xE8\\xEC\\xFF\\xFF\\xFF)(.*)$";
140		mapping (none,pre,~~pcre~~,size,key,post);
	140	mapping (none,pre,decoder,size,key,post);
141	141	};
142	142
…	…
148	148	"\\x01\\xFC\\xFF\\xFF\\x83\\xE4\\xFC\\x8B\\xEC\\x33\\xC9\\x66\\xB9(..)\\x80\\x30(.)"
149	149	"\\x40\\xE2\\xFA)(.*)$";
150		mapping (none,pre,~~pcre~~,size,key,post);
	150	mapping (none,pre,decoder,size,key,post);
151	151	};
152	152
…	…
157	157	"(.*)(\\xC9\\x83\\xE9(.)\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x81\\x73\\x13(....)\\x83"
158	158	"\\xEB\\xFC\\xE2\\xF4)(.*)$";
159		mapping (none,pre,~~pcre~~,sizeinvert,key,post);
	159	mapping (none,pre,decoder,sizeinvert,key,post);
160	160	};
161	161
…	…
167	167	"(.*)(\\x2B\\xC9\\x83\\xE9(.)\\xE8\\xFF\\xFF\\xFF\\xFF\\xC0\\x5E\\x81\\x76\\x0E(....)"
168	168	"\\x83\\xEE\\xFC\\xE2\\xF4)(.*)$";
169		mapping (none,pre,~~pcre~~,sizeinvert,key,post);
	169	mapping (none,pre,decoder,sizeinvert,key,post);
170	170	};
171	171
…	…
176	176	"(.*)(\\xEB\\x0E\\x5B\\x4B\\x33\\xC9\\xB1(.)\\x80\\x34\\x0B(.)\\xE2\\xFA\\xEB\\x05\\xE8"
177	177	"\\xED\\xFF\\xFF\\xFF)(.*)$";
178		mapping (none,pre,~~pcre~~,size,key,post);
	178	mapping (none,pre,decoder,size,key,post);
179	179	};
180	180
…	…
186	186	pattern
187	187	"(.)(\\xEB.\\xEB.\\xE8.\\xB1(.).\\x80..(.).\\xE2.)(.*)$";
188		mapping (none,pre,~~pcre~~,size,key,post);
	188	mapping (none,pre,decoder,size,key,post);
189	189	};
190	190	*/
…	…
195	195	"(.)(\\xEB\\x10\\x5B\\x4B\\x33\\xC9\\x66\\xB9(..)\\x80\\x34\\x0B(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF)(.)$";
196	196
197		mapping (none,pre,~~pcre~~,size,key,post);
	197	mapping (none,pre,decoder,size,key,post);
198	198	};
199	199
…	…
209	209	"\\x06\\x3C(.)\\x75\\x05\\x46\\x8A\\x06\\x2C(.)\\x46\\x34(.)\\x88\\x07\\x47\\xE2\\xED\\xEB\\x0A\\xE8"
210	210	"\\xDA\\xFF\\xFF\\xFF)(.*)$";
211		mapping (none,pre,~~pcre~~,size,key,subkey,none,post);
	211	mapping (none,pre,decoder,size,key,subkey,none,post);
212	212	};
213	213	*/

Navigation

Changeset 471

Legend:

nepenthes/trunk/modules/shellcode-signatures/parser.h

nepenthes/trunk/modules/shellcode-signatures/parser.l

nepenthes/trunk/modules/shellcode-signatures/parser.y

nepenthes/trunk/modules/shellcode-signatures/sch_namespace_xor.cpp

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc

Download in other formats: