1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
#include <string.h>
#include "sigscan.h"
/* There is no ANSI ustrncpy */
unsigned char* ustrncpy(unsigned char *dest, const unsigned char *src, int len) {
while(len--)
dest[len] = src[len];
return dest;
}
/* //////////////////////////////////////
CSigScan Class
////////////////////////////////////// */
unsigned char* CSigScan::base_addr;
size_t CSigScan::base_len;
void *(*CSigScan::sigscan_dllfunc)(const char *pName, int *pReturnCode);
/* Initialize the Signature Object */
int CSigScan::Init(const unsigned char *sig, const char *mask, size_t len) {
is_set = 0;
sig_len = len;
if ( sig_str )
delete[] sig_str;
sig_str = new unsigned char[sig_len];
ustrncpy(sig_str, sig, sig_len);
if ( sig_mask )
delete[] sig_mask;
sig_mask = new char[sig_len/*+1*/];
strncpy(sig_mask, mask, sig_len);
//sig_mask[sig_len+1] = 0;
if(!base_addr)
return 2; // GetDllMemInfo() Failed
if((sig_addr = FindSignature()) == NULL)
return 1; // FindSignature() Failed
is_set = 1;
// SigScan Successful!
return 0;
}
/* Destructor frees sig-string allocated memory */
CSigScan::~CSigScan(void) {
delete[] sig_str;
delete[] sig_mask;
}
/* Get base address of the server module (base_addr) and get its ending offset (base_len) */
bool CSigScan::GetDllMemInfo(void) {
void *pAddr = (void*)sigscan_dllfunc;
base_addr = 0;
base_len = 0;
#ifdef WIN32
MEMORY_BASIC_INFORMATION mem;
if(!pAddr)
return false; // GetDllMemInfo failed!pAddr
if(!VirtualQuery(pAddr, &mem, sizeof(mem)))
return false;
base_addr = (unsigned char*)mem.AllocationBase;
IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER*)mem.AllocationBase;
IMAGE_NT_HEADERS *pe = (IMAGE_NT_HEADERS*)((unsigned long)dos+(unsigned long)dos->e_lfanew);
if(pe->Signature != IMAGE_NT_SIGNATURE) {
base_addr = 0;
return false; // GetDllMemInfo failedpe points to a bad location
}
base_len = (size_t)pe->OptionalHeader.SizeOfImage;
#else
Dl_info info;
struct stat buf;
if(!dladdr(pAddr, &info))
return false;
if(!info.dli_fbase || !info.dli_fname)
return false;
if(stat(info.dli_fname, &buf) != 0)
return false;
base_addr = (unsigned char*)info.dli_fbase;
base_len = buf.st_size;
#endif
return true;
}
/* Scan for the signature in memory then return the starting position's address */
void* CSigScan::FindSignature(void) {
unsigned char *pBasePtr = base_addr;
unsigned char *pEndPtr = base_addr+base_len;
size_t i;
while(pBasePtr < pEndPtr) {
for(i = 0;i < sig_len;i++) {
if((sig_mask[i] != '?') && (sig_str[i] != pBasePtr[i]))
break;
}
// If 'i' reached the end, we know we have a match!
if(i == sig_len)
return (void*)pBasePtr;
pBasePtr++;
}
return NULL;
}
|
