예제 #1
0
 //$PERF: of course we should compile pattern files into a trie for super performance.
 //$REVIEW: move to ImageSignature class?
 // See https://www.hex-rays.com/products/ida/tech/flirt/in_depth.shtml for implementation
 // ideas.
 public bool Matches(ImageSignature sig, byte[] image, uint entryPointOffset)
 {
     try
     {
         if (entryPointOffset >= image.Length || string.IsNullOrEmpty(sig.EntryPointPattern))
         {
             return(false);
         }
         int iImage   = (int)entryPointOffset;
         int iPattern = 0;
         while (iPattern < sig.EntryPointPattern !.Length - 1 && iImage < image.Length)
         {
             var msn = sig.EntryPointPattern[iPattern];
             var lsn = sig.EntryPointPattern[iPattern + 1];
             if (msn != '?' && lsn != '?')
             {
                 var pat = Loader.HexDigit(msn) << 4 | Loader.HexDigit(lsn);
                 var img = image[iImage];
                 if (pat != img)
                 {
                     return(false);
                 }
             }
             iImage   += 1;
             iPattern += 2;
         }
         return(iPattern == sig.EntryPointPattern.Length);
     } catch
     {
         Debug.Print("Pattern for '{0}' is unhandled: {1}", sig.Name, sig.EntryPointPattern);
         return(false);
     }
 }
예제 #2
0
        public void Upsvc_Match_Wildcard()
        {
            var image = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x12, 0x34, 0x56, 0x00 };
            var sig = new ImageSignature
            {
                EntryPointPattern = "??34"
            };
            var upsvc = new UnpackingService(sc);

            Assert.IsTrue(upsvc.Matches(sig, image, 4));
        }
예제 #3
0
 //$PERF: of course we should compile pattern files into a trie for super performance.
 //$REVIEW: move to ImageSignature class?
 // See https://www.hex-rays.com/products/ida/tech/flirt/in_depth.shtml for implementation
 // ideas.
 public bool Matches(ImageSignature sig, byte[] image, uint entryPointOffset)
 {
     try
     {
         if (entryPointOffset >= image.Length || string.IsNullOrEmpty(sig.EntryPointPattern))
             return false;
         int iImage =  (int)entryPointOffset;
         int iPattern = 0;
         while (iPattern < sig.EntryPointPattern.Length - 1 && iImage < image.Length)
         {
             var msn = sig.EntryPointPattern[iPattern];
             var lsn = sig.EntryPointPattern[iPattern + 1];
             if (msn != '?' && lsn != '?')
             {
                 var pat = Loader.HexDigit(msn) << 4 | Loader.HexDigit(lsn);
                 var img = image[iImage];
                 if (pat != img)
                     return false;
             }
             iImage += 1;
             iPattern += 2;
         }
         return iPattern == sig.EntryPointPattern.Length;
     } catch
     {
         Debug.Print("Pattern for '{0}' is unhandled: {1}", sig.Name, sig.EntryPointPattern);
         return false;
     }
 }