/* Digests the standard input and prints the result. */ static void MDFilter () { MD_CTX context; size_t len = 0; unsigned char buffer[128] = {0}, digest[16] = {0}; printf("Input a word(string) (length < 128): \n"); MDInit(&context); if (fgets(buffer, 128, stdin) != NULL) { len = strlen(buffer); // erase '\n' at the end of the buffer buffer[len - 1] = '\0'; len --; printf("Length: %d\n", len); } else return; MDUpdate(&context, buffer, len); MDFinal(digest, &context); printf("MD5 (\"%s\") = ", buffer); MDPrint(digest); printf("\n"); }
static void MDCrypt(unsigned char md5_target[32]) { struct timeval endTime, startTime; double timedif; unsigned int i; unsigned char word[WORD_LENGTH]; MD32ToChar16(md5_target, md5_target16); printf("Target MD5:\n"); MDPrint(md5_target16); printf("\n"); /* Start timer */ gettimeofday(&startTime, NULL); for (i = 1; i <= WORD_LENGTH; i++) CrackWord(word, i, i); /* Stop timer */ gettimeofday(&endTime, NULL); if (found) printf("\n\n the original word: %s\n", original_word); printf(" word_count: %d\n", word_count); printf(" done\n"); timedif = (endTime.tv_sec - startTime.tv_sec) + (endTime.tv_usec - startTime.tv_usec) / 1000000.0; printf("\nTime = %f seconds\n", timedif); return; }
static void CrackWord(unsigned char word[WORD_LENGTH], int index, int len) { MD_CTX context; unsigned char digest[16]; unsigned int i; if (index == 0) { // MD5 calculate MDInit (&context); MDUpdate(&context, word, len); MDFinal(digest, &context); // MD5 finished for (i = 0; i < len; i++) printf("%c", word[i]); printf(":"); MDPrint(digest); printf("\n"); if (strncmp(digest, md5_target16, 16) == 0) { printf("\nFind!!!\n\n"); found = 1; strncpy(original_word, word, len); } word_count++; } else { for (i = 0; i < 62; i++) { word[index - 1] = char_set[i]; CrackWord(word, index - 1, len); } } }
static void MDTimeTrial (void) { MD5_CONTEXT context; time_t endTime, startTime; unsigned char block [TEST_BLOCK_LEN], digest [16]; unsigned i; printf ("MD5 time trial. Digesting %d %d-byte blocks ...", TEST_BLOCK_COUNT, TEST_BLOCK_LEN); /* Initialize block */ for (i = 0; i < TEST_BLOCK_LEN; i++) block [i] = (unsigned char)(i & 0xff); /* Start timer */ time (&startTime); /* Digest blocks */ md5_init (&context); for (i = 0; i < TEST_BLOCK_COUNT; i++) md5_update (&context, block, TEST_BLOCK_LEN); md5_final (digest, &context); /* Stop timer */ time (&endTime); printf (" done\n"); printf ("Digest = "); MDPrint (digest); printf ("\nTime = %ld seconds\n", (long) (endTime - startTime)); printf ("Speed = %ld bytes/second\n", (long) TEST_BLOCK_LEN * (long) TEST_BLOCK_COUNT / (endTime - startTime)); }
/* Digests a file and prints the result. */ static void MDFile(char *filename) { apr_file_t *file; apr_md4_ctx_t context; apr_size_t len = 1024; unsigned char buffer[1024], digest[APR_MD4_DIGESTSIZE]; if (apr_file_open(&file, filename, APR_READ, APR_OS_DEFAULT, local_pool) != APR_SUCCESS) apr_file_printf(err, "%s can't be opened\n", filename); else { apr_md4_init(&context); while (apr_file_read(file, buffer, &len) != APR_SUCCESS) { apr_md4_update(&context, buffer, len); len = 1024; } apr_md4_final(digest, &context); apr_file_close(file); apr_file_printf(out, "MD4 (%s) = ", filename); MDPrint(digest); apr_file_printf(out, "\n"); } }
/* Digests a file and prints the result. */ static void MDFile(char *filename) { FILE *file; MD_CTX context; int len; unsigned char buffer[1024], digest[16]; if ((file = fopen(filename, "rb")) == NULL) { printf("%s can't be opened\n", filename); } else { MDInit(&context); while (len = fread(buffer, 1, 1024, file)) { MDUpdate(&context, buffer, len); } MDFinal(digest, &context); fclose(file); printf("MD%d (%s) = ", MD, filename); MDPrint(digest); printf("\n"); } }
/* Measures the time to digest TEST_BLOCK_COUNT TEST_BLOCK_LEN-byte blocks. */ static void MDTimeTrial () { MD_CTX context; struct timeval endTime, startTime; double timedif; unsigned char block[TEST_BLOCK_LEN], digest[16]; unsigned int i; printf("MD%d time trial. Digesting %d %d-byte blocks ...", MD, TEST_BLOCK_LEN, TEST_BLOCK_COUNT); /* Initialize block */ for (i = 0; i < TEST_BLOCK_LEN; i++) block[i] = (unsigned char)(i & 0xff); /* Start timer */ gettimeofday(&startTime, NULL); /* Digest blocks */ MDInit (&context); for (i = 0; i < TEST_BLOCK_COUNT; i++) MDUpdate(&context, block, TEST_BLOCK_LEN); MDFinal(digest, &context); /* Stop timer */ gettimeofday(&endTime, NULL); printf(" done\n"); printf("Digest = "); MDPrint(digest); timedif = (endTime.tv_sec - startTime.tv_sec) + (endTime.tv_usec - startTime.tv_usec) / 1000000.0; printf("\nTime = %f seconds\n", timedif); printf("Speed = %f bytes/second\n", (long)TEST_BLOCK_LEN * (long)TEST_BLOCK_COUNT / timedif); }
//generate md5 and print virtual address and md5 void genMd5(void * startAdress, int pageSize, unsigned vaddr) { unsigned char md5digest[16]; MDMem(startAdress, pageSize, md5digest); // printf("%x ", vaddr); //print vaddr MDPrint(md5digest); printf(" %x ", vaddr); //print vaddr printf("\n"); }
//generate md5 and print virtual address and md5 void genMd5WithOffset(void * startAdress, int pageSize, unsigned vaddr, unsigned offset) { unsigned char md5digest[16]; MDMem(startAdress, pageSize, md5digest); //print md5 and vaddr MDPrint(md5digest); printf(" %x %u", vaddr, offset / 4096); printf("\n"); }
//signatures match void sigMatch(range range, Mem *mem, int pageSize, int dsmPages[], int *match_time) { int i; struct timeval earlier; struct timeval later; //begin match int osNumber = initDb(); extern fingerprint fingerprints[FINGERPRINT_NO]; if (gettimeofday(&earlier, NULL)) { perror("gettimeofday() error"); exit(1); } int availableOs[FINGERPRINT_NO], matchCounts[FINGERPRINT_NO]; for (i = 0; i < FINGERPRINT_NO; i++) { availableOs[i] = 1; matchCounts[i] = 0; } unsigned startVirtualAddr = range.start; for (; startVirtualAddr <= range.end; startVirtualAddr += 0x1000) { unsigned pAddr = vtop(mem->mem, mem->mem_size, mem->pgd, startVirtualAddr); if (pAddr == -1 || pAddr > mem->mem_size) continue; int pageIndex = pAddr / pageSize; if (dsmPages[pageIndex] == 1) { int offset = (startVirtualAddr - range.start) / 4096; void *startAdress = (void*) ((unsigned) mem->mem + pageIndex * pageSize); unsigned char md5digest[16]; MDMem(startAdress, pageSize, md5digest); // printf("%x ", vaddr); //print vaddr MDPrint(md5digest); printf("\n"); int ret = matchByIndex(osNumber, md5digest, offset, availableOs, matchCounts); // if(ret ==1) } } int maxIndex = -1; int maxMatch = 0; for (i = 0; i < FINGERPRINT_NO; i++) { if (matchCounts[i] > maxMatch) { maxIndex = i; maxMatch = matchCounts[i]; } } if (maxMatch > 0) printf("Os is %s, match count is %d\n", fingerprints[maxIndex].osVersion, maxMatch); else puts("Unknown OS!"); if (gettimeofday(&later, NULL)) { perror("gettimeofday() error"); exit(1); } *match_time = timeval_diff(NULL, &later, &earlier) / 1000; printf("match time cost is %d milliseconds\n", *match_time); }
static void MDFilter () { MD5_CTX context; int len; unsigned char buffer[16], digest[16]; MD5Init (&context); while ((len = fread (buffer, 1, 16, stdin)) != 0) MD5Update (&context, buffer, len); MD5Final (digest, &context); MDPrint (digest); printf ("\n"); }
static void MDString(char *string) { MD5_CTX context; unsigned char digest[16]; unsigned int len = strlen(string); xMD5Init(&context); xMD5Update(&context, string, len); xMD5Final(digest, &context); printf("MD5 (\"%s\") = ", string); MDPrint(digest); printf("\n"); }
static void MDFilter (void) { MD5_CONTEXT context; int len; unsigned char buffer [16], digest [16]; md5_init (&context); while (len = fread (buffer, 1, 16, stdin)) md5_update (&context, buffer, len); md5_final (digest, &context); MDPrint (digest); printf ("\n"); }
static void MDString (const char *string) { MD5_CONTEXT context; unsigned char digest [16]; unsigned len = strlen (string); md5_init (&context); md5_update (&context, string, len); md5_final (digest, &context); printf ("MD5 (\"%s\") = ", string); MDPrint (digest); printf ("\n"); }
/* Digests a string and prints the result. */ static void MDString(char *string) { apr_md4_ctx_t context; unsigned char digest[APR_MD4_DIGESTSIZE]; unsigned int len = strlen(string); apr_md4_init(&context); apr_md4_update(&context, (unsigned char *)string, len); apr_md4_final(digest, &context); apr_file_printf (out, "MD4 (\"%s\") = ", string); MDPrint(digest); apr_file_printf (out, "\n"); }
int main (int argc, char *argv[]) { int i; unsigned char digest[16]; if (argc > 1) { for (i = 1; i < argc; i++) { if (argv[i][0] == '-' && argv[i][1] == 's') { MDString (&digest, argv[i] + 2); /* printf ("\nMD%d (\"%s\") = ", MD, argv[i] + 2); MDPrint (digest); printf ("\n"); */ } else if (strcmp (argv[i], "-t") == 0) MDTimeTrial (); else { MDFile (&digest, argv[i]); //MDPartOfFile (&digest, argv[i], 1000, 1003); //printf ("\nMD%d (%s) = ", MD, argv[i]); //fprintf (stderr, "xxxx %02x\n", digest[0]); unsigned int lol; char ans[32]; fprintf(stderr, "Wrote : "); for (lol = 0; lol < 16; lol++) { fprintf (stderr, "%02x", digest[lol]); sprintf (ans+2*lol, "%02x", digest[lol]); } #if 1 fprintf (stderr, "\n===================\n"); fprintf (stderr, "ANS : %s\n", ans); fprintf (stderr, "\n====================\n"); MDPrint (digest); printf ("\n"); #endif } } } else MDFilter (); return (0); }
/* Digests the standard input and prints the result. */ static void MDFilter(void) { apr_md4_ctx_t context; apr_size_t len = 16; unsigned char buffer[16], digest[16]; apr_md4_init(&context); while (apr_file_read(in, buffer, &len) != APR_SUCCESS) { apr_md4_update(&context, buffer, len); len = 16; } apr_md4_update(&context, buffer, len); apr_md4_final(digest, &context); MDPrint(digest); apr_file_printf(out, "\n"); }
//generate md5 and print virtual address and md5 void genMd5WithOffset(void *startAdress, int pageSize, unsigned vaddr, unsigned offset) { unsigned char md5digest[16]; MDMem(startAdress, pageSize, md5digest); //print md5 and vaddr MDPrint(md5digest); printf(" %x %u", vaddr, offset / 4096); printf("\n"); /* int i; for (i = 0; i < 16; i++) fprintf(kernel_code_sig, "%02x", md5digest[i]); fprintf(kernel_code_sig, " %x %u", vaddr, offset / 4096); fprintf(kernel_code_sig, "\n"); */ }
static void MDFile (const char *filename) { FILE *file; MD5_CONTEXT context; int len; unsigned char buffer [1024], digest [16]; if ((file = fopen (filename, "rb")) == NULL) printf ("%s can't be opened\n", filename); else { md5_init (&context); while (len = fread (buffer, 1, 1024, file)) md5_update (&context, buffer, len); md5_final (digest, &context); fclose (file); printf ("MD5 (%s) = ", filename); MDPrint (digest); printf ("\n"); } }
/* Measures the time to digest TEST_BLOCK_COUNT TEST_BLOCK_LEN-byte blocks. */ static void MDTimeTrial(void) { apr_md4_ctx_t context; apr_time_t endTime, startTime; apr_interval_time_t timeTaken; unsigned char block[TEST_BLOCK_LEN], digest[APR_MD4_DIGESTSIZE]; unsigned int i; apr_file_printf(out, "MD4 time trial. Digesting %d %d-byte blocks ...", TEST_BLOCK_LEN, TEST_BLOCK_COUNT); /* Initialize block */ for (i = 0; i < TEST_BLOCK_LEN; i++) block[i] = (unsigned char)(i & 0xff); /* Start timer */ startTime = apr_time_now(); /* Digest blocks */ apr_md4_init(&context); for (i = 0; i < TEST_BLOCK_COUNT; i++) apr_md4_update(&context, block, TEST_BLOCK_LEN); apr_md4_final(digest, &context); /* Stop timer */ endTime = apr_time_now(); timeTaken = endTime - startTime; apr_file_printf(out, " done\n"); apr_file_printf(out, "Digest = "); MDPrint(digest); apr_file_printf(out, "\nTime = %" APR_TIME_T_FMT " seconds\n", timeTaken); apr_file_printf(out, "Speed = % " APR_TIME_T_FMT " bytes/second\n", TEST_BLOCK_LEN * TEST_BLOCK_COUNT/timeTaken); }
/* determine version of OS by mem * 1.To get signature of multiply versions of os, which is the md5 of kernel code * 2.Compared by a decision tree. * 3.Done!*/ void determineOsVersion(Mem * mem) { int i; int pageSize = 4 * 1024; //4k int totalPageNumber = mem->mem_size / (4 * 1024); //assume that every page has 4k unsigned codePageNo = 0; //record when two page have different page index and the same sharp int calledPages[totalPageNumber]; int dsmPages[totalPageNumber]; //record virtual address unsigned virtualAddrs[totalPageNumber]; for (i = 0; i < totalPageNumber; i++) { calledPages[i] = 0; dsmPages[i] = 0; virtualAddrs[i] = 0; } //start address unsigned startVirtualAddr = KERNEL_START_ADDRESS; //with dissemble or not int withDissemble = 1; int cr3PageIndex = 0; unsigned cr3Pages[20]; for (i = 0; i < 20; i++) { cr3Pages[i] = 0; } struct timeval earlier; struct timeval later; if (gettimeofday(&earlier, NULL)) { perror("gettimeofday() error"); exit(1); } //generate step 1 clusters clusters[0].end = 0; int pre_rw = -1; //read or write int pre_us = -1; //use or system int pre_g = -1; //global, no move out of TLB int pre_ps = -1; //page size unsigned cluster_index = 0; newstart = 1; unsigned vAddr = startVirtualAddr; for (; vAddr > KERNEL_START_ADDRESS - 1; vAddr += 0x1000) { //printf("startvirtual %x:\n",startVirtualAddr); int rw = 0; //read or write int us = 0; //use or system int g = 0; //global, no move out of TLB int ps = 0; //page size 4M or 4k unsigned pAddr = vtopPageProperty(mem->mem, mem->mem_size, mem->pgd, vAddr, &rw, &us, &g, &ps); //if PHYSICAL ADDRESS is not VALID, then start a new cluster if (pAddr < 0 || pAddr > mem->mem_size || us != 0 || g != 256) { if (newstart == 0) { clusters[cluster_index].end = vAddr - 1; //printf("err address end is %x %x\n", vAddr, ranges[range_index].end); newstart = 1; } continue; } //if any property changes, then start a new cluster if (rw != pre_rw || us != pre_us || g != pre_g || ps != pre_ps) { if (newstart == 0) { clusters[cluster_index].end = vAddr - 1; //printf("property change end is %x %x\n", vAddr, ranges[range_index].end); newstart = 1; } } //update pre properties pre_rw = rw; pre_us = us; pre_g = g; pre_ps = ps; //collect pages with continuous properties; if (newstart) { clusters[++cluster_index].start = vAddr; clusters[cluster_index].end = vAddr + pageSize - 1; newstart = 0; } else clusters[cluster_index].end = vAddr + pageSize - 1; } if (gettimeofday(&later, NULL)) { perror("gettimeofday() error"); exit(1); } printf("step1, cluster: %d,time cost is %d milliseconds\n", cluster_index, timeval_diff(NULL, &later, &earlier) / 1000); //step2. kernel code page clusters with cr3 if (gettimeofday(&earlier, NULL)) { perror("gettimeofday() error"); exit(1); } unsigned startVirtual = startVirtualAddr; for (; startVirtual > startVirtualAddr - 1; startVirtual += 0x1000) { // for (; startVirtual < 0x818f0000; startVirtual += 0x1000) { unsigned vAddr = startVirtual; int rw = 0; //read or write int us = 0; //use or system int g = 0; //global(no move out of TLB) or not global int ps = 0; //page size unsigned pAddr = vtopPageProperty(mem->mem, mem->mem_size, mem->pgd, vAddr, &rw, &us, &g, &ps); // IS PHYSICAL ADDRESS VALID? if (pAddr == -1 || pAddr > mem->mem_size) continue; //collect pages which are system access, and global pages if (us == 0 && g == 256) { // printf("r only page %x\n", vAddr); if (find_kernel(mem, vAddr, pageSize) == 0) { //record kernel address cr3Pages[cr3PageIndex++] = vAddr; printf("kernel start at %x\n", vAddr); } } } if (gettimeofday(&later, NULL)) { perror("gettimeofday() error"); exit(1); } printf("step2 time cost is %d milliseconds\n", timeval_diff(NULL, &later, &earlier) / 1000); //step 3. clusters if (gettimeofday(&earlier, NULL)) { perror("gettimeofday() error"); exit(1); } int cr3PagesNo = 0; ranges[0].end = 0; newstart = 1; for (i = 1; i <= cluster_index; i++) { //:w printf("%x %x\n", clusters[i].start, clusters[i].end); if (containKernelAddres(clusters[i], cr3Pages) == -1) { continue; } cr3PagesNo++; unsigned vAddr = clusters[i].start; // printf("%x %x\n", clusters[i].start, clusters[i].end); newstart = 1; for (; vAddr < clusters[i].end; vAddr += 0x1000) { unsigned pAddr = vtop(mem->mem, mem->mem_size, mem->pgd, vAddr); if (vAddr == out_pc) code_init(mem, vAddr, pageSize, dsmPages, virtualAddrs, 1, calledPages, &codePageNo); else code_init(mem, vAddr, pageSize, dsmPages, virtualAddrs, 0, calledPages, &codePageNo); } ranges[range_index].end = clusters[i].end; } if (gettimeofday(&later, NULL)) { perror("gettimeofday() error"); exit(1); } printf("step2, cluster: %d\n", cr3PagesNo); printf("step3, cluster: %d,time cost is %d milliseconds\n", range_index, timeval_diff(NULL, &later, &earlier) / 1000); //3.find the kernel core code page cluster, and print it int osNumber = initDb(); if (gettimeofday(&earlier, NULL)) { perror("gettimeofday() error"); exit(1); } int max_len = 0, max_index = 0; for (i = 1; i <= range_index; i++) { // printf("start:%x, end:%x: len:%x kernel\n", ranges[i].start, ranges[i].end, ranges[i].len); if (ranges[i].len > max_len) { max_index = i; max_len = ranges[i].len; } } //4.print md5 of pages that can be disassembled int availableOs[FINGERPRINT_NO], matchCounts[FINGERPRINT_NO]; for (i = 0; i < FINGERPRINT_NO; i++) { availableOs[i] = 1; matchCounts[i] = 0; } startVirtualAddr = ranges[max_index].start; unsigned disasPageNo = 0; unsigned totalPageNo = 0; for (; startVirtualAddr <= ranges[max_index].end; startVirtualAddr += 0x1000) { totalPageNo++; unsigned pAddr = vtop(mem->mem, mem->mem_size, mem->pgd, startVirtualAddr); if (pAddr == -1 || pAddr > mem->mem_size) continue; int pageIndex = pAddr / pageSize; if (dsmPages[pageIndex] == 1) { int offset = (startVirtualAddr - ranges[max_index].start) / 4096; void *startAdress = (void *) ((unsigned) mem->mem + pageIndex * pageSize); unsigned char md5digest[16]; MDMem(startAdress, pageSize, md5digest); // printf("%x ", vaddr); //print vaddr MDPrint(md5digest); printf("\n"); //search hash table int ret = matchByIndex(osNumber, md5digest, offset, availableOs, matchCounts); // genMd5WithOffset(startAdress, pageSize, startVirtualAddr, offset); disasPageNo++; } } if (gettimeofday(&later, NULL)) { perror("gettimeofday() error"); exit(1); } printf("step4.time cost is %d milliseconds\n", timeval_diff(NULL, &later, &earlier) / 1000); int maxIndex = -1; int maxMatch = 0; for (i = 0; i < FINGERPRINT_NO; i++) { if (matchCounts[i] > maxMatch) { maxIndex = i; maxMatch = matchCounts[i]; } } if (maxMatch > 0) printf("Os is %s, match count is %d\n", fingerprints[maxIndex].osVersion, maxMatch); else puts("Unknown OS!"); return; }
int main(int argc, char **argv) { int sockfd, n; struct sockaddr_in servaddr; struct stat fileInfo; FILE *filepath; int blockSize = 100; char line[MAXLINE], path[MAXLINE]; char buffer[blockSize]; MD5_CTX mdContext; FILE * fdin; FILE * fdout; /* Check of arg usage */ if (argc != 3) { error("usage: ingest original-file file-receipe\n"); } /*-------------------------------------------------------- Establishing socket connection --------------------------------------------------------*/ /* Send out error message if error on socket */ if ( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { error("Socket error\n"); } /* Write zero-valued bytes to servaddr */ memset(&servaddr, 0, sizeof(servaddr)); servaddr.sin_family = AF_INET; /* Defines protocol*/ servaddr.sin_port = htons(5624); /* Choosing port number */ int i = inet_pton(AF_INET, "127.0.0.1", &servaddr.sin_addr); printf("%d\n", i); if ( i <= 0) { error("Inet_pton error\n"); } /* Sends out error message if can't make connection on socket */ int c = connect(sockfd, (struct sockaddr *) &servaddr, sizeof(servaddr)); printf("%d\n", c); if ( c < 0) { error("Connect error\n"); } /*-------------------------------------------------------- Ingest stuff --------------------------------------------------------*/ /* Read in the orginal file */ fdin = fopen(argv[1], "r"); if (fdin == NULL) { error("Error on original-file\n"); } /* Output file for recipe */ fdout = fopen(argv[2], "w+"); if (fdout == NULL) { error("Error on file-receipe\n"); } /* Obtaining the stats about the file */ stat(argv[1], &fileInfo); /* Obtaining the path of the file */ filepath = popen("/bin/pwd", "r"); if (filepath == NULL) { error("Error detecting filepath\n"); } /* Obtaining the permission bits of the file */ int fileChmod = fileInfo.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO); while(fgets(line, sizeof(line-1), filepath)) { strcat(path, line); } /* File permission, file length, filepath */ fprintf(fdout,"%o,%d,%s", fileChmod, (int)fileInfo.st_size, path); char b[blockSize+100]; while((n = fread(buffer, blockSize, 1, fdin)) >= 0) { /* Converting buffer into md5 key */ MD5Init (&mdContext); MD5Update (&mdContext, buffer, strlen(buffer)); MD5Final (&mdContext); MDPrint (&mdContext); //printf ("%s\n", buffer); /* Information being sent to the server */ // printf("n=%d\n", n); sprintf(b, "INSERT %s~%s~%d", keydigest, buffer, strlen(buffer)); write(sockfd, b, sizeof(b)); //printf("%s\n\n", keydigest); /* Sending md5 keys out for the recipe */ fprintf(fdout, "%s\n", keydigest); /* Response from the server */ bzero(b, sizeof(b)); read(sockfd, b, sizeof(b)); printf("%s\n", b); /* Clears out the buffers */ bzero(keydigest, 16); bzero(buffer, blockSize); /* Breaks out of loop when nothing to read */ if(n == 0) break; } printf("\n"); fclose(fdin); fclose(fdout); return 0; }
/* determine version of OS by mem * 1.To get signature of multiply versions of os, which is the md5 of kernel code * 2.scan all pages of input memory, generate the md5 checksum of one page, compare to all the signature, * if they are match, output the version of the os. * 3.Done! * 4.abandoned*/ void determineOsVersion2(Mem * mem) { //get signature int osNumber = initDb(); int pageSize = 4 * 1024; //4k int totalPageNumber = mem->mem_size / (4 * 1024); //assume that every page has 4k //record when two page have different page index and the same sharp int calledPages[totalPageNumber]; int dsmPages[totalPageNumber]; //record virtual address int i; unsigned virtualAddrs[totalPageNumber]; for (i = 0; i < totalPageNumber; i++) { calledPages[i] = 0; dsmPages[i] = 0; virtualAddrs[i] = 0; } //start address unsigned start_vaddr = KERNEL_START_ADDRESS; unsigned vaddr = start_vaddr; int matchCount = 0; int matchPageIndex = 0; int availableOs[FINGERPRINT_NO]; for (i = 0; i < FINGERPRINT_NO; i++) availableOs[i] = 1; for (; vaddr > start_vaddr - 1; vaddr += 0x1000) { int rw = 0, us = 0, g = 0, ps = 0; //page size 4M or 4k unsigned pAddr = vtopPageProperty(mem->mem, mem->mem_size, mem->pgd, vaddr, &rw, &us, &g, &ps); if (pAddr == -1 || pAddr > mem->mem_size) continue; int pageIndex = pAddr / pageSize; if (us == 0 && g == 256 && is_code_page(mem, vaddr, pageSize, virtualAddrs) == 0) { page_init(mem, pageIndex, pageSize, dsmPages, 0, vaddr, calledPages); if (dsmPages[pageIndex] != 1) continue; void *startAdress = (void *) ((unsigned) mem->mem + pageIndex * pageSize); unsigned char md5digest[16]; MDMem(startAdress, pageSize, md5digest); MDPrint(md5digest); printf("\n"); //search hash table int ret = match(osNumber, md5digest, &matchPageIndex, availableOs); while (ret == 2) { matchPageIndex++; ret = match(osNumber, md5digest, &matchPageIndex, availableOs); } if (ret >= 0) { matchPageIndex++; matchCount++; if (ret == 1) break; } } } if (matchCount == 0) puts("Unknown OS!"); printf("match Count:%d\n", matchCount); }