/* return 0 if good, else 2222 */ static int do_checksum(int *buf, int len, bool quiet) { int sum = base; int i; int rln = len; for (i = 0; i < len/BPI; i++) sum += buf[i]; while (rln%BPI) sum += ((char*)buf)[--rln]; if (sum != 0x12345678) { if (!quiet) printf ("sg_test_rwbuf: Checksum error (sz=%i):" " %08x\n", len, sum); if (cmpbuf && !quiet) { int diff = mymemcmp (cmpbuf, (uint8_t*)buf, len); printf ("Differ at pos %i/%i:\n", diff, len); for (i = 0; i < 24 && i+diff < len; i++) printf (" %02x", cmpbuf[i+diff]); printf ("\n"); for (i = 0; i < 24 && i+diff < len; i++) printf (" %02x", ((uint8_t*)buf)[i+diff]); printf ("\n"); } return 2222; } else { if (verbose > 1) printf("Checksum value: 0x%x\n", sum); return 0; } }
///Takes the NTAPI name (and its length) and retrieves the corresponding syscall number. ///Could be written less complicated and smaller using strcmp routine and zero-terminated ///strings in the lookup table. ULONG ntapiLookup(const char* pNtXxxApiName, SIZE_T nameLen) { USHORT currLen = 0; BOOLEAN stringsAreEqual = FALSE; char* pCurrPos = sg_pSyscallTable + 4; USHORT desiredApiLen = (USHORT)nameLen - sizeof(ANSI_NULL); if (!pNtXxxApiName || !desiredApiLen) return NT_INVALID_SYSCALL; for (ULONG i = 0; i < *(PULONG)sg_pSyscallTable; i++) { currLen = *(PUSHORT)pCurrPos; pCurrPos += 2; if (desiredApiLen != currLen) stringsAreEqual = FALSE; else stringsAreEqual = (BOOLEAN)mymemcmp(pCurrPos, (char*)pNtXxxApiName, currLen); pCurrPos += currLen; if (stringsAreEqual){ if (NT_INVALID_SYSCALL > ((PULONG)pCurrPos)[1]) return ((PULONG)pCurrPos)[1]; else return NT_INVALID_SYSCALL; } pCurrPos += 8; } return NT_INVALID_SYSCALL; }
/*@null@*/ const GtUchar *gt_tyrindex_binmersearch(const Tyrindex *tyrindex, GtUword offset, const GtUchar *key, const GtUchar *leftbound, const GtUchar *rightbound) { const GtUchar *leftptr, *midptr, *rightptr; int cmpval; GtUword leftlength = offset, rightlength = offset, len; leftptr = leftbound; rightptr = rightbound; while (leftptr <= rightptr) { len = (GtUword) (rightptr-leftptr)/GT_MULT2(tyrindex->merbytes); midptr = leftptr + tyrindex->merbytes * len; cmpval = mymemcmp(&offset,midptr,key,tyrindex->merbytes); if (cmpval < 0) { leftptr = midptr + tyrindex->merbytes; leftlength = offset; if (offset > rightlength) { offset = rightlength; } } else { if (cmpval > 0) { rightptr = midptr - tyrindex->merbytes; rightlength = offset; if (offset > leftlength) { offset = leftlength; } } else { return midptr; } } } return NULL; }
char *mystrstr(const char *haystack, const char *needle) { int haystack_len; int needle_len; const char *p; if (NULL != haystack && NULL != needle) { haystack_len = mystrlen(haystack); needle_len = mystrlen(needle); if (0 < needle_len && needle_len <= haystack_len) { for (p = haystack; *(p + needle_len) != '\0'; ++p) { if (mymemcmp(p, needle, needle_len) == 0) { return (char*) p; } } } } return NULL; }
int main(void) { printf("\n\n"); char string[17]; char *ptr,c='r'; char d[20]="GoldenGlobal"; char *s="View"; char *s1 = "Hello,Programmer"; char *s2 = "Hello,Programmer!"; int r; strcpy(string,"Thisisastring"); ptr=mystrrchr(string,c); if(ptr) printf("The character %c is at position:%s\n" , c, ptr); else printf("The character was notfound\n"); printf("\nfinish\n"); mystrcat(d,s); printf("%s\n", d); mystrncat(d,s,2); printf("%s",d); printf("\n"); r = memcmp(s1,s2,strlen(s1)); print(r); r = mymemcmp(s1,s2,strlen(s1)); print(r); printf("finish \n"); r = strcmp(s1,s2); print(r); // r = mystrcmp(s1,s2); print(r); r = linuxstrcmp(s1,s2); print(r); return 0; }
long ch$compare(int n1, char * ptr1, int n2, char *ptr2, char fill) { return mymemcmp(ptr1,ptr2,n1,n2,fill,compare); }
long ch$geq(int n1, char * ptr1, int n2, char *ptr2, char fill) { return mymemcmp(ptr1,ptr2,n1,n2,fill,geq); }
long ch$lss(int n1, char * ptr1, int n2, char *ptr2, char fill) { return mymemcmp(ptr1,ptr2,n1,n2,fill,lss); }
long ch$eql(int n1, char * ptr1, int n2, char *ptr2, char fill) { return mymemcmp(ptr1,ptr2,n1,n2,fill,eql); }
int payload_compare(struct signature *sig, char *data, int psize,int ptype) { int i,cindex,strfound = 0,matches=0, breakbool = 0; int offset=0, lmatch=0; struct payload_opts *popts = NULL; for(cindex=0;cindex <SIG_MAX_CONTENT;cindex++) { // Loop content or loop uricontent if(ptype == TYPE_CONTENT) { popts = (struct payload_opts*)sig->content[cindex]; } else { popts = (struct payload_opts*)sig->uricontent[cindex]; } // If below is true then we're done processing the content or // uricontent payload options and can check if this signature // was a match or not. if(popts == NULL) { //printf("matches: %d cindex: %d\n",matches,cindex); if(cindex > 0 && matches == cindex) { return 1; } return 0; } if(popts->offset > 0) { if(popts->offset >= psize) { DEBUG(stdout,"Offset exceeds data size"); return 0; } offset = popts->offset; } // Distance if an offset that is relative to the // last match.. if(popts->distance != -1) offset = lmatch + popts->distance; if(popts->within != -1) offset = lmatch; DEBUGF("Going to inspect %d bytes\n",psize); strfound = CONTENT_TEST_NOT_FOUND; for (i=offset; i<(psize - popts->matchstr_size) + 1 && breakbool == 0 ;i++) { if(popts->distance != -1) breakbool = 1; // If depth was used then only look the amount of bytes // as specified by it if(popts->depth > 0 && popts->depth > i) return 0; // within check if(lmatch != 0) { // If 'i' is larger then lmatch + within then the // next string is not within "within" bytes ;p if(popts->within != -1 && i > (lmatch + popts->within)){ break; // Test.. break instead of return //return 0; } } // Potential start if(data[i] != ((char *)popts->matchstr)[0]) continue; // Check if the is data at "isdataat", relatively to the point // of the last match. isdataat without "relative" is not supported and // can be replaced with dsize. //printf("if(%d != -1 && %d < %d)\n",popts->isdataat,(psize - (i + popts->matchstr_size)),popts->isdataat); if(popts->isdataat != -1 && (psize - (i + popts->matchstr_size)) < popts->isdataat) { return 0; } // Match if(mymemcmp(data + i,popts->matchstr,popts->matchstr_size,popts->nocase) == 0) { // Continue searching ater match i = (i + popts->matchstr_size); // Last matchpointer lmatch = i; strfound = CONTENT_TEST_FOUND; break; } } if(popts->test == strfound) matches++; } // No match return 2; }
int content_payload_compare(struct signature *sig, struct traffic* traf, struct payload_opts *popts) { int i,strfound = 0, breakbool = 0; char *payload = (char *)traf->payload; // Always assume we start from the first byte int offset=0; // If there is an offset defined in the signature then // we apply it (offset is always relative from byte 0 if(popts->offset > 0) { if(popts->offset >= traf->psize) { DEBUG(stdout,"Offset exceeds data size"); return 0; } offset = popts->offset; } // Distance if an offset that is relative to the // last match.. overwrites the above. which is pretty ugly if(popts->distance != -1) offset = traf->poffset + popts->distance; if(popts->within != -1) offset = traf->poffset; DEBUGF("Going to inspect %d bytes\n",psize); strfound = CONTENT_TEST_NOT_FOUND; for (i=offset; i<(traf->psize - popts->matchstr_size) + 1 && breakbool == 0 ;i++) { if(popts->distance != -1) breakbool = 1; // If depth was used then only look the amount of bytes // as specified by it if(popts->depth > 0 && popts->depth > i) return 0; // within check (todo: abuse depth?) // If 'i' is larger then i + within then the // next string is not within "within" bytes ;p if(popts->within != -1 && i > (traf->poffset + popts->within)){ return 0; } // Not a possible start? -> revise if(popts->nocase != 1 && payload[i] != ((char *)popts->matchstr)[0]) { continue; } else if(popts->nocase == 1 && tolower(payload[i]) != tolower(((char *)popts->matchstr)[0])) { continue; } // Check if the is data at "isdataat", relatively to the point // of the last match. isdataat without "relative" is not supported and // can be replaced with dsize. //printf("if(%d != -1 && %d < %d)\n",popts->isdataat,(traf->psize - (i + popts->matchstr_size)),popts->isdataat); if(popts->isdataat != -1 && (traf->psize - (i + popts->matchstr_size)) < popts->isdataat) { return 0; } // Match? if(mymemcmp(payload + i,popts->matchstr,popts->matchstr_size,popts->nocase) == 0) { // Continue searching ater match i = (i + popts->matchstr_size); // Last matchpointer traf->poffset = i; strfound = CONTENT_TEST_FOUND; break; } } if(popts->test == strfound) return 1; // No match return 0; }