/* return 0 if good, else 2222 */
static int
do_checksum(int *buf, int len, bool quiet)
{
int sum = base;
int i; int rln = len;
for (i = 0; i < len/BPI; i++)
sum += buf[i];
while (rln%BPI) sum += ((char*)buf)[--rln];
if (sum != 0x12345678) {
if (!quiet) printf ("sg_test_rwbuf: Checksum error (sz=%i):"
" %08x\n", len, sum);
if (cmpbuf && !quiet) {
int diff = mymemcmp (cmpbuf, (uint8_t*)buf,
len);
printf ("Differ at pos %i/%i:\n", diff, len);
for (i = 0; i < 24 && i+diff < len; i++)
printf (" %02x", cmpbuf[i+diff]);
printf ("\n");
for (i = 0; i < 24 && i+diff < len; i++)
printf (" %02x",
((uint8_t*)buf)[i+diff]);
printf ("\n");
}
return 2222;
}
else {
if (verbose > 1)
printf("Checksum value: 0x%x\n", sum);
return 0;
}
}
///Takes the NTAPI name (and its length) and retrieves the corresponding syscall number.
///Could be written less complicated and smaller using strcmp routine and zero-terminated
///strings in the lookup table.
ULONG ntapiLookup(const char* pNtXxxApiName, SIZE_T nameLen) {
USHORT currLen = 0;
BOOLEAN stringsAreEqual = FALSE;
char* pCurrPos = sg_pSyscallTable + 4;
USHORT desiredApiLen = (USHORT)nameLen - sizeof(ANSI_NULL);
if (!pNtXxxApiName || !desiredApiLen)
return NT_INVALID_SYSCALL;
for (ULONG i = 0; i < *(PULONG)sg_pSyscallTable; i++) {
currLen = *(PUSHORT)pCurrPos;
pCurrPos += 2;
if (desiredApiLen != currLen)
stringsAreEqual = FALSE;
else
stringsAreEqual = (BOOLEAN)mymemcmp(pCurrPos, (char*)pNtXxxApiName, currLen);
pCurrPos += currLen;
if (stringsAreEqual){
if (NT_INVALID_SYSCALL > ((PULONG)pCurrPos)[1])
return ((PULONG)pCurrPos)[1];
else
return NT_INVALID_SYSCALL;
}
pCurrPos += 8;
}
return NT_INVALID_SYSCALL;
}
/*@null@*/ const GtUchar *gt_tyrindex_binmersearch(const Tyrindex *tyrindex,
GtUword offset,
const GtUchar *key,
const GtUchar *leftbound,
const GtUchar *rightbound)
{
const GtUchar *leftptr, *midptr, *rightptr;
int cmpval;
GtUword leftlength = offset, rightlength = offset, len;
leftptr = leftbound;
rightptr = rightbound;
while (leftptr <= rightptr)
{
len = (GtUword) (rightptr-leftptr)/GT_MULT2(tyrindex->merbytes);
midptr = leftptr + tyrindex->merbytes * len;
cmpval = mymemcmp(&offset,midptr,key,tyrindex->merbytes);
if (cmpval < 0)
{
leftptr = midptr + tyrindex->merbytes;
leftlength = offset;
if (offset > rightlength)
{
offset = rightlength;
}
} else
{
if (cmpval > 0)
{
rightptr = midptr - tyrindex->merbytes;
rightlength = offset;
if (offset > leftlength)
{
offset = leftlength;
}
} else
{
return midptr;
}
}
}
return NULL;
}
char *mystrstr(const char *haystack, const char *needle) {
int haystack_len;
int needle_len;
const char *p;
if (NULL != haystack && NULL != needle) {
haystack_len = mystrlen(haystack);
needle_len = mystrlen(needle);
if (0 < needle_len && needle_len <= haystack_len) {
for (p = haystack; *(p + needle_len) != '\0'; ++p) {
if (mymemcmp(p, needle, needle_len) == 0) {
return (char*) p;
}
}
}
}
return NULL;
}
int main(void)
{
printf("\n\n");
char string[17];
char *ptr,c='r';
char d[20]="GoldenGlobal";
char *s="View";
char *s1 = "Hello,Programmer";
char *s2 = "Hello,Programmer!";
int r;
strcpy(string,"Thisisastring");
ptr=mystrrchr(string,c);
if(ptr)
printf("The character %c is at position:%s\n" , c, ptr);
else
printf("The character was notfound\n");
printf("\nfinish\n");
mystrcat(d,s);
printf("%s\n", d);
mystrncat(d,s,2);
printf("%s",d);
printf("\n");
r = memcmp(s1,s2,strlen(s1));
print(r);
r = mymemcmp(s1,s2,strlen(s1));
print(r);
printf("finish \n");
r = strcmp(s1,s2);
print(r);
// r = mystrcmp(s1,s2);
print(r);
r = linuxstrcmp(s1,s2);
print(r);
return 0;
}
long ch$compare(int n1, char * ptr1, int n2, char *ptr2, char fill) {
return mymemcmp(ptr1,ptr2,n1,n2,fill,compare);
}
long ch$geq(int n1, char * ptr1, int n2, char *ptr2, char fill) {
return mymemcmp(ptr1,ptr2,n1,n2,fill,geq);
}
long ch$lss(int n1, char * ptr1, int n2, char *ptr2, char fill) {
return mymemcmp(ptr1,ptr2,n1,n2,fill,lss);
}
long ch$eql(int n1, char * ptr1, int n2, char *ptr2, char fill) {
return mymemcmp(ptr1,ptr2,n1,n2,fill,eql);
}
int payload_compare(struct signature *sig, char *data, int psize,int ptype) {
int i,cindex,strfound = 0,matches=0, breakbool = 0;
int offset=0, lmatch=0;
struct payload_opts *popts = NULL;
for(cindex=0;cindex <SIG_MAX_CONTENT;cindex++) {
// Loop content or loop uricontent
if(ptype == TYPE_CONTENT) {
popts = (struct payload_opts*)sig->content[cindex];
} else {
popts = (struct payload_opts*)sig->uricontent[cindex];
}
// If below is true then we're done processing the content or
// uricontent payload options and can check if this signature
// was a match or not.
if(popts == NULL) {
//printf("matches: %d cindex: %d\n",matches,cindex);
if(cindex > 0 && matches == cindex) {
return 1;
}
return 0;
}
if(popts->offset > 0) {
if(popts->offset >= psize) {
DEBUG(stdout,"Offset exceeds data size");
return 0;
}
offset = popts->offset;
}
// Distance if an offset that is relative to the
// last match..
if(popts->distance != -1)
offset = lmatch + popts->distance;
if(popts->within != -1)
offset = lmatch;
DEBUGF("Going to inspect %d bytes\n",psize);
strfound = CONTENT_TEST_NOT_FOUND;
for (i=offset; i<(psize - popts->matchstr_size) + 1 && breakbool == 0 ;i++) {
if(popts->distance != -1)
breakbool = 1;
// If depth was used then only look the amount of bytes
// as specified by it
if(popts->depth > 0 && popts->depth > i)
return 0;
// within check
if(lmatch != 0) {
// If 'i' is larger then lmatch + within then the
// next string is not within "within" bytes ;p
if(popts->within != -1 && i > (lmatch + popts->within)){
break; // Test.. break instead of return
//return 0;
}
}
// Potential start
if(data[i] != ((char *)popts->matchstr)[0])
continue;
// Check if the is data at "isdataat", relatively to the point
// of the last match. isdataat without "relative" is not supported and
// can be replaced with dsize.
//printf("if(%d != -1 && %d < %d)\n",popts->isdataat,(psize - (i + popts->matchstr_size)),popts->isdataat);
if(popts->isdataat != -1 && (psize - (i + popts->matchstr_size)) < popts->isdataat) {
return 0;
}
// Match
if(mymemcmp(data + i,popts->matchstr,popts->matchstr_size,popts->nocase) == 0) {
// Continue searching ater match
i = (i + popts->matchstr_size);
// Last matchpointer
lmatch = i;
strfound = CONTENT_TEST_FOUND;
break;
}
}
if(popts->test == strfound)
matches++;
}
// No match
return 2;
}
int content_payload_compare(struct signature *sig, struct traffic* traf, struct payload_opts *popts) {
int i,strfound = 0, breakbool = 0;
char *payload = (char *)traf->payload;
// Always assume we start from the first byte
int offset=0;
// If there is an offset defined in the signature then
// we apply it (offset is always relative from byte 0
if(popts->offset > 0) {
if(popts->offset >= traf->psize) {
DEBUG(stdout,"Offset exceeds data size");
return 0;
}
offset = popts->offset;
}
// Distance if an offset that is relative to the
// last match.. overwrites the above. which is pretty ugly
if(popts->distance != -1)
offset = traf->poffset + popts->distance;
if(popts->within != -1)
offset = traf->poffset;
DEBUGF("Going to inspect %d bytes\n",psize);
strfound = CONTENT_TEST_NOT_FOUND;
for (i=offset; i<(traf->psize - popts->matchstr_size) + 1 && breakbool == 0 ;i++) {
if(popts->distance != -1)
breakbool = 1;
// If depth was used then only look the amount of bytes
// as specified by it
if(popts->depth > 0 && popts->depth > i)
return 0;
// within check (todo: abuse depth?)
// If 'i' is larger then i + within then the
// next string is not within "within" bytes ;p
if(popts->within != -1 && i > (traf->poffset + popts->within)){
return 0;
}
// Not a possible start? -> revise
if(popts->nocase != 1 && payload[i] != ((char *)popts->matchstr)[0]) {
continue;
} else if(popts->nocase == 1 && tolower(payload[i]) != tolower(((char *)popts->matchstr)[0])) {
continue;
}
// Check if the is data at "isdataat", relatively to the point
// of the last match. isdataat without "relative" is not supported and
// can be replaced with dsize.
//printf("if(%d != -1 && %d < %d)\n",popts->isdataat,(traf->psize - (i + popts->matchstr_size)),popts->isdataat);
if(popts->isdataat != -1 && (traf->psize - (i + popts->matchstr_size)) < popts->isdataat) {
return 0;
}
// Match?
if(mymemcmp(payload + i,popts->matchstr,popts->matchstr_size,popts->nocase) == 0) {
// Continue searching ater match
i = (i + popts->matchstr_size);
// Last matchpointer
traf->poffset = i;
strfound = CONTENT_TEST_FOUND;
break;
}
}
if(popts->test == strfound)
return 1;
// No match
return 0;
}
