RBOOL rpal_string_isprint ( RNCHAR ch ) { #ifdef RNATIVE_IS_WIDE return rpal_string_isprintW( ch ); #else return rpal_string_isprintA( ch ); #endif }
RPRIVATE RVOID _getStringsList ( rList stringsAList, rList stringsWList, RPU8 pBuff, RU64 size, RU32 minLength, RU32 maxLength ) { RPU8 pCurr; RPU8 pEnd; RPCHAR pStartStr = NULL; RBOOL isChar; RPU16 pwCurr; RPU16 pwEnd; RBOOL isWChar; RPWCHAR pwStartStr = NULL; pCurr = pBuff; pEnd = pBuff + size; // currently we only deal with NULL terminated strings // start with ascii strings... while( pCurr < pEnd ) { isChar = rpal_string_isprintA( *pCurr ); if( NULL == pStartStr && isChar ) // found the begining of a string { pStartStr = (RPCHAR)pCurr; } else if( NULL != pStartStr && ( !isChar || 0 == *pCurr ) ) // found the end of a string { // is string NULL terminated if( 0 == *pCurr ) { // strlen is really pCurr - pStartStr if( (RU32)( (RPCHAR)pCurr - pStartStr ) >= minLength && (RU32)( (RPCHAR)pCurr - pStartStr ) <= maxLength ) // is string long enough { rList_addSTRINGA( stringsAList, pStartStr ); } } pStartStr = NULL; } pCurr++; } // Now look for Unicode strings pwCurr = (RPU16)pBuff; pwEnd = pwCurr + ( size / 2 ); while( pwCurr < pwEnd ) { isWChar = rpal_string_isprintW( *pwCurr ); if( NULL == pwStartStr && isWChar ) // found the begining of a string { pwStartStr = (RPWCHAR)pwCurr; } else if( NULL != pwStartStr && ( !isWChar || 0 == *pwCurr ) ) // found the end of a string { // is string NULL terminated if( 0 == *pwCurr ) { // wcslen is really pCurr - pStartStr if( (RU32)( (RPWCHAR)pwCurr - pwStartStr ) >= minLength && (RU32)( (RPWCHAR)pwCurr - pwStartStr ) <= maxLength ) // is string long enough { rList_addSTRINGW( stringsWList, pwStartStr ); } } pwStartStr = NULL; } pwCurr++; } }
RPRIVATE RVOID _searchForStrings ( rList stringsFound, rList searchStrings, RPU8 pBuff, RU64 size, RU64 baseAddr, RU32 minLength, RU32 maxLength ) { RPU8 pCurr; RPU8 pEnd; RPCHAR pStartStr = NULL; RBOOL isChar; RPU16 pwCurr; RPU16 pwEnd; RBOOL isWChar; RPWCHAR pwStartStr = NULL; RPWCHAR thisStrW = NULL; rSequence newFoundStr; pCurr = pBuff; pEnd = pBuff + size; // currently we only deal with NULL terminated strings // start with ascii strings... while( pCurr < pEnd ) { isChar = rpal_string_isprint( *pCurr ); if( NULL == pStartStr && isChar ) // found the begining of a string { pStartStr = (RPCHAR)pCurr; } else if( NULL != pStartStr && ( !isChar || 0 == *pCurr ) ) // found the end of a string { // is string NULL or Non-Ascii terminated if( 0 == *pCurr || !rpal_string_charIsAscii( *pCurr ) ) { // Null terminate it so we can use it like a normal string *pCurr = 0; // strlen is really pCurr - pStartStr if( (RU32)( (RPCHAR)pCurr - pStartStr ) >= minLength && (RU32)( (RPCHAR)pCurr - pStartStr ) <= maxLength ) // is string long enough { // convert string to wide char for comparision if( NULL != ( thisStrW = rpal_string_atow( pStartStr ) ) ) { if( _isStringInList( searchStrings, thisStrW ) && NULL != ( newFoundStr = rSequence_new() ) ) { rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, thisStrW ); rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pStartStr - pBuff ) ); if( !rList_addSEQUENCE( stringsFound, newFoundStr ) ) { rSequence_free( newFoundStr ); } } rpal_memory_free( thisStrW ); } } } pStartStr = NULL; } pCurr++; } // Now look for Unicode strings pwCurr = (RPU16)pBuff; pwEnd = pwCurr + ( size / 2 ); while( pwCurr < pwEnd ) { isWChar = rpal_string_isprintW( *pwCurr ); if( NULL == pwStartStr && isWChar ) // found the begining of a string { pwStartStr = (RPWCHAR)pwCurr; } else if( NULL != pwStartStr && ( !isWChar || 0 == *pwCurr ) ) // found the end of a string { // is string NULL terminated if( 0 == *pwCurr ) { // wcslen is really pCurr - pStartStr if( (RU32)( (RPWCHAR)pwCurr - pwStartStr ) >= minLength && (RU32)( (RPWCHAR)pwCurr - pwStartStr ) <= maxLength ) // is string long enough { if( _isStringInList( searchStrings, pwStartStr ) && NULL != ( newFoundStr = rSequence_new() ) ) { rSequence_addSTRINGW( newFoundStr, RP_TAGS_STRING, pwStartStr ); rSequence_addRU64( newFoundStr, RP_TAGS_MEMORY_ADDRESS, baseAddr + ( (RPU8)pwStartStr - pBuff ) ); if( !rList_addSEQUENCE( stringsFound, newFoundStr ) ) { rSequence_free( newFoundStr ); } } } } pwStartStr = NULL; } pwCurr++; } }