예제 #1
파일: detect.c 프로젝트: detrojones/dionaea
/*
 * Processor hook: run the connection's buffered inbound stream through the
 * libemu shellcode test and raise a "dionaea.shellcode.detected" incident
 * when it reports a hit.
 *
 * con: the connection being processed; only passed to g_debug() and profile().
 * pd:  processor state. pd->ctx is read as a struct emu_ctx, pd->bistream is
 *      the buffered stream, and pd->state is set to processor_done once
 *      shellcode has been found.
 *
 * The scan window starts up to 300 bytes before ctx->offset (presumably so a
 * payload split across two reads is still seen in one piece -- the 300 is
 * the project's own choice); ctx->offset is then advanced by the number of
 * bytes examined.
 */
void proc_emu_on_io_in(struct connection *con, struct processor_data *pd)
{
	g_debug("%s con %p pd %p", __PRETTY_FUNCTION__, con, pd);
	struct emu_ctx *ctx = pd->ctx;

	/* Start a little before the previous position; never before the stream start. */
	int start = MAX(ctx->offset - 300, 0);
	void *data = NULL;
	int32_t len = bistream_get_stream(pd->bistream, bistream_in, start, -1, &data);
	if( len == -1 )
	{
		/* Nothing to scan; bistream_get_stream() handed out no buffer to free. */
		return;
	}

	struct emu *e = emu_new();
	int hit = emu_shellcode_test(e, data, len);
	emu_free(e);
	ctx->offset += len;

	if( hit >= 0 )
	{
		/* Queue the incident for the main loop's command queue and signal its async watcher. */
		struct incident *ix = incident_new("dionaea.shellcode.detected");
		GAsyncQueue *aq = g_async_queue_ref(g_dionaea->threads->cmds);
		g_async_queue_push(aq, async_cmd_new(async_incident_report, ix));
		g_async_queue_unref(aq);
		ev_async_send(g_dionaea->loop, &g_dionaea->threads->trigger);
		g_debug("shellcode found offset %i", hit);
		profile(ctx->config, con, data, len, hit);

		pd->state = processor_done;
	}
	g_free(data);
}
예제 #2
파일: tracing.c 프로젝트: Jonnyliu/phoneyc
/*
 * Run a byte buffer through libemu's shellcode detector.
 *
 * bytes, length: the data to test. Buffers longer than MAX_STR_LEN_TO_CHECK
 * are refused with a warning on stderr and -1.
 *
 * Returns the value emu_shellcode_test() produced: >= 0 on a detection,
 * negative otherwise.
 *
 * NOTE(review): when the first pass finds nothing, the test is repeated on
 * the same input with a fresh emulator. Unless emu_shellcode_test() is
 * non-deterministic, the second pass costs a full extra emulation of
 * untrusted data and cannot change the answer -- confirm before keeping it.
 */
int check_buffer(const unsigned char *bytes,uint32_t length)
{
    if (length > MAX_STR_LEN_TO_CHECK)
    {
        fprintf(stderr,"WARNING: Long string with more than %d bytes! return -1 in developing mode\n",MAX_STR_LEN_TO_CHECK);
        return -1;
    }

    int result = -1;
    /* At most two passes; stop as soon as one reports a hit (>= 0). */
    for (int pass = 0; pass < 2; pass++)
    {
        struct emu *e = emu_new();
        result = emu_shellcode_test(e, (unsigned char *)bytes, length);
        emu_free(e);
        if (result >= 0)
            break;
    }
    return result;
}