/* Finds the pointers to target functions by searching their patterns in the .text section of the current module */ BOOL FindTargetFunctions(DWORD* pLdiscSend, DWORD* pTermData) { UCHAR modulePath[MAX_PATH]; DWORD moduleBaseAddress; DWORD textSectionAddress; DWORD textSectionSize; DWORD numBytes; GetModuleFileName(NULL, modulePath, MAX_PATH); sprintf(buffer, "[+] [%i] Target path: %s\n", processID, modulePath); WritePipeMessage(logPipe, buffer); moduleBaseAddress = GetModuleBaseAddress(); if(GetTextSection(modulePath, &textSectionAddress, &textSectionSize) == FALSE) { sprintf(buffer, "[-] [%i] %s\n", processID, "Could not find .text section\n"); WritePipeMessage(logPipe, buffer); return FALSE; } else { sprintf(buffer, "[+] [%i] Base address: %08x\n", processID, moduleBaseAddress); WritePipeMessage(logPipe, buffer); sprintf(buffer, "[+] [%i] .text start address: %08x\n", processID, textSectionAddress); WritePipeMessage(logPipe, buffer); sprintf(buffer, "[+] [%i] .text size: %08x\n", processID, textSectionSize); WritePipeMessage(logPipe, buffer); } /* Find ldisc_send() address in .text section of Putty.exe */ HexStringToBytes(LDISC_SEND_SIGN1, buffer); *pLdiscSend = (DWORD)memmem((const unsigned char*)(moduleBaseAddress + textSectionAddress), textSectionSize, (const unsigned char*)buffer, strlen(LDISC_SEND_SIGN1) / 2); if (*pLdiscSend == 0) { sprintf(buffer, "[-] [%i] %s\n", processID, "Could not find ldisc_send()\n"); WritePipeMessage(logPipe, buffer); return FALSE; } /* Find term_data() address in .text section of Putty.exe */ /* Try all signatures */ HexStringToBytes(TERM_DATA_SIGN1, buffer); *pTermData = (DWORD)memmem((const unsigned char*)(moduleBaseAddress + textSectionAddress), textSectionSize, (const unsigned char*)buffer, strlen(TERM_DATA_SIGN1) / 2); if (*pTermData == 0) { HexStringToBytes(TERM_DATA_SIGN2, buffer); *pTermData = (DWORD)memmem((const unsigned char*)(moduleBaseAddress + textSectionAddress), textSectionSize, (const unsigned char*)buffer, strlen(TERM_DATA_SIGN2) / 2); if (*pTermData == 0) { HexStringToBytes(TERM_DATA_SIGN3, buffer); *pTermData = (DWORD)memmem((const unsigned char*)(moduleBaseAddress + textSectionAddress), textSectionSize, (const unsigned char*)buffer, strlen(TERM_DATA_SIGN3) / 2); if (*pTermData == 0) { sprintf(buffer, "[-] [%i] %s\n", processID, "Could not find term_data()\n"); WritePipeMessage(logPipe, buffer); return FALSE; } } } return TRUE; }
static int ProcessRawProfile(const char* profile, size_t profile_len, MetadataPayload* const payload) { const char* src = profile; char* end; int expected_length; if (profile == NULL || profile_len == 0) return 0; // ImageMagick formats 'raw profiles' as // '\n<name>\n<length>(%8lu)\n<hex payload>\n'. if (*src != '\n') { fprintf(stderr, "Malformed raw profile, expected '\\n' got '\\x%.2X'\n", *src); return 0; } ++src; // skip the profile name and extract the length. while (*src != '\0' && *src++ != '\n') {} expected_length = (int)strtol(src, &end, 10); if (*end != '\n') { fprintf(stderr, "Malformed raw profile, expected '\\n' got '\\x%.2X'\n", *end); return 0; } ++end; // 'end' now points to the profile payload. payload->bytes = HexStringToBytes(end, expected_length); if (payload->bytes == NULL) return 0; payload->size = expected_length; return 1; }
int main() { int success; //HexToValue TEST success = 1; if( HexToValue( 'd' ) != HexToValue( 'D' ) ) success = 0; if( HexToValue( 'Z' ) != 255 ) success = 0; if( HexToValue( 'b' ) != 11 ) success = 0; if( HexToValue( '4' ) != 4 ) success = 0; evaluate("HEXTOVALUE",success); //EOT //HEXTOBYTE success = 1; if( HexToByte( '1', '2' ) != 0x12 ) success = 0; if( HexToByte( 'a', 'B' ) != 0xAB ) success = 0; if( HexToByte( '3', '4' ) != 0x34 ) success = 0; if( HexToByte( '1', '2' ) != 0x12 ) success = 0; evaluate("HEXTOBYTE",success); //EOT //B64ToValue success = 1; if( B64ToValue( 'a' ) != 26 ) success = 0; if( B64ToValue( 'B' ) != 1 ) success = 0; if( B64ToValue( '+' ) != 62 ) success = 0; if( B64ToValue( 'Z' ) != 25 ) success = 0; evaluate("B64ToVal",success); //EOT //ValueToHex success = 1; if( ValueToHex(3) != '3' ) success = 0; if( ValueToHex(11) != 'B' ) success = 0; if( ValueToHex(18) != -1 ) success = 0; evaluate("ValueToHex",success); //EOT //ValueToB64 success = 1; if( ValueToB64(3) != 'D' ) success = 0; if( ValueToB64(42) != 'q' ) success = 0; if( ValueToB64(55) != '3' ) success = 0; if( ValueToB64(62) != '+' ) success = 0; if( ValueToB64(63) != '/' ) success = 0; if( ValueToB64(66) != -1 ) success = 0; evaluate("ValueToB64",success); //B64ToBytes success = 1; byte_t *b = malloc(3); if( ( B64ToBytes( b, "TWlL" ) != 0) ) success = 0; if( b[0] != 0x4D || b[1] != 0x69 || b[2] != 0x4B ) success = 0; if( ( B64ToBytes( b, "Z29z" ) != 0) ) success = 0; if( b[0] != 0x67 || b[1] != 0x6F || b[2] != 0x73 ) success = 0; if( ( B64ToBytes( b, "YQ==" ) != 0) ) success = 0; if( b[0] != 0x61 || b[1] != 0x00 || b[2] != 0x00 ) success = 0; if( ( B64ToBytes( b, "YWM=" ) != 0) ) success = 0; if( b[0] != 0x61 || b[1] != 0x63 || b[2] != 0x00 ) success = 0; evaluate("B64ToBytes",success); //EOT //ByteToHex success = 1; char b2h[3]; b2h[2] = '\0'; ByteToHex( b2h ,0xAF ); if( b2h[0] != 'A' || b2h[1] != 'F' ) success = 0; ByteToHex( b2h ,0x02 ); if( b2h[0] != '0' || b2h[1] != '2' ) success = 0; evaluate("ByteToHex",success); //EOT //BytesToB64 char b2b[4]; BytesToB64( b2b, (unsigned char *)"gat", 3); if( b2b[0] != 'Z' || b2b[1] != '2' || b2b[2] != 'F' || b2b[3] != '0' ) success = 0; BytesToB64( b2b, (unsigned char *)"pa", 2); if( b2b[0] != 'c' || b2b[1] != 'G' || b2b[2] != 'E' || b2b[3] != '=' ) success = 0; BytesToB64( b2b, (unsigned char *)"g", 1); if( b2b[0] != 'Z' || b2b[1] != 'w' || b2b[2] != '=' || b2b[3] != '=' ) success = 0; evaluate("BytesToB64",success); //EOT //HexStringToBytes success = 1; byte_t *dest; int temp = HexStringToBytes( &dest, LOREMHEX ); char * str; BytesToString( &str, dest, (size_t)temp ); if( strcmp( str, LOREM ) ) success = 0; free(dest); free(str); evaluate("HexStringToBytes",success); //EOT //B64StringToBytes success = 1; temp = B64StringToBytes( &dest, LOREMB64 ); BytesToString( &str, dest, (size_t)temp ); if( strcmp( str, LOREM ) ) success = 0; free(dest); free(str); evaluate("B64StringToBytes",success); //EOT //BytesToHexString success = 1; dest = (byte_t *) LOREM; BytesToHexString( &str, dest, strlen( LOREM ) ); if( strcmp( LOREMHEX, str ) ) success = 0; evaluate("BytesToHexString",success); //BytesToB64String success = 1; BytesToB64String( &str, (byte_t *)LOREM, strlen(LOREM) ); if( strcmp( LOREMB64, str ) ) success = 0; evaluate("B64StringToBytes",success); free(str); BytesToB64String( &str, (byte_t *)"A", 1 ); if( strcmp( str, "QQ==" ) ) success = 0; free(str); BytesToB64String( &str, (byte_t *)"AB", 2 ); if( strcmp( str, "QUI=" ) ) success = 0; free(str); BytesToB64String( &str,(byte_t *)"ABC", 3 ); if( strcmp( str, "QUJD" ) ) success = 0; free(str); evaluate("B64StringToBytes",success); //eot return 0; }
ErrorCode CDispLRegFilter::BuildRegFilter(XmlData::Element* element) { m_Name = element->getAttribute(WSTR("name")); m_Src = element->getAttribute(WSTR("src")); XmlData::Node* node = element->get_firstChild(); while (node) { XmlData::Element* element = dynamic_cast<XmlData::Element*>(node); if (element) { String tagName = element->get_tagName(); if (tagName == L"inputpin" || tagName == L"outputpin") { CLRegPin* pRegPin = new CLRegPin; if (tagName == L"inputpin") { pRegPin->m_dir = PINDIR_INPUT; } else// if (!wcscmp(tagName, L"outputpin")) { pRegPin->m_dir = PINDIR_OUTPUT; } String minOccurs = element->getAttribute(WSTR("minOccurs")); String maxOccurs = element->getAttribute(WSTR("maxOccurs")); pRegPin->m_name = element->getAttribute(WSTR("name")); XmlData::Element* mediaTypes = GetElementByTagNameNS(element, NULL, WSTR("mediatypes"), false); if (mediaTypes) { XmlData::Node* node = mediaTypes->get_firstChild(); while (node) { XmlData::Element* element = dynamic_cast<XmlData::Element*>(node); if (element) { String tagName = element->get_tagName(); if (tagName == "mediatype") { CLRegMediaType* pRegMediaType = new CLRegMediaType; String majortype = element->getAttribute(WSTR("majortype")); if (majortype.Compare(WSTR("stream")) == 0) { pRegMediaType->m_majortype = LMEDIATYPE_Stream; XmlData::Element* streamcontent = GetElementByTagNameNS(element, NULL, WSTR("streamcontent"), false); if (streamcontent) { XmlData::Node* node = streamcontent->get_firstChild(); while (node) { XmlData::Element* element = dynamic_cast<XmlData::Element*>(node); if (element) { String tagName = element->get_tagName(); if (tagName == "match") { CMatch match; XmlData::Node* node = element->get_firstChild(); while (node) { XmlData::Element* element = dynamic_cast<XmlData::Element*>(node); if (element) { String tagName = element->get_tagName(); if (tagName == "pattern") { String value = element->getAttribute(WSTR("value")); if (value != NULL) { BytePattern pattern; String offset = element->getAttribute(WSTR("offset")); if (offset != NULL) //pattern.m_offset = _wtoi64(offset.c_str()); pattern.m_offset = str2int(CString(offset)); else pattern.m_offset = 0; String v = stripspaces(value); pattern.m_length = v.GetLength()/2; pattern.m_value = new uint8[pattern.m_length]; HexStringToBytes(CStringw(v), pattern.m_value, pattern.m_length); pattern.m_mask = new uint8[pattern.m_length]; String mask = element->getAttribute(WSTR("mask")); int masklen; if (mask != NULL) { v = stripspaces(mask); masklen = MIN(v.GetLength()/2, pattern.m_length); HexStringToBytes(CStringw(v), pattern.m_mask, masklen); } else masklen = 0; while (masklen < pattern.m_length) // Fill rest with 0xFF { pattern.m_mask[masklen++] = 0xFF; } match.m_patterns.Add(pattern); } } } node = node->get_nextSibling(); } pRegMediaType->m_streamcontent.m_matches.Add(match); } } node = node->get_nextSibling(); } } } else if (majortype.Compare(WSTR("video")) == 0) { pRegMediaType->m_majortype = LMEDIATYPE_Video; } else if (majortype.Compare(WSTR("audio")) == 0) { pRegMediaType->m_majortype = LMEDIATYPE_Audio; } else if (majortype.Compare(WSTR("scene")) == 0) { pRegMediaType->m_majortype = LMEDIATYPE_Scene; } else { // TODO ASSERT(0); } pRegPin->m_mediaTypes.Add(pRegMediaType); } } node = node->get_nextSibling(); } } m_RegPins.Add(pRegPin); } } node = node->get_nextSibling(); } return 0; }