morphdetect/detectSimilar.h at master · nastya/morphdetect · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#ifndef __DETECT_SIMILAR_H
#define __DETECT_SIMILAR_H

#include <string>
#include <vector>

using namespace std;

namespace detect_similar
{
	class Analyzer;
}

class FindDecryptor;

class DetectSimilar
{
public:
	enum AnalyzerType {
		AnalyzerTypeDiff = 1,
		AnalyzerTypeNgram = 2,
		AnalyzerTypeCFG = 3,
		AnalyzerTypeTrace = 4,
	};
	enum AnalyzerFlag { // 1, 2, 4, 8, 16, 32, 64, 128, etc.
		AnalyzerFlagBrute = 1,
	};

	DetectSimilar(AnalyzerType analyzerType = AnalyzerTypeTrace, int flags = AnalyzerFlagBrute, int minL = 0,
		      int maxL = 1000, int finderType = 0, int emulatorTypeFD = 1, int emulatorTypeCHM = 1);
	~DetectSimilar();
	void link(const unsigned char* data, int data_size);
	void loadShellcodes(string dirname);
	bool loadModel(string filename);
	void saveModel(string filename);
	string analyze();
private:
	typedef pair<unsigned char*, int> block_info;

	void clear();
	void unpack();
	unsigned char* _data;
	int _data_size;
	detect_similar::Analyzer *_an;
	FindDecryptor *_fd;
	int _emulatorTypeCHM; //emulator type for changed memory
	vector<block_info> _queue;
	vector<int> _queue_level;
	int _minLevel, _maxLevel;
};
#endif //__DETECT_SIMILAR_H