#include "memoryBlock.h"
#include <cstring>
#include <iostream>
#include <stdexcept>
namespace detect_similar
{
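/**
 * Deep-copies another block: allocates an owned buffer of the same size and
 * copies the bytes, so the copy's lifetime is independent of the source.
 * Cached statistics (statByte, statBlock) are not copied; they are rebuilt
 * lazily by checkStatByte()/checkStatBlock() on first use.
 *
 * A source whose data pointer is NULL yields an empty owning block instead of
 * a memcpy from a null pointer.
 *
 * NOTE(review): the class header is not visible here. If it declares no
 * copy-assignment operator, the implicit one shallow-copies `data` and
 * `statByte` while keeping `_del_flag` set, which double-frees on
 * destruction — confirm against memoryBlock.h.
 */
MemoryBlock::MemoryBlock(const MemoryBlock &memoryBlock)
    : size(memoryBlock.size), _del_flag(true), statByte(NULL)
{
    if (memoryBlock.data == NULL)
        size = 0;
    // Build through a non-const pointer so no const is cast away on `data`.
    unsigned char *buf = new unsigned char[size];
    if (size > 0)
        memcpy(buf, memoryBlock.data, size);
    data = buf;
}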
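/**
 * Allocates an owned buffer of `ds` bytes and, when `d` is non-null, copies
 * `ds` bytes from it. With a null `d` the buffer is zero-filled rather than
 * left uninitialized, so the statistics passes never read indeterminate bytes.
 *
 * @param ds  byte count. Negative values are rejected explicitly; previously a
 *            negative int was converted to an unsigned size and surfaced only
 *            as an allocation failure inside new[].
 * @param d   source bytes, or NULL for a zeroed block.
 * @throws std::invalid_argument if ds < 0.
 */
MemoryBlock::MemoryBlock(int ds, const unsigned char *d)
    : size(0), _del_flag(true), statByte(NULL)
{
    if (ds < 0)
        throw std::invalid_argument("MemoryBlock: negative size");
    size = ds;
    // Value-initialised (the trailing `()`), i.e. every byte is zero.
    unsigned char *buf = new unsigned char[size]();
    if (d != NULL && size > 0)
        memcpy(buf, d, size);
    data = buf;
}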
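/**
 * Creates an empty, non-owning block. `size` and `data` are reset explicitly
 * so a block that is never link()ed is still safe to destroy, copy or query;
 * the original left both members uninitialized.
 */
MemoryBlock::MemoryBlock()
    : size(0), data(NULL), _del_flag(false), statByte(NULL)
{
}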
/**
 * Releases the byte buffer only when this block owns it: `_del_flag` is set
 * by the allocating constructors and cleared by link(). The statByte cache is
 * always owned; delete[] on a null pointer is a no-op, so no guard is needed.
 */
MemoryBlock::~MemoryBlock()
{
    if (_del_flag)
        delete[] data;
    delete[] statByte;   // NULL when the byte histogram was never built
}
/**
 * Points this block at caller-owned bytes without copying. Any previously
 * owned buffer and both statistics caches are discarded first, because they
 * described the old contents. The caller must keep `data` alive for as long as
 * this block is used; passing the block's own owned buffer is not supported
 * (it would be freed before being aliased).
 *
 * @param data       bytes to alias; not freed by this block.
 * @param data_size  number of bytes reachable from `data`.
 */
void MemoryBlock::link(const unsigned char *data, size_t data_size)
{
    if (_del_flag)
        delete[] this->data;
    _del_flag = false;

    // Invalidate cached statistics; they are rebuilt lazily from the new bytes.
    delete[] statByte;
    statByte = NULL;
    statBlock.clear();

    this->data = data;
    this->size = data_size;
}
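/**
 * Counts n-grams shared between this block and `shellcode`: for each n-gram of
 * the shellcode, the smaller of its two occurrence counts is added up.
 * Both n-gram histograms are built lazily first, which is why `shellcode` is
 * taken by non-const reference.
 *
 * Shellcode is generally much smaller than the current block, so the shellcode
 * histogram is the one iterated.
 *
 * @return total overlapping n-gram occurrences (0 when nothing is shared).
 */
size_t MemoryBlock::compareNgram(MemoryBlock &shellcode)
{
    checkStatBlock();
    shellcode.checkStatBlock();
    size_t count = 0;
    for (const auto &pair : shellcode.statBlock) {
        // One lookup instead of count() followed by operator[].
        auto it = statBlock.find(pair.first);
        if (it != statBlock.end())
            count += min(pair.second, it->second);
    }
    return count;
}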
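/**
 * Builds the n-gram histogram (statBlock) on first use: every window of
 * sizeof(mblock) consecutive bytes, at byte offsets 0 .. size - sizeof(mblock),
 * is counted.
 *
 * A block shorter than one n-gram (or with no data) is left with an empty
 * histogram. Previously `size - sizeof(mblock)` underflowed for such blocks
 * and the loop read far past the buffer.
 *
 * NOTE(review): the window is read through a pointer cast, so it is an
 * unaligned access for offsets not divisible by alignof(mblock); `mblock` is
 * declared in the header, which is not visible here.
 */
void MemoryBlock::checkStatBlock()
{
    if (!statBlock.empty())
        return;
    if (data == NULL || size < sizeof(mblock))
        return;   // nothing to count; avoids the size_t underflow below
    const unsigned char *b = data;
    for (size_t i = 0; i <= size - sizeof(mblock); i++, b++)
        statBlock[*(const mblock *) b]++;
}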
/**
 * Longest-common-subsequence similarity between `shellcode` and this block.
 *
 * Shellcode is generally much smaller than the current block, so the block is
 * scanned in overlapping windows rather than compared whole: with
 * step = 2 * shellcode.size, each window is 2 * step bytes long and starts at
 * step-byte intervals; the start is clamped to `last` so the final window
 * stays inside the buffer. Each window is first screened with
 * shellcode.possibleDiff() (a byte-histogram pre-filter using `threshold`)
 * and only then scored with CompareUtils::longest_common_subsequence.
 *
 * @param shellcode  block to search for; non-const because possibleDiff()
 *                   builds its byte histogram lazily.
 * @param threshold  fraction passed through to possibleDiff().
 * @return the best LCS length over all screened windows, or 0 when either
 *         block is empty (also logged to stderr) or no window passes the
 *         pre-filter.
 */
size_t MemoryBlock::compareDiff(MemoryBlock &shellcode, float threshold)
{
    if ((shellcode.size == 0) || (size == 0)) {
        cerr << "WHOOPS! " << shellcode.size << " " << size << endl;
        return 0;
    }
    size_t step_size = shellcode.size * 2;
    // Small block: a single window covers everything.
    if (size <= 2 * step_size) {
        if (!shellcode.possibleDiff(data, size, threshold))
            return 0;
        return CompareUtils::longest_common_subsequence(data, size, shellcode.data, shellcode.size);
    }
    // Largest start offset at which a full 2*step_size window still fits.
    size_t last = size - 2 * step_size;
    size_t res = 0;
    for (size_t i = 0; i < size - step_size; i += step_size) {
        const mbyte *data_start = data + min(i, last);
        size_t data_size = 2 * step_size;
        if (!shellcode.possibleDiff(data_start, data_size, threshold))
            continue;
        res = max(res, CompareUtils::longest_common_subsequence(data_start, data_size, shellcode.data, shellcode.size));
    }
    return res;
}
/**
 * Cheap pre-filter used by compareDiff(): compares byte-value histograms.
 * Counts how many of this block's bytes (by value) are also present in
 * [data_start, data_start + data_size) and accepts when that overlap reaches
 * `threshold` times this block's own size. Builds this block's histogram on
 * first call.
 *
 * @param data_start  window to screen; must hold `data_size` readable bytes.
 * @param data_size   window length in bytes.
 * @param threshold   required overlap as a fraction of this block's size.
 */
bool MemoryBlock::possibleDiff(const unsigned char *data_start, size_t data_size, float threshold)
{
    checkStatByte();

    uint32_t window_hist[256] = {0};
    for (const unsigned char *p = data_start; p != data_start + data_size; ++p)
        window_hist[*p]++;

    int overlap = 0;
    for (int v = 0; v < 256; ++v)
        overlap += min(statByte[v], window_hist[v]);

    return overlap >= threshold * size;
}
/**
 * Builds the 256-entry byte-value histogram (statByte) on first use; later
 * calls return immediately. The array is owned by this block and released in
 * the destructor or by link().
 */
void MemoryBlock::checkStatByte()
{
    if (statByte != NULL)
        return;   // already built
    statByte = new uint32_t[256]();   // value-initialised: every counter is zero
    for (const unsigned char *p = data, *end = data + size; p != end; ++p)
        statByte[*p]++;
}
} //namespace detect_similar