#include <stdio.h>
#include "libsigscan.h"
/* Stand-in for data that would live inside the application being scanned.
 * The in-process signature used in main() ("DE AD BE EF ? ? CA FE") matches
 * these eight bytes, with the two wildcards covering 0x0B and 0xAD. */
static const unsigned char secret[] = {
    0xDE, 0xAD, 0xBE, 0xEF, 0x0B, 0xAD, 0xCA, 0xFE,
};
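/*
 * Print the contents of /proc/self/maps to stdout, so the addresses printed by
 * the scans in main() can be compared against this process's memory mappings.
 *
 * If the file cannot be opened, a diagnostic is written to stderr and nothing
 * is dumped; the trailing newline is still printed.
 */
static void echo_maps(void) {
    printf("Dumping /proc/self/maps:\n");

    FILE* fp = fopen("/proc/self/maps", "r");
    if (fp == NULL) {
        /* Passing a NULL stream to fgetc() is undefined behavior, so stop
         * here instead of reading. */
        perror("fopen(\"/proc/self/maps\")");
        putchar('\n');
        return;
    }

    int c;
    while ((c = fgetc(fp)) != EOF)
        putchar(c);

    fclose(fp);
    putchar('\n');
}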
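/*
 * Self-test / usage example for libsigscan.
 *
 * First scans this process for the bytes of `secret`, once across all loaded
 * modules and then restricted by module-name regex. It then repeats the scan
 * against a separate process named "libsigscan-test-external.out", if one is
 * running.
 *
 * Always returns 0, including when the external process is not found.
 */
int main(void) {
    /*------------------------------------------------------------------------*/
    /* Code from the main program */

    /* The %p conversion expects a pointer to void, so cast explicitly. */
    printf("I am the main program, and this is my data at %p:\n",
           (const void*)secret);
    for (size_t i = 0; i < sizeof(secret); i++)
        printf("0x%02X ", secret[i]);
    printf("\n\n");

    /*------------------------------------------------------------------------*/
    /* Information to make sure the test was fine */

    echo_maps();

    /*------------------------------------------------------------------------*/
    /* The following code should be run after injecting into the target
     * process. We don't inject in this example because we are looking in our
     * own process.
     *
     * NOTE: The signatures have to be in IDA format ('?' is a wildcard byte).
     * See also: https://github.com/ajkhoury/SigMaker-x64 */

    const char* signature = "DE AD BE EF ? ? CA FE";
    const char* module_regex;
    void* match;

    printf("Signature: \"%s\"\n", signature);

    /* Look for those bytes in all loaded modules. */
    match = sigscan(signature);
    printf("Searched in all modules: %p\n", match);

    if (match != NULL) {
        /* The match is in our own address space, so it can be read directly.
         * The signature describes sizeof(secret) bytes, so the dump below
         * stays within the matched range. */
        unsigned char* as_bytes = (unsigned char*)match;

        printf("First %ld bytes: ", (long)sizeof(secret));
        for (size_t i = 0; i < sizeof(secret); i++)
            printf("0x%02X ", as_bytes[i]);
        putchar('\n');
    }

    /* Search only in this module. */
    module_regex = "^.*libsigscan-test\\.out";
    match        = sigscan_module(module_regex, signature);
    printf("Searched in all modules matching regex \"%s\": %p\n", module_regex,
           match);

    /* Invalid module, just returns NULL */
    module_regex = "^INVALID$";
    match        = sigscan_module(module_regex, signature);
    printf("Searched in all modules matching regex \"%s\": %p\n", module_regex,
           match);

    /*------------------------------------------------------------------------*/
    /* The following code is used for testing libsigscan on an external
     * process. */

    printf("\n\n"
           "Testing in an external process...\n");

    int pid = sigscan_pidof("libsigscan-test-external.out");
    if (pid == SIGSCAN_PID_INVALID) {
        printf("External process not running. Make sure you execute "
               "libsigscan-test-external.out\n");
        return 0;
    }

    signature = "A4 A5 A6 ? ? ? AA AB";
    printf("Signature: \"%s\"\n", signature);

    /* NOTE(review): the pointers returned by the sigscan_pid* calls are
     * presumably addresses in the target process, not in ours (confirm
     * against libsigscan.h). They are only printed below, never
     * dereferenced. */
    match = sigscan_pid(pid, signature);
    printf("Searched in all modules of PID \"%d\": %p\n", pid, match);

    module_regex = "^.*libsigscan-test-external\\.out";
    match        = sigscan_pid_module(pid, module_regex, signature);
    printf("Searched in all modules of PID \"%d\", that match regex \"%s\": "
           "%p\n",
           pid, module_regex, match);

    module_regex = "^INVALID$";
    match        = sigscan_pid_module(pid, module_regex, signature);
    printf("Searched in all modules of PID \"%d\", that match regex \"%s\": "
           "%p\n",
           pid, module_regex, match);

    return 0;
}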