From d4b481358483fcae3d2db542ae308f5c4422dfa5 Mon Sep 17 00:00:00 2001
From: KillerInstinct
Date: Fri, 18 Nov 2016 08:06:58 -0500
Subject: [PATCH 1/2] Add functionality for scanning buffers

Adds in a basic version of memmem. Also added a wrapper to this which will accept a 'max scan range'
---
 hook_network.c | 10 ++++++----
 misc.c         | 19 +++++++++++++++++++
 misc.h         |  2 ++
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/hook_network.c b/hook_network.c
index 3bea933..dd8c44e 100644
--- a/hook_network.c
+++ b/hook_network.c
@@ -662,10 +662,12 @@ HOOKDEF(BOOL, WINAPI, InternetReadFile,
     _In_ DWORD dwNumberOfBytesToRead,
     _Out_ LPDWORD lpdwNumberOfBytesRead
 ) {
-    BOOL ret = Old_InternetReadFile(hFile, lpBuffer, dwNumberOfBytesToRead,
-        lpdwNumberOfBytesRead);
-    LOQ_bool("network", "pB", "InternetHandle", hFile,
-        "Buffer", lpdwNumberOfBytesRead, lpBuffer);
+    BOOL ret = Old_InternetReadFile(hFile, lpBuffer, dwNumberOfBytesToRead, lpdwNumberOfBytesRead);
+    if (is_bytes_in_buffer(lpBuffer, *lpdwNumberOfBytesRead, "\x00\x50\x4f\x4c\x49\x4d\x4f\x52\x46\x00", 10, 256))
+        LOQ_bool("network", "pC", "InternetHandle", hFile, "Buffer", lpdwNumberOfBytesRead, lpBuffer);
+    else
+        LOQ_bool("network", "pB", "InternetHandle", hFile, "Buffer", lpdwNumberOfBytesRead, lpBuffer);
+
 
     return ret;
 }
diff --git a/misc.c b/misc.c
index 8a79764..6c51027 100644
--- a/misc.c
+++ b/misc.c
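Review bot: The new `if (is_bytes_in_buffer(lpBuffer, *lpdwNumberOfBytesRead, ...))` line dereferences `lpdwNumberOfBytesRead` and scans `lpBuffer` even when `Old_InternetReadFile` returned FALSE, and on that path the count and the buffer contents are, as far as this hook can tell, not filled in by the API, so the scan may run over a stale length; the hook also executes inside untrusted code, so a NULL count pointer cannot be ruled out and would fault here rather than in the API. Guard the scan on both, `if (ret && lpdwNumberOfBytesRead != NULL && is_bytes_in_buf(lpBuffer, *lpdwNumberOfBytesRead, MARKER, sizeof MARKER - 1, 256))`, using the name misc.c actually defines. The ten-byte escape string and the bare `10`/`256` literals carry no explanation of what the pattern is or why a hit switches the log specifier from "pB" to "pC"; lift the bytes into a `static const char MARKER[]` with a one-line comment such as `/* pattern looked for in the first 256 bytes of each read; a hit logs the buffer with the "C" specifier instead of "B" */`.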
@@ -135,6 +135,25 @@ int is_stack_pivoted(void)
     return 1;
 }
 
+PCHAR memmem(PCHAR haystack, ULONG hlen, PCHAR needle, ULONG nlen)
+{
+    if (nlen > hlen)
+        return NULL;
+
+    ULONG i;
+    for (i = 0; i < hlen - nlen + 1; i++) {
+        if (!memcmp(haystack + i, needle, nlen))
+            return haystack + i;
+    }
+
+    return NULL;
+}
+
+BOOL is_bytes_in_buf(PCHAR buf, ULONG len, PCHAR memstr, ULONG memlen, ULONG maxsearchbytes)
+{
+    return memmem(buf, min(maxsearchbytes, len), memstr, memlen) ? TRUE : FALSE;
+}
+
 void replace_string_in_buf(PCHAR buf, ULONG len, PCHAR findstr, PCHAR repstr)
 {
     unsigned int findlen = (unsigned int)strlen(findstr);
diff --git a/misc.h b/misc.h
index 2f57996..bb6e98a 100644
--- a/misc.h
+++ b/misc.h
@@ -177,6 +177,8 @@ ULONG_PTR get_cdocument_write_addr(HMODULE mod);
 ULONG_PTR get_olescript_compile_addr(HMODULE mod);
 ULONG_PTR get_olescript_parsescripttext_addr(HMODULE mod);
 
+PCHAR memmem(PCHAR haystack, ULONG hlen, PCHAR needle, ULONG nlen);
+BOOL is_bytes_in_buffer(PCHAR buf, ULONG len, PCHAR memstr, ULONG memlen, ULONG maxsearchbytes);
 void replace_string_in_buf(PCHAR buf, ULONG len, PCHAR findstr, PCHAR repstr);
 void replace_wstring_in_buf(PWCHAR buf, ULONG len, PWCHAR findstr, PWCHAR repstr);
 void replace_ci_string_in_buf(PCHAR buf, ULONG len, PCHAR findstr, PCHAR repstr);
From 7aa422647c91e1e841292c3b4b7b3799fdda4ad4 Mon Sep 17 00:00:00 2001
From: KillerInstinct
Date: Fri, 18 Nov 2016 08:12:17 -0500
Subject: [PATCH 2/2] Fix typo

---
 hook_network.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hook_network.c b/hook_network.c
index dd8c44e..69c1164 100644
--- a/hook_network.c
+++ b/hook_network.c
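Review bot: `memmem` and `is_bytes_in_buf` never write through `needle` or `memstr`, yet take them as `PCHAR`, while the caller in hook_network.c passes a string literal as the pattern; declare the pattern parameters read-only, `PCHAR memmem(PCHAR haystack, ULONG hlen, const char *needle, ULONG nlen)` and `BOOL is_bytes_in_buf(PCHAR buf, ULONG len, const char *memstr, ULONG memlen, ULONG maxsearchbytes)`, with the misc.h prototypes changed to match. The name `memmem` is also that of the GNU/POSIX extension, which has a different signature (`void *memmem(const void *, size_t, const void *, size_t)`); this code is Windows-only so nothing clashes today, but a project prefix would spare anyone who knows the libc version a surprise and would survive a port. Neither function has a header comment; suggested: `/* Return a pointer to the first occurrence of needle within the first hlen bytes of haystack, or NULL; a zero-length needle matches at haystack. */` for memmem and `/* TRUE if memstr occurs within the first min(maxsearchbytes, len) bytes of buf. */` for the wrapper. A NULL `haystack` with a non-zero `hlen` goes straight into `memcmp`; whether every caller rules that out is not visible here, so a `haystack == NULL` early return would be cheap insurance.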
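Review bot: The new prototype `BOOL is_bytes_in_buffer(...)` in misc.h does not match the definition this same commit adds to misc.c, which is named `is_bytes_in_buf`; the follow-up commit renames only the call in hook_network.c to `is_bytes_in_buf`, so after both patches the header declares a function that does not exist and, unless hook_network.c declares it elsewhere, the call compiles only through an implicit declaration (MSVC C4013, assumed `int` return). Rename the declaration to `BOOL is_bytes_in_buf(PCHAR buf, ULONG len, PCHAR memstr, ULONG memlen, ULONG maxsearchbytes);` so the header, the definition and the call site agree. The same mismatch is what the second patch's hook_network.c hunk touches without fully fixing.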
@@ -663,7 +663,7 @@ HOOKDEF(BOOL, WINAPI, InternetReadFile,
     _Out_ LPDWORD lpdwNumberOfBytesRead
 ) {
     BOOL ret = Old_InternetReadFile(hFile, lpBuffer, dwNumberOfBytesToRead, lpdwNumberOfBytesRead);
-    if (is_bytes_in_buffer(lpBuffer, *lpdwNumberOfBytesRead, "\x00\x50\x4f\x4c\x49\x4d\x4f\x52\x46\x00", 10, 256))
+    if (is_bytes_in_buf(lpBuffer, *lpdwNumberOfBytesRead, "\x00\x50\x4f\x4c\x49\x4d\x4f\x52\x46\x00", 10, 256))
         LOQ_bool("network", "pC", "InternetHandle", hFile, "Buffer", lpdwNumberOfBytesRead, lpBuffer);
     else
         LOQ_bool("network", "pB", "InternetHandle", hFile, "Buffer", lpdwNumberOfBytesRead, lpBuffer);