Add functionality for scanning buffers

Adds in a basic version of memmem. Also added a wrapper to this which will accept a 'max scan range'
spender-sandbox · Nov 18, 2016 · d4b4813 · d4b4813
1 parent 6363d44
commit d4b4813
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 4 deletions.
diff --git a/hook_network.c b/hook_network.c
@@ -662,10 +662,12 @@ HOOKDEF(BOOL, WINAPI, InternetReadFile,
     _In_   DWORD dwNumberOfBytesToRead,
     _Out_  LPDWORD lpdwNumberOfBytesRead
 ) {
-    BOOL ret = Old_InternetReadFile(hFile, lpBuffer, dwNumberOfBytesToRead,
-        lpdwNumberOfBytesRead);
-    LOQ_bool("network", "pB", "InternetHandle", hFile,
-        "Buffer", lpdwNumberOfBytesRead, lpBuffer);
+    BOOL ret = Old_InternetReadFile(hFile, lpBuffer, dwNumberOfBytesToRead, lpdwNumberOfBytesRead);
+    if (is_bytes_in_buffer(lpBuffer, *lpdwNumberOfBytesRead, "\x00\x50\x4f\x4c\x49\x4d\x4f\x52\x46\x00", 10, 256))
+      LOQ_bool("network", "pC", "InternetHandle", hFile, "Buffer", lpdwNumberOfBytesRead, lpBuffer);
+    else
+      LOQ_bool("network", "pB", "InternetHandle", hFile, "Buffer", lpdwNumberOfBytesRead, lpBuffer);
+
     return ret;
 }
 

diff --git a/misc.c b/misc.c
@@ -135,6 +135,25 @@ int is_stack_pivoted(void)
 	return 1;
 }
 
+PCHAR memmem(PCHAR haystack, ULONG hlen, PCHAR needle, ULONG nlen)
+{
+  if (nlen > hlen)
+    return NULL;
+
+  ULONG i;
+  for (i = 0; i < hlen - nlen + 1; i++) {
+    if (!memcmp(haystack + i, needle, nlen))
+      return haystack + i;
+  }
+
+  return NULL;
+}
+
+BOOL is_bytes_in_buf(PCHAR buf, ULONG len, PCHAR memstr, ULONG memlen, ULONG maxsearchbytes)
+{
+    return memmem(buf, min(maxsearchbytes, len), memstr, memlen) ? TRUE : FALSE;
+}
+
 void replace_string_in_buf(PCHAR buf, ULONG len, PCHAR findstr, PCHAR repstr)
 {
 	unsigned int findlen = (unsigned int)strlen(findstr);

diff --git a/misc.h b/misc.h
@@ -177,6 +177,8 @@ ULONG_PTR get_cdocument_write_addr(HMODULE mod);
 ULONG_PTR get_olescript_compile_addr(HMODULE mod);
 ULONG_PTR get_olescript_parsescripttext_addr(HMODULE mod);
 
+PCHAR memmem(PCHAR haystack, ULONG hlen, PCHAR needle, ULONG nlen);
+BOOL is_bytes_in_buffer(PCHAR buf, ULONG len, PCHAR memstr, ULONG memlen, ULONG maxsearchbytes);
 void replace_string_in_buf(PCHAR buf, ULONG len, PCHAR findstr, PCHAR repstr);
 void replace_wstring_in_buf(PWCHAR buf, ULONG len, PWCHAR findstr, PWCHAR repstr);
 void replace_ci_string_in_buf(PCHAR buf, ULONG len, PCHAR findstr, PCHAR repstr);