module Rex
module PeScan
module Analyze
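class Fingerprint

  # Packer/compiler fingerprinting of a PE image, driven by a PEiD-style
  # signature database made of ``[name]`` sections that hold
  # ``signature = 55 8B EC ?? ...`` and ``ep_only = true|false`` lines.
  #
  # ``pe`` must respond to ``hdr.opt.AddressOfEntryPoint`` and
  # ``read_rva(rva, length)`` (that is all #scan uses); its concrete class
  # is not visible from this file.
  attr_accessor :pe

  # @param pe [Object] parsed PE image the scan reads from (see class doc)
  def initialize(pe)
    self.pe = pe
  end

  # Load the signature database into @sigs.
  #
  # Every ``[name]`` section becomes one entry keyed by ``"name [N]"`` — N
  # is a running section index, so duplicate section names stay distinct —
  # whose value is ``[regex_source, ep_only_flag]``:
  #
  # * ``regex_source`` is Regexp *source* text: one ``\xHH`` escape per hex
  #   byte, ``.`` for a wildcard byte. It is compiled only in #scan, so one
  #   malformed signature is reported there instead of aborting the load.
  # * ``ep_only_flag`` is 1 when the section has ``ep_only = true`` (any
  #   value starting with T/t), otherwise 0.
  #
  # A section that ends up with no signature bytes is dropped on purpose:
  # an empty source would compile to a regex that matches every file.
  #
  # @param param [Hash] must contain 'database' => path of the signature file
  # @raise [SystemCallError] if the database cannot be opened
  # @return [void]
  def config(param)
    @sigs = {}

    name = nil
    regx = ''
    epon = 0
    sidx = 0

    # Block form closes the handle even when parsing raises; 'rb' because
    # signature files may carry stray non-ASCII bytes.
    File.open(param['database'], 'rb') do |fd|
      fd.each_line do |line|
        case line
        when /\A\s*#/
          next
        when /\[\s*(.*)\s*\]/
          # Greedy (.*) also swallows blanks before the closing bracket,
          # hence the strip; capture $1 before any other call touches $~.
          section = $1.strip
          # Close the previous section before opening the new one.
          store_sig(name, regx, epon)
          sidx += 1
          name = "#{section} [#{sidx}]"
          # Both per-section values restart here. Without resetting regx a
          # section lacking a signature line silently inherited the
          # previous section's bytes.
          regx = ''
          epon = 0
        when /signature\s*=\s*(.*)/
          regx = signature_to_regex_source($1)
        when /ep_only\s*=\s*(.*)/
          epon = ($1 =~ /\AT/i) ? 1 : 0
        end
      end
    end

    # Flush the final section, which has no following [name] line.
    store_sig(name, regx, epon)
  end

  # Match every loaded signature against the bytes at the entry point and
  # print ``"<file>: <signature name>"`` to $stdout for each hit; a
  # signature whose source does not compile is reported on $stderr and
  # skipped.
  #
  # Only the first 256 bytes at AddressOfEntryPoint are examined, anchored
  # at their start. The ep_only flag stored by #config is never consulted,
  # so signatures marked ``ep_only = false`` are also tested at the entry
  # point only.
  #
  # @param param [Hash] 'database' (see #config) and 'file' (label printed
  #   in front of each match)
  # @return [void]
  def scan(param)
    config(param)

    epa = pe.hdr.opt.AddressOfEntryPoint
    # Force a byte-oriented string so the /n regexes below can be applied
    # whatever encoding the buffer was tagged with (read_rva presumably
    # returns a String — its contract is not visible here).
    buf = pe.read_rva(epa, 256).b

    @sigs.each_pair do |name, data|
      src, _ep_only = data
      begin
        # \A rather than ^: the buffer is raw machine code and may contain
        # 0x0a bytes, after which ^ would match again and produce false
        # positives. NOENCODING (/n) lets \xHH escapes above 0x7f compile
        # as single bytes instead of being rejected as multibyte escapes.
        re = Regexp.new('\A' + src, Regexp::NOENCODING)
      rescue RegexpError
        $stderr.puts "Invalid signature: #{name} #{src}"
        next
      end
      $stdout.puts "#{param['file']}: #{name}" if re.match(buf)
    end
  end

  private

  # Record the section just finished under +name+. Nothing is stored for
  # the initial nil name or for an empty source (it would match anything).
  def store_sig(name, regx, epon)
    return if name.nil? || regx.empty?

    @sigs[name] = [regx, epon]
  end

  # Translate the byte list of a ``signature =`` line into Regexp source.
  # Tokens are whitespace-separated two-character byte specs; tokens of any
  # other length are ignored. A token containing '?' (``??`` or a nibble
  # wildcard such as ``?5``) matches any single byte — nibble wildcards are
  # widened to a whole byte. Non-hex tokens such as ``ZZ`` are passed
  # through and surface as a RegexpError in #scan.
  def signature_to_regex_source(pat)
    pat.strip.split(/\s+/).each_with_object(''.dup) do |tok, src|
      next if tok.length != 2

      src << (tok.include?('?') ? '.' : "\\x#{tok}")
    end
  end
end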
end
end
end