Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 01-16-2015, 14:11
atom0s's Avatar
atom0s atom0s is offline
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 331
Rept. Given: 25
Rept. Rcvd 108 Times in 53 Posts
Thanks Given: 49
Thanks Rcvd at 566 Times in 225 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
[C++] C++11 Signature Scanning

One of the more modern methods of approaching an application for modifications and relocation of specific functions, data, pointers, etc. is through signature scanning. Rather then using raw offsets or addresses, signature scanning allows you to locate data through known instructions of a function that make use of that data. I wont get into the specifics of signature scanning in this topic though for those that do not understand it.

Read this full tutorial on my personal site here:
Code:
http://atom0s.com/forums/viewtopic.php?f=5&t=4
Here is the important code that is used with this:
PHP Code:
/**
 * @brief Scans a given chunk of data for the given pattern and mask.
 *
 * @param data          The data to scan within for the given pattern.
 * @param baseAddress   The base address of where the scan data is from.
 * @param lpPattern     The pattern to scan for.
 * @param pszMask       The mask to compare against for wildcards.
 * @param offset        The offset to add to the pointer.
 * @param resultUsage   The result offset to use when locating signatures that match multiple functions.
 *
 * @return Pointer of the pattern found, 0 otherwise.
 */
static DWORD __stdcall FindPattern(std::vector<unsigned chardataunsigned int baseAddress, const unsigned charlpPattern, const charpszMaskint offsetint resultUsage)
{
    
// Build vectored pattern..
    
std::vector<std::pair<unsigned charbool>> pattern;
    for (
size_t x 0strlen(pszMask); x++)
        
pattern.push_back(std::make_pair(lpPattern[x], pszMask[x] == 'x'));
 
    
// The result count for multiple results..
    
auto resultCount 0;
    
auto scanStart data.begin();
 
    while (
true)
    {
        
// Search for the pattern..
        
auto ret std::search(scanStartdata.end(), pattern.begin(), pattern.end(),
            [&](
unsigned char currstd::pair<unsigned charboolcurrPattern)
        {
            return (!
currPattern.second) || curr == currPattern.first;
        });
 
        
// Did we find a match..
        
if (ret != data.end())
        {
            
// If we hit the usage count, return the result..
            
if (resultCount == resultUsage || resultUsage == 0)
                return (
std::distance(data.begin(), ret) + baseAddress) + offset;
 
            
// Increment the found count and scan again..
            
++resultCount;
            
scanStart = ++ret;
        }
        else
            break;
    }
 
    return 
0;

Example Usage With Futures (Async)
PHP Code:
std::map<std::stringstd::shared_future<unsigned long>> m_Signatures;

this->m_Signatures["sigName"] = std::async(std::launch::async, &FindPatternstd::ref(rawdata), sizeOfDatasignaturemaskoffsetresultUsage);

// Ensure all futures are completed..
std::for_each(this->m_Signatures.begin(), this->m_Signatures.end(), [](std::pair<std::stringstd::shared_future<unsigned long>> s)
{
    
// Obtain the current future status..
    
auto status std::future_status::timeout;
    do
    {
        
status s.second.wait_for(std::chrono::milliseconds(5));
    } while (
status != std::future_status::ready);
 
    
// Obtain the status value..
    
auto pointer s.second.get();
     
    
//
    // At this point you can check if pointer is valid and handle
    // any invalid pointers as needed. Perhaps you want the application
    // to fail to load if any pointers are invalid etc.
    //
});

/**
 * @brief Returns a pointers current value.
 *
 * @param name          The name of the pointer to obtain.
 *
 * @return The value of the pointer, 0 if not found.
 */
unsigned long Memory::GetPointer(const std::stringname) const
{
    
auto pointer this->m_Signatures.find(name);
    if (
pointer == this->m_Signatures.end())
        return 
0;
    return 
pointer->second.get();

Sorry for linking to my own site, the post limit is 10k chars which is too short to paste the whole post from my site. I included the important code above from the post though to have content here too.
Reply With Quote
The Following User Gave Reputation+1 to atom0s For This Useful Post:
mm10121991 (01-18-2015)
  #2  
Old 01-17-2015, 05:26
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 859
Rept. Given: 499
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 94
Thanks Rcvd at 757 Times in 359 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Hi,

What I don't get is how your (linear) search (that uses all kinds of libraries) is faster than the linear search you say is slower at your website:

Code:
bool Compare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)   return 0;
    return (*szMask) == NULL;
}
DWORD Pattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char * szMask)
{
    for (DWORD i = 0; i < dwLen; i++)
        if (Compare((BYTE*)(dwAddress + i), bMask, szMask))  return (DWORD)(dwAddress + i);
    return 0;
}
The worst cast complexity of std::search is O(count1*count2) (see cppreference.com) and the worst case complexity of the algorithm above is also O(count1*count2), right? Do you have any idea what specifically makes your algorithm faster?

Greetings

EDIT: Here is a combined version of our efforts to make pattern finding easier: https://gist.github.com/mrexodia/f058868b81b2f1cb011a
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf

Last edited by mr.exodia; 01-17-2015 at 08:15.
Reply With Quote
  #3  
Old 01-17-2015, 09:44
atom0s's Avatar
atom0s atom0s is offline
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 331
Rept. Given: 25
Rept. Rcvd 108 Times in 53 Posts
Thanks Given: 49
Thanks Rcvd at 566 Times in 225 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
Here is a benchmark of mine vs the original typical FindPattern you posted:

Code:
FindPattern Benchmark Example
(c) 2014 atom0s

================================================
Test Name   : FindPattern
Test Author : dom1n1k & Patrick (GameDeception)
Test Time   : 0.681074

================================================
Test Name   : FindPattern (C++11) w/ Async
Test Author : atom0s
Test Time   : 0.235662
In this benchmark app, I am scanning a total of 26 patterns. The way I have the benchmark setup is each test is given 3 functions:
- Initialize
- Release
- RunTest

Initialize is used to simply handle the basic stuff that the test may need to prepare itself for the test to be ran. Things that are not specific to the scanning directly. Such as any object creation and so on.
Release is to allow the test to cleanup anything it created etc.
RunTest is to allow the test to do its work to scan for all the signature in the given test data.

About The Tests
The test data is the Final Fantasy XI's main game file 'FFXiMain.dll'. I load the unpacked file into memory as the raw bytes, I do not actually load the game in any manner, so these are static scans from the files raw data.

Each test is given a total of 26 signatures to scan for within the same memory data.
So the benchmark is entirely fair in terms of what to look for and what it is looking within.

I created the C++11 / async method I use solely for this game and decided to share it since others may find it useful for faster and threaded scans. In an application where you only need to scan for a few signatures and do not need threading, then yeah mine may not be the best bet however, so far it has performed the best for me outside of some other methods I discussed on my personal site that a friend of mine (devnull) and I came up with.

There is definitely room for improvement and speed increases, this is just the fastest and cleanest method that devnull and I came up with so far that was easy to read and maintain while keeping speed and performance.
Reply With Quote
The Following 5 Users Gave Reputation+1 to atom0s For This Useful Post:
b30wulf (01-18-2015), DMichael (01-17-2015), MarcElBichon (01-17-2015), mr.exodia (01-17-2015), p4r4d0x (01-21-2015)
  #4  
Old 01-17-2015, 16:37
DMichael's Avatar
DMichael DMichael is offline
Family
 
Join Date: Apr 2012
Location: Israel
Posts: 199
Rept. Given: 139
Rept. Rcvd 281 Times in 72 Posts
Thanks Given: 13
Thanks Rcvd at 30 Times in 24 Posts
DMichael Reputation: 200-299 DMichael Reputation: 200-299 DMichael Reputation: 200-299
Quote:
Originally Posted by atom0s View Post
Here is a benchmark of mine vs the original typical FindPattern you posted:

Code:
FindPattern Benchmark Example
(c) 2014 atom0s

================================================
Test Name   : FindPattern
Test Author : dom1n1k & Patrick (GameDeception)
Test Time   : 0.681074

================================================
Test Name   : FindPattern (C++11) w/ Async
Test Author : atom0s
Test Time   : 0.235662
In this benchmark app, I am scanning a total of 26 patterns. The way I have the benchmark setup is each test is given 3 functions:
- Initialize
- Release
- RunTest

Initialize is used to simply handle the basic stuff that the test may need to prepare itself for the test to be ran. Things that are not specific to the scanning directly. Such as any object creation and so on.
Release is to allow the test to cleanup anything it created etc.
RunTest is to allow the test to do its work to scan for all the signature in the given test data.

About The Tests
The test data is the Final Fantasy XI's main game file 'FFXiMain.dll'. I load the unpacked file into memory as the raw bytes, I do not actually load the game in any manner, so these are static scans from the files raw data.

Each test is given a total of 26 signatures to scan for within the same memory data.
So the benchmark is entirely fair in terms of what to look for and what it is looking within.

I created the C++11 / async method I use solely for this game and decided to share it since others may find it useful for faster and threaded scans. In an application where you only need to scan for a few signatures and do not need threading, then yeah mine may not be the best bet however, so far it has performed the best for me outside of some other methods I discussed on my personal site that a friend of mine (devnull) and I came up with.

There is definitely room for improvement and speed increases, this is just the fastest and cleanest method that devnull and I came up with so far that was easy to read and maintain while keeping speed and performance.
interesting conclusion but it not matter
is more about hardware and btw scanning speed won't be noticeable when the difference is measured only in millisecond
plus another thing is about compiler optimization which affects most on the speed(after hardware of course)
Reply With Quote
  #5  
Old 01-17-2015, 20:38
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 859
Rept. Given: 499
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 94
Thanks Rcvd at 757 Times in 359 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Quote:
Originally Posted by DMichael View Post
interesting conclusion but it not matter
I don't agree with you here. Maybe it doesn't matter for searching a few MBs of data, but it will start to matter if you have to find 20 patterns in 2GB of data
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
  #6  
Old 01-17-2015, 21:14
Carbon Carbon is offline
VIP
 
Join Date: Sep 2013
Posts: 113
Rept. Given: 7
Rept. Rcvd 189 Times in 48 Posts
Thanks Given: 0
Thanks Rcvd at 58 Times in 18 Posts
Carbon Reputation: 100-199 Carbon Reputation: 100-199
I think both your implementations are still not perfect. Think about this: https://en.wikipedia.org/wiki/Boyer%E2%80%93Moore_string_search_algorithm
or at least
https://en.wikipedia.org/wiki/Boyer%E2%80%93Moore%E2%80%93Horspool_algorithm
This algorithm is even more efficient for byte search. Skip as many bytes as possible...
__________________
My blog: https://ntquery.wordpress.com
Reply With Quote
The Following 2 Users Gave Reputation+1 to Carbon For This Useful Post:
DMichael (01-18-2015), hypn0 (01-17-2015)
  #7  
Old 01-18-2015, 03:30
atom0s's Avatar
atom0s atom0s is offline
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 331
Rept. Given: 25
Rept. Rcvd 108 Times in 53 Posts
Thanks Given: 49
Thanks Rcvd at 566 Times in 225 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
Quote:
Originally Posted by Carbon View Post
I think both your implementations are still not perfect. Think about this: https://en.wikipedia.org/wiki/Boyer%E2%80%93Moore_string_search_algorithm
or at least
https://en.wikipedia.org/wiki/Boyer%E2%80%93Moore%E2%80%93Horspool_algorithm
This algorithm is even more efficient for byte search. Skip as many bytes as possible...
Yeah there is a lot of room for improvement. My method was more aimed towards making use of C++11 features (to try them out and such) as well as being more maintainable as well as async which I needed for my project that I use it in.

Implementing Boyer Moore will definitely be a bit faster though.

Comparing my FindPattern to the original posted above, mine sees a lot of improvement when the data being scanned within is large and the number of scans being done is high. For low amounts of scanning and where async is not required, then the original will tend to outperform mine.

Overall it really depends on some specific factors:
- The data size being scanned within.
- The number of patterns being looked for.
- Threading; is it required or not, (along with thread-safety).
- Hardware can land up playing a roll as well etc.

Another implementation that could make use of different hardware would be a GPU implementation, which could also have a handful of speed benefits depending on similar factors above.
Reply With Quote
The Following 2 Users Gave Reputation+1 to atom0s For This Useful Post:
DMichael (01-18-2015)
  #8  
Old 01-19-2015, 02:45
Nukem Nukem is offline
Family
 
Join Date: Aug 2014
Posts: 8
Rept. Given: 9
Rept. Rcvd 67 Times in 6 Posts
Thanks Given: 5
Thanks Rcvd at 10 Times in 5 Posts
Nukem Reputation: 67
Quote:
Originally Posted by atom0s View Post
Yeah there is a lot of room for improvement. My method was more aimed towards making use of C++11 features (to try them out and such) as well as being more maintainable as well as async which I needed for my project that I use it in.

Implementing Boyer Moore will definitely be a bit faster though.
Actually a couple of those methods have been tested here: https://github.com/learn-more/findpattern-bench

BMH was second place when I checked (57ms):
Code:
FindPattern benchmark
Page size: 4096, allocating 22 pages (including 2 guard pages).
Running tests on 9 different implementations
===========
Running M-i-K-e
ran outside the area
FAILED
===========
Running Trippeh
Finding pattern 0 x 1000 took 1774.23 ms.
Finding pattern 1 x 1000 took 1905.49 ms.
===========
Running Trippeh v2
Finding pattern 0 x 1000 took 81.864 ms.
Finding pattern 1 x 1000 took 81.937 ms.
===========
Running Trippeh v3
Failed, cheating with the pattern length!
FAILED
===========
Running learn_more
Finding pattern 0 x 1000 took 204.665 ms.
Finding pattern 1 x 1000 took 164.068 ms.
===========
Running learn_more v2
Finding pattern 0 x 1000 took 82.226 ms.
Finding pattern 1 x 1000 took 82.679 ms.
===========
Running afffsdd
Finding pattern 0 x 1000 took 40.943 ms.
Finding pattern 1 x 1000 took 40.968 ms.
===========
Running DarthTon
Finding pattern 0 x 1000 took 56.974 ms.
Finding pattern 1 x 1000 took 57.045 ms.
===========
Running kokole
Finding pattern 0 x 1000 took 122.41 ms.
Finding pattern 1 x 1000 took 122.646 ms.
Done.
Press any key to continue . . .
Although it really does depend on what you're scanning/how long it is. I prefer a linear search because the code is shorter and it's still pretty fast.
Reply With Quote
The Following User Gave Reputation+1 to Nukem For This Useful Post:
atom0s (01-19-2015)
  #9  
Old 01-19-2015, 03:40
atom0s's Avatar
atom0s atom0s is offline
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 331
Rept. Given: 25
Rept. Rcvd 108 Times in 53 Posts
Thanks Given: 49
Thanks Rcvd at 566 Times in 225 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
Ah interesting, I'll take their examples and add it to my tester and see what I get out of them. I can post the results here later on too.

As for the portability / 64bit questions and comments, here is mine that should work on both now:
PHP Code:
/**
 * @brief Scans a given chunk of data for the given pattern and mask.
 *
 * @param data          The data to scan within for the given pattern.
 * @param baseAddress   The base address of where the scan data is from.
 * @param lpPattern     The pattern to scan for.
 * @param pszMask       The mask to compare against for wildcards.
 * @param offset        The offset to add to the pointer.
 * @param resultUsage   The result offset to use when locating signatures that match multiple functions.
 *
 * @return Pointer of the pattern found, 0 otherwise.
 */
static intptr_t FindPattern(std::vector<unsigned chardataintptr_t baseAddress, const unsigned charlpPattern, const charpszMaskintptr_t offsetintptr_t resultUsage)
{
    
// Build vectored pattern..
    
std::vector<std::pair<unsigned charbool>> pattern;
    for (
size_t x 0strlen(pszMask); yx++)
        
pattern.push_back(std::make_pair(lpPattern[x], pszMask[x] == 'x'));
 
    
auto scanStart data.begin();
    
auto resultCnt 0;
 
    while (
true)
    {
        
// Search for the pattern..
        
auto ret std::search(scanStartdata.end(), pattern.begin(), pattern.end(),
            [&](
unsigned char currstd::pair<unsigned charboolcurrPattern)
        {
            return (!
currPattern.second) || curr == currPattern.first;
        });
 
        
// Did we find a match..
        
if (ret != data.end())
        {
            
// If we hit the usage count, return the result..
            
if (resultCnt == resultUsage || resultUsage == 0)
                return (
std::distance(data.begin(), ret) + baseAddress) + offset;
 
            
// Increment the found count and scan again..
            
++resultCnt;
            
scanStart = ++ret;
        }
        else
            break;
    }
 
    return 
0;

I used the following to test compiling and running on Linux:
Code:
http://www.tutorialspoint.com/compile_cpp11_online.php
I'll post the full benchmark once I have time to sit down and add all the other tests to mine and adjust as needed for how mine works.
Reply With Quote
The Following User Gave Reputation+1 to atom0s For This Useful Post:
b30wulf (01-19-2015)
  #10  
Old 01-20-2015, 08:36
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 859
Rept. Given: 499
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 94
Thanks Rcvd at 757 Times in 359 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Updated benchmark with atom0s' pattern finder, my pattern finder (which has nibble support, so not really a fair comparison) and atom0s' pattern finder updated with nibble support:

https://github.com/mrexodia/findpattern-bench

Code:
FindPattern benchmark
Page size: 4096, allocating 22 pages (including 2 guard pages).
Running tests on 10 different implementations
===========
Running learn_more
Finding pattern 0 x 1000 took 1103.94 ms.
Finding pattern 1 x 1000 took 887.791 ms.
===========
Running learn_more v2
Finding pattern 0 x 1000 took 467.905 ms.
Finding pattern 1 x 1000 took 473.792 ms.
===========
Running fdsasdf
Finding pattern 0 x 1000 took 216.19 ms.
Finding pattern 1 x 1000 took 217.753 ms.
===========
Running DarthTon
Finding pattern 0 x 1000 took 296.328 ms.
Finding pattern 1 x 1000 took 293.352 ms.
===========
Running kokole
Finding pattern 0 x 1000 took 541.427 ms.
Finding pattern 1 x 1000 took 587.715 ms.
===========
Running mrexodia
Finding pattern 0 x 1000 took 1089.7 ms.
Finding pattern 1 x 1000 took 1037.04 ms.
===========
Running atom0s
Finding pattern 0 x 1000 took 2274.7 ms.
Finding pattern 1 x 1000 took 2299.61 ms.
===========
Running atom0s (mrexodia modification)
Finding pattern 0 x 1000 took 1539.4 ms.
Finding pattern 1 x 1000 took 1877.84 ms.
===========
Running mrexodia (horspool)
Finding pattern 0 x 1000 took 602.06 ms.
Finding pattern 1 x 1000 took 572.722 ms.
===========
Running dom1n1k_Patrick
Finding pattern 0 x 1000 took 793.266 ms.
Finding pattern 1 x 1000 took 765.38 ms.
Done.
And yea... my laptop has an 1.8Ghz i3 so it's terribly slow compared to Nukem
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf

Last edited by mr.exodia; 01-20-2015 at 11:10. Reason: fixes
Reply With Quote
  #11  
Old 01-21-2015, 15:59
DMichael's Avatar
DMichael DMichael is offline
Family
 
Join Date: Apr 2012
Location: Israel
Posts: 199
Rept. Given: 139
Rept. Rcvd 281 Times in 72 Posts
Thanks Given: 13
Thanks Rcvd at 30 Times in 24 Posts
DMichael Reputation: 200-299 DMichael Reputation: 200-299 DMichael Reputation: 200-299
hmm probably no one need it anyway i'm have modified the algorithm by patrick and dom1n1k in my old project for x64 compatibility here it is:

Quote:
bool Match(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
for(; *szMask; ++szMask,++pData,++bMask)
{
if(*szMask=='x' && *pData!=*bMask )
return false;
}

if(*szMask == 0x00)
return true;

return false;
}

DWORD_PTR FindPattern(DWORD_PTR dwAddress,size_t dwLen,const BYTE *bMask,const char * szMask)
{
for(size_t i=0; i < dwLen; i++)
{
if( Match ( (BYTE*) (dwAddress+i) ,bMask,szMask ) == true )
return (DWORD_PTR)(dwAddress+i);
}

return NULL;
}
Reply With Quote
  #12  
Old 01-21-2015, 18:01
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 859
Rept. Given: 499
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 94
Thanks Rcvd at 757 Times in 359 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@DMichael: I recommend using a different algorithm, this one is the second-worst in time Thanks anyway.
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
  #13  
Old 01-21-2015, 18:35
DMichael's Avatar
DMichael DMichael is offline
Family
 
Join Date: Apr 2012
Location: Israel
Posts: 199
Rept. Given: 139
Rept. Rcvd 281 Times in 72 Posts
Thanks Given: 13
Thanks Rcvd at 30 Times in 24 Posts
DMichael Reputation: 200-299 DMichael Reputation: 200-299 DMichael Reputation: 200-299
Quote:
Originally Posted by mr.exodia View Post
@DMichael: I recommend using a different algorithm, this one is the second-worst in time Thanks anyway.
sure but you checks are meaning less since it mostly depend on compiler and hardware
Reply With Quote
  #14  
Old 01-24-2015, 22:41
alephz alephz is offline
VIP
 
Join Date: May 2002
Location: Israel
Posts: 390
Rept. Given: 127
Rept. Rcvd 291 Times in 93 Posts
Thanks Given: 180
Thanks Rcvd at 69 Times in 23 Posts
alephz Reputation: 200-299 alephz Reputation: 200-299 alephz Reputation: 200-299
If anyone need a real example of signature search, I can recommend ClamAV source.
Reply With Quote
  #15  
Old 01-25-2015, 21:45
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 859
Rept. Given: 499
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 94
Thanks Rcvd at 757 Times in 359 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Quote:
Originally Posted by alephz View Post
If anyone need a real example of signature search, I can recommend ClamAV source.
After some reading it appears to be using Aho-Corasick or the Booyer-more string search algorithms, which is nice indeed. It is very unfortunate that the signature search is so tightly integrated with the codebase, otherwise I would have added it to the tests...
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 03:06.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2021 )