Change EXE code detection process to CSC's Analyzer.
This commit is contained in:
parent
4c3f3d5ee2
commit
6ba9c4b721
1 changed files with 14 additions and 21 deletions
|
@ -905,33 +905,26 @@ DisUnFilter(sU8 *source,sU32 sourceSize,sU8 *dest,sU32 destSize,sU32 memStart)
|
||||||
/*
|
/*
|
||||||
* Try to estimate if the given data block contains 32-bit x86 instructions
|
* Try to estimate if the given data block contains 32-bit x86 instructions
|
||||||
* especially of the call and jmp variety.
|
* especially of the call and jmp variety.
|
||||||
* TODO: This is a very rough estimation and can probably be improved.
|
* Estimator is adapted from CSC 3.2 Analyzer (Fu Siyuan).
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
is_x86_code(uchar_t *buf, int len)
|
is_x86_code(uchar_t *buf, int len)
|
||||||
{
|
{
|
||||||
int e8e9 = 0, ff = 0;
|
uint32_t avgFreq, freq[256] = {0};
|
||||||
uchar_t *pos, *last;
|
uint32_t freq0x80[2] = {0};
|
||||||
|
uint32_t ln = len;
|
||||||
|
int i;
|
||||||
|
|
||||||
pos = buf;
|
for (i = 0; i < len; i++) {
|
||||||
last = buf + len - 4;
|
freq[buf[i]]++;
|
||||||
while (pos < last) {
|
|
||||||
if (*pos == 0xe8 || *pos == 0xe9) {
|
|
||||||
if (pos[3] == 0xff && pos[4] == 0xff) {
|
|
||||||
e8e9++;
|
|
||||||
ff++;
|
|
||||||
pos += 4;
|
|
||||||
} else if (pos[3] == 0 && pos[4] == 0) {
|
|
||||||
e8e9++;
|
|
||||||
pos += 4;
|
|
||||||
} else {
|
|
||||||
pos++;
|
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
pos++;
|
for (i = 0; i< 256; i++) {
|
||||||
|
freq0x80[i>>7] += freq[i];
|
||||||
}
|
}
|
||||||
}
|
|
||||||
return ((double)e8e9/len >= 0.003 && (double)ff/e8e9 >= 0.1);
|
avgFreq = ln>>8;
|
||||||
|
return (freq[0x8b] > avgFreq && freq[0x00] > avgFreq * 2 && freq[0xE8] > 6);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
|
|
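Review bot: In the new body of is_x86_code the freq0x80 histogram is accumulated by the second loop but never read — the return expression uses only freq[0x8b], freq[0x00] and freq[0xE8] — so that loop and the `uint32_t freq0x80[2] = {0};` declaration are dead code. Either drop both lines, or, if the CSC analyzer's decision also consults the high/low-byte split (the commit message cites it but the hunk does not show that rule), add the missing condition so the work is not wasted. Note also that for `len < 256` the `avgFreq = ln>>8;` line yields 0, so the first two tests degenerate to "byte seen at least once", which makes short blocks much easier to classify as code than the removed e8e9/ff ratio did; a short comment stating the intended minimum block size, e.g. `/* avgFreq is 0 below 256 bytes; caller is expected to pass larger blocks */`, would document that assumption. Since buf is only read, `const uchar_t *buf` in the signature would be a compatible tightening.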