Merge branch 'with_new_sigfinder'

hasherezade · Feb 12, 2024 · 7862215 · 7862215
2 parents e86b361 + 79cd4b7
commit 7862215
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 320 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -4,3 +4,6 @@
 [submodule "paramkit"]
 	path = paramkit
 	url = https://github.com/hasherezade/paramkit
+[submodule "sig_finder"]
+	path = sig_finder
+	url = https://github.com/hasherezade/sig_finder
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -34,15 +34,21 @@ set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT")
 
 # modules:
 set ( M_PARSER "libpeconv/libpeconv" )
+set ( M_SIGFIND "sig_finder/sig_finder" )
 
 # modules paths:
-set (PECONV_DIR "${PROJECT_SOURCE_DIR}/${M_PARSER}" CACHE PATH "PEConv main path")
+set ( PECONV_DIR "${PROJECT_SOURCE_DIR}/${M_PARSER}" CACHE PATH "PEConv main path")
+set ( SIGFIND_DIR "${PROJECT_SOURCE_DIR}/${M_SIGFIND}" CACHE PATH "SigFinder main path")
 
 # modules headers:
 include_directories ( ${PECONV_DIR}/include )
+include_directories ( ${SIGFIND_DIR}/include )
+
 # libs
-add_subdirectory (libpeconv/libpeconv)
+add_subdirectory (${M_PARSER})
 set ( PECONV_LIB $<TARGET_FILE:libpeconv> CACHE PATH "PEConvLib library path" )
+add_subdirectory(${M_SIGFIND})
+set ( SIGFIND_LIB $<TARGET_FILE:sig_finder> CACHE PATH "SigFinder library path" )
 
 if( NOT PESIEVE_AS_STATIC_LIB AND NOT PESIEVE_AS_DLL)
 	set ( M_PARAMKIT_LIB "paramkit" )
@@ -168,7 +174,6 @@ set (utils_hdrs
 	utils/workingset_enum.h
 	utils/modules_enum.h
 	utils/artefacts_util.h
-	utils/pattern_tree.h
 	utils/process_reflection.h
 	utils/console_color.h
 	utils/strings_util.h
@@ -275,19 +280,20 @@ if(PESIEVE_AS_STATIC_LIB OR PESIEVE_AS_DLL)
 	)
 	set_source_files_properties(main.def PROPERTIES HEADER_FILE_ONLY TRUE)
 else()
-	add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} ${rsrc} pe_sieve_res_icon.rc  main.cpp params.h )
+	add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs} ${rsrc} pe_sieve_res_icon.rc main.cpp params.h )
 endif()
 
 set (used_libs
 	${PECONV_LIB}
+	${SIGFIND_LIB}
 	psapi.lib
 	ntdll.lib
 	shlwapi
 	imagehlp
 )
 
 # dependencies
-add_dependencies(${PROJECT_NAME} libpeconv )
+add_dependencies( ${PROJECT_NAME} libpeconv sig_finder )
 
 if(PESIEVE_AS_STATIC_LIB OR PESIEVE_AS_DLL)
 	include(GNUInstallDirs)

diff --git a/pe_sieve_ver_short.h b/pe_sieve_ver_short.h
@@ -3,6 +3,6 @@
 #define PESIEVE_MAJOR_VERSION 0
 #define PESIEVE_MINOR_VERSION 3
 #define PESIEVE_MICRO_VERSION 8
-#define PESIEVE_PATCH_VERSION 3
+#define PESIEVE_PATCH_VERSION 5
 
-#define PESIEVE_VERSION_STR	"0.3.8.3"
+#define PESIEVE_VERSION_STR	"0.3.8.6"
diff --git a/sig_finder b/sig_finder
diff --git a/utils/artefacts_util.cpp b/utils/artefacts_util.cpp
@@ -1,13 +1,12 @@
 #include "artefacts_util.h"
 #include <peconv.h>
-#include "pattern_tree.h"
+#include <sig_finder.h>
+using namespace sig_finder;
 
 #ifdef _DEBUG
 	#include <iostream>
 #endif
 
-using namespace pattern_tree;
-
 BYTE* pesieve::util::find_pattern(BYTE* buffer, size_t buf_size, BYTE* pattern_buf, size_t pattern_size, size_t max_iter)
 {
 	for (size_t i = 0; (i + pattern_size) < buf_size; i++) {
@@ -38,9 +37,9 @@ bool init_32_patterns(Node* rootN)
 		0x89, 0xE5 // MOV EBP, ESP
 	};
 
-	Node::addPattern(rootN, "prolog32_1", prolog32_pattern, sizeof(prolog32_pattern));
-	Node::addPattern(rootN, "prolog32_2", prolog32_2_pattern, sizeof(prolog32_2_pattern));
-	Node::addPattern(rootN, "prolog32_3", prolog32_3_pattern, sizeof(prolog32_3_pattern));
+	rootN->addPattern("prolog32_1", prolog32_pattern, sizeof(prolog32_pattern));
+	rootN->addPattern("prolog32_2", prolog32_2_pattern, sizeof(prolog32_2_pattern));
+	rootN->addPattern("prolog32_3", prolog32_3_pattern, sizeof(prolog32_3_pattern));
 	return true;
 }
 
@@ -86,19 +85,19 @@ bool init_64_patterns(Node* rootN64)
 		 0x41, 0x57 // PUSH R15
 	};
 
-	Node::addPattern(rootN64, "prolog64_1", prolog64_pattern, sizeof(prolog64_pattern));
-	Node::addPattern(rootN64, "prolog64_2", prolog64_2_pattern, sizeof(prolog64_2_pattern));
-	Node::addPattern(rootN64, "prolog64_3", prolog64_3_pattern, sizeof(prolog64_3_pattern));
-	Node::addPattern(rootN64, "prolog64_4", prolog64_4_pattern, sizeof(prolog64_4_pattern));
-	Node::addPattern(rootN64, "prolog64_5", prolog64_5_pattern, sizeof(prolog64_5_pattern));
-	Node::addPattern(rootN64, "prolog64_6", prolog64_6_pattern, sizeof(prolog64_6_pattern));
-	Node::addPattern(rootN64, "prolog64_7", prolog64_7_pattern, sizeof(prolog64_7_pattern));
+	rootN64->addPattern("prolog64_1", prolog64_pattern, sizeof(prolog64_pattern));
+	rootN64->addPattern("prolog64_2", prolog64_2_pattern, sizeof(prolog64_2_pattern));
+	rootN64->addPattern("prolog64_3", prolog64_3_pattern, sizeof(prolog64_3_pattern));
+	rootN64->addPattern("prolog64_4", prolog64_4_pattern, sizeof(prolog64_4_pattern));
+	rootN64->addPattern("prolog64_5", prolog64_5_pattern, sizeof(prolog64_5_pattern));
+	rootN64->addPattern("prolog64_6", prolog64_6_pattern, sizeof(prolog64_6_pattern));
+	rootN64->addPattern("prolog64_7", prolog64_7_pattern, sizeof(prolog64_7_pattern));
 	return true;
 }
 
-size_t search_till_pattern(Node& rootN, const BYTE* loadedData, size_t loadedSize)
+size_t search_till_pattern(sig_finder::Node& rootN, const BYTE* loadedData, size_t loadedSize)
 {
-	Match m = pattern_tree::find_first_match(rootN, loadedData, loadedSize);
+	Match m = sig_finder::find_first_match(rootN, loadedData, loadedSize);
 	if (!m.sign) {
 		return CODE_PATTERN_NOT_FOUND;
 	}
@@ -107,7 +106,7 @@ size_t search_till_pattern(Node& rootN, const BYTE* loadedData, size_t loadedSiz
 
 size_t pesieve::util::is_32bit_code(BYTE *loadedData, size_t loadedSize)
 {
-	static Node rootN;
+	static sig_finder::Node rootN;
 	if(rootN.isEnd()) {
 		init_32_patterns(&rootN);
 	}
@@ -116,7 +115,7 @@ size_t pesieve::util::is_32bit_code(BYTE *loadedData, size_t loadedSize)
 
 size_t pesieve::util::is_64bit_code(BYTE* loadedData, size_t loadedSize)
 {
-	static Node rootN;
+	static sig_finder::Node rootN;
 	if (rootN.isEnd()) {
 		init_64_patterns(&rootN);
 	}