PE-sieve
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
format_util.cpp
1#include "format_util.h"
2
3#include <algorithm>
4#include <sstream>
5#include <iomanip>
6#include <cctype>
7
namespace pesieve {
    namespace util {

        // Checks whether the first `len` bytes of `buf` are all hexadecimal digits
        // (0-9, A-F, a-f).
        //
        // Exactly `len` bytes are read and a NUL terminator does not stop the scan, so the
        // caller must guarantee that `buf` holds at least `len` readable bytes.
        // Returns true for len == 0, because no byte fails the check.
        bool is_hex(const char *buf, size_t len)
        {
            const auto is_hex_digit = [](char c) {
                const bool digit = (c >= '0' && c <= '9');
                const bool upper = (c >= 'A' && c <= 'F');
                const bool lower = (c >= 'a' && c <= 'f');
                return digit || upper || lower;
            };
            return std::all_of(buf, buf + len, is_hex_digit);
        }

        // Checks whether the first `len` bytes of `buf` are all decimal digits (0-9).
        //
        // Same contract as is_hex(): exactly `len` bytes are read, and len == 0 yields true.
        // Sign characters and whitespace are not digits, so they make the check fail.
        bool is_dec(const char *buf, size_t len)
        {
            const auto is_dec_digit = [](char c) { return c >= '0' && c <= '9'; };
            return std::all_of(buf, buf + len, is_dec_digit);
        }

    } // namespace util
} // namespace pesieve
33
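// Converts a C-string to a long, accepting decimal or "0x"-prefixed hexadecimal input.
//
// Returns 0 when `my_buf` is null or empty, or when the first character (after the optional
// "0x" prefix) is not a digit of the expected base.
//
// NOTE: this is a lenient parser. Only the first digit is validated up front (min_length == 1),
// so extraction stops at the first character that does not fit the base and the rest of the
// string is silently ignored. The stream state after extraction is not checked either, so a
// failed extraction (for example a value that does not fit in a long) is not reported.
// Because 0 is also a valid parsed value, the return value alone cannot distinguish "invalid"
// from "zero"; call is_number() first when the input must be fully validated.
long pesieve::util::get_number(const char *my_buf)
{
    // Guard against a null pointer before strlen() dereferences it.
    if (my_buf == nullptr) return 0;

    const char hex_pattern[] = "0x";
    const size_t hex_pattern_len = sizeof(hex_pattern) - 1; // length without the terminator

    const size_t len = strlen(my_buf);
    if (len == 0) return 0;

    const size_t min_length = 1; // tolerate number with at least 1 character

    // A hex literal needs the prefix plus at least one more character.
    const bool has_hex_prefix = (len > hex_pattern_len)
        && is_cstr_equal(my_buf, hex_pattern, hex_pattern_len);

    long out = 0;
    std::stringstream ss;
    if (has_hex_prefix) {
        if (!is_hex(my_buf + hex_pattern_len, min_length)) return 0;
        // The whole string, prefix included, is handed to the hex-mode extraction.
        ss << std::hex << my_buf;
    }
    else {
        if (!is_dec(my_buf, min_length)) return 0;
        ss << std::dec << my_buf;
    }
    ss >> out;
    return out;
}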
61
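// Strictly validates that `my_buf` is a number: either decimal digits only, or the "0x"
// prefix followed by at least one character, all of them hexadecimal digits.
//
// Returns false for a null or empty string. Every character is checked, so signs, whitespace
// and trailing garbage are rejected.
//
// NOTE: only the character set is validated, not the magnitude. A string accepted here can
// still be too large for the `long` produced by get_number().
// NOTE(review): whether an upper-case "0X" prefix is accepted depends on is_cstr_equal(),
// which is defined elsewhere - confirm.
bool pesieve::util::is_number(const char* my_buf)
{
    // Guard against a null pointer before strlen() dereferences it.
    if (my_buf == nullptr) return false;

    const char hex_pattern[] = "0x";
    const size_t hex_pattern_len = sizeof(hex_pattern) - 1; // length without the terminator

    const size_t len = strlen(my_buf);
    if (len == 0) return false;

    // Hex form: the prefix must be followed by at least one character.
    if (len > hex_pattern_len && is_cstr_equal(my_buf, hex_pattern, hex_pattern_len)) {
        return is_hex(my_buf + hex_pattern_len, len - hex_pattern_len);
    }
    // Otherwise the entire string has to be decimal digits.
    return is_dec(my_buf, len);
}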
80
// Reports whether `searched_str` is an element of `string_list`.
//
// When `to_lower` is set, only the searched string is lower-cased before the lookup; the
// entries of `string_list` are compared as stored. A case-insensitive match therefore
// requires the list to hold lower-case entries already.
// std::tolower works on single bytes, so multi-byte characters are not case-folded.
bool pesieve::util::is_in_list(std::string searched_str, std::set<std::string>& string_list, bool to_lower)
{
    if (to_lower) {
        for (char &ch : searched_str) {
            // Go through unsigned char so that bytes >= 0x80 are valid input for std::tolower.
            ch = static_cast<char>(std::tolower(static_cast<unsigned char>(ch)));
        }
    }
    return string_list.find(searched_str) != string_list.end();
}
93
namespace pesieve {
    namespace util {

        // Strips, in place, every leading character of `str` that appears in `chars`
        // (whitespace by default). A string made up only of such characters becomes empty.
        // Returns a reference to `str`.
        std::string& ltrim(std::string& str, const std::string& chars = "\t\n\v\f\r ")
        {
            const std::string::size_type first_kept = str.find_first_not_of(chars);
            // first_kept is npos when nothing is kept; erase(0, npos) then clears the string.
            str.erase(0, first_kept);
            return str;
        }

        // Strips, in place, every trailing character of `str` that appears in `chars`
        // (whitespace by default). A string made up only of such characters becomes empty.
        // Returns a reference to `str`.
        std::string& rtrim(std::string& str, const std::string& chars = "\t\n\v\f\r ")
        {
            const std::string::size_type last_kept = str.find_last_not_of(chars);
            if (last_kept == std::string::npos) {
                str.clear();
            }
            else {
                str.erase(last_kept + 1);
            }
            return str;
        }

        // Strips the characters in `chars` from both ends of `str`, in place, and returns
        // a reference to `str`.
        std::string& trim(std::string& str, const std::string& chars = "\t\n\v\f\r ")
        {
            rtrim(str, chars);
            return ltrim(str, chars);
        }
    } // namespace util
} // namespace pesieve
115
// Splits `s` on the single character `_delim` and inserts every non-empty token into
// `elements_list`.
//
// Each token is trimmed of surrounding whitespace; tokens that are empty after trimming are
// skipped. With `to_lower` set, tokens are lower-cased byte by byte before insertion.
// `elements_list` is not cleared first, so the returned value is the total size of the set
// after insertion, including entries that were already present.
size_t pesieve::util::string_to_list(IN::std::string s, IN char _delim, OUT::std::set<::std::string>& elements_list, bool to_lower)
{
    // Normalizes one raw token and stores it unless nothing is left after trimming.
    auto store_token = [&elements_list, to_lower](std::string token) {
        trim(token);
        if (token.length() == 0) return;
        if (to_lower) {
            std::transform(token.begin(), token.end(), token.begin(), [](unsigned char c){ return std::tolower(c); });
        }
        elements_list.insert(token);
    };

    size_t token_start = 0;
    for (size_t delim_pos = s.find(_delim);
        delim_pos != std::string::npos;
        delim_pos = s.find(_delim, token_start))
    {
        store_token(s.substr(token_start, delim_pos - token_start));
        token_start = delim_pos + 1; // continue right after the delimiter
    }
    // Whatever follows the last delimiter (or the whole string if there was none).
    store_token(s.substr(token_start));
    return elements_list.size();
}