comparing in buffer

Index > Main > comparing in buffer

Author

Thread

GhostXoPCorp

Joined: 13 Dec 2008
Posts: 199
Location: 01F0:0100

GhostXoPCorp 03 Jun 2009, 04:53

how can i tell my program to compare what letter or space in my buffer

say 123456 letters defign where letters are in buffer
the buffer has "foo.exe"

and i want to compare the file extension, would i use

Code:

 
mov si,buffer 
cmp byte [si+4],'e'
je next1
jmp err
cmp byte [si+5],'x'
je next2
jmp err
cmp byte [si+6],'e'
je safeexec
jmp err

would this work, or is this all wrong and i have all of this misunderstood?

_________________
Oh that divide overflow. Just jumps out of the bushes every time to scare the day lights out of me.

03 Jun 2009, 04:53

pete

Joined: 20 Apr 2009
Posts: 110

pete 03 Jun 2009, 05:48

You could improve it this way:

Code:

mov si,buffer  
cmp byte [si+4],'e' 
jne err
cmp byte [si+5],'x' 
jne err 
cmp byte [si+6],'e' 
jne err
safeexec: 
...

Or you get rid of the byte-comparisons and do a word or dword-comparison.

03 Jun 2009, 05:48

GhostXoPCorp

Joined: 13 Dec 2008
Posts: 199
Location: 01F0:0100

GhostXoPCorp 03 Jun 2009, 07:21

true, thanks

_________________
Oh that divide overflow. Just jumps out of the bushes every time to scare the day lights out of me.

03 Jun 2009, 07:21

ManOfSteel

Joined: 02 Feb 2005
Posts: 1154

ManOfSteel 03 Jun 2009, 07:31

Or just use string operands instead?

Code:

rep* cmps*
jcc

Or, at the very least, some inc/decrements and loops/jmps, along with your comparisons?

Also, what if the file name is not 3 chars long?

What if there's no extension?

What if there's more than 1 extension?

In this case, you should set your pointer to the end of your buffer and go backwards until you find a ".", and only THEN do the above comparison (forwards).

03 Jun 2009, 07:31

GhostXoPCorp

Joined: 13 Dec 2008
Posts: 199
Location: 01F0:0100

GhostXoPCorp 03 Jun 2009, 08:26

i know, i just need this for my type of application, thanks for the tip though Very Happy

_________________
Oh that divide overflow. Just jumps out of the bushes every time to scare the day lights out of me.

03 Jun 2009, 08:26

GhostXoPCorp

Joined: 13 Dec 2008
Posts: 199
Location: 01F0:0100

GhostXoPCorp 04 Jun 2009, 21:13

well, that didnt work Sad

_________________
Oh that divide overflow. Just jumps out of the bushes every time to scare the day lights out of me.

04 Jun 2009, 21:13

pete

Joined: 20 Apr 2009
Posts: 110

pete 05 Jun 2009, 06:16

Post the bit of code that didn't work!

05 Jun 2009, 06:16

lamar

Joined: 05 Jun 2009
Posts: 16

lamar 10 Jun 2009, 16:53

Code:

format pe gui 4.0
entry start
include 'include\win32a.inc'
start:
 invoke lstrlen,filename
 cmp    eax,3
 jl        fileisok
 mov    eax,dword [filename+eax-3] ;Last 3 char of filename
 or     eax,202020h ;To lower case
 cmp    eax,'exe'
 je     not_safe_file
fileisok:
 invoke MessageBox,0,fileok,title,MB_OK or MB_ICONINFORMATION
 jmp    exit
not_safe_file:
 invoke MessageBox,0,notsafefile,title,MB_OK or MB_ICONWARNING
exit:
invoke ExitProcess,0

title db 'Information',0
notsafefile db 'File not safe!',0
fileok db 'File is ok!',0
filename db 'virus.eXE',0

data import
 library kernel32,'KERNEL32.DLL',user32,'USER32.DLL'
 include 'include\api\kernel32.inc'
 include 'include\api\user32.inc'
end data

That is simpla.

and 16 bit version:

Code:

mov si,buffer
or word[si],2020h
cmp word[si],'xe'
jne file_ok
or byte[si+2],20h
cmp byte[si+2],'e'
jne file_ok
jmp safe_exec

10 Jun 2009, 16:53

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum