Dynamic Signature Scanner Concept


SeLfkiLL
Member
Join Date: Nov 2005
01-09-2006, 04:12   Dynamic Signature Scanner Concept
#1

This is just a draft I put together for anyone interested in creating a more dynamic sigscanner. I have not yet coded one myself.

Dynamic Signature Scanner
The Dynamic Signature Scanner (DSS) is a memory scanner that looks for a pattern of byte-segments. When a complete pattern is found, it returns the starting address of the pattern.
DSS has four input variables and one output variable:

Input
- char array: sig_str
- int: mem_len
- int: threshold
- int: give_or_take
Output
- void pointer: mem_addr

The Input Variables
  • "sig_str" is a string containing pairs of alpha and numeric characters representing each byte in hexadecimal form. A segment is one or more of these byte pairs ended with a newline character. A segment starting with a lowercase 'i' followed by alpha-numeric byte pairs (and ending with a newline character) represents an ignored segment. The first and last segments must be accurate. "sig_str" is null-terminated. Example sig_str:
    Code:
    8B01\n
    iFF90C8000000\n
    83F805\n
    7417\n
    i83F811\n
    7412\n
  • "mem_len" is the actual length in bytes of memory to scan.
  • "threshold" determines how many repeated incorrect segments +1 must be matched before DSS gives up on the memory location.
  • "give_or_take" is a length in bytes "mem_len" can be stretched to.

The Output Variable
  • "mem_addr" is the pointer to the starting address of a matched signature pattern. If a pattern was not found, "mem_addr" is NULL.

Behavior
DSS will store the first and last segment of "sig_str" in two allocated character arrays. It will then start searching the memory for the first segment. When found, DSS will start matching byte by byte each alpha-numeric byte pair in "sig_str" to each byte in memory. A segment starting with 'i' will be ignored but the length will be tracked. If an unsuspected byte is found within a segment, the segment will be counted as incorrect and a variable tracking errors will be incremented. When this happens, the rest of the segment is ignored until the end of the segment is reached. Any byte in memory that does not match the beginning byte in the next segment is ignored until the length of memory being scanned is greater than "mem_len" + "give_or_take." When the error-tracking variable is incremented past "threshold," DSS starts over after the last erroneous byte. Otherwise, DSS continues to match until it reaches the last segment in "sig_str" or past "mem_len" + "give_or_take." If the last segment is not within the bounds of "mem_len" + or - "give_or_take," the pattern fails and DSS starts over. If "mem_len" + "give_or_take" is met without a successful pattern match, the scan fails and DSS starts over. If the scan is successful, "mem_addr" is pointed to the address where the scan began.
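An added C implementation of the scanner as post #1 specifies it (this is example code, not code from the thread or from SeLfkiLL), run over a constructed byte buffer rather than live process memory. Where the spec leaves room, this example makes two choices: a failed candidate restarts the search at the next byte after the first-segment hit, and resynchronisation to a segment's first byte happens before every non-ignored segment; the sample buffers and the 0x90 insertion are constructed to exercise the "new instruction was inserted" case post #3 describes.

```c
#include <stddef.h>
#include <string.h>
enum { MAX_SEG = 32, SEG_BYTES = 32 };
typedef struct { unsigned char b[SEG_BYTES]; int len; int ignore; } seg_t;
/* Parse the post's newline-delimited sig_str (uppercase hex pairs, leading 'i' = ignored
   segment) into segments. Returns the segment count, or -1 on malformed input. */
static int parse_sig(const char *sig, seg_t *segs) {
    static const char HEX[] = "0123456789ABCDEF";
    int n = 0;
    for (; *sig; n++) {
        if (n == MAX_SEG) return -1;
        seg_t *s = &segs[n]; s->len = 0;
        if ((s->ignore = (*sig == 'i'))) sig++;
        for (; *sig && *sig != '\n'; sig += 2) {
            const char *hi = strchr(HEX, sig[0]), *lo = sig[1] ? strchr(HEX, sig[1]) : NULL;
            if (!hi || !lo || s->len == SEG_BYTES) return -1;
            s->b[s->len++] = (unsigned char)((hi - HEX) << 4 | (lo - HEX));
        }
        if (s->len == 0) return -1;
        if (*sig) sig++;
    }
    return n >= 2 && !segs[0].ignore && !segs[n - 1].ignore ? n : -1;  /* first/last must be exact */
}
/* Scan buf for the pattern; returns the match offset (the post's mem_addr) or -1 (its NULL). */
long dss_scan(const unsigned char *buf, size_t buf_len, const char *sig_str,
              int mem_len, int threshold, int give_or_take) {
    seg_t segs[MAX_SEG];
    int n = parse_sig(sig_str, segs);
    if (n < 0 || give_or_take < 0) return -1;
    size_t limit = (size_t)(mem_len + give_or_take);
    for (size_t p = 0; p + segs[0].len <= buf_len; p++) {
        if (memcmp(buf + p, segs[0].b, segs[0].len)) continue;   /* first segment must match */
        size_t cur = p + segs[0].len; int errors = 0, k;
        for (k = 1; k < n; k++) {
            const seg_t *s = &segs[k];
            if (s->ignore) { cur += s->len; continue; }           /* skip it, but keep its length */
            while (cur < buf_len && cur - p <= limit && buf[cur] != s->b[0]) cur++;  /* resync */
            if (cur + s->len > buf_len || cur - p > limit) break;
            /* a wrong byte inside a segment counts one error and skips the rest; last segment must be exact */
            if (memcmp(buf + cur, s->b, s->len) && (k == n - 1 || ++errors > threshold)) break;
            cur += s->len;
        }
        if (k == n && (long)(cur - p) >= mem_len - give_or_take && cur - p <= limit) return (long)p;
    }
    return -1;
}
/* Constructed samples: 5 bytes of padding, the post's example bytes, a ret; INSERTED adds a NOP before 83F805. */
static const char SIG[] = "8B01\niFF90C8000000\n83F805\n7417\ni83F811\n7412\n";
static const unsigned char CLEAN[] = {0x90,0x90,0x55,0x8B,0xEC,0x8B,0x01,0xFF,0x90,0xC8,0,0,0,0x83,0xF8,0x05,0x74,0x17,0x83,0xF8,0x11,0x74,0x12,0xC3};
static const unsigned char INSERTED[] = {0x90,0x90,0x55,0x8B,0xEC,0x8B,0x01,0xFF,0x90,0xC8,0,0,0,0x90,0x83,0xF8,0x05,0x74,0x17,0x83,0xF8,0x11,0x74,0x12,0xC3};
```

With mem_len 18 (the example signature's own length) the clean buffer matches at offset 5, the buffer with the inserted NOP matches only once give_or_take is raised to 1, and a mismatch inside a middle segment is tolerated only while the error count stays within threshold.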
devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
01-09-2006, 18:38
#2

I would consider adding support for wildcards... use some character to state, "This bit doesn't matter, ignore it."
Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
SeLfkiLL
Member
Join Date: Nov 2005
01-10-2006, 03:39
#3

The idea behind it is basically if a new instruction has been inserted, the scanner will just ignore it and try to get itself back on track. Kind of like a mix between wildcards and the Unix "diff" tool. If you're talking about wildcards inside segments, like the '?' characters, maybe those could be added after each "byte-pair" to specify that it should be ignored. Otherwise the 'i' at the beginning of the segment declares all those bytes will be ignored. I'm not sure if it's even necessary though, considering bytes are already ignored if they aren't in the sig. But it could help for clarity, I guess.