Comparesequence
stdapi
(ulong) Comparesequence(uchar *cmd,ulong cmdsize,ulong cmdip,uchar
*decode,t_asmmod *model,int nmodel,int mode,int *pa,int *pb,t_disasm
*da,ulong *amatch,int namatch);
Takes a sequence of 80x86 binary commands cmd that starts at memory address cmdip and compares it to the supplied sequence of models model. If mode flag CSEQ_IGNORECMD is set, allows for intermediate commands that have no influence on the result. For example: one searches for
MOV RA,ANY
ADD RA,CONST
and cmd contains commands
MOV ESI,[EAX*4+12345]
XOR EDI,EDI
ADD ESI,10
This sequence will be matched because intermediate command XOR EDI,EDI does not change the contents of RA = ESI. It changes flags, but MOV does not set them, so it's safe to ignore XOR.
To create model, for each command in the search pattern call Assembleallforms(), concatenating output in one large buffer. Assembleallforms() marks first created model with flag AMF_NEWCMD in the features and Comparesequence() looks for this flag to determine the borders between the commands.
If commands and model match, function updates optional indices of semi-defined registers pa and pb, fills optional array of addresses of matching commands amatch[namatch] and returns real length of the sequence in bytes, including intermediate non-influencing commands. Unused elements in amatch are zeroed. In the exampe above, if namatch is 4, amatch[0] will receive address of MOV, amatch[1] - address of ADD while amatch[2] and amatch[3] will be set to 0. If there is no match or some error is detected, returns 0. In this case the contents of amatch may be spoiled.Optional parameter da is used as a cache when Comparesequence() is called on the same cmdip with different models and keeps disassembly of the first command in cmd. When used, set da->ip to value that differs from cmdip before making the first call.
Parameters:
cmd
(in) Buffer of length cmdsize that contains binary code to compare with the model
cmdsize
(in) Length of valid data in cmd, bytes
cmdip
(in) Address of the cmd in the memory
decode
(in) Optional pointer to decoding information produced by the Analyser, or NULL if decoding is missing or unavailable. If present, decoding data must start at cmdip and its length must be at least cmdsize bytes. To locate decoding data, use Finddecode()
model
(in) Pointer to the array of nmodel structures of type t_asmmod that contain description of the model. To create model, use Assembleallforms()
nmodel
(in) Length of model
mode
(in) Comparison mode, a combination of zero or more of the following flags:
CSEQ_IGNORECMD - ignore non-influencing intermediate commands
CSEQ_ALLOWJMP
- allow jumps from outside. If flag is set, routine assumes that code
is in the memory of the debugged process. Note that jumps outside the
sequence are always allowed
pa
(in) Optional pointer to integer variable. If pa
is not NULL and pattern is matched, this variable will receive the
index of the register that is marked as RA in the model (REG_UNDEF if
RA is not used). See Assembling and disassembling for details
pb
(in) Optional pointer to integer variable. If pb
is not NULL and pattern is matched, this variable will receive the
index of the register that is marked as RB in the model (REG_UNDEF if
RB is not used)
da
(in) Optional pointer to the disassembly cache buffer, structure of type t_disasm. If defined, will keep description of the first command in cmd. If you are going to compare cmd with several different models, this cache may spare significant amount of time. Set da->ip to the value that differs from cmdip before calling Comparesequence() with the first model. If da->ip and cmdip are equal, function assumes that da contains correct information
amatch
(in) Optional array of namatch
unsigned long integers. If defined, will receive addresses of the
matched commands from the model. Intermediate commands are not
included. Unused entries in amatch are zeroed
namatch
(in) Number of elements in amatch
Return
values:
If cmd and model
match, returns length of the command sequence in bytes, including
intermediate commands. On error or if commands do not match, returns 0
See
also: