collapse collapse

* Who's Online

  • Dot Guests: 131
  • Dot Hidden: 0
  • Dot Users: 0

There aren't any users online.

* Board Stats

  • stats Total Members: 88
  • stats Total Posts: 11164
  • stats Total Topics: 1700
  • stats Total Categories: 4
  • stats Total Boards: 76
  • stats Most Online: 1470

Author Topic: Parse Null Bytes Out of String  (Read 3867 times)

0 Members and 1 Guest are viewing this topic.

Offline Samo502

  • Jr. Member
  • **
  • Posts: 52
  • Reputation 70
  • Gender: Male
  • That guy watching you.
    • View Profile
Parse Null Bytes Out of String
« on: August 08, 2011, 09:42:48 am »
I'm planning on making a program to test viral exes for email info hidden inside(yum yum). Strings in executables are generally seperated by null bytes between each character, I'd like to make this in C++ obviously.

What would be the best method of parsing these out? would replacing them with the replace function work?
Quote from: Sherlock Holmes
"I consider that a man's brain originally is like a little empty attic, and you have to stock it with such furniture as you choose. A fool takes in all the lumber of every sort that he comes across, so that the knowledge which might be useful to him gets crowded out, or at best is jumbled up with a lot of other things, so that he has a difficulty in laying his hands upon it. Now the skilful workman is very careful indeed as to what he takes into his brain-attic. He will have nothing but the tools which may help him in doing his work, but of these he has a large assortment, and all in the most perfect order. It is a mistake to think that that little room has elastic walls and can distend to any extent. Depend upon it - there comes a time when for every addition of knowledge you forget something that you knew before. It is of the highest importance, therefore, not to have useless facts elbowing out the useful ones."

Offline Celestialkey

  • Administrator
  • Hero Member
  • *
  • Posts: 3962
  • Reputation 4874
  • Gender: Male
  • Its Alive!!
    • View Profile
    • www.CelestialCoding.com
Re: Parse Null Bytes Out of String
« Reply #1 on: August 08, 2011, 07:48:25 pm »
Using string::replace will work for this. It's pretty simple to use.
http://www.cplusplus.com/reference/string/string/replace/
Created By: Eczuo
Quote
I have noticed that people who claim that everything is predestined, and we can do nothing to change it, look both ways before they cross the road.
Quote
I'd prefer to die standing, than to live on my knees - Che Guevara
Quote
If you change the way you look at something, does that something change in any way?
- Quantum Theory

Hacking
Quote
Never in the field of human conflict was so much owed by so many to so few. - Winston Churchill


Quote from: Revelations 12:4
And his tail drew the third part of the stars of heaven, and did cast them into the earth; and the dragon stood before the woman which was ready to be delivered, for to devour her child as soon as it was born.

Quote
It takes skill to build an empire. It takes an idiot to maintain it.

Offline Samo502

  • Jr. Member
  • **
  • Posts: 52
  • Reputation 70
  • Gender: Male
  • That guy watching you.
    • View Profile
Re: Parse Null Bytes Out of String
« Reply #2 on: August 08, 2011, 07:57:08 pm »
Now that I read a bit more on it, I'm not sure if it's what I need or not. Basically what I'm trying to do is turn this:

Code: [Select]
u.s.e.r.n.a.m.e.@.h.o.s.t...c.o.m.
into

Code: [Select]
username@host.com
Using the .s to represent null bytes, since strings in PE files are usually stored that way. I'd want to take all those out to make the file easier to find the string i'm looking for in.

I think I may have an idea, if I used a for loop to go through the string, if I knew how to detect which bytes where null then i could easily work with it. What if I tried reading the file with ios::hex?


EDIT: I've found a way to do it effectively. This is what I came up with:

Code: C++
  1. ifstream file(argv[1], ios::binary | ios::in);
  2.         char input[513];
  3.         string sanitized;
  4.         unsigned char val;
  5.         char temp[513];
  6.         int cnt = 0;
  7.         int count = 0;
  8.         int pos;
  9.  
  10.         for(int i = 0; i < 513; i++) {
  11.                 val = input[i];
  12.                 if(val != 0x00 && val != 0x07) {
  13.                         temp[cnt] = input[i];
  14.                         cnt++;
  15.                         count++;
  16.                 }
  17.         }

That's not the complete code, some stuff was chopped out. But that's the gist of it anyway. (0x07 is removed for debug printing purposes, you have no idea how annoying BEEP BEEP BEEP BEEP BEEP BEEP BEEP is when printing debug substrings)
« Last Edit: August 08, 2011, 09:15:38 pm by Samo502 »
Quote from: Sherlock Holmes
"I consider that a man's brain originally is like a little empty attic, and you have to stock it with such furniture as you choose. A fool takes in all the lumber of every sort that he comes across, so that the knowledge which might be useful to him gets crowded out, or at best is jumbled up with a lot of other things, so that he has a difficulty in laying his hands upon it. Now the skilful workman is very careful indeed as to what he takes into his brain-attic. He will have nothing but the tools which may help him in doing his work, but of these he has a large assortment, and all in the most perfect order. It is a mistake to think that that little room has elastic walls and can distend to any extent. Depend upon it - there comes a time when for every addition of knowledge you forget something that you knew before. It is of the highest importance, therefore, not to have useless facts elbowing out the useful ones."

Offline Nathan

  • Administrator
  • Hero Member
  • *
  • Posts: 1437
  • Reputation 1768
  • Gender: Male
  • woof woof
    • View Profile
Re: Parse Null Bytes Out of String
« Reply #3 on: August 10, 2011, 09:36:55 pm »
Now that I read a bit more on it, I'm not sure if it's what I need or not. Basically what I'm trying to do is turn this:

Code: [Select]
u.s.e.r.n.a.m.e.@.h.o.s.t...c.o.m.
into

Code: [Select]
username@host.com
Using the .s to represent null bytes, since strings in PE files are usually stored that way. I'd want to take all those out to make the file easier to find the string i'm looking for in.

I think I may have an idea, if I used a for loop to go through the string, if I knew how to detect which bytes where null then i could easily work with it. What if I tried reading the file with ios::hex?


EDIT: I've found a way to do it effectively. This is what I came up with:

Code: C++
  1. ifstream file(argv[1], ios::binary | ios::in);
  2.         char input[513];
  3.         string sanitized;
  4.         unsigned char val;
  5.         char temp[513];
  6.         int cnt = 0;
  7.         int count = 0;
  8.         int pos;
  9.  
  10.         for(int i = 0; i < 513; i++) {
  11.                 val = input[i];
  12.                 if(val != 0x00 && val != 0x07) {
  13.                         temp[cnt] = input[i];
  14.                         cnt++;
  15.                         count++;
  16.                 }
  17.         }

That's not the complete code, some stuff was chopped out. But that's the gist of it anyway. (0x07 is removed for debug printing purposes, you have no idea how annoying BEEP BEEP BEEP BEEP BEEP BEEP BEEP is when printing debug substrings)
This sounds like a job for this application:
http://technet.microsoft.com/en-us/sysinternals/bb897439
Projects:
[ Axios Engine ] [ sourcehub ]
Compilers: Microsoft Visual Studio 2008, GNU C++, FASM, MASM, VB 6/.Net.
Languages: C++, PHP, ASM, JS, VB6/.Net, BASIC, HTML, MySQL
Please buy me some books: Amazon Wishlist

 

Donate


* Search


* Recent Posts

I miss the chatbox by Shishka
[August 27, 2019, 11:52:39 pm]


Image Comparison by Shishka
[May 15, 2017, 01:18:02 pm]


Re: srchub - free source code hosting by Nathan
[December 14, 2015, 11:37:02 pm]


Re: srchub - free source code hosting by Celestialkey
[November 27, 2015, 08:51:42 am]


Updates by Nathan
[October 30, 2015, 08:27:36 pm]