--- signcfg.h Sun Mar 23 23:29:22 2008 +++ ../signsrch/signcfg.h Thu Jan 31 17:55:36 2008 @@ -53,9 +53,13 @@ CMD_NONE = -1 }; + + u64 current_type; u8 *current_title; + + int delimit(u8 *data) { u8 *p; @@ -194,13 +198,11 @@ return(num); error: -#ifdef DEBUG printf("\n" "Error: %s\n" " the number \"%s\" doesn't match the type specified\n", current_title, data); -#endif free_sign(); exit(1); } @@ -434,14 +436,12 @@ return(op); error: -#ifdef DEBUG printf("\n" "Error: %u) %s\n" " the number 0x%"NTS"x is bigger than %d bits\n" " check your signature file, probably you must increate the TYPE size\n", signs, current_title, num, size); -#endif free_sign(); exit(1); } @@ -715,7 +715,7 @@ -int read_cfg(u8 *filename) { +void read_cfg(u8 *filename) { FILE *fd; int len, currlen, @@ -728,11 +728,10 @@ *buff_limit, *data, *ins; -#ifdef DEBUG + printf("- open file %s\n", filename); -#endif fd = fopen(filename, "rb"); - if(!fd) return 0; + if(!fd) std_err(); bufflen = 256; buff = malloc(bufflen); @@ -779,6 +778,4 @@ free(buff); fclose(fd); - - return 1; } --- signsrch.c Sun Mar 30 17:39:13 2008 +++ ../signsrch/signsrch.c Thu Jan 31 18:08:10 2008 
@@ -1,334 +1,705 @@ -/* - Copyright 2007,2008 Luigi Auriemma - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - http://www.gnu.org/licenses/gpl.txt -*/ - -#include -#include -#include "stdint.h" -#include -#include -#include -#include -#include "show_dump.h" -#include "hal_search.h" -#include "stristr.c" -#include "hal_search.c" - - -typedef uint8_t u8; -typedef uint16_t u16; -typedef uint32_t u32; -typedef uint64_t u64; - -#pragma pack(1) -typedef struct { - u8 *title; - u8 *data; - u16 size; - u8 and; -} sign_t; -#pragma pack() - -#include "iss.h" - -#include -#include - - -#define LOADDLL hLib = LoadLibrary(fname); \ - if(!hLib) winerr(); -#define GETFUNC(x,y) x = GetProcAddress(hLib, y); \ - if(!x) winerr(); -#define CLOSEDLL FreeLibrary(hLib); -HINSTANCE hLib; - -void winerr(void); - - -#define MAX_AND_DISTANCE 3000 -#define SIGNFILE "signsrch.sig" - - -u8 *get_main_path(u8 *fname, u8 *argv0); -void free_sign(void); -u8 *fd_read(u8 *name, int *fdlen); -u8 *my_fd_read(FILE *fd, int *fdlen); -void fd_write(u_char *name, u_char *data, int datasz); -u32 search_file(u8 *filebuff, int filesize, u8 *pattbuff, int pattsize, int and); -u8 *process_list(u8 *myname, DWORD *mypid, DWORD *size); -u8 *process_read(u8 *pname, int *fdlen); -void help(u8 *arg0); -void std_err(void); - - - -int signs, - PE_entrypoint = 0; -sign_t **sign; 
-u32 rva, // this value is very simple, if the file is a process we add this number - sign_alloclen; - - - -#include "signcfg.h" -#include "signcrc.h" -#ifdef WIN32 - #include "parse_pe.h" -#endif - - -u8 *process_list(u8 *myname, DWORD *mypid, DWORD *size) { - - PROCESSENTRY32 Process; - MODULEENTRY32 Module; - HANDLE snapProcess, - snapModule; - DWORD retpid = 0; - int len; - BOOL b; - u8 tmpbuff[60], - *process_name, - *module_name, - *module_print, - *tmp; - - if(mypid) retpid = *mypid; - -#define START(X,Y) \ - snap##X = CreateToolhelp32Snapshot(Y, Process.th32ProcessID); \ - X.dwSize = sizeof(X); \ - for(b = X##32First(snap##X, &X); b; b = X##32Next(snap##X, &X)) { \ - X.dwSize = sizeof(X); -#define END(X) \ - } \ - CloseHandle(snap##X); - - Process.th32ProcessID = 0; - START(Process, TH32CS_SNAPPROCESS) - process_name = Process.szExeFile; - - if(myname && stristr(process_name, myname)) { - retpid = Process.th32ProcessID; - } - - START(Module, TH32CS_SNAPMODULE) - module_name = Module.szExePath; // szModule? - - len = strlen(module_name); - if(len >= 60) { - tmp = strrchr(module_name, '\\'); - if(!tmp) tmp = strrchr(module_name, '/'); - if(!tmp) tmp = module_name; - len -= (tmp - module_name); - sprintf(tmpbuff, - "%.*s...%s", - 54 - len, - module_name, - tmp); - module_print = tmpbuff; - } else { - module_print = module_name; - } - - if(!retpid) { - if(myname && stristr(module_name, myname)) { - retpid = Process.th32ProcessID; - } - } - if(retpid && mypid && (Process.th32ProcessID == retpid)) { - - *mypid = retpid; - if(size) *size = Module.modBaseSize; - return(Module.modBaseAddr); - } - - END(Module) - - END(Process) - -#undef START -#undef END - - return(NULL); -} - -u8 *process_read(u8 *pname, int *fdlen) { - - HANDLE process; - DWORD pid, - size; - u8 *baddr, - *buff; - - if(!pname && !pname[0]) return(NULL); - baddr = process_list(pid ? 
NULL : pname, &pid, &size); - if(!baddr) { - return NULL; - } - rva = (u32)baddr; - process = OpenProcess( - PROCESS_VM_READ, - FALSE, - pid); - if(!process) winerr(); - - buff = malloc(size); - if(!buff) std_err(); - - if(!ReadProcessMemory( - process, - (LPCVOID)baddr, - buff, - size, - &size) - ) winerr(); - - CloseHandle(process); - - *fdlen = size; - return(buff); -} - -twoP *initPid(u32 pid, char* path) { - u32 i, - argi, - filesize = 0, - listsign = 0, - dumpsign = 0; - u8 *dumpfile = NULL, - *filebuff = NULL, - *sign_file = SIGNFILE, - *filebuff_old = NULL; - - twoP *twop = malloc(sizeof(twoP)); - - setbuf(stdin, NULL); - setbuf(stdout, NULL); - setbuf(stderr, NULL); - - i = 1; - argi = i; - - rva = 0; - sign = NULL; - signs = 0; - sign_alloclen = 0; - - filebuff = process_read(pid, &filesize); - if( !filebuff ) - return NULL; - - if( !read_cfg(get_main_path(sign_file, path)) ) - return NULL; - - return initTwoP( - twop, - filebuff, - filesize, - signs, - sign, - rva - ); -} - -u8 *get_main_path(u8 *fname, u8 *argv0) { - static u8 fullname[2000]; - - snprintf(fullname, 1984, "%s/%s", argv0, fname); - return(fullname); -} - -void free_sign(void) { - int i; - - for(i = 0; i < signs; i++) { - free(sign[i]->title); - free(sign[i]->data); - free(sign[i]); - } - free(sign); -} - - -u8 *fd_read(u8 *name, int *fdlen) { - struct stat xstat; - FILE *fd; - int len, - memsize, - filesize; - u8 *buff; - - if(!strcmp(name, "-")) { - filesize = 0; - memsize = 0; - buff = NULL; - for(;;) { - if(filesize >= memsize) { - memsize += 0x7ffff; - buff = realloc(buff, memsize); - if(!buff) std_err(); - } - len = fread(buff + filesize, 1, memsize - filesize, stdin); - if(!len) break; - filesize += len; - } - buff = realloc(buff, filesize); - if(!buff) std_err(); - - } else { - fd = fopen(name, "rb"); - if(!fd) std_err(); - fstat(fileno(fd), &xstat); - filesize = xstat.st_size; - buff = malloc(filesize); - if(!buff) std_err(); - fread(buff, filesize, 1, fd); - fclose(fd); - } - - 
*fdlen = filesize; - return(buff); -} - - -#ifdef WIN32 -void winerr(void) { - u8 *message = NULL; - - FormatMessage( - FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, - NULL, - GetLastError(), - 0, - (char *)&message, - 0, - NULL); - - if(message) - { - LocalFree(message); - } - exit(1); -} -#endif - -void std_err(void) { - perror("\nError"); - exit(1); -} +/* + Copyright 2007,2008 Luigi Auriemma + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + http://www.gnu.org/licenses/gpl.txt +*/ + +#include +#include +#include +#include +#include +#include +#include +#include "show_dump.h" +#include "hal_search.h" + +typedef uint8_t u8; +typedef uint16_t u16; +typedef uint32_t u32; +typedef uint64_t u64; + +#ifdef WIN32 + #include + #include + + #define LOADDLL hLib = LoadLibrary(fname); \ + if(!hLib) winerr(); + #define GETFUNC(x,y) x = GetProcAddress(hLib, y); \ + if(!x) winerr(); + #define CLOSEDLL FreeLibrary(hLib); + HINSTANCE hLib; + + void winerr(void); +#else + #include + + #define stricmp strcasecmp + #define stristr strcasestr + + typedef uint32_t DWORD; + + #define WINAPI + #define LOADDLL char *error; \ + hLib = dlopen(fname, RTLD_LAZY); \ + if(!hLib) { \ + fprintf(stderr, "\nError: %s\n\n", dlerror()); \ + exit(1); \ + } + #define GETFUNC(x,y) x = dlsym(hLib, y); \ + error = dlerror(); \ + if(error || !x) { \ 
+ fprintf(stderr, "\nError: %s\n\n", error); \ + exit(1); \ + } + #define CLOSEDLL dlclose(hLib); + void *hLib; + void *sechdr = NULL; +#endif + + + +#define VER "0.1.4" +#define MAX_AND_DISTANCE 3000 +#define SIGNFILE "signsrch.sig" +#define SIGNFILEWEB "http://aluigi.org/mytoolz/signsrch.sig.zip" + + + +u8 *get_main_path(u8 *fname, u8 *argv0); +void free_sign(void); +u8 *fd_read(u8 *name, int *fdlen); +void fd_write(u_char *name, u_char *data, int datasz); +u32 search_file(u8 *filebuff, int filesize, u8 *pattbuff, int pattsize, int and); +u8 *process_list(u8 *myname, DWORD *mypid, DWORD *size); +u8 *process_read(u8 *pname, int *fdlen); +void help(u8 *arg0); +void std_err(void); + + + +#pragma pack(1) +typedef struct { + u8 *title; + u8 *data; + u16 size; + u8 and; +} sign_t; +#pragma pack() + + + +int signs, + PE_entrypoint = 0; +sign_t **sign; +u32 rva, // this value is very simple, if the file is a process we add this number + sign_alloclen; + + + +#include "signcfg.h" +#include "signcrc.h" +#ifdef WIN32 + #include "parse_pe.h" +#endif + + + +int main(int argc, char *argv[]) { + u32 i, + argi, + found, + offset, + filesize, + listsign = 0, + dumpsign = 0; + u8 *pid = NULL, + *dumpfile = NULL, + *filebuff = NULL, + *sign_file = SIGNFILE, + *filebuff_old = NULL; + + setbuf(stdin, NULL); + setbuf(stdout, NULL); + setbuf(stderr, NULL); + + fputs("\n" + "Signsrch "VER"\n" + "by Luigi Auriemma\n" + "e-mail: aluigi@autistici.org\n" + "web: aluigi.org\n" + " optimized search function from Andrew http://www.team5150.com/~andrew/\n" + "\n", stderr); + + if(argc < 2) { + help(argv[0]); + } + + for(i = 1; i < argc; i++) { + if(!stricmp(argv[i], "--help")) help(argv[0]); + if(((argv[i][0] != '-') && (argv[i][0] != '/')) || (strlen(argv[i]) != 2)) break; + switch(argv[i][1]) { + case '-': + case 'h': + case '?': { + help(argv[0]); + } break; + case 'l': { + listsign = 1; + } break; + case 'L': { + if(!argv[++i]) { + printf("\nError: signature number needed\n"); + exit(1); + 
} + dumpsign = atoi(argv[i]); + } break; + case 's': { + if(!argv[++i]) { + printf("\nError: signature filename needed\n"); + exit(1); + } + sign_file = argv[i]; + } break; + case 'p': { + pid = ""; + } break; + case 'P': { + if(!argv[++i]) { + printf("\nError: process name or pid needed\n"); + exit(1); + } + pid = argv[i]; + } break; + case 'd': { + if(!argv[++i]) { + printf("\nError: dump file name needed\n"); + exit(1); + } + dumpfile = argv[i]; + } break; + case 'e': { + PE_entrypoint = 1; + } break; + default: { + printf("\nError: wrong argument (%s)\n", argv[i]); + exit(1); + } break; + } + } + argi = i; + + rva = 0; + sign = NULL; + signs = 0; + sign_alloclen = 0; + + if(pid && !pid[0]) { + process_list(NULL, NULL, NULL); + goto quit; + } + +redo: + if(!listsign && !dumpsign) { + if(pid) { + filebuff = process_read(pid, &filesize); + } else { + if(i == argc) { + printf("\nError: you must specify the file to scan\n"); + exit(1); + } + filebuff = fd_read(argv[argi], &filesize); + } + printf("- %u bytes allocated\n", filesize); + } + + if(dumpfile) { + fd_write(dumpfile, filebuff, filesize); + goto quit; + } + + if(!sign) { + printf("- load signatures\n"); + read_cfg(get_main_path(sign_file, argv[0])); + printf( + "- %u bytes allocated for the signatures\n" + "- %u signatures in the database\n", + sign_alloclen, + signs); + if(!dumpsign) signcrc(); + } + + if(dumpsign) { + dumpsign--; + if((dumpsign < 0) || (dumpsign >= signs)) { + printf("\nError: wrong signature number\n"); + exit(1); + } + printf(" %s\n", sign[dumpsign]->title); + show_dump(sign[dumpsign]->data, sign[dumpsign]->size, stdout); + goto quit; + } + + if(listsign) { + printf("\n" + " num description [bits.endian.size]\n" + "-------------------------------------\n"); + for(i = 0; i < signs; i++) { + printf(" %-4u %s\n", i + 1, sign[i]->title); + } + printf("\n"); + goto quit; + } + + if(filesize > 10000000) { // more than 10 megabytes + printf( + "- WARNING:\n" + " the file loaded in memory is 
very big so the scanning could take many time\n"); + } + + if(PE_entrypoint) { +#ifdef WIN32 + filebuff_old = filebuff; + filebuff = parse_PE(filebuff, &filesize); +#else + fprintf(stderr, "\nAlert: the PE section scanning option is not available on non-Windows systems for the moment\n"); +#endif + } + + printf( + "- start signatures scanning:\n" + "\n" + " offset num description [bits.endian.size]\n" + " --------------------------------------------\n"); + + for(found = i = 0; i < signs; i++) { + offset = search_hashed(filebuff, filesize, sign[i]->data, sign[i]->size, sign[i]->and); + if(offset != -1) { + printf(" %08x %-4u %s\n", rva + offset, i + 1, sign[i]->title); + found++; + } + } + + printf("\n- %u signatures found in the file\n", found); + + if(filebuff) { + if(filebuff_old) filebuff = filebuff_old; + free(filebuff); + } + if(sechdr) free(sechdr); + if(++argi < argc) { + fputc('\n', stdout); + goto redo; + } + +quit: + if(sign) free_sign(); + return(0); +} + + + +u8 *get_main_path(u8 *fname, u8 *argv0) { + static u8 fullname[2000]; + u8 *p; + +#ifdef WIN32 + GetModuleFileName(NULL, fullname, sizeof(fullname)); +#else + sprintf(fullname, "%.*s", sizeof(fullname), argv0); +#endif + + p = strrchr(fullname, '\\'); + if(!p) p = strrchr(fullname, '/'); + if(!p) p = fullname - 1; + sprintf(p + 1, "%.*s", sizeof(fullname) - (p - fullname), fname); + return(fullname); +} + + + +void free_sign(void) { + int i; + + for(i = 0; i < signs; i++) { + free(sign[i]->title); + free(sign[i]->data); + free(sign[i]); + } + free(sign); +} + + + +u8 *fd_read(u8 *name, int *fdlen) { + struct stat xstat; + FILE *fd; + int len, + memsize, + filesize; + u8 *buff; + + if(!strcmp(name, "-")) { + printf("- open %s\n", "stdin"); + filesize = 0; + memsize = 0; + buff = NULL; + for(;;) { + if(filesize >= memsize) { + memsize += 0x7ffff; + buff = realloc(buff, memsize); + if(!buff) std_err(); + } + len = fread(buff + filesize, 1, memsize - filesize, stdin); + if(!len) break; + filesize += 
len; + } + buff = realloc(buff, filesize); + if(!buff) std_err(); + + } else { + printf("- open file \"%s\"\n", name); + fd = fopen(name, "rb"); + if(!fd) std_err(); + fstat(fileno(fd), &xstat); + filesize = xstat.st_size; + buff = malloc(filesize); + if(!buff) std_err(); + fread(buff, filesize, 1, fd); + fclose(fd); + } + + *fdlen = filesize; + return(buff); +} + + + +void fd_write(u_char *name, u_char *data, int datasz) { + FILE *fd; + + printf("- create file %s\n", name); + fd = fopen(name, "rb"); + if(fd) { + fclose(fd); + printf("- file already exists, do you want to overwrite it (y/N)?\n "); + fflush(stdin); + if(tolower(fgetc(stdin)) != 'y') exit(1); + } + fd = fopen(name, "wb"); + if(!fd) std_err(); + fwrite(data, datasz, 1, fd); + fclose(fd); +} + + + +u32 search_file(u8 *filebuff, int filesize, u8 *pattbuff, int pattsize, int and) { + u32 offset = 0, + min_offset = -1; + u8 *pattlimit, + *limit, + *patt, + *p; + + if(filesize < pattsize) return(-1); + + and >>= 3; + limit = filebuff + filesize - pattsize; + pattlimit = pattbuff + pattsize - and; + + if(and) { + p = filebuff; + for(patt = pattbuff; patt <= pattlimit; patt += and) { + for(p = filebuff; p <= limit; p++) { + if(!memcmp(p, patt, and)) { + offset = p - filebuff; + if(offset < min_offset) min_offset = offset; + if((offset - min_offset) > MAX_AND_DISTANCE) return(-1); + break; + } + } + if(p > limit) return(-1); + } + return(min_offset); + } else { + for(p = filebuff; p <= limit; p++) { + if(!memcmp(p, pattbuff, pattsize)) { + return(p - filebuff); + } + } + } + return(-1); +} + + + + // thanx to the extalia.com forum + +u8 *process_list(u8 *myname, DWORD *mypid, DWORD *size) { +#ifdef WIN32 + PROCESSENTRY32 Process; + MODULEENTRY32 Module; + HANDLE snapProcess, + snapModule; + DWORD retpid = 0; + int len; + BOOL b; + u8 tmpbuff[60], + *process_name, + *module_name, + *module_print, + *tmp; + + if(mypid) retpid = *mypid; + if(!myname && !retpid) { + printf( + " pid/addr/size process/module 
name\n" + " ---------------------------------------\n"); + } + +#define START(X,Y) \ + snap##X = CreateToolhelp32Snapshot(Y, Process.th32ProcessID); \ + X.dwSize = sizeof(X); \ + for(b = X##32First(snap##X, &X); b; b = X##32Next(snap##X, &X)) { \ + X.dwSize = sizeof(X); +#define END(X) \ + } \ + CloseHandle(snap##X); + + Process.th32ProcessID = 0; + START(Process, TH32CS_SNAPPROCESS) + process_name = Process.szExeFile; + + if(!myname && !retpid) { + printf(" %-10lu ******** %s\n", + Process.th32ProcessID, + process_name); + } + if(myname && stristr(process_name, myname)) { + retpid = Process.th32ProcessID; + } + + START(Module, TH32CS_SNAPMODULE) + module_name = Module.szExePath; // szModule? + + len = strlen(module_name); + if(len >= 60) { + tmp = strrchr(module_name, '\\'); + if(!tmp) tmp = strrchr(module_name, '/'); + if(!tmp) tmp = module_name; + len -= (tmp - module_name); + sprintf(tmpbuff, + "%.*s...%s", + 54 - len, + module_name, + tmp); + module_print = tmpbuff; + } else { + module_print = module_name; + } + + if(!myname && !retpid) { + printf(" %p %08lx %s\n", + Module.modBaseAddr, + Module.modBaseSize, + module_print); + } + if(!retpid) { + if(myname && stristr(module_name, myname)) { + retpid = Process.th32ProcessID; + } + } + if(retpid && mypid && (Process.th32ProcessID == retpid)) { + printf("- %p %08lx %s\n", + Module.modBaseAddr, + Module.modBaseSize, + module_print); + *mypid = retpid; + if(size) *size = Module.modBaseSize; + return(Module.modBaseAddr); + } + + END(Module) + + END(Process) + +#undef START +#undef END + +#else + + system("ps -eo pid,cmd"); + +#endif + + return(NULL); +} + + + +u8 *process_read(u8 *pname, int *fdlen) { + +#ifdef WIN32 + + HANDLE process; + DWORD pid, + size; + int len; + u8 *baddr, + *buff; + + if(!pname && !pname[0] && !pid) return(NULL); + + if(pname) { + len = 0; + sscanf(pname, "%lu%n", &pid, &len); + if(len != strlen(pname)) pid = 0; + } + + baddr = process_list(pid ? 
NULL : pname, &pid, &size); + if(!baddr) { + printf("\nError: process name/PID not found, use -p\n"); + exit(1); + } + rva = (u32)baddr; + + printf( + "- pid %u\n" + "- base address 0x%08x\n", + (u32)pid, rva); + + process = OpenProcess( + PROCESS_VM_READ, + FALSE, + pid); + if(!process) winerr(); + + buff = malloc(size); + if(!buff) std_err(); + + if(!ReadProcessMemory( + process, + (LPCVOID)baddr, + buff, + size, + &size) + ) winerr(); + + CloseHandle(process); + +#else + + pid_t pid; + u32 size, + memsize, + data; + u8 *buff; + + pid = atoi(pname); + rva = 0x8048000; + printf( + "- pid %u\n" + "- try using base address 0x%08x\n", + pid, rva); + + if(ptrace(PTRACE_ATTACH, pid, NULL, NULL) < 0) std_err(); + + size = 0; + memsize = 0; + buff = NULL; + + for(errno = 0; ; size += 4) { + if(!(size & 0xfffff)) fputc('.', stdout); + + data = ptrace(PTRACE_PEEKDATA, pid, (void *)rva + size, NULL); + if(errno) { + if(errno != EIO) std_err(); + break; + } + + if(size >= memsize) { + memsize += 0x7ffff; + buff = realloc(buff, memsize); + if(!buff) std_err(); + } + memcpy(buff + size, &data, 4); + } + fputc('\n', stdout); + buff = realloc(buff, size); + if(!buff) std_err(); + + if(ptrace(PTRACE_DETACH, pid, NULL, NULL) < 0) std_err(); + +#endif + + *fdlen = size; + return(buff); +} + + + +#ifdef WIN32 +void winerr(void) { + u8 *message = NULL; + + FormatMessage( + FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, + NULL, + GetLastError(), + 0, + (char *)&message, + 0, + NULL); + + if(message) { + printf("\nError: %s\n", message); + LocalFree(message); + } else { + printf("\nError: unknown Windows error\n"); + } + exit(1); +} +#endif + + + +void help(u8 *arg0) { + printf("\n" + "Usage: %s [options] [file1] ... 
[fileN]\n" + "\n" + "-l list available signatures in the database\n" + "-L NUM dumps the data of the signature NUM\n" + "-s FILE use the signature file FILE ("SIGNFILE")\n" + "-p list the running processes\n" + "-P PID use the process/module identified by its pid or part of name/path\n" + "-d FILE dump the process memory (like -P) in FILE\n" + "-e scan only the PE section to which points the entry point\n" + "\n" + "use - for stdin\n" + "updated "SIGNFILE": "SIGNFILEWEB"\n" + "\n", arg0); + exit(1); +} + + + +void std_err(void) { + perror("\nError"); + exit(1); +} +
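Review bot: Both `sprintf` calls in `get_main_path` can write past the 2000-byte static `fullname`: the `%.*s` precision is `sizeof(fullname)`, which leaves no room for the terminating NUL, and the second call starts writing at `p + 1` with precision `sizeof(fullname) - (p - fullname)`, so a long `-s` argument overruns the buffer by up to two bytes. The precision argument of `%.*s` must also be an `int`, but a `size_t` is passed, which is undefined where the two differ in width. The removed side used a bounded `snprintf` here, and I would keep that form, as in the fence below, which also avoids forming the `fullname - 1` pointer. The same unbounded pattern is in `process_list`: `54 - len` turns negative once the final path component is longer than 54 characters, a negative precision is treated as omitted, and the whole module path is then copied into `tmpbuff[60]`; `snprintf(tmpbuff, sizeof(tmpbuff), ...)` with the same format bounds it.

```c
u8 *get_main_path(u8 *fname, u8 *argv0) {
    // … unchanged: fullname/p declarations, WIN32 GetModuleFileName branch …
    size_t  used;

    snprintf(fullname, sizeof(fullname), "%s", argv0);   // non-WIN32 branch

    // … unchanged: strrchr search for '\\', then '/' …
    used = p ? (size_t)(p - fullname) + 1 : 0;           // keep the directory part, if any
    snprintf(fullname + used, sizeof(fullname) - used, "%s", fname);
    return(fullname);
}
```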