home *** CD-ROM | disk | FTP | other *** search
/* BoyerMoore.c — Functions for fast, variable- randomized virus infection detection. Copyright © 1992 by William H. Hsu. Think C version. Notes: • As explained in the dynamic algorithm code, these routines are tolerant toward a wide variety of variations, including padded and mutating viral code /* byrmoore.c: main searching file */ #include "bmdec.h" void boyer_moore() { FILE *my_file; char n[MAXSIZE], *sub_string, **pattern_array; int text_length, i, j, sum, match_count, size, divisor, total_match, index, index2, vdat_count, refNum, files_to_scan = 5, total_virus_length; int *pattern_length_array, *pattern_index_array; /* virus segment lengths and delimiters */ long file_size, total_file_size; register Handle rsrc, rsrc2; /* Note: the code which scans files in the same way that Disinfectant does is far too long to include in this article. The array used below is for the purpose of example only. John Norstad has made the enumeration part of his program publicly available (by FTP at acns.nwu.edu) */ Str255 ResFileArray[5] = {"\pOne*", "\pTwo*", "\pThree", "\pFour", "\pFive"}; Str255 DescriptionArray[5] = {"File 1\t", "File 2\t", "File 3\t", "File 4\t", "File 5\t"}; ResType typeName; short resCount, typeCount, resCount2; srand((unsigned)time(NULL)); ToolBoxInit(); open_file (&my_file, WRITE_MODE); csettabs (TABS, stdout); #ifdef _REPORT printf("File description\t\t\tScore\tFile size\tAlgorithm's Decision\n"); printf("================\t\t\t=====\t=========\t====================\n\n"); fprintf(my_file, "File description\t\t\tScore\tFile size\tAlgorithm's Decision\n"); fprintf(my_file, "================\t\t\t=====\t=========\t====================\n\n"); #endif sub_string = (char *)calloc(SIZE, sizeof(char)); CurResFile(); resCount = Count1Resources ('VDAT'); vdat_count = resCount; pattern_length_array = (int *)calloc(resCount, sizeof(int)); pattern_index_array = (int *)calloc(resCount, sizeof(int)); pattern_array = (char **)calloc(resCount, sizeof(char *)); while (resCount) /* loop resCount down to 1 */ { /* get handle, but don't load it */ rsrc = Get1IndResource ('VDAT', resCount); index = SizeResource (rsrc); HLock (rsrc); pattern_array[resCount-1] = (char *) calloc(index, sizeof(char)); pattern_length_array[resCount-1] = copy_array (*rsrc, pattern_array[resCount-1], &index); pattern_index_array[resCount-1] = ((resCount < vdat_count) ? (pattern_length_array[resCount- 1] + pattern_index_array[resCount]) : pattern_length_array[resCount-1]); HUnlock (rsrc); --resCount; } total_virus_length = pattern_index_array[0]; SetResLoad (true); for (i = 0; i < files_to_scan; i++) { refNum = OpenResFile (ResFileArray[i]); match_count = 0; divisor = 0; for (j = 0; j < ITERATIONS; j++) { total_file_size = 0; sum = 0; while (!random_string(pattern_array, sub_string, pattern_index_array, total_virus_length, SIZE, vdat_count)); typeCount = Count1Types (); while (typeCount) { Get1IndType (&typeName, typeCount); resCount2 = Count1Resources (typeName); while (resCount2) { rsrc2 = Get1IndResource (typeName, resCount2); index2 = SizeResource (rsrc2); file_size = 0; HLock (rsrc2); while (text_length = copy_array (*rsrc2, n, &index2)) { compare(sub_string, n, SIZE, text_length, &sum); file_size += text_length; } HUnlock (rsrc2); total_file_size += file_size; --resCount2; } --typeCount; } divisor++; if (sum) match_count++; } # ifdef _REPORT printf("%s\t\t", DescriptionArray[i]); fprintf(my_file, "%s\t\t", DescriptionArray[i]); printf("%d\t\t%ld\t", match_count, total_file_size); fprintf(my_file, "%d\t\t%ld\t", match_count, total_file_size); # endif if (match_count >= (divisor/LIMIT)) { # ifdef _REPORT printf("\t%s\n", INFECTED_STRING); fprintf(my_file, "\t%s\n", INFECTED_STRING); # endif } else { # ifdef _REPORT printf("\t%s\n", CLEAN_STRING); fprintf(my_file, "\t%s\n", CLEAN_STRING); # endif } CloseResFile(refNum); } printf("\nScore represents matches out of %d, with %d needed to diagnose infection.\n", divisor, divisor/LIMIT); fprintf(my_file, "\nScore represents matches out of %d, with %d needed to diagnose infection.\n", divisor, divisor/LIMIT); free(sub_string); fclose(my_file); } char random_string(string_array, sub_string, index_array, length, substring_length, vdat_count) char **string_array, sub_string[]; int index_array[], length, substring_length, vdat_count; { int location, segment, i, zero_count = 0; Boolean legal = false, In_The_Right_Segment = false; /* length and segments okay? */ segment = vdat_count-1; while (!legal) { location = (int)((rand()/(double)MAXINT)* (length - substring_length)); In_The_Right_Segment = false; while (!In_The_Right_Segment) { if (location <= index_array[segment]) { In_The_Right_Segment = true; if (location <= (index_array[segment] - substring_length + 1)) legal = true; else legal = false; } else segment--; } } if (segment < vdat_count-1) location -= index_array[segment+1]; for (i = location; i < location + substring_length; i++) { sub_string[i-location] = (string_array[segment])[i]; if (!string_array[segment][i]) zero_count++; } if (zero_count < substring_length/2) return(TRUE); else return(FALSE); } /* compare: the heart of the Boyer-Moore heurstic, similar to Knuth-Morris-Pratt's matching engine */ void compare(p, t, pattern_length, text_length, sum) char *p, *t; int pattern_length, text_length, *sum; { ALPHABET_ARRAY char_jump; int *match_jumps, print; allocate_array(&match_jumps, pattern_length); compute_jumps(p, char_jump, pattern_length-1); compute_match_jumps(p, &match_jumps, pattern_length); if (bm_match(p, t, char_jump, match_jumps, pattern_length, text_length)) (*sum)++; free(match_jumps); } void allocate_array(array, size) INDEX_ARRAY array; int size; { *array = (int *)calloc(size, sizeof(int)); } /* the bad-character failure function NOTE: if the ASCII alphabet, which has size 256, is used, this function is not worth computing for resource text strings of length ≤ 256 */ void compute_jumps(p, char_jump, length) char *p; ALPHABET_ARRAY char_jump; int length; { int c, k; for (c = 0; c < CHARS; c++) char_jump[c] = length; for (k = 0; k < length; k++) char_jump[POSITIVE(p[k])] = length-k-1; } /* implementation of pseudocode from [Baase 88] — uses the good-suffix failure function */ void compute_match_jumps(p, match_jump, pattern_length) char *p; INDEX_ARRAY match_jump; int pattern_length; { int m, k, q, qq; int *back; allocate_array(&back, pattern_length+1); m = pattern_length; for (k = 0; k < m; k++) (*match_jump)[k] = 2*m-k-1; q = m; for (k = m-1; k >= 0; k--) { back[k] = q; while ((q < m) && (p[k] != p[q])) { (*match_jump)[q] = MIN2((*match_jump)[q], m- k-1); q = back[q]; } q--; } for (k = 0; k < q; k++) (*match_jump)[k] = MIN2((*match_jump)[k], m+q- k-1); qq = back[q]; while (q < m) { while (q < qq) { (*match_jump)[q] = MIN2((*match_jump)[q], qq- q+m-1); q++; } qq = back[qq]; } free(back); } int bm_match(p, t, char_jump, match_jump, pattern_length, text_length) char *p, *t; ALPHABET_ARRAY char_jump; int *match_jump, pattern_length, text_length; { int j, k; /* j indexes text characters; k indexes the pattern */ j = pattern_length - 1; k = j; while (j < text_length) { if (k == -1) return(TRUE); if (t[j] == p[k]) { j--; k--; } else { j += MAX2(char_jump[POSITIVE(t[j])], match_jump[k]); k = pattern_length - 1; } } return(FALSE); } 
