Analysis of Complex Data Structures
by
Analysis of Complex Data Structures
This lecture builds off of the prior lecture by discussing how many common dynamic data structures are laid out in memory, and demonstrates navigating and analyzing these structures using GDB.
This demonstrates malloc/new heap analysis, which is both useful for analyzing malware at run-time, as well as analyzing vulnerabilities for exploit.
Code from class: struct-test2.cpp
Slides: lecture-w08-2.pdf (PDF)
Video: CS7038: Wk08.2 - Analysis of C Data Types
Code Example From Class
#include <iostream>
#include <strings.h>
using namespace std;
struct test_struct_def {
unsigned int ip_address; // An IP address, 32-bits
char modifier; // A character, 'b' means block, and 'a' means accept
unsigned short port; // A network TCP port
};
/* This is a linked list structure. */
struct test_list {
struct test_struct_def element;
struct test_list *next;
};
/* This is a linked list structure. */
struct test_tree {
struct test_struct_def element;
struct test_tree *right, *left;
};
/* This is a hash table structure. */
struct test_ht {
struct test_list *buckets[16];
};
#define MAKE_IP(a,b,c,d) (((a & 0xff) << 24) + ((b & 0xff) << 16) + ((c & 0xff) << 8) + (d & 0xff))
struct test_list*
add_to_list(unsigned int ip, char m, unsigned short p,
struct test_list *test_list_head) {
struct test_list *new_obj = new struct test_list;
new_obj->element.ip_address = ip;
new_obj->element.port = p;
new_obj->element.modifier = m;
if(test_list_head == nullptr) {
return new_obj;
}
struct test_list *ptr = test_list_head;
for(; ptr->next != nullptr; ptr = ptr->next) {
// Advance through the list.
}
ptr->next = new_obj;
return test_list_head;
}
int
hash_function(unsigned int val) {
return (val & 0xf);
}
void
add_to_ht(unsigned int ip, char m, unsigned short p,
struct test_ht *h) {
struct test_list *new_obj = new struct test_list;
new_obj->element.ip_address = ip;
new_obj->element.port = p;
new_obj->element.modifier = m;
int hval = hash_function(ip);
h->buckets[hval] = add_to_list(ip, m, p, h->buckets[hval]);
}
struct test_tree*
add_to_tree(unsigned int ip, char m, unsigned short p,
struct test_tree *test_list_tree) {
struct test_tree *new_obj = new struct test_tree;
new_obj->element.ip_address = ip;
new_obj->element.port = p;
new_obj->element.modifier = m;
if(test_list_tree == nullptr) {
return new_obj;
}
if(test_list_tree->element.ip_address >= ip) {
if(test_list_tree->right == nullptr) {
test_list_tree->right = new_obj;
} else {
add_to_tree(ip, m, p, test_list_tree->right);
}
} else {
if(test_list_tree->left == nullptr) {
test_list_tree->left = new_obj;
} else {
add_to_tree(ip, m, p, test_list_tree->left);
}
}
return test_list_tree;
}
int main(int argc, char **argv) {
struct test_list *l = nullptr;
struct test_ht ht;
struct test_tree *tree = nullptr;
bzero(ht.buckets, sizeof(ht.buckets));
/* Generate some example data, in linked list. */
l = add_to_list(MAKE_IP(172,20,22,1), 'a', 3333, l);
l = add_to_list(MAKE_IP(192,168,4,1), 'b', 444, l);
l = add_to_list(MAKE_IP(10,2,7,32), 'b', 1777, l);
l = add_to_list(MAKE_IP(184,138,202,46), 'b', 22, l);
l = add_to_list(MAKE_IP(127,0,0,1), 'a', 0, l);
/* Generate some example data, in hash table. */
add_to_ht(MAKE_IP(172,20,22,1), 'a', 3333, &ht);
add_to_ht(MAKE_IP(192,168,4,1), 'b', 444, &ht);
add_to_ht(MAKE_IP(10,2,7,32), 'b', 1777, &ht);
add_to_ht(MAKE_IP(184,138,202,46), 'b', 22, &ht);
add_to_ht(MAKE_IP(127,0,0,1), 'a', 0, &ht);
/* Generate some example data, in tree. */
tree = add_to_tree(MAKE_IP(172,20,22,1), 'a', 3333, tree);
tree = add_to_tree(MAKE_IP(192,168,4,1), 'b', 444, tree);
tree = add_to_tree(MAKE_IP(10,2,7,32), 'b', 1777, tree);
tree = add_to_tree(MAKE_IP(184,138,202,46), 'b', 22, tree);
tree = add_to_tree(MAKE_IP(127,0,0,1), 'a', 0, tree);
cout << "Done" << endl;
return 0;
};