In the Heartbleed exploit, I basically get a lot of weird characters (non-printable) from the server.

Can somebody tell me, when I read a continuous memory segment, how to interpret those non-printable characters?

Cœur
asit_dhal
  • It depends on what’s in memory at the time. Could be anything. – Ry- May 03 '14 at 03:31
  • You have to know the internal details of the application's memory use. If you don't, then it's lots of educated guesswork, based on recognizing patterns of data. There's no straightforward answer. – Barmar May 03 '14 at 03:38
  • Can you suggest any tutorial or technical paper for recognizing patterns of data? – asit_dhal May 03 '14 at 04:37
  • I am voting this question as too broad. A random memory dump can contain anything, and this anything will be scrambles of other things you know nothing about. No algorithm will be able to decode that. Your best bet is to look for some kind of markers (e.g. beginning of an executable, jpeg header etc) to get a semi-educated guess what is in the memory – Eriks Klotins Jun 16 '19 at 14:15

1 Answer

I know it's an old question, but this should help to figure out what those characters are and make them visible/printable:

    using System.Text;

    public static class StringHelper
    {
        // Returns a visible escape sequence for a space or control character.
        private static string GetPrintableCharacter(char character)
        {
            switch (character)
            {
                case '\a':
                    return "\\a";
                case '\b':
                    return "\\b";
                case '\t':
                    return "\\t";
                case '\n':
                    return "\\n";
                case '\v':
                    return "\\v";
                case '\f':
                    return "\\f";
                case '\r':
                    return "\\r";
                case ' ':
                    return "\\x20";
                default:
                    // Leaked memory can hold any value (NUL, other control
                    // codes), so fall back to a hex escape instead of throwing.
                    return "\\x" + ((int)character).ToString("X2");
            }
        }

        // Returns text with spaces and control characters replaced by escapes.
        public static string GetPrintableText(string text)
        {
            if (text == null)
            {
                return "[~NULL~]";
            }
            if (text.Length == 0)
            {
                return "[~EMPTY~]";
            }
            // Each escaped character grows by at most 3 characters ("\xNN").
            int num = 0;
            for (int i = 0; i < text.Length; i++)
            {
                if (text[i] <= ' ' || char.IsControl(text[i]))
                {
                    num += 3;
                }
            }
            StringBuilder stringBuilder = new StringBuilder(text.Length + num);
            for (int j = 0; j < text.Length; j++)
            {
                char chr = text[j];
                // IsControl also catches DEL (0x7F) and the C1 range (0x80-0x9F).
                if (chr > ' ' && !char.IsControl(chr))
                {
                    stringBuilder.Append(chr);
                }
                else
                {
                    stringBuilder.Append(GetPrintableCharacter(chr));
                }
            }
            return stringBuilder.ToString();
        }
    }
Transformer
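
The comments above suggest looking for markers such as an executable or JPEG header. As an added example (not part of the original question or answer), this Python sketch shows a usual first look at an unknown byte buffer: a hex dump, printable-string extraction, and a scan for a few well-known signatures. The function names, the marker table and the sample buffer are constructed for illustration.

```python
import re

# A few well-known signatures (magic bytes) worth flagging in a dump.
MARKERS = {
    b"\x7fELF": "ELF executable",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"-----BEGIN ": "PEM block",
    b"HTTP/1.": "HTTP message",
}

def hexdump(buf, width=16):
    """Return offset / hex / ASCII rows; non-printable bytes are shown as '.'."""
    rows = []
    for off in range(0, len(buf), width):
        chunk = buf[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    return rows

def printable_runs(buf, min_len=4):
    """Like strings(1): (offset, text) for each run of printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(buf)]

def find_markers(buf):
    """Return sorted (offset, description) for every known signature in buf."""
    hits = []
    for magic, name in MARKERS.items():
        pos = buf.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = buf.find(magic, pos + 1)
    return sorted(hits)

# Constructed sample: binary junk, an HTTP fragment, padding, a JPEG header.
SAMPLE = (b"\x00\x01\x02\x18\x03"
          + b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
          + b"\x00" * 7 + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x90\x91")

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    for off, s in printable_runs(SAMPLE):
        print(f"string @ {off:#06x}: {s}")
    for off, name in find_markers(SAMPLE):
        print(f"marker @ {off:#06x}: {name}")
```

Bytes that match no printable run and no signature stay opaque without knowledge of the application's memory layout, which is the point the comments make.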