
C++ Signature Scanner in Console

I would like to start out by saying I am very new to C++. I am trying to build a simple console application to modify a paint tool's functionality by just changing a single array of bytes.

I have found the array of bytes which I need to change, and have tried to follow this tutorial, but it ended up being for DLL injection, which is not what I want to do: http://guidedhacking.com/showthread.php?3981

If anyone could help me out in any way as to how I could go about doing a signature scan in a console application, that would be greatly appreciated.

Since that tutorial was made I've made an external pattern scanning video tutorial as well. It's not perfect, I'm sad to say. But to get you started, here is the code I am currently using that hasn't failed me yet:

An internal pattern scanning function:

#include <Windows.h>
#include <cstdint>
#include <cstring>
#include <vector>

// Scan 'size' bytes starting at 'begin' for 'pattern'. The mask uses 'x' for a byte that
// must match and '?' for a wildcard; its strlen() is the pattern length, so the pattern
// itself may contain 0x00 bytes. Returns the first match or nullptr.
char* ScanIn(const char* pattern, const char* mask, char* begin, size_t size)
{
    size_t patternLength = strlen(mask);
    if (patternLength == 0 || size < patternLength)
    {
        return nullptr;
    }

    // i + patternLength <= size avoids the unsigned underflow of size - patternLength
    // and also tests the last possible position, which the original loop skipped
    for (size_t i = 0; i + patternLength <= size; i++)
    {
        bool found = true;
        for (size_t j = 0; j < patternLength; j++)
        {
            if (mask[j] != '?' && pattern[j] != *(begin + i + j))
            {
                found = false;
                break;
            }
        }
        if (found)
        {
            return (begin + i);
        }
    }
    return nullptr;
}

A wrapper for external pattern scanning:

// hProc is the process HANDLE itself, not a pointer to it: the original signature took
// HANDLE* and handed the address of the handle variable to the Win32 calls instead of
// the handle (it compiles, because any pointer converts to void*, but it is wrong)
char* ScanEx(const char* pattern, const char* mask, char* begin, char* end, HANDLE hProc)
{
    char* currentChunk = begin;
    char* match = nullptr;
    SIZE_T bytesRead = 0;

    while (currentChunk < end)
    {
        MEMORY_BASIC_INFORMATION mbi;

        // return nullptr if VirtualQueryEx fails
        if (!VirtualQueryEx(hProc, currentChunk, &mbi, sizeof(mbi)))
        {
            return nullptr;
        }

        // mbi.BaseAddress is the page-aligned start of the region and may lie below
        // currentChunk, so the buffer read, the match address and the step to the next
        // region are all computed relative to it, not to currentChunk
        char* regionBase = static_cast<char*>(mbi.BaseAddress);

        if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS)
        {
            std::vector<char> buffer(mbi.RegionSize);   // freed automatically on every path

            // temporarily make the region readable; the original protection is restored
            // immediately after the read
            DWORD oldprotect;
            if (VirtualProtectEx(hProc, mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &oldprotect))
            {
                BOOL ok = ReadProcessMemory(hProc, mbi.BaseAddress, buffer.data(), mbi.RegionSize, &bytesRead);
                VirtualProtectEx(hProc, mbi.BaseAddress, mbi.RegionSize, oldprotect, &oldprotect);

                // only scan what was actually read; a failed read leaves garbage in the buffer
                if (ok)
                {
                    char* internalAddress = ScanIn(pattern, mask, buffer.data(), bytesRead);

                    if (internalAddress != nullptr)
                    {
                        // calculate from internal to external
                        uintptr_t offsetFromBuffer = internalAddress - buffer.data();
                        match = regionBase + offsetFromBuffer;
                        break;
                    }
                }
            }
        }

        currentChunk = regionBase + mbi.RegionSize;
    }
    return match;
}

Then you would call it like:

ScanEx("\x29\x7b\x00\x8b\xc7", "xx?xx", moduleBase, moduleEnd, hProc);

The idea I came up with is to use ReadProcessMemory to copy one region of memory at a time out of the target process into the local process, and then run our ScanIn() internal scanning function on that buffer. As you move through the target memory, you check whether the memory pages have the correct protection and state, which confirms it's a valid memory region.

The single biggest caveat here is: if your pattern bridges across two regions, this function won't find it. But I haven't had any issue using it in the past 3 years.

I would read up on ReadProcessMemory; it is a nice way of reading data externally without the need for DLL injection.

Not an answer to the signature scanning problem. I would read the memory of the target process in chunks, let's say 1024 bytes, and would run a pattern matching function on the chunks.

But this field is really not for a C++ beginner, unless you have worked with it before in other languages.
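An added example of my own (not code from either answer) that combines the fixed-size-chunk approach suggested just above with a fix for the caveat raised in the first answer: consecutive chunks overlap by one byte less than the pattern length, so a pattern that straddles a chunk boundary still lands whole in one buffer. The byte array, the base address 0x400000 and the read callback are constructed stand-ins for a target process and ReadProcessMemory, so the example runs offline.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Masked compare over one buffer ('x' = byte must match, '?' = wildcard); returns the
// offset of the first match or SIZE_MAX. i + len <= size so the last position is tried too.
size_t ScanBuffer(const uint8_t* buf, size_t size, const char* pattern, const char* mask) {
    size_t len = std::strlen(mask);
    if (len == 0 || size < len) return SIZE_MAX;
    for (size_t i = 0; i + len <= size; i++) {
        size_t j = 0;
        while (j < len && (mask[j] == '?' || static_cast<uint8_t>(pattern[j]) == buf[i + j])) j++;
        if (j == len) return i;
    }
    return SIZE_MAX;
}

// Scan [begin, end) in fixed chunks through 'read', a stand-in for ReadProcessMemory:
// read(addr, out, size) copies up to size bytes and returns how many it got (0 on failure).
// Each chunk starts len-1 bytes before the previous one ended, so a pattern that straddles
// a chunk boundary is still seen in one buffer. Returns the match address, or 0 if none.
template <typename ReadFn>
uintptr_t ScanChunked(ReadFn read, uintptr_t begin, uintptr_t end,
                      const char* pattern, const char* mask, size_t chunkSize) {
    size_t len = std::strlen(mask);
    if (len == 0 || chunkSize < len) return 0;
    std::vector<uint8_t> buf(chunkSize);
    for (uintptr_t cur = begin; cur + len <= end;) {
        size_t want = (end - cur < chunkSize) ? static_cast<size_t>(end - cur) : chunkSize;
        size_t got = read(cur, buf.data(), want);
        size_t off = ScanBuffer(buf.data(), got, pattern, mask);
        if (off != SIZE_MAX) return cur + off;
        if (got < want) break;                  // failed or partial read: stop, do not spin
        cur += got - (len - 1);                 // overlap of len-1 bytes covers the boundary
    }
    return 0;
}

// Constructed sample "target memory" (not a real process): the answer's 5-byte pattern sits
// at offset 14, straddling the boundary between 16-byte chunks 0 and 1.
static const uint8_t kSample[32] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x29,0x7b,
    0x42,0x8b,0xc7,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90 };
static const uintptr_t kSampleBase = 0x400000;  // assumed load address for the demo

// Returns kSampleBase + 14 although no single 16-byte chunk contains the whole pattern.
uintptr_t Demo() {
    auto read = [](uintptr_t addr, uint8_t* out, size_t size) -> size_t {
        if (addr < kSampleBase || addr + size > kSampleBase + sizeof(kSample)) return 0;
        std::memcpy(out, kSample + (addr - kSampleBase), size); return size;
    };
    return ScanChunked(read, kSampleBase, kSampleBase + sizeof(kSample),
                       "\x29\x7b\x00\x8b\xc7", "xx?xx", 16);
}
```

Scanning the first 16 bytes alone with ScanBuffer misses the pattern, which is exactly the case the overlap is there to handle.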

粤ICP备18138465号  © 2020-2024 STACKOOM.COM