Ejemplo n.º 1
0
        public void GetMemoryInfo(IntPtr pHandle)
        {
            memoryInfo.Clear();
            IntPtr current = (IntPtr)65536;

            while (true)
            {
                MemInfo memInfo = default(MemInfo);
                int     dump    = WinAPI.VirtualQueryEx(pHandle, current, out memInfo, Marshal.SizeOf(memInfo));
                if (dump == 0)
                {
                    break;
                }

                long regionSize = (long)memInfo.RegionSize;
                if (regionSize <= 0 || (int)regionSize != regionSize)
                {
                    if (MemoryReader.is64Bit)
                    {
                        current = (IntPtr)((ulong)memInfo.BaseAddress + (ulong)memInfo.RegionSize);
                        continue;
                    }
                    break;
                }

                if (MemoryFilter(memInfo))
                {
                    memoryInfo.Add(memInfo);
                }

                current = memInfo.BaseAddress + (int)regionSize;
            }
        }
Ejemplo n.º 2
0
        public List <IntPtr> FindSignatures(Process process, string signature)
        {
            GetSignature(signature, out byte[] pattern, out bool[] mask);
            GetMemoryInfo(process.Handle);
            int[] offsets = GetCharacterOffsets(pattern, mask);

            List <IntPtr> pointers = new List <IntPtr>();

            for (int i = 0; i < memoryInfo.Count; i++)
            {
                MemInfo info  = memoryInfo[i];
                int     index = 0;
                do
                {
                    int previousIndex = index;
                    index             = ReadMemory(process, i, index, out int bytesRead);
                    info.BaseAddress += previousIndex;
                    ScanMemory(pointers, info, buffer, bytesRead, pattern, mask, offsets);
                    info.BaseAddress -= previousIndex;

                    if (index > 0)
                    {
                        index -= pattern.Length - 1;
                    }
                } while (index > 0);
            }
            return(pointers);
        }
Ejemplo n.º 3
0
        public IntPtr FindSignature(Process process, string signature)
        {
            GetSignature(signature, out byte[] pattern, out bool[] mask);
            GetMemoryInfo(process.Handle);
            int[] offsets = GetCharacterOffsets(pattern, mask);

            for (int i = 0; i < memoryInfo.Count; i++)
            {
                MemInfo info  = memoryInfo[i];
                int     index = 0;
                do
                {
                    int previousIndex = index;
                    index = ReadMemory(process, i, index, out int bytesRead);

                    int result = ScanMemory(buffer, bytesRead, pattern, mask, offsets);
                    if (result != int.MinValue)
                    {
                        return(info.BaseAddress + result + previousIndex);
                    }

                    if (index > 0)
                    {
                        index -= pattern.Length - 1;
                    }
                } while (index > 0);
            }

            return(IntPtr.Zero);
        }
Ejemplo n.º 4
0
        public int ReadMemory(Process process, int index, int startIndex, out int bytesRead)
        {
            MemInfo info         = memoryInfo[index];
            int     returnIndex  = -1;
            int     amountToRead = (int)((uint)info.RegionSize - (uint)startIndex);

            if (amountToRead > BUFFER_SIZE)
            {
                returnIndex  = startIndex + BUFFER_SIZE;
                amountToRead = BUFFER_SIZE;
            }
            WinAPI.ReadProcessMemory(process.Handle, info.BaseAddress + startIndex, buffer, amountToRead, out bytesRead);
            return(returnIndex);
        }
Ejemplo n.º 5
0
        public bool VerifySignature(Process process, IntPtr pointer, string signature)
        {
            GetSignature(signature, out byte[] pattern, out bool[] mask);
            int[] offsets = GetCharacterOffsets(pattern, mask);

            MemInfo memInfoStart = default(MemInfo);

            if (WinAPI.VirtualQueryEx(process.Handle, pointer, out memInfoStart, Marshal.SizeOf(memInfoStart)) == 0 ||
                WinAPI.VirtualQueryEx(process.Handle, pointer + pattern.Length, out MemInfo memInfoEnd, Marshal.SizeOf(memInfoStart)) == 0 ||
                memInfoStart.BaseAddress != memInfoEnd.BaseAddress || !MemoryFilter(memInfoStart))
            {
                return(false);
            }

            byte[] buff = new byte[pattern.Length];
            WinAPI.ReadProcessMemory(process.Handle, pointer, buff, buff.Length, out _);
            return(ScanMemory(buff, buff.Length, pattern, mask, offsets) == 0);
        }
Ejemplo n.º 6
0
        private void ScanMemory(List <IntPtr> pointers, MemInfo info, byte[] data, int dataLength, byte[] search, bool[] mask, int[] offsets)
        {
            int current = 0;
            int end     = search.Length - 1;

            while (current <= dataLength - search.Length)
            {
                for (int i = end; data[current + i] == search[i] || mask[i]; i--)
                {
                    if (i == 0)
                    {
                        pointers.Add(info.BaseAddress + current);
                        break;
                    }
                }
                int offset = offsets[data[current + end]];
                current += offset;
            }
        }
Ejemplo n.º 7
0
 public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MemInfo lpBuffer, int dwLength);