public long PatternScan(IMemoryPattern pattern, long startAddress, int scanBufferSize, long scanSize, int ms)
{
Stopwatch stopwatch = new Stopwatch();
stopwatch.Start();
long address = -1;
do
{
// long startAddress = (long)process.MainModule.EntryPointAddress;
long endAddress = startAddress + scanSize;
long currentAddress = startAddress;
byte[] buffer = new byte[scanBufferSize];
while (currentAddress < endAddress && stopwatch.ElapsedMilliseconds < ms)
{
ReadMemory(currentAddress, buffer, scanBufferSize);
long index = pattern.FindMatch(buffer, buffer.Length);
if (index != -1)
{
// return currentAddress + index;
address = currentAddress + index;
break;
}
currentAddress += scanBufferSize;
}
} while (address == -1 && stopwatch.ElapsedMilliseconds < ms);
stopwatch.Stop();
return(address);
}
private PatternScanResult FindDataPattern(IMemoryPattern pattern)
{
var patternData = Data;
var patternBytes = pattern.GetBytes();
var patternMask = pattern.GetMask();
var result = new PatternScanResult();
for (var offset = 0; offset < patternData.Length; offset++)
{
if (patternMask.Where((m, b) => m == 'x' && patternBytes[b] != patternData[b + offset]).Any())
{
continue;
}
// If this area is reached, the pattern has been found.
result.Found = true;
result.ReadAddress = _module.Read <IntPtr>(offset + pattern.Offset);
result.BaseAddress = new IntPtr(result.ReadAddress.ToInt64() - _module.BaseAddress.ToInt64());
result.Offset = offset;
return(result);
}
// If this is reached, the pattern was not found.
result.Found = false;
result.Offset = 0;
result.ReadAddress = IntPtr.Zero;
result.BaseAddress = IntPtr.Zero;
return(result);
}
private PatternScanResult FindFunctionPattern(IMemoryPattern pattern)
{
var patternData = Data;
var patternDataLength = patternData.Length;
for (var offset = 0; offset < patternDataLength; offset++)
{
if (
pattern.GetMask()
.Where((m, b) => m == 'x' && pattern.GetBytes()[b] != patternData[b + offset])
.Any())
{
continue;
}
return(new PatternScanResult
{
BaseAddress = _module.BaseAddress + offset,
ReadAddress = _module.BaseAddress + offset,
Offset = offset,
Found = true
});
}
return(new PatternScanResult
{
BaseAddress = IntPtr.Zero,
ReadAddress = IntPtr.Zero,
Offset = 0,
Found = false
});
}
public Procedure(
string name,
CallingConventions callingConvention,
IMemoryPattern pattern)
{
CallingConvention = callingConvention;
Pattern = pattern;
Name = name;
Invoke = GenerateDelegate();
}
private int GetOffset(IMemoryPattern pattern)
{
switch (pattern.Algorithm)
{
case PatternScannerAlgorithm.BoyerMooreHorspool:
return(Utilities.BoyerMooreHorspool.IndexOf(Data, pattern.GetBytes().ToArray()));
case PatternScannerAlgorithm.Naive:
return(Utilities.Naive.GetIndexOf(pattern, Data, _module));
}
throw new NotImplementedException("GetOffset encountered an unknown PatternScannerAlgorithm: " + pattern.Algorithm + ".");
}
public PatternScanResult Find(IMemoryPattern pattern)
{
switch (pattern.PatternType)
{
case MemoryPatternType.Function:
return(FindFunctionPattern(pattern));
case MemoryPatternType.Data:
return(FindDataPattern(pattern));
}
throw new NotImplementedException("PatternScanner encountered an unknown MemoryPatternType: " + pattern.PatternType + ".");
}
public NativeAction GetNativeAction(IMemoryPattern pattern)
{
var scanRes = Scanner.Find(pattern);
if (scanRes.Found == false)
{
return(null);
}
return(t => new Action(() => Execute(scanRes.BaseAddress,
t)).ExceptionToDefault());
}
public NativeFunc <TRet> GetNativeFunc <TRet>(IMemoryPattern pattern)
{
var scanRes = Scanner.Find(pattern);
if (scanRes.Found == false)
{
return(null);
}
return((t) => new Func <TRet>(() => Execute <TRet>(scanRes.BaseAddress,
t)).ExceptionToDefault());
}
private PatternScanResult FindFunctionPattern(IMemoryPattern pattern)
{
var offset = GetOffset(pattern);
if (offset != -1)
{
return(new PatternScanResult
{
BaseAddress = _module.BaseAddress + offset + _offsetFromBaseAddress,
ReadAddress = _module.BaseAddress + offset + _offsetFromBaseAddress,
Offset = offset + _offsetFromBaseAddress,
Found = true
});
}
return(EmptyPatternScanResult);
}
public PatternScanResult Find(IMemoryPattern pattern, int hintAddr = 0)
{
switch (pattern.PatternType)
{
case MemoryPatternType.Function:
return(FindFunctionPattern(pattern, hintAddr));
case MemoryPatternType.Data:
return(FindDataPattern(pattern, hintAddr));
case MemoryPatternType.Call:
return(FindCallPattern(pattern, hintAddr));
default:
throw new InvalidOperationException($"Invalid MemoryPatternType {pattern.PatternType}");
}
}
private PatternScanResult FindDataPattern(IMemoryPattern pattern)
{
var result = new PatternScanResult();
var offset = GetOffset(pattern);
if (offset != -1)
{
// If this area is reached, the pattern has been found.
result.Found = true;
result.ReadAddress = _module.Read <IntPtr>(offset + pattern.Offset);
result.BaseAddress = new IntPtr(result.ReadAddress.ToInt64() - _module.BaseAddress.ToInt64());
result.Offset = offset;
return(result);
}
// If this is reached, the pattern was not found.
return(EmptyPatternScanResult);
}
private PatternScanResult FindFunctionPattern(IMemoryPattern pattern, int hintAddr = 0)
{
var patternData = Data;
var patternDataLength = patternData.Length;
var patternBytes = pattern.GetBytes();
if (hintAddr > 0)
{
if (hintAddr + patternBytes.Count > patternDataLength ||
pattern.GetMask()
// ReSharper disable once AccessToModifiedClosure
.AnyEx((m, b) => m == 'x' && patternBytes[b] != patternData[b + hintAddr]))
{
hintAddr = 0;
}
}
for (var offset = hintAddr; offset < patternDataLength; offset++)
{
if (pattern.GetMask()
// ReSharper disable once AccessToModifiedClosure
.AnyEx((m, b) => m == 'x' && patternBytes[b] != patternData[b + offset]))
{
continue;
}
return(new PatternScanResult
{
BaseAddress = _module.BaseAddress + offset,
ReadAddress = _module.BaseAddress + offset,
Offset = offset,
Found = true
});
}
return(new PatternScanResult
{
BaseAddress = IntPtr.Zero,
ReadAddress = IntPtr.Zero,
Offset = 0,
Found = false
});
}
private PatternScanResult FindCallPattern(IMemoryPattern pattern, int hintAddr = 0)
{
var patternData = Data;
var patternBytes = pattern.GetBytes();
var patternMask = pattern.GetMask();
if (hintAddr > 0)
{
if (hintAddr + patternBytes.Count > patternData.Length ||
patternMask.AnyEx((m,
// ReSharper disable once AccessToModifiedClosure
b) => m == 'x' && patternBytes[b] != patternData[b + hintAddr]))
{
hintAddr = 0;
}
}
var result = new PatternScanResult();
for (var offset = hintAddr; offset < patternData.Length; offset++)
{
if (patternMask.AnyEx((m,
// ReSharper disable once AccessToModifiedClosure
b) => m == 'x' && patternBytes[b] != patternData[b + offset]))
{
continue;
}
// If this area is reached, the pattern has been found.
result.Found = true;
result.ReadAddress = _module.Read <IntPtr>(offset + pattern.Offset);
result.BaseAddress = new IntPtr(result.ReadAddress.ToInt64() + pattern.Offset + MarshalType <IntPtr> .Size + offset + _module.BaseAddress.ToInt64());
result.Offset = offset;
return(result);
}
// If this is reached, the pattern was not found.
result.Found = false;
result.Offset = 0;
result.ReadAddress = IntPtr.Zero;
result.BaseAddress = IntPtr.Zero;
return(result);
}
public static int GetIndexOf(IMemoryPattern pattern, byte[] Data, IProcessModule module)
{
var patternData = Data;
var patternDataLength = patternData.Length;
for (var offset = 0; offset < patternDataLength; offset++)
{
if (
pattern.GetMask()
.Where((m, b) => m == 'x' && pattern.GetBytes()[b] != patternData[b + offset])
.Any())
{
continue;
}
return(offset);
}
return(-1);
}
public long PatternScan(IMemoryPattern pattern, int scanBufferSize, long scanSize)
{
long startAddress = (long)process.MainModule.EntryPointAddress;
long endAddress = startAddress + scanSize;
long currentAddress = startAddress;
byte[] buffer = new byte[scanBufferSize];
while (currentAddress < endAddress)
{
ReadMemory(currentAddress, buffer, scanBufferSize);
long index = pattern.FindMatch(buffer, buffer.Length);
if (index != -1)
{
return(currentAddress + index);
}
currentAddress += scanBufferSize;
}
return(-1);
}
internal static PatternScanResult Find(string moduleName, IMemoryPattern pattern, ProcessSharp prcss)
{
var scanner = new PatternScanner(prcss[moduleName]);
return(scanner.Find(pattern));
}
public long PatternScan(IMemoryPattern pattern)
{
return(PatternScan(pattern, 4096 * 2, 0x100000000));
}
public PatternScanResult Find(IMemoryPattern pattern)
{
return(pattern.PatternType == MemoryPatternType.Function
? FindFunctionPattern(pattern)
: FindDataPattern(pattern));
}
