Example #1
0
        /// <summary>
        ///     <para>Searches the loaded process for the given byte signature.</para>
        ///     <para>Uses the character ? as a wildcard</para>
        /// </summary>
        /// <param name="signature">The hex pattern to search for</param>
        /// <param name="offset">An offset to add to the pointer VALUE</param>
        /// <param name="searchType">What type os result to return</param>
        /// <returns>The pointer found at the matching location</returns>
        private static IntPtr FindSignature(string signature, int offset, ScanResultType searchType)
        {
            try
            {
                if (signature.Length == 0 || signature.Length % 2 != 0)
                {
                    throw new Exception("FindSignature(): Invalid signature");
                }
                foreach (var region in _regions)
                {
                    var buffer = new byte[region.RegionSize];
                    if (!UnsafeNativeMethods.ReadProcessMemory(MemoryHandler.Instance.Process.Handle, (IntPtr)region.BaseAddress, buffer, region.RegionSize, 0))
                    {
                        var errorCode = Marshal.GetLastWin32Error();
                        throw new Exception("FindSignature(): Unable to read memory. Error Code [" + errorCode + "]");
                    }
                    var searchResult = FindSignature(buffer, signature, offset, searchType);
                    if (IntPtr.Zero != searchResult)
                    {
                        if (ScanResultType.AddressStartOfSig == searchType)
                        {
                            searchResult = new IntPtr(region.BaseAddress + searchResult.ToInt32());
                        }

                        return(searchResult);
                    }
                }
            }
            catch (Exception ex)
            {
            }
            return(IntPtr.Zero);
        }
Example #2
0
        //public IniResultItem(ScanResultType resultType, RegistryHive hive, RegistryView view, string keyName,
        //  string valueName = null, string value = null)
        //{
        //  ResultType = resultType;
        //  RegistryHive = hive;
        //  RegistryView = view;
        //  KeyName = keyName;
        //  ValueName = valueName;
        //  Value = value;
        //}

        public IniResultItem(ScanResultType resultType, string fileName, string sectionName,
                             string valueName = null, string value = null, string defaultValue = null)
        {
            ResultType   = resultType;
            SecionName   = sectionName;
            ValueName    = valueName;
            Value        = value;
            DefaultValue = defaultValue;
            FileName     = fileName;
        }
 public RegistryResultItem(ScanResultType resultType, RegistryHive hive, RegistryView view, string registryPath,
                           string valueName = null, string value = null)
 {
     ResultType          = resultType;
     RegistryInformation = new RegistryInformation(hive, view, registryPath, valueName, value);
     //RegistryHive = hive;
     //RegistryView = view;
     //KeyName = registryPath;
     //ValueName = valueName;
     //Value = value;
 }
Example #4
0
        public static string FormatToString(this ScanResultType scanResultType, bool includeHeader = false)
        {
            var member = typeof(ScanResultType).GetMember(scanResultType.ToString()).FirstOrDefault();

            if (member == null)
            {
                return(null);
            }

            var attribute = member.GetCustomAttributes(typeof(ScanResultSectionAttribute), false).FirstOrDefault() as ScanResultSectionAttribute;

            return(string.Format("{0}{1}", attribute == null ? "??" : attribute.SectionId, includeHeader ? string.Format(" - {0}", attribute == null ? "(undefined)" : attribute.Text) : string.Empty));
        }
 public RegistryResultItem(ScanResultType resultType, RegistryHive hive, RegistryView view, string registryPath,
                           string text, string fileName,
                           string valueName = null, string value = null)
     : this(resultType, hive, view, registryPath, valueName, value)
 {
     ResultType = resultType;
     //RegistryHive = hive;
     //RegistryView = view;
     //KeyName = registryPath;
     //ValueName = valueName;
     //Value = value;
     Text     = text;
     FileName = fileName;
 }
Example #6
0
        /// <summary>
        ///     Search the loaded regions for all signatures at once and remove from list once found
        /// </summary>
        /// <param name="signatures"></param>
        /// <param name="searchType"></param>
        private void FindSignatures(IEnumerable <Signature> signatures, ScanResultType searchType)
        {
            try
            {
                var notFound = new List <Signature>(signatures);
                var temp     = new List <Signature>();
                foreach (var region in _regions)
                {
                    try
                    {
                        var    buffer = new byte[region.RegionSize.ToInt32()];
                        IntPtr lpNumberOfByteRead;
                        if (!UnsafeNativeMethods.ReadProcessMemory(MemoryHandler.Instance.ProcessHandle, region.BaseAddress, buffer, region.RegionSize, out lpNumberOfByteRead))
                        {
                            var errorCode = Marshal.GetLastWin32Error();
                            throw new Exception("FindSignature(): Unable to read memory. Error Code [" + errorCode + "]");
                        }
                        foreach (var signature in notFound)
                        {
                            var searchResult = FindSignature(buffer, signature.Value, signature.Offset, searchType);
                            if (IntPtr.Zero == searchResult)
                            {
                                temp.Add(signature);
                                continue;
                            }
                            if (ScanResultType.AddressStartOfSig == searchType)
                            {
                                searchResult = IntPtr.Add(searchResult, (int)region.BaseAddress);
                            }
                            Locations.Add(signature.Key, (uint)searchResult);
                        }
                        notFound = new List <Signature>(temp);
                        temp.Clear();
                    }
                    catch (Exception ex)
                    {
                    }
                }
            }
            catch (Exception ex)

            {
            }
        }
        /// <summary>
        /// Searches the buffer for the given hex string and returns the pointer matching the first wildcard location, or the pointer following the pattern if not using wildcards.
        /// Prefix with &lt;&lt; to always return the pointer preceding the match or &gt;&gt; to always return the pointer following (regardless of wildcards)
        /// </summary>
        /// <param name="buffer">The source binary buffer to search within</param>
        /// <param name="signature">A hex string representation of a sequence of bytes to search for</param>
        /// <param name="offset">An offset to where in buffer to start search for pattern.</param>
        /// <param name="searchType">Search before, at or after wildcard</param>
        /// <returns>A pointer at the matching location</returns>
        private static IntPtr FindSignature(byte[] buffer, string signature, int offset, ScanResultType searchType)
        {
            // Since this is a hex string make sure the characters are entered in pairs.
            if (signature.Length == 0 || signature.Length % 2 != 0)
            {
                return(IntPtr.Zero);
            }

            // Convert the signature text to a binary array
            byte[] pattern = SigToByte(signature, WildcardChar);

            if (pattern == null)
            {
                return(IntPtr.Zero);
            }

            //Find the start index of the first wildcard. if no wildcards then the bytes following the match
            var pos = 0;

            for (pos = 0; pos < pattern.Length; pos++)
            {
                if (pattern[pos] == WildcardChar)
                {
                    break;
                }
            }

            //Search for the pattern in the buffer. Convert the bytes to an int and return as a pointer
            //If not using wildcards then use the faster Horspool algorithm
            var idx = -1;

            idx = pos == pattern.Length
                ? Horspool(buffer, pattern, offset)
                : BNDM(buffer, pattern, WildcardChar, offset);

            // If the sig was not found then exit
            if (idx < 0)
            {
                return(IntPtr.Zero);
            }

            // Grab the 4 byte pointer at the location requested
            switch (searchType)
            {
            case ScanResultType.ValueBeforeSig:
                //always grab the pointer in front of the sig
                return((IntPtr)(BitConverter.ToInt32(buffer, idx - 4)));

            case ScanResultType.ValueAfterSig:
                // always grab the pointer following the sig
                return((IntPtr)(BitConverter.ToInt32(buffer, idx + pattern.Length)));

            case ScanResultType.AddressStartOfSig:
                // return the address at the end of where the signature was found
                return((IntPtr)(idx));

            case ScanResultType.ValueAtWildCard:
            default:
                // always pointer starting at the first wildcard. if no wildcard is being used, then the rear
                return((IntPtr)(BitConverter.ToInt32(buffer, idx + pos)));
            }
        }
Example #8
0
 /// <summary>
 ///     Searches the buffer for the given hex string and returns the pointer matching the first wildcard location, or the
 ///     pointer following the pattern if not using wildcards.
 ///     Prefix with &lt;&lt; to always return the pointer preceding the match or &gt;&gt; to always return the pointer
 ///     following (regardless of wildcards)
 /// </summary>
 /// <param name="buffer">The source binary buffer to search within</param>
 /// <param name="signature">A hex string representation of a sequence of bytes to search for</param>
 /// <param name="offset">An offset to add to the found pointer VALUE.</param>
 /// <param name="searchType"></param>
 /// <returns>A pointer at the matching location</returns>
 private static IntPtr FindSignature(byte[] buffer, string signature, int offset, ScanResultType searchType)
 {
     try
     {
         if (signature.Length == 0 || signature.Length % 2 != 0)
         {
             return IntPtr.Zero;
         }
         var pattern = SigToByte(signature, WildCardChar);
         if (pattern != null)
         {
             var pos = 0;
             for (pos = 0; pos < pattern.Length; pos++)
             {
                 if (pattern[pos] == WildCardChar)
                 {
                     break;
                 }
             }
             var idx = -1;
             if (pattern.Length > 32)
             {
                 idx = FindSuperSig(buffer, pattern);
             }
             else
             {
                 idx = pos == pattern.Length ? Horspool(buffer, pattern) : BNDM(buffer, pattern, WildCardChar);
             }
             if (idx < 0)
             {
                 return IntPtr.Zero;
             }
             switch (searchType)
             {
                 case ScanResultType.ValueBeforeSig:
                     return (IntPtr) (BitConverter.ToInt32(buffer, idx - 4) + offset);
                 case ScanResultType.ValueAfterSig:
                     return (IntPtr) (BitConverter.ToInt32(buffer, idx + pattern.Length) + offset);
                 case ScanResultType.AddressStartOfSig:
                     return (IntPtr) (idx + offset);
                 case ScanResultType.ValueAtWildCard:
                 default:
                     return (IntPtr) (BitConverter.ToInt32(buffer, idx + pos) + offset);
             }
         }
     }
     catch (Exception ex)
     {
     }
     return IntPtr.Zero;
 }
Example #9
0
 /// <summary>
 ///     <para>Searches the loaded process for the given byte signature.</para>
 ///     <para>Uses the character ? as a wildcard</para>
 /// </summary>
 /// <param name="signature">The hex pattern to search for</param>
 /// <param name="offset">An offset to add to the pointer VALUE</param>
 /// <param name="searchType">What type os result to return</param>
 /// <returns>The pointer found at the matching location</returns>
 private IntPtr FindSignature(string signature, int offset, ScanResultType searchType)
 {
     try
     {
         if (signature.Length == 0 || signature.Length % 2 != 0)
         {
             throw new Exception("FindSignature(): Invalid signature");
         }
         foreach (var region in _regions)
         {
             try
             {
                 var buffer = new byte[region.RegionSize];
                 int lpNumberOfByteRead;
                 if (!UnsafeNativeMethods.ReadProcessMemory(MemoryHandler.Instance.ProcessHandle, (IntPtr) region.BaseAddress, buffer, region.RegionSize, out lpNumberOfByteRead))
                 {
                     var errorCode = Marshal.GetLastWin32Error();
                     throw new Exception("FindSignature(): Unable to read memory. Error Code [" + errorCode + "]");
                 }
                 var searchResult = FindSignature(buffer, signature, offset, searchType);
                 if (IntPtr.Zero == searchResult)
                 {
                     continue;
                 }
                 if (ScanResultType.AddressStartOfSig == searchType)
                 {
                     searchResult = new IntPtr(region.BaseAddress + searchResult.ToInt32());
                 }
                 return searchResult;
             }
             catch (Exception ex)
             {
             }
         }
     }
     catch (Exception ex)
     {
     }
     return IntPtr.Zero;
 }
Example #10
0
 /// <summary>
 ///     Searches the loaded process for the given byte signature
 /// </summary>
 /// <param name="signature">The hex pattern to search for</param>
 /// <param name="searchType"></param>
 /// <returns>The pointer found at the matching location</returns>
 private IntPtr FindSignature(string signature, ScanResultType searchType)
 {
     return FindSignature(signature, 0, searchType);
 }
Example #11
0
 /// <summary>
 ///     Search the loaded regions for all signatures at once and remove from list once found
 /// </summary>
 /// <param name="signatures"></param>
 /// <param name="searchType"></param>
 private void FindSignatures(IEnumerable<Signature> signatures, ScanResultType searchType)
 {
     try
     {
         var notFound = new List<Signature>(signatures);
         var temp = new List<Signature>();
         foreach (var region in _regions)
         {
             try
             {
                 var buffer = new byte[region.RegionSize];
                 int lpNumberOfByteRead;
                 if (!UnsafeNativeMethods.ReadProcessMemory(MemoryHandler.Instance.ProcessHandle, (IntPtr) region.BaseAddress, buffer, region.RegionSize, out lpNumberOfByteRead))
                 {
                     var errorCode = Marshal.GetLastWin32Error();
                     throw new Exception("FindSignature(): Unable to read memory. Error Code [" + errorCode + "]");
                 }
                 foreach (var signature in notFound)
                 {
                     var searchResult = FindSignature(buffer, signature.Value, signature.Offset, searchType);
                     if (IntPtr.Zero == searchResult)
                     {
                         temp.Add(signature);
                         continue;
                     }
                     if (ScanResultType.AddressStartOfSig == searchType)
                     {
                         searchResult = new IntPtr(region.BaseAddress + searchResult.ToInt32());
                     }
                     Locations.Add(signature.Key, (uint) searchResult);
                 }
                 notFound = new List<Signature>(temp);
                 temp.Clear();
             }
             catch (Exception ex)
             {
             }
         }
     }
     catch (Exception ex)
     {
     }
 }
Example #12
0
        /// <summary>
        ///     Searches the buffer for the given hex string and returns the pointer matching the first wildcard location, or the
        ///     pointer following the pattern if not using wildcards.
        ///     Prefix with &lt;&lt; to always return the pointer preceding the match or &gt;&gt; to always return the pointer
        ///     following (regardless of wildcards)
        /// </summary>
        /// <param name="buffer">The source binary buffer to search within</param>
        /// <param name="signature">A hex string representation of a sequence of bytes to search for</param>
        /// <param name="offset">An offset to add to the found pointer VALUE.</param>
        /// <param name="searchType"></param>
        /// <returns>A pointer at the matching location</returns>
        private static IntPtr FindSignature(byte[] buffer, string signature, int offset, ScanResultType searchType)
        {
            try
            {
                if (signature.Length == 0 || signature.Length % 2 != 0)
                {
                    return(IntPtr.Zero);
                }
                var pattern = SigToByte(signature, WildCardChar);
                if (pattern != null)
                {
                    var pos = 0;
                    for (pos = 0; pos < pattern.Length; pos++)
                    {
                        if (pattern[pos] == WildCardChar)
                        {
                            break;
                        }
                    }
                    var idx = -1;
                    if (pattern.Length > 32)
                    {
                        idx = FindSuperSig(buffer, pattern);
                    }
                    else
                    {
                        idx = pos == pattern.Length ? Horspool(buffer, pattern) : BNDM(buffer, pattern, WildCardChar);
                    }
                    if (idx < 0)
                    {
                        return(IntPtr.Zero);
                    }
                    switch (searchType)
                    {
                    case ScanResultType.ValueBeforeSig:
                        if (MemoryHandler.Instance.ProcessModel.IsWin64)
                        {
                            return((IntPtr)(BitConverter.ToInt64(buffer, idx - 8) + offset));
                        }
                        return((IntPtr)(BitConverter.ToInt32(buffer, idx - 4) + offset));

                    case ScanResultType.ValueAfterSig:
                        if (MemoryHandler.Instance.ProcessModel.IsWin64)
                        {
                            return((IntPtr)(BitConverter.ToInt64(buffer, idx + pattern.Length) + offset));
                        }
                        return((IntPtr)(BitConverter.ToInt32(buffer, idx + pattern.Length) + offset));

                    case ScanResultType.AddressStartOfSig:
                        return((IntPtr)(idx + offset));

                    case ScanResultType.ValueAtWildCard:
                    default:
                        return((IntPtr)(BitConverter.ToInt32(buffer, idx + pos) + offset));
                    }
                }
            }
            catch (Exception ex)
            {
            }
            return(IntPtr.Zero);
        }
 public ScanResult(string text, ScanResultType type) : this(text)
 {
     _isPlaceholder = true;
 }
 public UefiBinaryResult(ScanResultType type, string text)
 {
     _resultType = type;
     _text       = text;
 }
Example #15
0
 /// <summary>
 /// Searches the loaded process for the given byte signature
 /// </summary>
 /// <param name="signature">The hex pattern to search for</param>
 /// <param name="searchType">What type of result to return</param>
 /// <returns>The pointer found at the matching location</returns>
 public IntPtr FindSignature(string signature, ScanResultType searchType)
 {
     return(FindSignature(signature, 0, searchType));
 }
Example #16
0
        /// <summary>
        /// <para>Searches the loaded process for the given byte signature.</para>
        /// <para>Uses the character ? as a wildcard</para>
        /// </summary>
        /// <param name="signature">The hex pattern to search for</param>
        /// <param name="startAddress">An startAddress to add to the pointer VALUE</param>
        /// <param name="searchType">What type of result to return</param>
        /// <returns>The pointer found at the matching location</returns>
        public IntPtr FindSignature(string signature, int startAddress, ScanResultType searchType)
        {
            // make sure we have a valid signature
            if (signature.Length == 0 || signature.Length % 2 != 0)
            {
                throw new Exception("FindSignature(): Invalid signature");
            }

            for (var index = 0; index < _memoryRegionsSortedIndices.Count; index++)
            {
                int workingIndex = _memoryRegionsSortedIndices.Values[index];

                MemoryApi.MemoryBasicInformation region = MemoryRegions[_memoryRegionsSortedIndices.Values[index]];

                // Skip memory regions until we find one that contains the startAddress but startAddress of zero means skip none
                if (startAddress > 0)
                {
                    if (region.BaseAddress.ToInt32() + region.RegionSize < startAddress ||
                        region.BaseAddress.ToInt32() > startAddress)
                    {
                        continue;
                    }
                }

                var buffer    = new byte[region.RegionSize];
                var bytesRead = 0;

                // ReadProcessMemory will return 0 if some form of error occurs
                if (
                    !MemoryApi.ReadProcessMemory(_process.Handle, region.BaseAddress, buffer, (int)region.RegionSize,
                                                 out bytesRead))
                {
                    // get the error code thrown from ReadProcessMemory
                    int errorCode = Marshal.GetLastWin32Error();

                    // For now, if error reading, we will still search what amount was able to be read so no exception throwing.
                }

                var bufferOffset = 0;
                if (startAddress > 0 && region.BaseAddress.ToInt32() < startAddress &&
                    region.BaseAddress.ToInt32() + bytesRead > startAddress)
                {
                    // Since requested startAddress is somewhere in the current regions address space, set startAddress from beginning of region
                    bufferOffset = startAddress - region.BaseAddress.ToInt32();
                }
                IntPtr searchResult = FindSignature(buffer, signature, bufferOffset, searchType);

                // If we found our signature, we're done
                if (IntPtr.Zero == searchResult)
                {
                    continue;
                }

                // if we passed the ! flag we want the beginning address of where it found the sig
                if (ScanResultType.AddressStartOfSig == searchType)
                {
                    searchResult = new IntPtr(region.BaseAddress.ToInt32() + searchResult.ToInt32());
                }

                return(searchResult);
            }
            return(IntPtr.Zero);
        }
Example #17
0
 public SampleResult(ScanResultType type, string text)
 {
     _resultType = type;
     _text       = text;
 }