public static unsafe IntPtr FindPattern(string module, string pattern)
{
IntPtr moduleHandle = Kernel32.GetModuleHandle(module);
if (moduleHandle == IntPtr.Zero)
{
return(IntPtr.Zero);
}
Psapi.MODULEINFO moduleInfo;
if (!Psapi.GetModuleInformation(Kernel32.GetCurrentProcess(), moduleHandle, out moduleInfo, sizeof(Psapi.MODULEINFO)))
{
return(IntPtr.Zero);
}
uint moduleStart = (uint)moduleInfo.lpBaseOfDll;
uint moduleLen = moduleInfo.SizeOfImage;
string[] patternStrParts = pattern.Split(' ');
bool[] mask = patternStrParts.Select(x => x != "?").ToArray();
byte[] patternBytes = patternStrParts.Select(x => (byte)((x != "?") ? (byte)(Convert.ToInt32(x, 16)) : 0)).ToArray();
for (uint i = 0; i < moduleLen - patternBytes.Length; i++)
{
if (Compare((byte *)(moduleStart + i), patternBytes, mask))
{
return(new IntPtr(moduleStart + i));
}
}
return(IntPtr.Zero);
}
public static bool LoadModules(IntPtr hProcess, ListModules ModuleType)
{
//Initialize parameters for EPM
uint cbNeeded = 0;
Psapi.EnumProcessModulesEx(hProcess, IntPtr.Zero, 0, out cbNeeded, ModuleType);
long ArraySize = cbNeeded / IntPtr.Size;
IntPtr[] hModules = new IntPtr[ArraySize];
GCHandle GCh = GCHandle.Alloc(hModules, GCHandleType.Pinned); // Don't forget to free this later
IntPtr lphModules = GCh.AddrOfPinnedObject();
uint cb = cbNeeded;
Psapi.EnumProcessModulesEx(hProcess, lphModules, cb, out cbNeeded, ModuleType);
for (int i = 0; i < ArraySize; i++)
{
MODULE_INFO ModInfo = new MODULE_INFO();
System.Text.StringBuilder lpFileName = new System.Text.StringBuilder(256);
System.Text.StringBuilder lpModuleBaseName = new System.Text.StringBuilder(32);
Psapi.GetModuleFileNameExW(hProcess, hModules[i], lpFileName, (uint)(lpFileName.Capacity));
Psapi.GetModuleInformation(hProcess, hModules[i], out ModInfo, (uint)(Marshal.SizeOf(ModInfo)));
Psapi.GetModuleBaseNameW(hProcess, hModules[i], lpModuleBaseName, (uint)(lpModuleBaseName.Capacity));
DbgHelp.SymLoadModuleEx(hProcess, IntPtr.Zero, lpFileName.ToString(), lpModuleBaseName.ToString(),
ModInfo.lpBaseOfDll, (int)ModInfo.SizeOfImage, IntPtr.Zero, 0);
}
GCh.Free();
return(false);
}
public static int FindInBaseModule(Process process, byte[] pattern, out IntPtr[] offsets, bool wildcard = false, byte wildcardChar = 0xff, bool findAll = false)
{
List <IntPtr> offsetList = new List <IntPtr>();
offsets = new IntPtr[] { (IntPtr)0 };
//Create a handle to the process
IntPtr processHandle = Processthreadsapi.OpenProcess(0x0010 | 0x0020 | 0x0008, false, process.Id);
//Initialize the a modInfo struct as new so the size can be safely obtained
var modInfo = new Psapi.ModuleInfo();
//Allocated some memory for a ptr
IntPtr modInfoPtr = Marshal.AllocHGlobal(Marshal.SizeOf(modInfo));
//Get the module info for the process base
bool ntStatus = Psapi.GetModuleInformation(processHandle, process.MainModule.BaseAddress, modInfoPtr, (uint)Marshal.SizeOf(modInfo));
if (!ntStatus)
{
return(Marshal.GetLastWin32Error());
}
//Convert the ptr to the structure
modInfo = (Psapi.ModuleInfo)Marshal.PtrToStructure(modInfoPtr, typeof(Psapi.ModuleInfo));
//Allocate a new buffer based on the size of the image
byte[] lpBuffer = new byte[modInfo.SizeOfImage];
//Read the entire image into the buffer
ntStatus = Memoryapi.ReadProcessMemory(processHandle, process.MainModule.BaseAddress, lpBuffer, (int)modInfo.SizeOfImage, out IntPtr _);
if (!ntStatus)
{
return(Marshal.GetLastWin32Error());
}
for (int i = 0; i < lpBuffer.Length; i++)
{
//Create a new array to copy potential matches to
byte[] tempArray = new byte[pattern.Length];
if (lpBuffer[i] == pattern[0])
{
if ((lpBuffer.Length - lpBuffer[i]) < pattern.Length)
{
continue;
}
for (int x = 0; x < pattern.Length; x++)
{
tempArray[x] = lpBuffer[i + x];
}
if (wildcard)
{
bool match = true;
for (int x = 0; x < pattern.Length; x++)
{
if (pattern[x] == tempArray[x] || pattern[x] == wildcardChar)
{
continue;
}
else
{
match = false;
break;
}
}
if (match)
{
offsetList.Add((IntPtr)i);
}
}
else
{
if (Enumerable.SequenceEqual(tempArray, pattern))
{
//Add the index of the byte[] to the offset list
offsetList.Add((IntPtr)i);
if (!findAll)
{
break;
}
}
}
}
}
offsets = offsetList.ToArray();
Handleapi.CloseHandle(processHandle);
Marshal.FreeHGlobal(modInfoPtr);
return(0);
}
