/// <summary> /// Scans for a list of byte signatures and returns the result as a list of ScanResultData /// </summary> /// <param name="sigList"></param> /// <returns></returns> public void SignatureListScan(List <ByteSignature> sigList, Process proc, ProcessModule mod) { // create results list Results = new List <ScanResultData>(); // keep count of how many sigs we've scanned for int sigCt = 0; // open this process OpenProcess(proc); // go through eahc signatuer and scan foreach (ByteSignature sig in sigList) { try { // perform a signature scan ScanResultData scan = SignatureScan(sig, proc, mod); // add this scan result to results list Results.Add(scan); // increase sig count sigCt++; // report scan total progress changed ScanTotalProgressChanged(this, (Convert.ToSingle(sigCt) / Convert.ToSingle(sigList.Count) * 100)); } catch { } } // fire finished event ScanComplete(this, Results); }
/// <summary> /// Scans for the specified signature. /// </summary> /// <param name="sig">Byte signature to scan for.</param> /// <returns>ScanResultData object.</returns> private ScanResultData SignatureScan(ByteSignature sig, Process proc, ProcessModule mod) { // return new ScanResultData(); // create default 'failure' result ScanResultData result = new ScanResultData(); result.Name = sig.Name; // match Match match; Regex regex; uint BaseAddr = (uint)mod.BaseAddress.ToInt32(); uint StopAddr = (uint)(mod.BaseAddress.ToInt32() + mod.ModuleMemorySize); // current position in memory uint position = BaseAddr; uint searchMemSize = StopAddr - BaseAddr; // current scan progress float prog = 0f; string opcode = sig.Signature.Substring(0, 2); string curOpcode = string.Empty; string hexString; byte[] bytes; try { while (position < StopAddr) { // go through memory until we hit a byte matching our signatures first byte while (!ReadByte(position).ToString("X2").Equals(opcode)) { position++; } // read current position as hex string bytes = ReadBytes(position, sig.SignatureTrimmed.Length); hexString = ConvertUtil.BytesToHexString(bytes); // see if it matches regex = new Regex(sig.RegExpStr); match = regex.Match(hexString); if (match.Success) { // get the bytes of the value we're looking for string hexVal = hexString.Substring(sig.TargetByteStartIndex, sig.TargetByteCount); // reverse the bytes of this string string reversedHexVal = string.Empty; int bytesToReverse = hexVal.Length / 2; for (int i = bytesToReverse; i > 0; i--) { reversedHexVal += hexVal.Substring((i * 2) - 2, 2); } // subtract the base addr from this to get the offset int val = ConvertUtil.HexStringToInt(reversedHexVal); uint offset = (uint)val - BaseAddr; result.Values.Add(offset.ToString("X2")); // flag success result.Result = ScanResult.Success; // return result return(result); } // increase position position++; // report progress prog = (Convert.ToSingle(position - BaseAddr) / Convert.ToSingle(searchMemSize)) * 100; ScanSignatureProgressChanged(this, prog); } } catch { } // failure ScanSignatureProgressChanged(this, 100); return(result); }