/// <summary> /// <para>Searches the loaded process for the given byte signature.</para> /// <para>Uses the character ? as a wildcard</para> /// </summary> /// <param name="signature">The hex pattern to search for</param> /// <param name="offset">An offset to add to the pointer VALUE</param> /// <param name="searchType">What type os result to return</param> /// <returns>The pointer found at the matching location</returns> private static IntPtr FindSignature(string signature, int offset, ScanResultType searchType) { try { if (signature.Length == 0 || signature.Length % 2 != 0) { throw new Exception("FindSignature(): Invalid signature"); } foreach (var region in _regions) { var buffer = new byte[region.RegionSize]; if (!UnsafeNativeMethods.ReadProcessMemory(MemoryHandler.Instance.Process.Handle, (IntPtr)region.BaseAddress, buffer, region.RegionSize, 0)) { var errorCode = Marshal.GetLastWin32Error(); throw new Exception("FindSignature(): Unable to read memory. Error Code [" + errorCode + "]"); } var searchResult = FindSignature(buffer, signature, offset, searchType); if (IntPtr.Zero != searchResult) { if (ScanResultType.AddressStartOfSig == searchType) { searchResult = new IntPtr(region.BaseAddress + searchResult.ToInt32()); } return(searchResult); } } } catch (Exception ex) { } return(IntPtr.Zero); }
//public IniResultItem(ScanResultType resultType, RegistryHive hive, RegistryView view, string keyName, // string valueName = null, string value = null) //{ // ResultType = resultType; // RegistryHive = hive; // RegistryView = view; // KeyName = keyName; // ValueName = valueName; // Value = value; //} public IniResultItem(ScanResultType resultType, string fileName, string sectionName, string valueName = null, string value = null, string defaultValue = null) { ResultType = resultType; SecionName = sectionName; ValueName = valueName; Value = value; DefaultValue = defaultValue; FileName = fileName; }
public RegistryResultItem(ScanResultType resultType, RegistryHive hive, RegistryView view, string registryPath, string valueName = null, string value = null) { ResultType = resultType; RegistryInformation = new RegistryInformation(hive, view, registryPath, valueName, value); //RegistryHive = hive; //RegistryView = view; //KeyName = registryPath; //ValueName = valueName; //Value = value; }
public static string FormatToString(this ScanResultType scanResultType, bool includeHeader = false) { var member = typeof(ScanResultType).GetMember(scanResultType.ToString()).FirstOrDefault(); if (member == null) { return(null); } var attribute = member.GetCustomAttributes(typeof(ScanResultSectionAttribute), false).FirstOrDefault() as ScanResultSectionAttribute; return(string.Format("{0}{1}", attribute == null ? "??" : attribute.SectionId, includeHeader ? string.Format(" - {0}", attribute == null ? "(undefined)" : attribute.Text) : string.Empty)); }
public RegistryResultItem(ScanResultType resultType, RegistryHive hive, RegistryView view, string registryPath, string text, string fileName, string valueName = null, string value = null) : this(resultType, hive, view, registryPath, valueName, value) { ResultType = resultType; //RegistryHive = hive; //RegistryView = view; //KeyName = registryPath; //ValueName = valueName; //Value = value; Text = text; FileName = fileName; }
/// <summary> /// Search the loaded regions for all signatures at once and remove from list once found /// </summary> /// <param name="signatures"></param> /// <param name="searchType"></param> private void FindSignatures(IEnumerable <Signature> signatures, ScanResultType searchType) { try { var notFound = new List <Signature>(signatures); var temp = new List <Signature>(); foreach (var region in _regions) { try { var buffer = new byte[region.RegionSize.ToInt32()]; IntPtr lpNumberOfByteRead; if (!UnsafeNativeMethods.ReadProcessMemory(MemoryHandler.Instance.ProcessHandle, region.BaseAddress, buffer, region.RegionSize, out lpNumberOfByteRead)) { var errorCode = Marshal.GetLastWin32Error(); throw new Exception("FindSignature(): Unable to read memory. Error Code [" + errorCode + "]"); } foreach (var signature in notFound) { var searchResult = FindSignature(buffer, signature.Value, signature.Offset, searchType); if (IntPtr.Zero == searchResult) { temp.Add(signature); continue; } if (ScanResultType.AddressStartOfSig == searchType) { searchResult = IntPtr.Add(searchResult, (int)region.BaseAddress); } Locations.Add(signature.Key, (uint)searchResult); } notFound = new List <Signature>(temp); temp.Clear(); } catch (Exception ex) { } } } catch (Exception ex) { } }
/// <summary> /// Searches the buffer for the given hex string and returns the pointer matching the first wildcard location, or the pointer following the pattern if not using wildcards. /// Prefix with << to always return the pointer preceding the match or >> to always return the pointer following (regardless of wildcards) /// </summary> /// <param name="buffer">The source binary buffer to search within</param> /// <param name="signature">A hex string representation of a sequence of bytes to search for</param> /// <param name="offset">An offset to where in buffer to start search for pattern.</param> /// <param name="searchType">Search before, at or after wildcard</param> /// <returns>A pointer at the matching location</returns> private static IntPtr FindSignature(byte[] buffer, string signature, int offset, ScanResultType searchType) { // Since this is a hex string make sure the characters are entered in pairs. if (signature.Length == 0 || signature.Length % 2 != 0) { return(IntPtr.Zero); } // Convert the signature text to a binary array byte[] pattern = SigToByte(signature, WildcardChar); if (pattern == null) { return(IntPtr.Zero); } //Find the start index of the first wildcard. if no wildcards then the bytes following the match var pos = 0; for (pos = 0; pos < pattern.Length; pos++) { if (pattern[pos] == WildcardChar) { break; } } //Search for the pattern in the buffer. Convert the bytes to an int and return as a pointer //If not using wildcards then use the faster Horspool algorithm var idx = -1; idx = pos == pattern.Length ? Horspool(buffer, pattern, offset) : BNDM(buffer, pattern, WildcardChar, offset); // If the sig was not found then exit if (idx < 0) { return(IntPtr.Zero); } // Grab the 4 byte pointer at the location requested switch (searchType) { case ScanResultType.ValueBeforeSig: //always grab the pointer in front of the sig return((IntPtr)(BitConverter.ToInt32(buffer, idx - 4))); case ScanResultType.ValueAfterSig: // always grab the pointer following the sig return((IntPtr)(BitConverter.ToInt32(buffer, idx + pattern.Length))); case ScanResultType.AddressStartOfSig: // return the address at the end of where the signature was found return((IntPtr)(idx)); case ScanResultType.ValueAtWildCard: default: // always pointer starting at the first wildcard. if no wildcard is being used, then the rear return((IntPtr)(BitConverter.ToInt32(buffer, idx + pos))); } }
/// <summary> /// Searches the buffer for the given hex string and returns the pointer matching the first wildcard location, or the /// pointer following the pattern if not using wildcards. /// Prefix with << to always return the pointer preceding the match or >> to always return the pointer /// following (regardless of wildcards) /// </summary> /// <param name="buffer">The source binary buffer to search within</param> /// <param name="signature">A hex string representation of a sequence of bytes to search for</param> /// <param name="offset">An offset to add to the found pointer VALUE.</param> /// <param name="searchType"></param> /// <returns>A pointer at the matching location</returns> private static IntPtr FindSignature(byte[] buffer, string signature, int offset, ScanResultType searchType) { try { if (signature.Length == 0 || signature.Length % 2 != 0) { return IntPtr.Zero; } var pattern = SigToByte(signature, WildCardChar); if (pattern != null) { var pos = 0; for (pos = 0; pos < pattern.Length; pos++) { if (pattern[pos] == WildCardChar) { break; } } var idx = -1; if (pattern.Length > 32) { idx = FindSuperSig(buffer, pattern); } else { idx = pos == pattern.Length ? Horspool(buffer, pattern) : BNDM(buffer, pattern, WildCardChar); } if (idx < 0) { return IntPtr.Zero; } switch (searchType) { case ScanResultType.ValueBeforeSig: return (IntPtr) (BitConverter.ToInt32(buffer, idx - 4) + offset); case ScanResultType.ValueAfterSig: return (IntPtr) (BitConverter.ToInt32(buffer, idx + pattern.Length) + offset); case ScanResultType.AddressStartOfSig: return (IntPtr) (idx + offset); case ScanResultType.ValueAtWildCard: default: return (IntPtr) (BitConverter.ToInt32(buffer, idx + pos) + offset); } } } catch (Exception ex) { } return IntPtr.Zero; }
/// <summary> /// <para>Searches the loaded process for the given byte signature.</para> /// <para>Uses the character ? as a wildcard</para> /// </summary> /// <param name="signature">The hex pattern to search for</param> /// <param name="offset">An offset to add to the pointer VALUE</param> /// <param name="searchType">What type os result to return</param> /// <returns>The pointer found at the matching location</returns> private IntPtr FindSignature(string signature, int offset, ScanResultType searchType) { try { if (signature.Length == 0 || signature.Length % 2 != 0) { throw new Exception("FindSignature(): Invalid signature"); } foreach (var region in _regions) { try { var buffer = new byte[region.RegionSize]; int lpNumberOfByteRead; if (!UnsafeNativeMethods.ReadProcessMemory(MemoryHandler.Instance.ProcessHandle, (IntPtr) region.BaseAddress, buffer, region.RegionSize, out lpNumberOfByteRead)) { var errorCode = Marshal.GetLastWin32Error(); throw new Exception("FindSignature(): Unable to read memory. Error Code [" + errorCode + "]"); } var searchResult = FindSignature(buffer, signature, offset, searchType); if (IntPtr.Zero == searchResult) { continue; } if (ScanResultType.AddressStartOfSig == searchType) { searchResult = new IntPtr(region.BaseAddress + searchResult.ToInt32()); } return searchResult; } catch (Exception ex) { } } } catch (Exception ex) { } return IntPtr.Zero; }
/// <summary> /// Searches the loaded process for the given byte signature /// </summary> /// <param name="signature">The hex pattern to search for</param> /// <param name="searchType"></param> /// <returns>The pointer found at the matching location</returns> private IntPtr FindSignature(string signature, ScanResultType searchType) { return FindSignature(signature, 0, searchType); }
/// <summary> /// Search the loaded regions for all signatures at once and remove from list once found /// </summary> /// <param name="signatures"></param> /// <param name="searchType"></param> private void FindSignatures(IEnumerable<Signature> signatures, ScanResultType searchType) { try { var notFound = new List<Signature>(signatures); var temp = new List<Signature>(); foreach (var region in _regions) { try { var buffer = new byte[region.RegionSize]; int lpNumberOfByteRead; if (!UnsafeNativeMethods.ReadProcessMemory(MemoryHandler.Instance.ProcessHandle, (IntPtr) region.BaseAddress, buffer, region.RegionSize, out lpNumberOfByteRead)) { var errorCode = Marshal.GetLastWin32Error(); throw new Exception("FindSignature(): Unable to read memory. Error Code [" + errorCode + "]"); } foreach (var signature in notFound) { var searchResult = FindSignature(buffer, signature.Value, signature.Offset, searchType); if (IntPtr.Zero == searchResult) { temp.Add(signature); continue; } if (ScanResultType.AddressStartOfSig == searchType) { searchResult = new IntPtr(region.BaseAddress + searchResult.ToInt32()); } Locations.Add(signature.Key, (uint) searchResult); } notFound = new List<Signature>(temp); temp.Clear(); } catch (Exception ex) { } } } catch (Exception ex) { } }
/// <summary> /// Searches the buffer for the given hex string and returns the pointer matching the first wildcard location, or the /// pointer following the pattern if not using wildcards. /// Prefix with << to always return the pointer preceding the match or >> to always return the pointer /// following (regardless of wildcards) /// </summary> /// <param name="buffer">The source binary buffer to search within</param> /// <param name="signature">A hex string representation of a sequence of bytes to search for</param> /// <param name="offset">An offset to add to the found pointer VALUE.</param> /// <param name="searchType"></param> /// <returns>A pointer at the matching location</returns> private static IntPtr FindSignature(byte[] buffer, string signature, int offset, ScanResultType searchType) { try { if (signature.Length == 0 || signature.Length % 2 != 0) { return(IntPtr.Zero); } var pattern = SigToByte(signature, WildCardChar); if (pattern != null) { var pos = 0; for (pos = 0; pos < pattern.Length; pos++) { if (pattern[pos] == WildCardChar) { break; } } var idx = -1; if (pattern.Length > 32) { idx = FindSuperSig(buffer, pattern); } else { idx = pos == pattern.Length ? Horspool(buffer, pattern) : BNDM(buffer, pattern, WildCardChar); } if (idx < 0) { return(IntPtr.Zero); } switch (searchType) { case ScanResultType.ValueBeforeSig: if (MemoryHandler.Instance.ProcessModel.IsWin64) { return((IntPtr)(BitConverter.ToInt64(buffer, idx - 8) + offset)); } return((IntPtr)(BitConverter.ToInt32(buffer, idx - 4) + offset)); case ScanResultType.ValueAfterSig: if (MemoryHandler.Instance.ProcessModel.IsWin64) { return((IntPtr)(BitConverter.ToInt64(buffer, idx + pattern.Length) + offset)); } return((IntPtr)(BitConverter.ToInt32(buffer, idx + pattern.Length) + offset)); case ScanResultType.AddressStartOfSig: return((IntPtr)(idx + offset)); case ScanResultType.ValueAtWildCard: default: return((IntPtr)(BitConverter.ToInt32(buffer, idx + pos) + offset)); } } } catch (Exception ex) { } return(IntPtr.Zero); }
public ScanResult(string text, ScanResultType type) : this(text) { _isPlaceholder = true; }
public UefiBinaryResult(ScanResultType type, string text) { _resultType = type; _text = text; }
/// <summary> /// Searches the loaded process for the given byte signature /// </summary> /// <param name="signature">The hex pattern to search for</param> /// <param name="searchType">What type of result to return</param> /// <returns>The pointer found at the matching location</returns> public IntPtr FindSignature(string signature, ScanResultType searchType) { return(FindSignature(signature, 0, searchType)); }
/// <summary> /// <para>Searches the loaded process for the given byte signature.</para> /// <para>Uses the character ? as a wildcard</para> /// </summary> /// <param name="signature">The hex pattern to search for</param> /// <param name="startAddress">An startAddress to add to the pointer VALUE</param> /// <param name="searchType">What type of result to return</param> /// <returns>The pointer found at the matching location</returns> public IntPtr FindSignature(string signature, int startAddress, ScanResultType searchType) { // make sure we have a valid signature if (signature.Length == 0 || signature.Length % 2 != 0) { throw new Exception("FindSignature(): Invalid signature"); } for (var index = 0; index < _memoryRegionsSortedIndices.Count; index++) { int workingIndex = _memoryRegionsSortedIndices.Values[index]; MemoryApi.MemoryBasicInformation region = MemoryRegions[_memoryRegionsSortedIndices.Values[index]]; // Skip memory regions until we find one that contains the startAddress but startAddress of zero means skip none if (startAddress > 0) { if (region.BaseAddress.ToInt32() + region.RegionSize < startAddress || region.BaseAddress.ToInt32() > startAddress) { continue; } } var buffer = new byte[region.RegionSize]; var bytesRead = 0; // ReadProcessMemory will return 0 if some form of error occurs if ( !MemoryApi.ReadProcessMemory(_process.Handle, region.BaseAddress, buffer, (int)region.RegionSize, out bytesRead)) { // get the error code thrown from ReadProcessMemory int errorCode = Marshal.GetLastWin32Error(); // For now, if error reading, we will still search what amount was able to be read so no exception throwing. } var bufferOffset = 0; if (startAddress > 0 && region.BaseAddress.ToInt32() < startAddress && region.BaseAddress.ToInt32() + bytesRead > startAddress) { // Since requested startAddress is somewhere in the current regions address space, set startAddress from beginning of region bufferOffset = startAddress - region.BaseAddress.ToInt32(); } IntPtr searchResult = FindSignature(buffer, signature, bufferOffset, searchType); // If we found our signature, we're done if (IntPtr.Zero == searchResult) { continue; } // if we passed the ! flag we want the beginning address of where it found the sig if (ScanResultType.AddressStartOfSig == searchType) { searchResult = new IntPtr(region.BaseAddress.ToInt32() + searchResult.ToInt32()); } return(searchResult); } return(IntPtr.Zero); }
public SampleResult(ScanResultType type, string text) { _resultType = type; _text = text; }