/// <summary>
/// Scans for a list of byte signatures and returns the result as a list of ScanResultData
/// </summary>
/// <param name="sigList"></param>
/// <returns></returns>
public void SignatureListScan(List <ByteSignature> sigList, Process proc, ProcessModule mod)
{
// create results list
Results = new List <ScanResultData>();
// keep count of how many sigs we've scanned for
int sigCt = 0;
// open this process
OpenProcess(proc);
// go through eahc signatuer and scan
foreach (ByteSignature sig in sigList)
{
try
{
// perform a signature scan
ScanResultData scan = SignatureScan(sig, proc, mod);
// add this scan result to results list
Results.Add(scan);
// increase sig count
sigCt++;
// report scan total progress changed
ScanTotalProgressChanged(this, (Convert.ToSingle(sigCt) / Convert.ToSingle(sigList.Count) * 100));
}
catch { }
}
// fire finished event
ScanComplete(this, Results);
}
/// <summary>
/// Scans for the specified signature.
/// </summary>
/// <param name="sig">Byte signature to scan for.</param>
/// <returns>ScanResultData object.</returns>
private ScanResultData SignatureScan(ByteSignature sig, Process proc, ProcessModule mod)
{
// return new ScanResultData();
// create default 'failure' result
ScanResultData result = new ScanResultData();
result.Name = sig.Name;
// match
Match match;
Regex regex;
uint BaseAddr = (uint)mod.BaseAddress.ToInt32();
uint StopAddr = (uint)(mod.BaseAddress.ToInt32() + mod.ModuleMemorySize);
// current position in memory
uint position = BaseAddr;
uint searchMemSize = StopAddr - BaseAddr;
// current scan progress
float prog = 0f;
string opcode = sig.Signature.Substring(0, 2);
string curOpcode = string.Empty;
string hexString;
byte[] bytes;
try
{
while (position < StopAddr)
{
// go through memory until we hit a byte matching our signatures first byte
while (!ReadByte(position).ToString("X2").Equals(opcode))
{
position++;
}
// read current position as hex string
bytes = ReadBytes(position, sig.SignatureTrimmed.Length);
hexString = ConvertUtil.BytesToHexString(bytes);
// see if it matches
regex = new Regex(sig.RegExpStr);
match = regex.Match(hexString);
if (match.Success)
{
// get the bytes of the value we're looking for
string hexVal = hexString.Substring(sig.TargetByteStartIndex, sig.TargetByteCount);
// reverse the bytes of this string
string reversedHexVal = string.Empty;
int bytesToReverse = hexVal.Length / 2;
for (int i = bytesToReverse; i > 0; i--)
{
reversedHexVal += hexVal.Substring((i * 2) - 2, 2);
}
// subtract the base addr from this to get the offset
int val = ConvertUtil.HexStringToInt(reversedHexVal);
uint offset = (uint)val - BaseAddr;
result.Values.Add(offset.ToString("X2"));
// flag success
result.Result = ScanResult.Success;
// return result
return(result);
}
// increase position
position++;
// report progress
prog = (Convert.ToSingle(position - BaseAddr) / Convert.ToSingle(searchMemSize)) * 100;
ScanSignatureProgressChanged(this, prog);
}
}
catch { }
// failure
ScanSignatureProgressChanged(this, 100);
return(result);
}
