Exemplo n.º 1
0
        public ScanResult PerformSignatureScan(byte[] pattern, string mask, ProcessModule module, bool codeOnly = true)
        {
            MemoryModule mmod = MemoryModule.FromMemory(this, module);

            byte[] buffer = new byte[4096];
            int    idx    = 0;

            bool found = false;
            long start = mmod.ImageBase;// codeOnly ? mmod.BaseOfCode : mmod.ImageBase;
            long size  = codeOnly ? mmod.SizeOfCode : mmod.MemorySize;

            while (true)
            {
                this.Position  = start + idx;
                this.Position -= this.Position % 4;

                int length = this.Read(buffer, 0, (int)Math.Min(buffer.Length, size - idx));

                for (int b = 0; b < buffer.Length - mask.Length; b++)
                {
                    found = true;
                    for (int i = 0; i < mask.Length; i++)
                    {
                        if (mask[i] != '?' && buffer[b + i] != pattern[i])
                        {
                            found = false;
                            break;
                        }
                    }
                    if (found)
                    {
                        byte[] data = new byte[mask.Length];
                        Array.Copy(buffer, b, data, 0, mask.Length);
                        return(ScanResult.Succeeded(start + idx + b, data));
                    }
                }

                if (length - mask.Length == 0)
                {
                    break;
                }
                idx += length - mask.Length;
                if (this.Position >= start + size)
                {
                    break;
                }
            }
            return(ScanResult.Failed());
        }