public static unsafe IntPtr FindPattern(string module, string pattern) { IntPtr moduleHandle = Kernel32.GetModuleHandle(module); if (moduleHandle == IntPtr.Zero) { return(IntPtr.Zero); } Psapi.MODULEINFO moduleInfo; if (!Psapi.GetModuleInformation(Kernel32.GetCurrentProcess(), moduleHandle, out moduleInfo, sizeof(Psapi.MODULEINFO))) { return(IntPtr.Zero); } uint moduleStart = (uint)moduleInfo.lpBaseOfDll; uint moduleLen = moduleInfo.SizeOfImage; string[] patternStrParts = pattern.Split(' '); bool[] mask = patternStrParts.Select(x => x != "?").ToArray(); byte[] patternBytes = patternStrParts.Select(x => (byte)((x != "?") ? (byte)(Convert.ToInt32(x, 16)) : 0)).ToArray(); for (uint i = 0; i < moduleLen - patternBytes.Length; i++) { if (Compare((byte *)(moduleStart + i), patternBytes, mask)) { return(new IntPtr(moduleStart + i)); } } return(IntPtr.Zero); }
public static bool LoadModules(IntPtr hProcess, ListModules ModuleType) { //Initialize parameters for EPM uint cbNeeded = 0; Psapi.EnumProcessModulesEx(hProcess, IntPtr.Zero, 0, out cbNeeded, ModuleType); long ArraySize = cbNeeded / IntPtr.Size; IntPtr[] hModules = new IntPtr[ArraySize]; GCHandle GCh = GCHandle.Alloc(hModules, GCHandleType.Pinned); // Don't forget to free this later IntPtr lphModules = GCh.AddrOfPinnedObject(); uint cb = cbNeeded; Psapi.EnumProcessModulesEx(hProcess, lphModules, cb, out cbNeeded, ModuleType); for (int i = 0; i < ArraySize; i++) { MODULE_INFO ModInfo = new MODULE_INFO(); System.Text.StringBuilder lpFileName = new System.Text.StringBuilder(256); System.Text.StringBuilder lpModuleBaseName = new System.Text.StringBuilder(32); Psapi.GetModuleFileNameExW(hProcess, hModules[i], lpFileName, (uint)(lpFileName.Capacity)); Psapi.GetModuleInformation(hProcess, hModules[i], out ModInfo, (uint)(Marshal.SizeOf(ModInfo))); Psapi.GetModuleBaseNameW(hProcess, hModules[i], lpModuleBaseName, (uint)(lpModuleBaseName.Capacity)); DbgHelp.SymLoadModuleEx(hProcess, IntPtr.Zero, lpFileName.ToString(), lpModuleBaseName.ToString(), ModInfo.lpBaseOfDll, (int)ModInfo.SizeOfImage, IntPtr.Zero, 0); } GCh.Free(); return(false); }
public static int FindInBaseModule(Process process, byte[] pattern, out IntPtr[] offsets, bool wildcard = false, byte wildcardChar = 0xff, bool findAll = false) { List <IntPtr> offsetList = new List <IntPtr>(); offsets = new IntPtr[] { (IntPtr)0 }; //Create a handle to the process IntPtr processHandle = Processthreadsapi.OpenProcess(0x0010 | 0x0020 | 0x0008, false, process.Id); //Initialize the a modInfo struct as new so the size can be safely obtained var modInfo = new Psapi.ModuleInfo(); //Allocated some memory for a ptr IntPtr modInfoPtr = Marshal.AllocHGlobal(Marshal.SizeOf(modInfo)); //Get the module info for the process base bool ntStatus = Psapi.GetModuleInformation(processHandle, process.MainModule.BaseAddress, modInfoPtr, (uint)Marshal.SizeOf(modInfo)); if (!ntStatus) { return(Marshal.GetLastWin32Error()); } //Convert the ptr to the structure modInfo = (Psapi.ModuleInfo)Marshal.PtrToStructure(modInfoPtr, typeof(Psapi.ModuleInfo)); //Allocate a new buffer based on the size of the image byte[] lpBuffer = new byte[modInfo.SizeOfImage]; //Read the entire image into the buffer ntStatus = Memoryapi.ReadProcessMemory(processHandle, process.MainModule.BaseAddress, lpBuffer, (int)modInfo.SizeOfImage, out IntPtr _); if (!ntStatus) { return(Marshal.GetLastWin32Error()); } for (int i = 0; i < lpBuffer.Length; i++) { //Create a new array to copy potential matches to byte[] tempArray = new byte[pattern.Length]; if (lpBuffer[i] == pattern[0]) { if ((lpBuffer.Length - lpBuffer[i]) < pattern.Length) { continue; } for (int x = 0; x < pattern.Length; x++) { tempArray[x] = lpBuffer[i + x]; } if (wildcard) { bool match = true; for (int x = 0; x < pattern.Length; x++) { if (pattern[x] == tempArray[x] || pattern[x] == wildcardChar) { continue; } else { match = false; break; } } if (match) { offsetList.Add((IntPtr)i); } } else { if (Enumerable.SequenceEqual(tempArray, pattern)) { //Add the index of the byte[] to the offset list offsetList.Add((IntPtr)i); if (!findAll) { break; } } } } } offsets = offsetList.ToArray(); Handleapi.CloseHandle(processHandle); Marshal.FreeHGlobal(modInfoPtr); return(0); }