-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathMemorySearch.cpp
105 lines (90 loc) · 2.69 KB
/
MemorySearch.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#include "ProcessManager.hpp"
#define BLOCKMAXSIZE 409600
BYTE* MemoryData;
short Next[260];
WORD GetSignatureArray(std::string Signature, WORD* SignatureArray)
{
int len = 0;
WORD Length = Signature.length() / 3 + 1;
for (int i = 0; i < Signature.length(); )
{
char num[2];
num[0] = Signature[i++];
num[1] = Signature[i++];
i++;
if (num[0] != '?' && num[1] != '?')
{
int sum = 0;
WORD a[2];
for (int i = 0; i < 2; i++)
{
if (num[i] >= '0' && num[i] <= '9')
a[i] = num[i] - '0';
else if (num[i] >= 'a' && num[i] <= 'z')
a[i] = num[i] - 87;
else if (num[i] >= 'A' && num[i] <= 'Z')
a[i] = num[i] - 55;
}
sum = a[0] * 16 + a[1];
SignatureArray[len++] = sum;
}
else
SignatureArray[len++] = 256;
}
return Length;
}
void GetNext(short* next, WORD* Signature, WORD SignatureLength)
{
for (int i = 0; i < 260; i++)
next[i] = -1;
for (int i = 0; i < SignatureLength; i++)
next[Signature[i]] = i;
}
void SearchMemoryBlock(HANDLE hProcess, WORD* Signature, WORD SignatureLength, DWORD64 StartAddress, DWORD size, std::vector<DWORD64>& ResultArray)
{
if (!ReadProcessMemory(hProcess, (LPCVOID)StartAddress, MemoryData, size, NULL))
return;
for (int i = 0, j, k; i < size;)
{
j = i; k = 0;
for (; k < SignatureLength && j < size && (Signature[k] == MemoryData[j] || Signature[k] == 256); k++, j++);
if (k == SignatureLength)
ResultArray.push_back(StartAddress + i);
if ((i + SignatureLength) >= size)
return;
int num = Next[MemoryData[i + SignatureLength]];
if (num == -1)
i += (SignatureLength - Next[256]);
else
i += (SignatureLength - num);
}
}
std::vector<DWORD64> ProcessManager::SearchMemory(std::string Signature, DWORD64 StartAddress, DWORD64 EndAddress)
{
MemoryData = new BYTE[BLOCKMAXSIZE];
int i = 0;
unsigned long BlockSize;
MEMORY_BASIC_INFORMATION mbi;
WORD SignatureLength = Signature.length() / 3 + 1;
WORD* SignatureArray = new WORD[SignatureLength];
std::vector<DWORD64>ResultArray;
GetSignatureArray(Signature, SignatureArray);
GetNext(Next, SignatureArray, SignatureLength);
while (VirtualQueryEx(hProcess, (LPCVOID)StartAddress, &mbi, sizeof(mbi)) != 0)
{
i = 0;
BlockSize = mbi.RegionSize;
while (BlockSize >= BLOCKMAXSIZE)
{
SearchMemoryBlock(hProcess, SignatureArray, SignatureLength, StartAddress + (BLOCKMAXSIZE * i), BLOCKMAXSIZE, ResultArray);
BlockSize -= BLOCKMAXSIZE; i++;
}
SearchMemoryBlock(hProcess, SignatureArray, SignatureLength, StartAddress + (BLOCKMAXSIZE * i), BlockSize, ResultArray);
StartAddress += mbi.RegionSize;
if (EndAddress != 0 && StartAddress > EndAddress)
return ResultArray;
}
delete[] MemoryData;
delete[] SignatureArray;
return ResultArray;
}