
[SNIPPET] Memory Scan With Wild Cards



Departure
08-02-2011, 03:48 AM
Ported to Delphi from C++; sorry, I don't recall the original author.

Snippet:


//Compare bytes: walks pData and bMask in step, skipping positions where szMask is not 'x'.
//szMask is a null-terminated mask string: 'x' = byte must match, '?' = wildcard.
//Requires: uses Windows, SysUtils (for DWORD and StrLen).
function bDataCompare(pData, bMask: PByte; szMask: PAnsiChar): Boolean;
begin
  While (szMask^ <> #0) Do
  begin
    If (szMask^ = 'x') and (pData^ <> bMask^) Then
    begin
      Result := False;
      Exit;
    end;
    Inc(pData);
    Inc(bMask);
    Inc(szMask);
  end;
  Result := (szMask^ = #0);
end;

//Search the dwLen bytes starting at dwAddress for the pattern (calls bDataCompare).
//Returns the address of the first match, or 0 when nothing matches.
//The loop stops StrLen(szMask)-1 bytes before the end of the range, so bDataCompare
//never reads past dwAddress+dwLen.
function dwFindPattern(dwAddress, dwLen: DWORD; bMask: PByte; szMask: PAnsiChar): DWORD;
var
  i, dwMaskLen: DWORD;
begin
  Result := 0;
  dwMaskLen := StrLen(szMask);
  If (dwMaskLen = 0) or (dwMaskLen > dwLen) Then
    Exit;
  For i := 0 To dwLen - dwMaskLen Do
  begin
    If bDataCompare(PByte(dwAddress + i), bMask, szMask) Then
    begin
      Result := dwAddress + i;
      Exit;
    end;
  end;
end;


Example:


var
  cAddress: Cardinal;
const
  //Pattern used to scan for bytes (the wildcard positions hold $00 and are never compared)
  baVtablePattern: array[0..13] of Byte = ($C7,$06,$00,$00,$00,$00,$89,$86,$00,$00,$00,$00,$89,$86);
  //One mask character per pattern byte: 'x' = must match, '?' = wildcard
  sigVTableMask: PAnsiChar = 'xx????xx????xx';
begin
  //Wild card search for pointer to VTable address
  cAddress := dwFindPattern(DWORD(GetModuleHandleA('d3d9.dll')), 828000, @baVtablePattern, sigVTableMask); //WildCardSearch
  ......
  ......
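The same scanner in C, added here as an example and not part of the thread or the original C++ it was ported from (the function and variable names `data_compare`, `find_pattern`, `scan_range`, `sample_buf` are my own). It runs over a constructed byte buffer rather than a loaded module, and it shows the one thing the snippet above leaves to the caller: the outer loop stops `strlen(mask)-1` bytes before the end of the range, so the inner comparison can never read past the buffer. `scan_range` also covers the "search from this offset to that offset" question raised later in the thread, with size = end - start and the hit reported relative to the buffer base.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Compare the bytes at data against pattern, position by position.
   mask is a NUL-terminated string: 'x' = byte must match, '?' = wildcard.
   The caller guarantees that strlen(mask) bytes are readable at data. */
static int data_compare(const uint8_t *data, const uint8_t *pattern, const char *mask)
{
    for (; *mask != '\0'; ++mask, ++data, ++pattern) {
        if (*mask == 'x' && *data != *pattern)
            return 0;
    }
    return 1;
}

/* Search the len bytes starting at base for the pattern.
   Returns the offset of the first match, or -1 if there is none.
   Unlike a loop that runs to len-1, this one stops strlen(mask)-1 bytes
   early, so no comparison reads past base+len. */
static ptrdiff_t find_pattern(const uint8_t *base, size_t len,
                              const uint8_t *pattern, const char *mask)
{
    size_t mask_len = strlen(mask);
    if (mask_len == 0 || mask_len > len)
        return -1;
    for (size_t i = 0; i + mask_len <= len; ++i) {
        if (data_compare(base + i, pattern, mask))
            return (ptrdiff_t)i;
    }
    return -1;
}

/* Scan only [start, end) of a buffer: size = end - start, and a hit is
   reported relative to base rather than to the sub-range. */
static ptrdiff_t scan_range(const uint8_t *base, size_t start, size_t end,
                            const uint8_t *pattern, const char *mask)
{
    if (end < start)               /* reject a negative size instead of wrapping */
        return -1;
    ptrdiff_t hit = find_pattern(base + start, end - start, pattern, mask);
    return hit < 0 ? -1 : hit + (ptrdiff_t)start;
}

/* Constructed sample bytes (not taken from any real module): the thread's
   14-byte vtable pattern starts at offset 5, with arbitrary values in the
   wildcard slots. */
static const uint8_t sample_buf[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,                 /* filler            */
    0xC7, 0x06, 0x11, 0x22, 0x33, 0x44,           /* C7 06 ?? ?? ?? ?? */
    0x89, 0x86, 0xAA, 0xBB, 0xCC, 0xDD,           /* 89 86 ?? ?? ?? ?? */
    0x89, 0x86,                                   /* 89 86             */
    0xC3, 0x90                                    /* trailing filler   */
};
static const uint8_t vtable_pattern[14] = {
    0xC7, 0x06, 0x00, 0x00, 0x00, 0x00, 0x89, 0x86, 0x00, 0x00, 0x00, 0x00, 0x89, 0x86
};
static const char vtable_mask[] = "xx????xx????xx";

int main(void)
{
    ptrdiff_t hit = find_pattern(sample_buf, sizeof sample_buf, vtable_pattern, vtable_mask);
    if (hit < 0)
        puts("pattern not found");
    else
        printf("pattern found at offset %td\n", hit);
    return 0;
}
```

The `mask_len > len` check matters in practice: a range shorter than the mask (or a section size that was computed as end minus start with the operands swapped) must yield "not found" rather than a read beyond the mapped region, which on a live process is an access violation rather than a wrong answer.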

Protocol
08-03-2011, 07:58 PM
Hey, I like the implementation of the pattern scanning; might try that for the wildcard patching method for a PE. Confused as to why you have two loops though; maybe recursive might be good?

6748222
07-12-2013, 11:40 AM
I feel so stupid... but my brain's not working today.
So I've got to ask you, how can I search for a pattern starting at a certain memory address?

E.g.: start the pattern search at offset $09C44000 and end at $01185000 (size of section);

PS: from an injected DLL (search in the target)

cracksman
07-13-2013, 03:57 AM
Look at the example; are you having trouble (an error or something)? Something like this?

Size := DWORD($01185000) - DWORD($09C44000); // Size := EndAddress - StartAddress;
Result := dwFindPattern(DWORD($09C44000), Size, @Pattern, Mask); // scan Size bytes from StartAddress

From a DLL, so?

StartAddress := DWORD(GetModuleHandleA('interesting.dll')) + Offset; // where Offset is DWORD($01185000)?

6748222
07-17-2013, 03:10 PM
I meant... from a DLL. Example: in firefox.exe or ie.exe

cracksman
07-17-2013, 10:09 PM
Get the base address of Firefox or IE and add the offset to that.