-
Notifications
You must be signed in to change notification settings - Fork 6
/
signature.cpp
78 lines (62 loc) · 1.63 KB
/
signature.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
#pragma once
#include <Windows.h>
#include <string>
#define BUF_SCAN_SIZE 4096
typedef DWORD Address;
namespace Signature {
BYTE* _FindPattern(BYTE* buf, size_t datasize, BYTE* find, std::string mask, bool search_rewind=true)
{
int pos = 0;
size_t size = mask.size();
for(Address i = 0; i < datasize; i++) {
if(mask[pos]=='.' || buf[i] == find[pos]) {
pos++;
if(pos == size) {
return &buf[i-pos+1];
}
}
else {
if(search_rewind)
i -= pos;
pos = 0;
}
}
return NULL;
}
Address FindSignature(BYTE* signature, const std::string& mask, const Address start, const Address end, bool search_rewind, HANDLE my_proc)
{
Address curr_addr = start;
size_t mask_size = mask.size();
BYTE buf[BUF_SCAN_SIZE];
size_t current_size = 0;
while(curr_addr < end)
{
MEMORY_BASIC_INFORMATION mbi;
if(!VirtualQueryEx(my_proc, reinterpret_cast<PVOID>(curr_addr), &mbi, sizeof(MEMORY_BASIC_INFORMATION))) {
return NULL;
}
Address end = reinterpret_cast<Address>(mbi.BaseAddress) + mbi.RegionSize;
size_t remainder = end - curr_addr;
if(remainder > BUF_SCAN_SIZE) {
remainder = BUF_SCAN_SIZE;
}
if(mbi.State == MEM_COMMIT)
{
if(current_size < remainder) {
current_size = remainder;
}
if(!ReadProcessMemory(my_proc, reinterpret_cast<PVOID>(curr_addr), buf, remainder, NULL)) {
curr_addr += remainder;
continue;
}
BYTE* ptr = _FindPattern(buf, remainder, signature, mask, search_rewind);
Address actptr = (curr_addr+(ptr-buf));
if(ptr != NULL) {
return actptr;
}
}
curr_addr += remainder;
}
return NULL;
}
}