-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathScanner.cpp
More file actions
105 lines (86 loc) · 2.47 KB
/
Copy pathScanner.cpp
File metadata and controls
105 lines (86 loc) · 2.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#pragma once
#include "pch.h"
#include "Scanner.h"
char* FindPattern::ScanModIn(char* pattern, char* mask, std::string modName)
{
LDR_DATA_TABLE_ENTRY* ldr = FindPattern::GetLDREntry(modName);
char* match = FindPattern::ScanInternal(pattern, mask, (char*)ldr->DllBase, ldr->SizeOfImage);
return match;
}
char* FindPattern::TO_CHAR(wchar_t* string)
{
size_t len = wcslen(string) + 1;
char* c_string = new char[len];
size_t numCharsRead;
wcstombs_s(&numCharsRead, c_string, len, string, _TRUNCATE);
return c_string;
}
PEB* FindPattern::GetPEB()
{
#ifdef _WIN64
PEB* peb = (PEB*)__readgsqword(0x60);
#else
PEB* peb = (PEB*)__readfsdword(0x30);
#endif
return peb;
}
LDR_DATA_TABLE_ENTRY* FindPattern::GetLDREntry(std::string name)
{
LDR_DATA_TABLE_ENTRY* ldr = nullptr;
PEB* peb = GetPEB();
LIST_ENTRY head = peb->Ldr->InMemoryOrderModuleList;
head = peb->Ldr->InMemoryOrderModuleList;
LIST_ENTRY curr = head;
while (curr.Flink != head.Blink)
{
LDR_DATA_TABLE_ENTRY* mod = (LDR_DATA_TABLE_ENTRY*)CONTAINING_RECORD(curr.Flink, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
if (mod->FullDllName.Buffer)
{
char* cName = TO_CHAR(mod->BaseDllName.Buffer);
if (_stricmp(cName, name.c_str()) == 0)
{
ldr = mod;
break;
}
delete[] cName;
}
curr = *curr.Flink;
}
return ldr;
}
char* FindPattern::ScanBasic(char* pattern, char* mask, char* begin, intptr_t size)
{
intptr_t patternLen = strlen(mask);
for (int i = 0; i < size; i++)
{
bool found = true;
for (int j = 0; j < patternLen; j++)
{
if (mask[j] != '?' && pattern[j] != *(char*)((intptr_t)begin + i + j))
{
found = false;
break;
}
}
if (found)
{
return (begin + i);
}
}
return nullptr;
}
char* FindPattern::ScanInternal(char* pattern, char* mask, char* begin, intptr_t size)
{
char* match{ nullptr };
MEMORY_BASIC_INFORMATION mbi{};
for (char* curr = begin; curr < begin + size; curr += mbi.RegionSize)
{
if (!VirtualQuery(curr, &mbi, sizeof(mbi)) || mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS) continue;
match = ScanBasic(pattern, mask, curr, mbi.RegionSize);
if (match != nullptr)
{
break;
}
}
return match;
}