#include "MemoryPattern.h"
#include <ntddk.h>
// Scan window size in bytes; presumably the default/maximum range a caller
// should hand to the signature scanner - TODO confirm against callers.
#define FIND_MAX_SIZE 4096
// Win32-style integer aliases. Only BYTE is referenced by the code visible in
// this file; DWORD and WORD may be used elsewhere or be leftovers.
// NOTE(review): these names can collide with WDK/SDK headers that declare the
// same typedefs - confirm they are still needed.
typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef unsigned char BYTE;
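/**
 * Scan a memory range for a byte signature, with single-byte wildcards.
 *
 * @param pattern      Signature bytes; pattern.Length bytes of pattern.Buffer
 *                     are compared. Any pattern byte equal to chWildcard
 *                     matches every memory byte, so a literal byte with the
 *                     wildcard's value cannot be required by a signature.
 * @param ulAddressBeg First address of the range to scan.
 * @param ulScanSize   Size of the range in bytes.
 * @param chWildcard   Pattern byte treated as "match anything".
 * @return Address of the first match that lies entirely inside the range, or
 *         NULL when nothing matches, the pattern is empty or longer than the
 *         range, the range wraps the address space, or the first page of the
 *         range is not mapped.
 *
 * The scan never reads past the first unmapped page inside the range: the
 * range is truncated there instead of faulting. MmIsAddressValid is only a
 * point-in-time check and does not lock pages, so callers should still pass
 * ranges they know stay resident (e.g. non-paged image sections).
 */
PVOID64 FindSignature2(IN ANSI_STRING pattern, IN ULONG64 ulAddressBeg, IN ULONG64 ulScanSize, IN CHAR chWildcard /*= '?'*/)
{
    const ULONG64 ulPatternLen = pattern.Length;

    // An empty or missing pattern, or one longer than the range, cannot match.
    if (pattern.Buffer == NULL || ulPatternLen == 0 || ulScanSize < ulPatternLen)
    {
        return NULL;
    }

    // Reject ranges whose end would wrap around the 64-bit address space.
    if (ulScanSize > ~(ULONG64)0 - ulAddressBeg)
    {
        return NULL;
    }
    const ULONG64 ulAddressEnd = ulAddressBeg + ulScanSize;

    // The validity check must gate the scan, not just be logged: touching an
    // unmapped kernel address bugchecks the machine.
    BOOLEAN bValid = MmIsAddressValid((PVOID)ulAddressBeg);
    DbgPrint("Valid: %d %p", bValid, (PVOID)ulAddressBeg);
    if (!bValid)
    {
        return NULL;
    }

    // Walk the remaining pages of the range and stop the scan at the first
    // one that is not mapped. ulPage always names a page already known valid;
    // the loop condition guarantees ulPage + PAGE_SIZE < ulAddressEnd, so the
    // increment cannot overflow.
    ULONG64 ulValidEnd = ulAddressEnd;
    ULONG64 ulPage = ulAddressBeg & ~((ULONG64)PAGE_SIZE - 1);
    while (ulAddressEnd - ulPage > PAGE_SIZE)
    {
        ulPage += PAGE_SIZE;
        if (!MmIsAddressValid((PVOID)ulPage))
        {
            ulValidEnd = ulPage;
            break;
        }
    }

    if (ulValidEnd - ulAddressBeg < ulPatternLen)
    {
        return NULL;
    }

    // Last start position is inclusive: a match ending exactly at the end of
    // the range is still inside it.
    BYTE* pLast = (BYTE*)(ulValidEnd - ulPatternLen);
    for (BYTE* pCur = (BYTE*)ulAddressBeg; pCur <= pLast; ++pCur)
    {
        BOOLEAN bFound = TRUE;
        for (ULONG64 j = 0; j < ulPatternLen; ++j)
        {
            CHAR chPat = pattern.Buffer[j];
            CHAR chMem = (CHAR)pCur[j];
            if (chPat != chMem && chPat != chWildcard)
            {
                bFound = FALSE;
                break;
            }
        }
        if (bFound)
        {
            return (PVOID64)pCur;
        }
    }
    return NULL;
}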
/**
 * Signature scan over a caller-sized range using '?' as the wildcard byte.
 *
 * @param pattern      Signature to look for.
 * @param ulAddressBeg First address of the range to scan.
 * @param ulScanSize   Size of the range in bytes.
 * @return Whatever FindSignature2 returns for the same arguments.
 */
PVOID64 FindSignature1(IN ANSI_STRING pattern, IN ULONG64 ulAddressBeg, IN ULONG64 ulScanSize)
{
    const CHAR chDefaultWildcard = '?';
    PVOID64 pMatch = FindSignature2(pattern, ulAddressBeg, ulScanSize, chDefaultWildcard);
    return pMatch;
}
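/**
 * Signature scan over the default window (FIND_MAX_SIZE bytes) starting at
 * ulAddressBeg, using '?' as the wildcard byte.
 *
 * @param pattern      Signature to look for.
 * @param ulAddressBeg First address of the range to scan.
 * @return Whatever FindSignature2 returns for the same arguments.
 */
PVOID64 FindSignature(IN ANSI_STRING pattern, IN ULONG64 ulAddressBeg)
{
    // Use the named constant rather than a second copy of the literal so the
    // default window is defined in one place.
    return FindSignature2(pattern, ulAddressBeg, FIND_MAX_SIZE, '?');
}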