#include "pch.h"
#include "patternscan.h"
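//Internal Pattern Scan
// Finds the first offset in the local buffer [base, base + size) at which the
// masked pattern matches.
//
// base    : start of the buffer to search (memory of the calling process).
// size    : number of readable bytes at base.
// pattern : bytes to look for; it may contain embedded zero bytes, which is
//           why its length is taken from mask and not from pattern itself.
//           The caller must supply at least strlen(mask) bytes here.
// mask    : NUL-terminated string, one character per pattern byte; '?' marks
//           a wildcard position, any other character requires an exact match.
//
// Returns a pointer into the buffer at the first match, or nullptr when there
// is no match, when an argument is null, or when the pattern is longer than
// the buffer.
void* PatternScan::InternalScan(char* base, size_t size, char* pattern, char* mask) {
    if (base == nullptr || pattern == nullptr || mask == nullptr) {
        return nullptr;
    }

    const size_t patternLength = strlen(mask);

    // size and patternLength are unsigned: without this guard
    // "size - patternLength" wraps to a huge value for a short buffer and the
    // loop reads far past the end of base.
    if (size == 0 || patternLength > size) {
        return nullptr;
    }

    // Last offset at which a whole pattern still fits. The bound is inclusive
    // so that a match ending exactly on the final byte is reported; size_t
    // indices avoid truncation for buffers larger than 4 GiB.
    const size_t lastStart = size - patternLength;
    for (size_t start = 0; start <= lastStart; ++start) {
        bool found = true;
        for (size_t j = 0; j < patternLength; ++j) {
            if (mask[j] != '?' && pattern[j] != base[start + j]) {
                found = false;
                break;
            }
        }
        if (found) {
            return static_cast<void*>(base + start);
        }
    }
    return nullptr;
}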
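//External Wrapper
// Scans the address range [begin, end) of another process for a masked byte
// pattern. The range is copied into a local 4096-byte buffer one chunk at a
// time with ReadProcessMemory, and each copy is searched with InternalScan.
//
// hProcess    : handle to the target process. VirtualProtectEx requires
//               PROCESS_VM_OPERATION and ReadProcessMemory requires
//               PROCESS_VM_READ on this handle.
// begin / end : first address to scan and one past the last, both in the
//               target's address space.
// pattern     : bytes to look for (see InternalScan).
// mask        : NUL-terminated mask, '?' = wildcard (see InternalScan).
//
// Returns the address of the first match in the TARGET process (it must not
// be dereferenced in the calling process), or nullptr when nothing matched,
// when a read returned no bytes, or when the pattern cannot fit in one chunk.
void* PatternScan::ExternalScan(HANDLE hProcess, uintptr_t begin, uintptr_t end, char* pattern, char* mask) {
    char buffer[4096];

    if (pattern == nullptr || mask == nullptr) {
        return nullptr;
    }

    const size_t patternLength = strlen(mask);
    // A pattern longer than the chunk buffer can never be matched here, and
    // handing it to the in-buffer search would make that search run past the
    // end of this stack buffer.
    if (patternLength > sizeof(buffer)) {
        return nullptr;
    }
    // Consecutive chunks overlap by patternLength - 1 bytes so that a match
    // straddling a chunk boundary is fully contained in the following read.
    const size_t overlap = patternLength > 0 ? patternLength - 1 : 0;

    uintptr_t currentChunk = begin;
    while (currentChunk < end) {
        // Never request bytes beyond the caller's range: the final chunk is
        // usually shorter than the buffer.
        const uintptr_t remaining = end - currentChunk;
        const SIZE_T toRead = remaining < sizeof(buffer) ? static_cast<SIZE_T>(remaining) : sizeof(buffer);

        SIZE_T bytesRead = 0;   // stays 0 if the read fails without reporting a count
        DWORD oldprotect = 0;

        // NOTE(review): this opens a writable+executable window in the target
        // process for the duration of the read, which weakens its W^X / DEP
        // posture and stays in place if the restore below fails.
        // ReadProcessMemory only needs the pages to be readable, so the
        // protection change could be limited to pages that are not already
        // readable - confirm with callers before changing that behaviour.
        const bool protectionChanged =
            VirtualProtectEx(hProcess, reinterpret_cast<void*>(currentChunk), toRead, PAGE_EXECUTE_READWRITE, &oldprotect) != 0;

        ReadProcessMemory(hProcess, reinterpret_cast<void*>(currentChunk), buffer, toRead, &bytesRead);

        // Restore only when the first call succeeded; otherwise oldprotect
        // holds no real protection value and must not be applied to the target.
        if (protectionChanged) {
            DWORD replaced = 0;
            VirtualProtectEx(hProcess, reinterpret_cast<void*>(currentChunk), toRead, oldprotect, &replaced);
        }

        if (bytesRead == 0) {
            return nullptr;
        }

        // Search only buffers that can hold a whole pattern, so the in-buffer
        // search is never asked to look beyond the bytes actually read.
        if (bytesRead >= patternLength) {
            void* internalAddress = PatternScan::InternalScan(buffer, bytesRead, pattern, mask);
            if (internalAddress != nullptr) {
                //calculate from internal to external
                const uintptr_t offsetFromBuffer =
                    static_cast<uintptr_t>(static_cast<char*>(internalAddress) - buffer);
                return reinterpret_cast<void*>(currentChunk + offsetFromBuffer);
            }
        }

        //advance to next chunk
        // Step back by the overlap while more of the range remains; every
        // step is at least one byte, so the loop always makes progress.
        const bool moreToScan = bytesRead < remaining;
        const SIZE_T step = (moreToScan && bytesRead > overlap) ? bytesRead - overlap : bytesRead;
        currentChunk += step;
    }
    return nullptr;
}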
//Module wrapper for external pattern scan
// Resolves a module of the target process through GetModule and scans the
// module's whole mapped range [modBaseAddr, modBaseAddr + modBaseSize) with
// ExternalScan.
//
// hProcess  : handle used for the memory reads.
// processID : process id used for the module lookup.
// module    : module name handed to GetModule.
// pattern   : bytes to look for.
// mask      : NUL-terminated mask that accompanies pattern.
//
// Returns whatever ExternalScan returns for that range, or nullptr when the
// module entry has a zero th32ModuleID.
//
// NOTE(review): nothing here checks that hProcess and processID refer to the
// same process; if they differ, the module range is applied to the wrong
// address space.
void* PatternScan::ExternalModuleScan(HANDLE hProcess, DWORD processID, wchar_t* module, char* pattern, char* mask) {
    const MODULEENTRY32 entry = GetModule(processID, module);

    // The Toolhelp API documents th32ModuleID as unused and always set to one,
    // so a zero here presumably means GetModule returned a zero-filled entry
    // because the lookup failed - confirm against GetModule.
    if (entry.th32ModuleID == 0) {
        return nullptr;
    }

    const uintptr_t imageStart = reinterpret_cast<uintptr_t>(entry.modBaseAddr);
    const uintptr_t imageEnd = imageStart + entry.modBaseSize;
    return PatternScan::ExternalScan(hProcess, imageStart, imageEnd, pattern, mask);
}