[Feature Request] AoB Scanning #14

Closed
vars1ty opened this issue Nov 11, 2022 · 7 comments
Comments

vars1ty commented Nov 11, 2022

Hello!
First and foremost- Great project!

It has basically everything I need, although I wanted to check if you could potentially implement a function for performing AoB (Array of Bytes) scans, since that's what I'm working with rather than SIG/pattern ones?

pseuxide (Owner) commented Nov 11, 2022 via email

vars1ty (Author) commented Nov 11, 2022

Hi!

Doesn't seem like it in my case. For example, I can search for this hex string in Cheat Engine:
67 6C 6F 62 61 6C 2F 4D 61 70 57 69 6E 64 6F 77 2E 53 74 61 72 74 28 29 3B
But if I do it through pattern_scan it returns 0 results 🤔 Unless I'm doing something wrong, by chance?

pseuxide (Owner) commented Nov 12, 2022

Oh... that could be my fault, I apologize.
I've been fixing the scan code over and over every time I find a bug; pattern scan is full of edge cases, haha.
May I see your code, and what architecture is the module?

vars1ty (Author) commented Nov 12, 2022

Here's the version with find_pattern, which also gives no results:

use toy_arms::external::Process; // import path assumed from the toy-arms README; adjust to your crate version

fn main() {
    let process = Process::from_process_name("SSOClient.exe").unwrap();

    // Get module information for the main executable image (the only image find_pattern scans)
    let mut client = process.get_module_info("SSOClient.exe").unwrap();

    // AoB pattern: the bytes of the ASCII string "global/MapWindow.Start();"
    let address = client.find_pattern("67 6C 6F 62 61 6C 2F 4D 61 70 57 69 6E 64 6F 77 2E 53 74 61 72 74 28 29 3B");
    match address {
        Some(i) => println!("[+] found pattern at 0x{:x}", i),
        None => println!("[-] NOTHING FOUND"),
    }
}

pseuxide (Owner) commented Dec 1, 2022

I'm sorry for responding so freakin' late.
Maybe you don't need the solution anymore, but in case you do, I'll write down instructions so that I can grasp the situation. I want you to follow them so that I might be able to work on it.

  1. Could you check whether client.data is populated (it shouldn't consist of a bunch of 0s, but has to be a massive amount of integer values)?
  2. And check whether its size is identical to client.size. I think you can check the size with client.data.len(), so the following code probably works: client.size == client.data.len().

By the way, there is no naming convention or anything for the module handle. I named it client in the example because it was the handle of client.dll, that's it, haha.

vars1ty (Author) commented Dec 1, 2022

Well, I did narrow down the problem to an extent.
It doesn't find the addresses with the AoB/pattern at all, whereas a C# library I use does find it.
The main difference I can see is that toy-arms doesn't scan the whole memory (from start to finish), which might be the cause.

Here's the library I'm talking about if you want to take a look at it: https://github.com/erfg12/memory.dll/blob/master/Memory/Methods/AoB.cs

pseuxide (Owner) commented Dec 1, 2022

Thanks for letting me know. I think I found that there is a gap between my expectation of usage and yours (or maybe I've been misunderstanding the term AoB scan till now).
I read the code a bit and noticed the C# lib allows you to specify a scan range from sys_info.minimumApplicationAddress to sys_info.maximumApplicationAddress.

Toy-arms limits its scan range to one PE unit at a time. Let's say the pattern is not in SSOClient.exe but actually in SomeSupportLib.dll; then toy-arms doesn't find it unless you pass SomeSupportLib.dll to get_module_info(). I designed it that way because people often know which PE image they want to scan from prior analysis.

Does that make sense to you? I hope my assumption has a point. I tried a whole-memory scan but it was buggy (due to my lack of knowledge). I think the C# library gives me some hints about it, and I feel like it's good to implement it myself too.

Anyway, I'm absolutely grateful that you did the comparison on your own and informed me.
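To make the module-scoped versus whole-address-space distinction from the thread concrete, here is an added Rust example. It is mine, not toy-arms code, and the names `Region`, `parse_pattern`, `find_in_region`, `find_everywhere`, `pattern_from_bytes` and `sample_regions` are hypothetical helpers; the two memory regions and their contents are constructed for the example. The hex pattern from the thread decodes to the ASCII string `global/MapWindow.Start();`, so `pattern_from_bytes` is the sanity check that the hex really encodes the bytes you expect. The single-region scan over the `SSOClient.exe` stand-in returns `None` even though a near-miss string (`...Stop();`) is present, while the scan over every region finds the string in the `SomeSupportLib.dll` stand-in. On a live Windows target the regions would be gathered by walking `VirtualQueryEx` over committed, readable memory and copying each with `ReadProcessMemory`, which is the behaviour a whole-memory AoB scan such as the C# library's (or Cheat Engine's default scan) relies on.

```rust
/// The pattern posted in the issue: the bytes of "global/MapWindow.Start();".
const PATTERN: &str = "67 6C 6F 62 61 6C 2F 4D 61 70 57 69 6E 64 6F 77 2E 53 74 61 72 74 28 29 3B";

/// Parse an AoB / IDA-style pattern such as "67 6C ?? 62" into bytes with wildcards.
/// Any token that is not "??", "?" or a two-digit hex byte is rejected instead of silently skipped.
fn parse_pattern(pattern: &str) -> Result<Vec<Option<u8>>, String> {
    pattern
        .split_whitespace()
        .map(|tok| match tok {
            "??" | "?" => Ok(None),
            _ => u8::from_str_radix(tok, 16)
                .map(Some)
                .map_err(|e| format!("bad pattern token {tok:?}: {e}")),
        })
        .collect()
}

/// Render raw bytes as the upper-case, space-separated hex that tools like Cheat Engine show,
/// so a pattern can be checked against the string it is supposed to represent.
fn pattern_from_bytes(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{b:02X}")).collect::<Vec<_>>().join(" ")
}

/// Scan one contiguous byte buffer (one module image) and return the offset of the first match.
/// This is the module-scoped behaviour described in the thread: nothing outside `data` is seen.
fn find_in_region(data: &[u8], pat: &[Option<u8>]) -> Option<usize> {
    if pat.is_empty() || data.len() < pat.len() {
        return None;
    }
    data.windows(pat.len()).position(|window| {
        window.iter().zip(pat).all(|(b, p)| match p {
            Some(expected) => b == expected,
            None => true, // wildcard byte
        })
    })
}

/// A captured memory region: base address plus a copy of its bytes. Stands in for a module image
/// or for one committed range enumerated with VirtualQueryEx on a real target.
struct Region {
    name: &'static str,
    base: usize,
    data: Vec<u8>,
}

/// Scan every region and return (region name, absolute address) for all matches, overlapping
/// matches included, which is what a whole-address-space AoB scan reports.
fn find_everywhere(regions: &[Region], pat: &[Option<u8>]) -> Vec<(&'static str, usize)> {
    let mut hits = Vec::new();
    for r in regions {
        let mut start = 0;
        while let Some(off) = find_in_region(&r.data[start..], pat) {
            hits.push((r.name, r.base + start + off));
            start += off + 1; // resume one byte past the hit so overlapping matches are not lost
        }
    }
    hits
}

/// Constructed sample memory: the main image holds only a near miss ("...Stop();"), while the
/// support DLL holds the real string at offset 0x20 of its image.
fn sample_regions() -> Vec<Region> {
    let mut exe = b"MZ\x90\x00".to_vec();
    exe.extend(std::iter::repeat(0u8).take(60));
    exe.extend_from_slice(b"global/MapWindow.Stop();");
    let mut dll = vec![0xCCu8; 0x20];
    dll.extend_from_slice(b"global/MapWindow.Start();\0");
    dll.extend(std::iter::repeat(0xCCu8).take(16));
    vec![
        Region { name: "SSOClient.exe", base: 0x0040_0000, data: exe },
        Region { name: "SomeSupportLib.dll", base: 0x1000_0000, data: dll },
    ]
}

fn main() {
    let pat = parse_pattern(PATTERN).expect("valid pattern");
    let ascii: Vec<u8> = pat.iter().map(|p| p.unwrap_or(b'?')).collect();
    println!("pattern decodes to {:?}", String::from_utf8_lossy(&ascii));

    let regions = sample_regions();
    // Module-scoped scan, as in the issue: only SSOClient.exe is searched.
    match find_in_region(&regions[0].data, &pat) {
        Some(off) => println!("[+] {} : 0x{:x}", regions[0].name, regions[0].base + off),
        None => println!("[-] {}: nothing found (only this image was scanned)", regions[0].name),
    }
    // Whole-space scan: every captured region is searched.
    for (name, addr) in find_everywhere(&regions, &pat) {
        println!("[+] whole-space scan: {name} at 0x{addr:x}");
    }
}
```

The practical takeaway matches the thread: a hit in Cheat Engine with no hit from a module-scoped `find_pattern` usually means the bytes live in another module, or in heap or mapped memory that belongs to no module at all, rather than that the pattern is wrong; checking `pattern_from_bytes` against the intended string rules out the second possibility before widening the scan.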
