Registration Code (Part 1): w%kQ6
Registration Code (Part 2): b<#$1[*(cw~
In order to register on this forum, you must use the codes above. Combine them into one code (copy paste).

Signature Scanning With C#

Programming topics that relate to the C# language.
Post Reply
User avatar
atom0s
Site Admin
Posts: 401
Joined: Sun Jan 04, 2015 11:23 pm
Location: 127.0.0.1
Contact:

Signature Scanning With C#

Post by atom0s » Tue Jan 06, 2015 8:32 pm

This code example is a port I made of the well known 'FindPattern' method that is written in C/C++. I ported it to C# for various older projects.
  1. /**
  2.  * sigScan C# Implementation - Written by atom0s [aka Wiccaan]
  3.  * Class Version: 2.0.0
  4.  *
  5.  * [ CHANGE LOG ] -------------------------------------------------------------------------
  6.  *
  7.  *      2.0.0
  8.  *          - Updated to no longer require unsafe or fixed code.
  9.  *          - Removed unneeded methods and code.
  10.  *          
  11.  *      1.0.0
  12.  *          - First version written and release.
  13.  *          
  14.  * [ CREDITS ] ----------------------------------------------------------------------------
  15.  *
  16.  *      sigScan is based on the FindPattern code written by
  17.  *      dom1n1k and Patrick at GameDeception.net
  18.  *      
  19.  *      Full credit to them for the purpose of this code. I, atom0s, simply
  20.  *      take credit for converting it to C#.
  21.  *
  22.  */
  23.  
  24. namespace YourNamespaceNameHere.Classes
  25. {
  26.     using System;
  27.     using System.Collections.Generic;
  28.     using System.Diagnostics;
  29.     using System.Linq;
  30.     using System.Runtime.InteropServices;
  31.  
  32.     public class SigScan
  33.     {
  34.         /// <summary>
  35.         /// ReadProcessMemory
  36.         ///  
  37.         ///     API import definition for ReadProcessMemory.
  38.         /// </summary>
  39.         /// <param name="hProcess">Handle to the process we want to read from.</param>
  40.         /// <param name="lpBaseAddress">The base address to start reading from.</param>
  41.         /// <param name="lpBuffer">The return buffer to write the read data to.</param>
  42.         /// <param name="dwSize">The size of data we wish to read.</param>
  43.         /// <param name="lpNumberOfBytesRead">The number of bytes successfully read.</param>
  44.         /// <returns></returns>
  45.         [DllImport("kernel32.dll", SetLastError = true)]
  46.         private static extern bool ReadProcessMemory(
  47.             IntPtr hProcess,
  48.             IntPtr lpBaseAddress,
  49.             [Out] byte[] lpBuffer,
  50.             int dwSize,
  51.             out int lpNumberOfBytesRead
  52.             );
  53.  
  54.         /// <summary>
  55.         /// m_vDumpedRegion
  56.         ///  
  57.         ///     The memory dumped from the external process.
  58.         /// </summary>
  59.         private byte[] m_vDumpedRegion;
  60.  
  61.         /// <summary>
  62.         /// m_vProcess
  63.         ///  
  64.         ///     The process we want to read the memory of.
  65.         /// </summary>
  66.         private Process m_vProcess;
  67.  
  68.         /// <summary>
  69.         /// m_vAddress
  70.         ///  
  71.         ///     The starting address we want to begin reading at.
  72.         /// </summary>
  73.         private IntPtr m_vAddress;
  74.  
  75.         /// <summary>
  76.         /// m_vSize
  77.         ///  
  78.         ///     The number of bytes we wish to read from the process.
  79.         /// </summary>
  80.         private Int32 m_vSize;
  81.  
  82.  
  83.         #region "sigScan Class Construction"
  84.         /// <summary>
  85.         /// SigScan
  86.         ///  
  87.         ///     Main class constructor that uses no params.  
  88.         ///     Simply initializes the class properties and  
  89.         ///     expects the user to set them later.
  90.         /// </summary>
  91.         public SigScan()
  92.         {
  93.             this.m_vProcess = null;
  94.             this.m_vAddress = IntPtr.Zero;
  95.             this.m_vSize = 0;
  96.             this.m_vDumpedRegion = null;
  97.         }
  98.         /// <summary>
  99.         /// SigScan
  100.         ///  
  101.         ///     Overloaded class constructor that sets the class
  102.         ///     properties during construction.
  103.         /// </summary>
  104.         /// <param name="proc">The process to dump the memory from.</param>
  105.         /// <param name="addr">The started address to begin the dump.</param>
  106.         /// <param name="size">The size of the dump.</param>
  107.         public SigScan(Process proc, IntPtr addr, int size)
  108.         {
  109.             this.m_vProcess = proc;
  110.             this.m_vAddress = addr;
  111.             this.m_vSize = size;
  112.         }
  113.         #endregion
  114.  
  115.         #region "sigScan Class Private Methods"
  116.         /// <summary>
  117.         /// DumpMemory
  118.         ///  
  119.         ///     Internal memory dump function that uses the set class
  120.         ///     properties to dump a memory region.
  121.         /// </summary>
  122.         /// <returns>Boolean based on RPM results and valid properties.</returns>
  123.         private bool DumpMemory()
  124.         {
  125.             try
  126.             {
  127.                 // Checks to ensure we have valid data.
  128.                 if (this.m_vProcess == null)
  129.                     return false;
  130.                 if (this.m_vProcess.HasExited)
  131.                     return false;
  132.                 if (this.m_vAddress == IntPtr.Zero)
  133.                     return false;
  134.                 if (this.m_vSize == 0)
  135.                     return false;
  136.  
  137.                 // Create the region space to dump into.
  138.                 this.m_vDumpedRegion = new byte[this.m_vSize];
  139.  
  140.                 int nBytesRead;
  141.  
  142.                 // Dump the memory.
  143.                 var ret = ReadProcessMemory(
  144.                     this.m_vProcess.Handle, this.m_vAddress, this.m_vDumpedRegion, this.m_vSize, out nBytesRead
  145.                     );
  146.  
  147.                 // Validation checks.
  148.                 return ret && nBytesRead == this.m_vSize;
  149.             }
  150.             catch (Exception)
  151.             {
  152.                 return false;
  153.             }
  154.         }
  155.  
  156.         /// <summary>
  157.         /// MaskCheck
  158.         ///  
  159.         ///     Compares the current pattern byte to the current memory dump
  160.         ///     byte to check for a match. Uses wildcards to skip bytes that
  161.         ///     are deemed unneeded in the compares.
  162.         /// </summary>
  163.         /// <param name="nOffset">Offset in the dump to start at.</param>
  164.         /// <param name="btPattern">Pattern to scan for.</param>
  165.         /// <param name="strMask">Mask to compare against.</param>
  166.         /// <returns>Boolean depending on if the pattern was found.</returns>
  167.         private bool MaskCheck(int nOffset, IEnumerable<byte> btPattern, string strMask)
  168.         {
  169.             // Loop the pattern and compare to the mask and dump.
  170.             return !btPattern.Where((t, x) => strMask[x] != '?' && ((strMask[x] == 'x') && (t != this.m_vDumpedRegion[nOffset + x]))).Any();
  171.  
  172.             // The loop was successful so we found the pattern.
  173.         }
  174.  
  175.         #endregion
  176.  
  177.         #region "sigScan Class Public Methods"
  178.         /// <summary>
  179.         /// FindPattern
  180.         ///  
  181.         ///     Attempts to locate the given pattern inside the dumped memory region
  182.         ///     compared against the given mask. If the pattern is found, the offset
  183.         ///     is added to the located address and returned to the user.
  184.         /// </summary>
  185.         /// <param name="btPattern">Byte pattern to look for in the dumped region.</param>
  186.         /// <param name="strMask">The mask string to compare against.</param>
  187.         /// <param name="nOffset">The offset added to the result address.</param>
  188.         /// <returns>IntPtr - zero if not found, address if found.</returns>
  189.         public IntPtr FindPattern(byte[] btPattern, string strMask, int nOffset)
  190.         {
  191.             try
  192.             {
  193.                 // Dump the memory region if we have not dumped it yet.
  194.                 if (this.m_vDumpedRegion == null || this.m_vDumpedRegion.Length == 0)
  195.                 {
  196.                     if (!this.DumpMemory())
  197.                         return IntPtr.Zero;
  198.                 }
  199.  
  200.                 // Ensure the mask and pattern lengths match.
  201.                 if (strMask.Length != btPattern.Length)
  202.                     return IntPtr.Zero;
  203.  
  204.                 // Loop the region and look for the pattern.
  205.                 for (int x = 0; x < this.m_vDumpedRegion.Length; x++)
  206.                 {
  207.                     if (this.MaskCheck(x, btPattern, strMask))
  208.                     {
  209.                         // The pattern was found, return it.
  210.                         return new IntPtr((int)this.m_vAddress + (x + nOffset));
  211.                     }
  212.                 }
  213.  
  214.                 // Pattern was not found.
  215.                 return IntPtr.Zero;
  216.             }
  217.             catch (Exception)
  218.             {
  219.                 return IntPtr.Zero;
  220.             }
  221.         }
  222.  
  223.         /// <summary>
  224.         /// ResetRegion
  225.         ///  
  226.         ///     Resets the memory dump array to nothing to allow
  227.         ///     the class to redump the memory.
  228.         /// </summary>
  229.         public void ResetRegion()
  230.         {
  231.             this.m_vDumpedRegion = null;
  232.         }
  233.         #endregion
  234.  
  235.         #region "sigScan Class Properties"
  236.         public Process Process
  237.         {
  238.             get { return this.m_vProcess; }
  239.             set { this.m_vProcess = value; }
  240.         }
  241.         public IntPtr Address
  242.         {
  243.             get { return this.m_vAddress; }
  244.             set { this.m_vAddress = value; }
  245.         }
  246.         public Int32 Size
  247.         {
  248.             get { return this.m_vSize; }
  249.             set { this.m_vSize = value; }
  250.         }
  251.         #endregion
  252.  
  253.     }
  254. }
Derp~
Need a great web host? Check out: AnHonestHost.com


Donations can be made via Paypal:
https://www.paypal.me/atom0s
GloopPro
Posts: 1
Joined: Fri May 01, 2015 9:10 am

Re: Signature Scanning With C#

Post by GloopPro » Fri May 01, 2015 9:15 am

How to use?
Examples Project?
I was in Thailand I'm sorry I do not speak English
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest