CorrM

Patternscan

Apr 17th, 2019
  1. #include "patternscan.h"
  2.  
/*
AoBPattern StringToPattern

Builds an AoBPattern from a textual pattern.

string   Name       - Stored unchanged in the result
int      Offset     - Stored unchanged in the result
uchar_t  wildcard   - Byte value treated as "match anything"; stored in the result and also
                      passed to Utils::PrasePattern as lowercase hex text
string   PatternStr - Pattern text handed to Utils::PrasePattern

Len is set to the number of elements PrasePattern returned.
*/
AoBPattern PatternScan::StringToPattern(string Name, int Offset, uchar_t wildcard, string PatternStr)
{
    // Two hex digits at most for one byte, plus the terminator.
    // NOTE(review): "%x" prints a single digit for values below 0x10 - confirm that
    // PrasePattern accepts that form of the wildcard token.
    char wildcardHex[3] = {};
    sprintf_s(wildcardHex, sizeof(wildcardHex), "%x", wildcard);

    // The " " argument is presumably the token separator - verify against Utils::PrasePattern.
    auto parsedBytes = Utils::PrasePattern(PatternStr, " ", wildcardHex);

    AoBPattern result;
    result.Name = Name;
    result.Offset = Offset;
    result.Wildcard = wildcard;
    result.Pattern = parsedBytes;
    result.Len = parsedBytes.size();
    return result;
}
  18.  
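/*
vector<uintptr_t> FindMemPattern

Reads memory one page at a time through ByPH->RWVM and records every address at
which Pattern occurs.

BypaPH*     ByPH      - Reader; RWVM is called with ByPH->m_hTarget. A null pointer yields an empty result
uintptr_t   dwStart   - First address to read (raised to lpMinimumApplicationAddress if below it)
uintptr_t   dwEnd     - Last address at which a page read may start (lowered to lpMaximumApplicationAddress if above it)
AoBPattern  Pattern   - Bytes to match; a pattern byte equal to Pattern.Wildcard matches any byte,
                        so a literal byte with that value cannot be matched exactly
bool        firstOnly - Return as soon as the first match has been recorded

Returns (address of the first matched byte) + Pattern.Offset for each match. The result is
empty when nothing matched, when Pattern.Len is not positive, or when Pattern.Len exceeds
the number of bytes held in Pattern.Pattern.

Known limitation, kept from the original matcher: after a mismatch the search restarts at
the pattern's first byte without re-examining bytes already consumed, so an occurrence that
overlaps a failed partial match can be missed.
*/
vector<uintptr_t> PatternScan::FindMemPattern(BypaPH* ByPH, uintptr_t dwStart, uintptr_t dwEnd, AoBPattern Pattern, bool firstOnly)
{
    vector<uintptr_t> ret;

    const uchar_t *uPattern = Pattern.Pattern.data();
    const int nLen = Pattern.Len;

    // Reject inputs that would dereference a null reader or index outside the pattern bytes:
    // with nLen <= 0 the match counter never reaches nLen and would run past the pattern.
    if (ByPH == nullptr || nLen <= 0 || Pattern.Pattern.size() < static_cast<size_t>(nLen))
        return ret;

    SYSTEM_INFO si = { 0 };
    GetSystemInfo(&si);

    // Clamp the requested range to the addresses the system reports as usable.
    const uintptr_t minAddr = reinterpret_cast<uintptr_t>(si.lpMinimumApplicationAddress);
    const uintptr_t maxAddr = reinterpret_cast<uintptr_t>(si.lpMaximumApplicationAddress);
    if (dwStart < minAddr)
        dwStart = minAddr;
    if (dwEnd > maxAddr)
        dwEnd = maxAddr;

    // Owned buffer: released on every exit path, including when push_back throws.
    std::vector<BYTE> page(si.dwPageSize);

    // Number of pattern bytes matched so far; carried across contiguous pages so a
    // match may straddle a page boundary.
    int k = 0;

    // Cycle through memory based on page size
    for (uintptr_t i = dwStart; i <= dwEnd; i += si.dwPageSize)
    {
        if (!Program->Work) break;

        // Read one page or skip if failed
        SIZE_T dwOut = 0;
        if (ByPH->RWVM(ByPH->m_hTarget, reinterpret_cast<LPVOID>(i), page.data(), si.dwPageSize, &dwOut) != STATUS_SUCCESS)
        {
            // The bytes before and after an unreadable page are not contiguous,
            // so a partial match must not continue across it.
            k = 0;
            continue;
        }

        // Only the bytes the read reported are valid; never trust a count larger than the buffer.
        const SIZE_T valid = dwOut < page.size() ? dwOut : page.size();

        // j < valid (the original used <=, which read one byte past the data, and past
        // the allocation when a full page was returned).
        for (SIZE_T j = 0; j < valid; j++)
        {
            // If the byte matches our pattern or wildcard
            if (page[j] == uPattern[k] || uPattern[k] == Pattern.Wildcard)
            {
                // Did we find it?
                if (++k == nLen)
                {
                    // (i + j) is the address of the last matched byte; step back to the
                    // first one, then apply the caller's offset.
                    ret.push_back(((i + j) - (nLen - 1)) + Pattern.Offset);
                    if (firstOnly)
                        return ret;

                    // Start over for the next occurrence; without this the next
                    // comparison would read uPattern[nLen], outside the pattern.
                    k = 0;
                }
            }
            else
            {
                k = 0;
            }
        }

        // A short read leaves a gap before the next page, so drop any partial match.
        if (valid < page.size())
            k = 0;
    }

    return ret;
}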