unit FindPatterns;interfaceuses CodeSiteLogging, Winapi.Windows;

1. unit FindPatterns;
2.  
3. interface
4.  
5. uses
6.  CodeSiteLogging,
7.  Winapi.Windows;
8.  
9.  function FindPcore: DWORD;
10.  
11. implementation
12.  
13. function _Compare(R, L: Pointer; Mask: PAnsiChar): Boolean;
14. var
15.  K: Integer;
16. begin
17.  for K := 0 to Length(Mask) -1 do
18.   begin
19.    if (Mask[K] = 'x') and (PByte(Integer(R) + K)^ <> PByte(Integer(L) + K)^) then
20.     Exit(False)
21.   end;
22.  Result := True;
23. end;
24.  
25. function FindPattern (R, L: Pointer; Len: DWORD; Mask: PAnsiChar): DWORD;
26. var
27.  K: Integer;
28. begin
29.  Result := 0;
30.  for K := 0 to Len -1 do
31.   begin
32.    if _Compare(Ptr(Integer(R) + K), L, Mask) then
33.      Exit(Integer(R) + K);
34.   end;
35. end;
36.  
37. function Scan(Mode: DWORD; Pattern: Pointer; Mask: PAnsiChar): DWORD;
38. var
39.   PageSize: DWORD;
40.   SystemInfo: SYSTEM_INFO;
41.   K, Offset, lpAddr: size_t;
42.   MemInfo: TMemoryBasicInformation;
43. begin
44.   GetSystemInfo(SystemInfo);
45.   PageSize := SystemInfo.dwPageSize;
46.   lpAddr := 00401000;
47.  
48.   while lpAddr < $7FFFFFFF do
49.    begin
50.     K := VirtualQuery(Pointer(lpAddr), MemInfo, SizeOf(TMemoryBasicInformation));
51.    if (K = ERROR_INVALID_PARAMETER) or (K = 0) then
52.     Break;
53.  
54.    if (MemInfo.Type_9 = MEM_MAPPED) then
55.     begin
56.      inc(lpAddr, memInfo.RegionSize);
57.      Continue;
58.     end;
59.  
60.    if (K = SizeOf(TMemoryBasicInformation)) and
61.       (memInfo.State = MEM_COMMIT) and
62.       (memInfo.RegionSize > 0) and
63.       (memInfo.Protect = Mode)
64.    then
65.     begin
66.      Offset := FindPattern(Pointer(lpAddr), Pattern, memInfo.RegionSize, Mask);
67.      if not (Offset = 0) then
68.       begin
69.        Result := Offset;
70.  
71.        CodeSite.SendFmtMsg('%x - %x',[Offset, PDWORD(Ptr(Offset))^]);
72.        Break;
73.       end;
74.     end;
75.     inc(lpAddr, memInfo.RegionSize);
76.    end;
77. end;
78.  
79. function FindPCore: DWORD;
80. const
81. Str_B80EB6 : array [0 .. 80] of Byte = ($55, $8B, $EC, $51, $89, $4D, $FC, $8B, $4D, $FC, $E8, $5D, $05, $00, $00, $8B, $45, $FC, $C9, $C3, $55, $8B, $EC, $51, $89, $4D, $FC, $C9, $C3, $55, $8B, $EC, $51, $51, $89, $4D, $FC, $8B, $4D, $FC, $E8, $3F, $05, $00, $00, $6A, $00, $6A, $01, $8D, $45, $08, $50, $8B, $4D, $FC, $E8, $24, $03, $00, $00, $8A, $45, $08, $88, $45, $F8, $80, $7D, $F8, $C1, $74, $08, $80, $7D, $F8, $C2, $74, $13, $EB, $22);
82. var
83.  Mask: PAnsiChar;
84. begin
85.  Mask := 'xxxxxxxxxxx????xxxxxxxxxxxxxxxxxxxxxxxxxx????xxxxxxxxxxxx????xxxxxxxxxxxxxxxxxxxx';
86.  Result := Scan(PAGE_READWRITE, @Str_B80EB6, Mask);
87. end;
88.  
89. end.