samedi 20 octobre 2018

C++ AOB scanner / full patern scann memory

I need scan full memory area in other process. Something like AOB scanner / pattern scan memory etc. but on full memory. My program work only in base area, from baseAdress to end base - i need scan full memory. If i set my custom values and i got no results.

What is wrong?

My code: (on line 160 & 161 i try set start/end values)

#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
#include <string>
#include <tchar.h>

//internal patch
void Patch(void* dst, void*src, unsigned int size);
//external
void PatchEx(HANDLE hProcess, void* dst, void* src, unsigned int size);
//Internal Nop
void Nop(HANDLE hProcess, void* dest, unsigned int size);
//External
void NopEx(HANDLE hProcess, void* dst, unsigned int size);
//Internal Pattern Scan
void * PatternScan(char* base, size_t size, char* pattern, char*mask);
//External Wrapper
void * PatternScanEx(HANDLE hPRocess, uintptr_t begin, uintptr_t end, char* pattern, char*  mask);
//Module wrapper for external pattern scan
void * PatternScanExModule(HANDLE hProcess, const TCHAR *exeName, const TCHAR *module, char* pattern, char* mask);
//Get Process ID From an executable name using toolhelp32Snapshot
DWORD GetProcID(const TCHAR *exeName);
//Get ModuleEntry from module name, using toolhelp32snapshot
MODULEENTRY32 GetModule(DWORD dwProcID, const TCHAR *moduleName);

int main()
{
    //Get Process ID by enumerating the processes using tlhelp32snapshot
    DWORD processID = GetProcID("notepad.exe");

    std::cout << "Process id: " << processID << std::endl;

    //Get handle by OpenProcess
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, processID);

    //PatternScan
    void * notepadAddress = PatternScanExModule(hProcess, "notepad.exe", "notepad.exe", "\x73\x00\x65\x00\x63\x00\x72\x00\x65\x00\x74", "xxxxxxxxxxx");

    std::cout << "Result: " << notepadAddress << std::endl;

    system("pause");
    return  0;
}
//internal patch
void Patch(void* dst, void* src, unsigned int size)
{
    DWORD oldprotect;
    VirtualProtect(dst, size, PAGE_EXECUTE_READWRITE, &oldprotect);
    memcpy(dst, src, size);
    VirtualProtect(dst, size, oldprotect, &oldprotect);
}

//external
void PatchEx(HANDLE hProcess, void* dst, void* src, unsigned int size)
{
    DWORD oldprotect;
    VirtualProtectEx(hProcess, dst, size, PAGE_EXECUTE_READWRITE, &oldprotect);
    WriteProcessMemory(hProcess, dst, src, size, NULL);
    VirtualProtectEx(hProcess, dst, size, oldprotect, &oldprotect);
}

//Internal Nop
void Nop(HANDLE hProcess, void* dst, unsigned int size)
{
    DWORD oldprotect;
    VirtualProtect(dst, size, PAGE_EXECUTE_READWRITE, &oldprotect);
    memset(dst, 0x90, size);
    VirtualProtect(dst, size, oldprotect, &oldprotect);
}

//External
void NopEx(HANDLE hProcess, void* dst, unsigned int size)
{
    byte* nopArray = new byte[size];
    memset(nopArray, 0x90, size);

    DWORD oldprotect;
    VirtualProtectEx(hProcess, dst, size, PAGE_EXECUTE_READWRITE, &oldprotect);
    WriteProcessMemory(hProcess, dst, nopArray, size, NULL);
    VirtualProtectEx(hProcess, dst, size, oldprotect, &oldprotect);
    delete[] nopArray;
}

//Internal Pattern Scan
void * PatternScan(char* base, size_t size, char* pattern, char* mask)
{
    size_t patternLength = strlen(mask);

    for (unsigned int i = 0; i < size - patternLength; i++)
    {
        bool found = true;
        for (unsigned int j = 0; j < patternLength; j++)
        {
            if (mask[j] != '?' && pattern[j] != *(base + i + j))
            {
                found = false;
                break;
            }
        }
        if (found)
        {
            return (void*)(base + i);
        }
    }
    return nullptr;
}

//External Wrapper
void * PatternScanEx(HANDLE hProcess, uintptr_t begin, uintptr_t end, char* pattern, char*  mask)
{
    uintptr_t currentChunk = begin;

    SIZE_T bytesRead;

    while (currentChunk < end)
    {
        char buffer[4096];

        DWORD oldprotect;
        VirtualProtectEx(hProcess, (void*)currentChunk, sizeof(buffer), PAGE_EXECUTE_READWRITE, &oldprotect);
        ReadProcessMemory(hProcess, (void*)currentChunk, &buffer, sizeof(buffer), &bytesRead);
        VirtualProtectEx(hProcess, (void*)currentChunk, sizeof(buffer), oldprotect, &oldprotect);

        if (bytesRead == 0)
        {
            return nullptr;
        }

        void* internalAddress = PatternScan((char*)&buffer, bytesRead, pattern, mask);

        if (internalAddress != nullptr)
        {
            //calculate from internal to external
            uintptr_t offsetFromBuffer = (uintptr_t)internalAddress - (uintptr_t)&buffer;
            return (void*)(currentChunk + offsetFromBuffer);
        }
        else
        {
            //advance to next chunk
            currentChunk = currentChunk + bytesRead;
        }
    }
    return nullptr;
}

//Module wrapper for external pattern scan
void * PatternScanExModule(HANDLE hProcess, const TCHAR *exeName, const TCHAR *module, char* pattern, char* mask)
{
    DWORD processID = GetProcID(exeName);
    MODULEENTRY32 modEntry = GetModule(processID, module);

    if (!modEntry.th32ModuleID)
    {
        return nullptr;
    }

    uintptr_t begin = (uintptr_t)modEntry.modBaseAddr;
    uintptr_t end = begin + modEntry.modBaseSize;

    //uintptr_t begin = 0x0;
    //uintptr_t end = 0x7FFFFFFF;

    std::cout << "Begin: " << std::hex << begin << std::endl;
    std::cout << "End: " << std::hex << end << std::endl;

    return PatternScanEx(hProcess, begin, end, pattern, mask);
}
//Get Process ID From an executable name using toolhelp32Snapshot
DWORD GetProcID(const TCHAR *exeName)
{
    PROCESSENTRY32 procEntry = { 0 };
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

    if (!hSnapshot)
    {
        return 0;
    }

    procEntry.dwSize = sizeof(procEntry);

    if (!Process32First(hSnapshot, &procEntry))
    {
        return 0;
    }

    do
    {
        if (_tcsicmp(procEntry.szExeFile, _T(exeName)) == 0)
        {
            CloseHandle(hSnapshot);
            return procEntry.th32ProcessID;
        }
    } while (Process32Next(hSnapshot, &procEntry));

    CloseHandle(hSnapshot);
    return 0;
}

//Get ModuleEntry from module name, using toolhelp32snapshot
MODULEENTRY32 GetModule(DWORD dwProcID, const TCHAR *moduleName)
{
    MODULEENTRY32 modEntry = { 0 };

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcID);

    if (hSnapshot != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 curr = { 0 };

        curr.dwSize = sizeof(MODULEENTRY32);
        if (Module32First(hSnapshot, &curr))
        {
            do
            {
                if (_tcsicmp(curr.szModule, _T(moduleName)) == 0)
                {
                    modEntry = curr;
                    break;
                }
            } while (Module32Next(hSnapshot, &curr));
        }
        CloseHandle(hSnapshot);
    }
    return modEntry;
}

Program is compiled on mingw 64bit.

Aucun commentaire:

Enregistrer un commentaire