Tuts 4 You

How To Search Bytes In Process ?


david_2000

hi again

thanks for your reply

I mean this one:
http://forum.tuts4you.com/index.php?showtopic=16209&view=findpost&p=81103

thanks.

CondZero

If anyone is interested, I coded a C program, "BMSEARCH", which utilizes the Boyer-Moore type string search algorithm, which is extremely fast. In it are functions to read forwards / backwards for a string, also using wildcards (slows down the search a bit).

You can get it on the ARTeam releases page over at www.accessroot.com.

The program is designed to read from a running process by using ReadProcessMemory to load a buffer, then you search the buffer for the string. By knowing the size of the buffer, you can determine the offset of the search string found in order to use WriteProcessMemory to patch / replace.

peace
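As an added example (not CondZero's BMSEARCH, whose source is not on this page): a Boyer-Moore-Horspool search over a byte buffer with explicit lengths, plus a chunked scan that maps a buffer offset back to an absolute address the way the post describes. It also handles the failure mode a practitioner runs into when reading a process in pieces: a pattern that straddles two reads is missed unless successive reads overlap by pattern length minus one. ReadProcessMemory is Windows-only, so it is replaced here by `read_fake_memory`, a stand-in that copies from a constructed 4 KiB image; the base address 0x00400000 (taken from the thread's later examples), the chunk size, the filler bytes and the pattern placement are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOT_FOUND ((size_t)-1)

/* Boyer-Moore-Horspool search. Lengths are explicit, so a needle containing
 * NUL bytes is handled like any other byte sequence. Returns the offset of
 * the first match in hay, or NOT_FOUND. */
size_t bmh_find(const uint8_t *hay, size_t hay_len,
                const uint8_t *needle, size_t needle_len)
{
    size_t shift[256];
    if (needle_len == 0 || needle_len > hay_len)
        return NOT_FOUND;
    /* Bad-character table: how far to slide when the last window byte mismatches */
    for (size_t i = 0; i < 256; i++)
        shift[i] = needle_len;
    for (size_t i = 0; i + 1 < needle_len; i++)
        shift[needle[i]] = needle_len - 1 - i;

    size_t pos = 0;
    while (pos + needle_len <= hay_len) {
        uint8_t last = hay[pos + needle_len - 1];
        if (last == needle[needle_len - 1] &&
            memcmp(hay + pos, needle, needle_len - 1) == 0)
            return pos;
        pos += shift[last];
    }
    return NOT_FOUND;
}

/* --- Constructed stand-in for a process image (assumption for the demo) --- */
#define FAKE_BASE      0x00400000u   /* image base used in the thread's examples */
#define FAKE_SIZE      4096u
#define PATTERN_OFFSET 1020u         /* chosen so the pattern straddles a 1024-byte chunk boundary */
#define CHUNK_MAX      4096u

static const uint8_t PATTERN[] = { 0xC7, 0x81, 0xFC, 0, 0, 0, 0, 0, 0, 0 }; /* mov [ecx+fc],0 */
static uint8_t fake_process[FAKE_SIZE];

static void build_fake_process(void)
{
    memset(fake_process, 0x90, FAKE_SIZE);               /* NOP filler */
    memcpy(fake_process + PATTERN_OFFSET, PATTERN, sizeof PATTERN);
}

/* Plays the role of ReadProcessMemory: copies up to len bytes at addr into out.
 * Returns the number of bytes actually copied (0 if addr is outside the image). */
static size_t read_fake_memory(uintptr_t addr, uint8_t *out, size_t len)
{
    if (addr < FAKE_BASE || addr >= FAKE_BASE + FAKE_SIZE)
        return 0;
    size_t off = (size_t)(addr - FAKE_BASE);
    if (len > FAKE_SIZE - off)
        len = FAKE_SIZE - off;
    memcpy(out, fake_process + off, len);
    return len;
}

/* Scan [base, base+size) in reads of at most chunk bytes. With overlap set,
 * each read starts needle_len-1 bytes before the end of the previous one so a
 * match straddling two reads is still found. Returns the absolute address of
 * the first match, or 0. */
uintptr_t scan_chunked(uintptr_t base, size_t size, size_t chunk,
                       const uint8_t *needle, size_t needle_len, int overlap)
{
    uint8_t buf[CHUNK_MAX];
    if (chunk == 0 || chunk > CHUNK_MAX || needle_len == 0 || needle_len > chunk)
        return 0;
    uintptr_t addr = base, end = base + size;
    while (addr < end) {
        size_t want = (size_t)(end - addr) < chunk ? (size_t)(end - addr) : chunk;
        size_t got = read_fake_memory(addr, buf, want);
        if (got == 0)
            break;
        size_t off = bmh_find(buf, got, needle, needle_len);
        if (off != NOT_FOUND)
            return addr + off;           /* buffer offset -> absolute address */
        if (addr + got >= end || got < needle_len)
            break;
        addr += overlap ? got - (needle_len - 1) : got;
    }
    return 0;
}

/* Runs the scan over the constructed image; overlap=0 reproduces the
 * boundary-straddling miss. */
uintptr_t find_pattern_in_fake_process(int overlap)
{
    build_fake_process();
    return scan_chunked(FAKE_BASE, FAKE_SIZE, 1024, PATTERN, sizeof PATTERN, overlap);
}

int main(void)
{
    printf("with overlap:    0x%08lx\n", (unsigned long)find_pattern_in_fake_process(1));
    printf("without overlap: 0x%08lx\n", (unsigned long)find_pattern_in_fake_process(0));
    return 0;
}
```

The offset returned by the search is relative to the buffer, so the absolute address is the address the read started at plus that offset; that is the only place where the two address spaces meet, and it is where the overlap has to be accounted for, since the next read no longer starts where the previous one ended.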

atom0s

> hi again
>
> thanks for your reply
>
> I mean this one:
> http://forum.tuts4you.com/index.php?showtopic=16209&view=findpost&p=81103
>
> thanks.

That specific example was requested to read inside of sections in a process. Instead, I suggest you look at the example above it which allows you to define the start address and size to scan at:

http://forum.tuts4you.com/index.php?showtopic=16209&st=0&p=81018entry81018

david_2000

> > hi again
> >
> > thanks for your reply
> >
> > I mean this one:
> > http://forum.tuts4you.com/index.php?showtopic=16209&view=findpost&p=81103
> >
> > thanks.
>
> That specific example was requested to read inside of sections in a process. Instead, I suggest you look at the example above it which allows you to define the start address and size to scan at:
>
> http://forum.tuts4you.com/index.php?showtopic=16209&st=0&p=81018entry81018

thank you very much.

I'll check it out.

beBoss™

Mirror of the Delphi source, please :(

Departure

BeBoss, while the source is a nice example of how to search bytes, there is a faster example written by Ghandi of ARTeam. His search class is very quick, and by memory mapping the executable it's even faster...

http://www.accessroot.com/arteam/forums/index.php?showtopic=9904

beBoss™

Departure, thank you!!!

skdpeka

Hey atom0s,

I am using your C code and I wonder if there is a chance to search for instructions that contain a null byte,

e.g.

c7 81 fc 00 00 00 00 00 00 00 - mov [ecx+fc],0

because when I'm doing it like this:

_ScanForBytes( "example.exe", "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00\xC7\x81\xD8\x00\x00\x00\x00\x00\x00\x00\xC7\x81\x38\x01\x00\x00\x00\x00\x00\x00");

at the found address the bytes don't match my search pattern:

681A8FC8 - c7 81 fc 02 00 00 ff ff ff 7f - mov [ecx+000002fc],7fffffff
681A8FD2 - c7 81 44 03 00 00 00 00 00 00 - mov [ecx+00000344],00000000

I think the null bytes are causing this and I don't know how to solve this problem.

Hope there is a way :)

skdpeka

Sorry for the double post; there was an error page and I thought the reply wasn't sent :(

chickenbutt

I think pretty much anything this would be fun to use on has a protection that has it hooked. Most from ring0. It's fun to use on flash and JVM.


atom0s

> Hey atom0s,
>
> I am using your C code and I wonder if there is a chance to search for instructions that contain a null byte,
>
> e.g.
>
> c7 81 fc 00 00 00 00 00 00 00 - mov [ecx+fc],0
>
> because when I'm doing it like this:
>
> _ScanForBytes( "example.exe", "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00\xC7\x81\xD8\x00\x00\x00\x00\x00\x00\x00\xC7\x81\x38\x01\x00\x00\x00\x00\x00\x00");
>
> at the found address the bytes don't match my search pattern:
>
> 681A8FC8 - c7 81 fc 02 00 00 ff ff ff 7f - mov [ecx+000002fc],7fffffff
> 681A8FD2 - c7 81 44 03 00 00 00 00 00 00 - mov [ecx+00000344],00000000
>
> I think the null bytes are causing this and I don't know how to solve this problem.
>
> Hope there is a way :)

You are better off using a different method that uses patterns as well. This method is used inside an injected DLL, but you can alter it to do the same thing with dumped memory too from an external process. I can't write up any examples at the moment since I'm a bit busy, sorry.

#include <windows.h>

/**
 * MaskCheck / FindPattern
 *
 * Credits:
 * dom1n1k, Patrick, GameDeception
 */
BOOL MaskCheck( const unsigned char* lpData, const unsigned char* lpMask, const char* szMask )
{
    // Walk the mask: 'x' means the byte at this position must match, '?' is a wildcard.
    // The mask string carries the pattern length, so NUL bytes in the pattern are fine.
    for( ; *szMask; ++szMask, ++lpData, ++lpMask )
        if( *szMask == 'x' && *lpData != *lpMask )
            return FALSE;
    return (*szMask) == '\0';
}

unsigned long FindPattern( unsigned long ulStartAddr, unsigned long ulLength, unsigned char* szPattern, char* szMask )
{
    // Test the mask at every byte offset of the region; return the first address that matches
    for( unsigned long i = 0; i < ulLength; i++ )
    {
        if( MaskCheck( (unsigned char*)( ulStartAddr + i ), szPattern, szMask ) )
            return (unsigned long)( ulStartAddr + i );
    }
    return 0;
}

To use it, you can do:

unsigned long ulAddress = FindPattern( 0x00400000, 10, (unsigned char*)"\xc7\x81\xfc\x00\x00\x00\x00\x00\x00\x00", "xxxxxxxxxx" );

Each x in the last bit is one byte. You can use ? for wildcards for a single byte if you need to. So:

\xc7 = x

This is one byte in the pattern. If you want c7 to be able to be anything when you scan you can change it to:

unsigned long ulAddress = FindPattern( 0x00400000, 10, (unsigned char*)"\xc7\x81\xfc\x00\x00\x00\x00\x00\x00\x00", "?xxxxxxxxx" );
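As an added example that is not atom0s's code, the following reproduces the null-byte problem from the quoted post and shows the masked alternative in a form that runs offline. `find_as_cstring` is what any scanner that takes the pattern as a C string effectively does: strlen() stops at the first NUL, so only the leading bytes are ever compared, which is why the quoted scan matched `c7 81 fc 02 ...`. `find_masked` takes its length from the mask, as the FindPattern above does, but also bounds-checks so it never reads past the end of the buffer (the loop above tests `i < ulLength`, yet MaskCheck then compares up to the full pattern length beyond that point). `parse_signature` converts an IDA-style text signature ("C7 81 FC ?? 00") into the pattern and mask pair. The sample buffer, the function names and the signature strings are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define NOT_FOUND ((size_t)-1)

/* Parse an IDA-style signature such as "C7 81 FC ?? 00 00 ?? ?? ?? ??" into
 * the byte pattern and the 'x'/'?' mask that FindPattern-style routines take.
 * max_len bounds both output buffers (the mask gets a NUL terminator).
 * Returns the pattern length, or 0 on a malformed signature. */
size_t parse_signature(const char *sig, uint8_t *pattern, char *mask, size_t max_len)
{
    size_t n = 0;
    while (*sig) {
        while (*sig == ' ')
            sig++;
        if (!*sig)
            break;
        if (n + 1 >= max_len)
            return 0;
        if (sig[0] == '?') {                      /* "?" or "??" = wildcard byte */
            pattern[n] = 0;
            mask[n] = '?';
            sig += (sig[1] == '?') ? 2 : 1;
        } else if (isxdigit((unsigned char)sig[0]) && isxdigit((unsigned char)sig[1])) {
            char hex[3] = { sig[0], sig[1], '\0' };
            pattern[n] = (uint8_t)strtoul(hex, NULL, 16);
            mask[n] = 'x';
            sig += 2;
        } else {
            return 0;                              /* not a hex pair or wildcard */
        }
        if (*sig && *sig != ' ')
            return 0;                              /* tokens must be space-separated */
        n++;
    }
    mask[n] = '\0';
    return n;
}

/* Masked search with bounds checking. The pattern length comes from the mask,
 * which never contains a NUL, so NUL bytes inside the pattern are compared
 * like any other value and the scan never reads past buf + buf_len. */
size_t find_masked(const uint8_t *buf, size_t buf_len, const uint8_t *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || plen > buf_len)
        return NOT_FOUND;
    for (size_t i = 0; i + plen <= buf_len; i++) {
        size_t j = 0;
        while (j < plen && (mask[j] == '?' || buf[i + j] == pattern[j]))
            j++;
        if (j == plen)
            return i;
    }
    return NOT_FOUND;
}

/* What happens when a scanner takes the pattern as a C string: strlen() stops
 * at the first NUL, so only the bytes before it are ever compared. */
size_t find_as_cstring(const uint8_t *buf, size_t buf_len, const char *pattern)
{
    size_t plen = strlen(pattern);
    if (plen == 0 || plen > buf_len)
        return NOT_FOUND;
    for (size_t i = 0; i + plen <= buf_len; i++)
        if (memcmp(buf + i, pattern, plen) == 0)
            return i;
    return NOT_FOUND;
}

/* Constructed sample buffer modelled on the two instructions quoted in the thread. */
static const uint8_t sample[] = {
    0x90, 0x90,
    0xC7, 0x81, 0xFC, 0x02, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x7F,  /* offset 2:  mov [ecx+2fc],7fffffff */
    0x90, 0x90, 0x90,
    0xC7, 0x81, 0xFC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  /* offset 15: mov [ecx+fc],0 */
    0x90,
};

/* The C-string scan: strlen() sees a 3-byte pattern and matches the wrong instruction. */
size_t demo_cstring(void)
{
    return find_as_cstring(sample, sizeof sample, "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00");
}

/* The masked scan driven by a text signature; NOT_FOUND for a malformed signature. */
size_t demo_masked(const char *sig)
{
    uint8_t pattern[32];
    char mask[32];
    if (parse_signature(sig, pattern, mask, sizeof mask) == 0)
        return NOT_FOUND;
    return find_masked(sample, sizeof sample, pattern, mask);
}

int main(void)
{
    printf("C-string scan:             %zu\n", demo_cstring());
    printf("masked, exact:             %zu\n", demo_masked("C7 81 FC 00 00 00 00 00 00 00"));
    printf("masked, wildcard operands: %zu\n", demo_masked("C7 81 FC ?? ?? 00 ?? ?? ?? ??"));
    return 0;
}
```

The mask is what carries the length, which is why a pattern with embedded NULs can be passed as a string literal to the masked routine but never to anything that calls strlen() on it; keeping the signature in text form also makes the wildcard positions reviewable, which matters when the same pattern is later reused as a detection signature.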
