Jump to content
Tuts 4 You

How To Search Bytes In Process ?


Matrix

Recommended Posts

If anyone is interested, I coded a c program "BMSEARCH" Which utilizes

the Boyer-Moore type search string algorithm which is extremely fast.

In it are functions to read forwards / backwards for a string, also using

wildcards (slows down the search a bit).

You can get it on the Arteam releases page over at www.accessroot.com.

The program is designed to read from a running process by using ReadProcessMemory to

load a buffer, then you search the buffer for the string. By knowing the size of the

buffer, you can determine the offset of the search string found in order to use

WriteProcessMemory to patch /replace.

peace

Link to comment

hi again

thanks for your replay

i mean this one:
/>http://forum.tuts4you.com/index.php?showtopic=16209&view=findpost&p=81103

thanks.

That specific example was requested to read inside of sections in a process. Instead, I suggest you look at the example above it which allows you to define the start address and size to scan at:


/>http://forum.tuts4you.com/index.php?showtopic=16209&st=0&p=81018entry81018

Link to comment

hi again

thanks for your replay

i mean this one:
/>http://forum.tuts4you.com/index.php?showtopic=16209&view=findpost&p=81103

thanks.

That specific example was requested to read inside of sections in a process. Instead, I suggest you look at the example above it which allows you to define the start address and size to scan at:


/>http://forum.tuts4you.com/index.php?showtopic=16209&st=0&p=81018entry81018

thank you very much.

i'll check it out.

Link to comment
  • 1 year later...

BeBoss, While the source is a nice example of how to search bytes, there is a faster example written by Ghandi of ARTeam, his search class is very quick and by memory mapping the executable its even faster...


/>http://www.accessroot.com/arteam/forums/index.php?showtopic=9904

Link to comment
  • 4 weeks later...

Hey atmom0s,

i am using your C code and i wonder if there is a chance to search for instructions that contain a nullbyte

eg.

c7 81 fc 00 00 00 00 00 00 00 - mov [ecx+fc],0

because when im doing it like this:

_ScanForBytes( "example.exe", "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00\xC7\x81\xD8\x00\x00\x00\x00\x00\x00\x00\xC7\x81\x38\x01\x00\x00\x00\x00\x00\x00");

at the found adress the bytes dont match my searchpattern:

681A8FC8 - c7 81 fc 02 00 00 ff ff ff 7f - mov [ecx+000002fc],7fffffff
681A8FD2 - c7 81 44 03 00 00 00 00 00 00 - mov [ecx+00000344],00000000

i think the nullbytes are causing this and i dont know how to solve this problem.

Hope there is a way :)

Link to comment

I think pretty much anything this would be fun to use on has a protection that has it hooked. Most from ring0. It's fun to use on flash and JVM.

Edited by chickenbutt
Link to comment

Hey atmom0s,

i am using your C code and i wonder if there is a chance to search for instructions that contain a nullbyte

eg.

c7 81 fc 00 00 00 00 00 00 00 - mov [ecx+fc],0

because when im doing it like this:

_ScanForBytes( "example.exe", "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00\xC7\x81\xD8\x00\x00\x00\x00\x00\x00\x00\xC7\x81\x38\x01\x00\x00\x00\x00\x00\x00");

at the found adress the bytes dont match my searchpattern:

681A8FC8 - c7 81 fc 02 00 00 ff ff ff 7f - mov [ecx+000002fc],7fffffff
681A8FD2 - c7 81 44 03 00 00 00 00 00 00 - mov [ecx+00000344],00000000

i think the nullbytes are causing this and i dont know how to solve this problem.

Hope there is a way :)

You are better off using a different method that uses patterns as well. This method is used inside an injected DLL, but you can alter it to do the same thing with dumped memory too from an external process. I can't write up any examples at the moment since I'm a bit busy, sorry.

/**
* MaskCheck / FindPattern
*
* Credits:
* dom1n1k, Patrick, GameDeception
*/
BOOL MaskCheck( const unsigned char* lpData, const unsigned char* lpMask, const char* szMask )
{
for( ; *tszMask; ++tszMask, ++lpData, ++lpMask )
if( *tszMask == 'x' && *lpData != *lpMask )
return FALSE;
return (*tszMask) == NULL;
}unsigned long FindPattern( unsigned long ulStartAddr, unsigned long ulLength, unsigned char* szPattern, char* szMask )
{
for( unsigned long i = 0; i < ulLength; i++ )
{
if( MaskCheck( (unsigned char*)( ulStartAddr + i ), szPattern, szMask ) )
return (unsigned long)( ulStartAddr + i );
}
return 0;
}

To use it, you can do:

unsigned long ulAddress = FindPattern( 0x00400000, 10, "\xc7\x81\xfc\x00\x00\x00\x00\x00\x00\x00", "xxxxxxxxxx" );

Each x in the last bit is one byte. You can use ? for wildcards for a single byte if you need to. So:

\xc7 = x

This is one byte in the pattern. If you want c7 to be able to be anything when you scan you can change it to:

unsigned long ulAddress = FindPattern( 0x00400000, 10, "\xc7\x81\xfc\x00\x00\x00\x00\x00\x00\x00", "?xxxxxxxxx" );
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...