How To Search Bytes In Process ?


hi again

thanks for your reply

i mean this one:
http://forum.tuts4you.com/index.php?showtopic=16209&view=findpost&p=81103

thanks.

If anyone is interested, I coded a C program "BMSEARCH" which utilizes the Boyer-Moore type search string algorithm which is extremely fast. In it are functions to read forwards / backwards for a string, also using wildcards (slows down the search a bit).

You can get it on the Arteam releases page over at www.accessroot.com.

The program is designed to read from a running process by using ReadProcessMemory to load a buffer, then you search the buffer for the string. By knowing the size of the buffer, you can determine the offset of the search string found in order to use WriteProcessMemory to patch / replace.

peace

That specific example was requested to read inside of sections in a process. Instead, I suggest you look at the example above it which allows you to define the start address and size to scan at:


http://forum.tuts4you.com/index.php?showtopic=16209&st=0&p=81018entry81018

thank you very much.

i'll check it out.

  • 1 year later...

Mirror of Delphi source, please :(

BeBoss, while the source is a nice example of how to search bytes, there is a faster example written by Ghandi of ARTeam, his search class is very quick and by memory mapping the executable it's even faster...

http://www.accessroot.com/arteam/forums/index.php?showtopic=9904

Departure, Thank you !!!

  • 4 weeks later...

Hey atmom0s,

I am using your C code and I wonder if there is a chance to search for instructions that contain a null byte

eg.

c7 81 fc 00 00 00 00 00 00 00 - mov [ecx+fc],0

because when I'm doing it like this:

    _ScanForBytes( "example.exe", "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00\xC7\x81\xD8\x00\x00\x00\x00\x00\x00\x00\xC7\x81\x38\x01\x00\x00\x00\x00\x00\x00");

at the found address the bytes don't match my search pattern:

681A8FC8 - c7 81 fc 02 00 00 ff ff ff 7f - mov [ecx+000002fc],7fffffff
681A8FD2 - c7 81 44 03 00 00 00 00 00 00 - mov [ecx+00000344],00000000

I think the null bytes are causing this and I don't know how to solve this problem.

Hope there is a way :)

Sorry for the double post, there was an error page and I thought the reply wasn't sent :(

Edited by skdpeka

I think pretty much anything this would be fun to use on has a protection that has it hooked. Most from ring0. It's fun to use on flash and JVM.

Edited by chickenbutt

You are better off using a different method that uses patterns as well. This method is used inside an injected DLL, but you can alter it to do the same thing with dumped memory too from an external process. I can't write up any examples at the moment since I'm a bit busy, sorry.

    #include <windows.h>   // BOOL, TRUE, FALSE

    /**
     * MaskCheck / FindPattern
     *
     * Credits:
     * dom1n1k, Patrick, GameDeception
     */
    // Returns TRUE when every byte marked 'x' in szMask equals the pattern byte.
    BOOL MaskCheck( const unsigned char* lpData, const unsigned char* lpMask, const char* szMask )
    {
        for( ; *szMask; ++szMask, ++lpData, ++lpMask )
            if( *szMask == 'x' && *lpData != *lpMask )
                return FALSE;
        return (*szMask) == '\0';
    }

    // Tries ulLength start offsets from ulStartAddr. The memory must be readable
    // for strlen(szMask) - 1 bytes past the last offset. Returns 0 if not found.
    unsigned long FindPattern( unsigned long ulStartAddr, unsigned long ulLength, const unsigned char* szPattern, const char* szMask )
    {
        for( unsigned long i = 0; i < ulLength; i++ )
        {
            if( MaskCheck( (const unsigned char*)( ulStartAddr + i ), szPattern, szMask ) )
                return (unsigned long)( ulStartAddr + i );
        }
        return 0;
    }

To use it, you can do:

    unsigned long ulAddress = FindPattern( 0x00400000, 10, (unsigned char*)"\xc7\x81\xfc\x00\x00\x00\x00\x00\x00\x00", "xxxxxxxxxx" );

Each x in the last bit is one byte. You can use ? for wildcards for a single byte if you need to. So:

\xc7 = x

This is one byte in the pattern. If you want c7 to be able to be anything when you scan you can change it to:

    unsigned long ulAddress = FindPattern( 0x00400000, 10, (unsigned char*)"\xc7\x81\xfc\x00\x00\x00\x00\x00\x00\x00", "?xxxxxxxxx" );
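Added example, not part of the original posts and not code from any of the posters: a bounds-checked masked search run over a constructed buffer that holds the two instructions from the dump above followed by the instruction that was wanted. It assumes the earlier scanner sized its pattern with strlen(), which the thread does not show; `find_masked`, `find_cstring` and `SAMPLE` are illustrative names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the two instructions from the post's dump, then the
   instruction the poster was looking for (mov [ecx+fc],0). */
static const unsigned char SAMPLE[] = {
    0xC7,0x81,0xFC,0x02,0x00,0x00,0xFF,0xFF,0xFF,0x7F,
    0xC7,0x81,0x44,0x03,0x00,0x00,0x00,0x00,0x00,0x00,
    0xC7,0x81,0xFC,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };

/* Masked search: 'x' = byte must match, anything else = wildcard. The length
   comes from the mask, so 0x00 in the pattern is ordinary data, and the loop
   bound keeps every read inside buf. Returns the offset, or -1. */
long find_masked(const unsigned char *buf, size_t len,
                 const unsigned char *pat, const char *mask)
{
    size_t n = strlen(mask);
    if (n == 0 || n > len) return -1;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (mask[j] != 'x' || buf[i + j] == pat[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Assumed failure mode: a scanner that sizes the pattern with strlen() only
   compares the bytes before the first 0x00. */
long find_cstring(const unsigned char *buf, size_t len, const char *pat)
{
    size_t n = strlen(pat);
    if (n == 0 || n > len) return -1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, pat, n) == 0) return (long)i;
    return -1;
}

int main(void)
{
    const char *pat = "\xC7\x81\xFC\x00\x00\x00\x00\x00\x00\x00";
    printf("strlen-sized pattern: %zu bytes, hit at %ld\n",
           strlen(pat), find_cstring(SAMPLE, sizeof SAMPLE, pat));
    printf("masked, exact:        hit at %ld\n", find_masked(SAMPLE,
           sizeof SAMPLE, (const unsigned char *)pat, "xxxxxxxxxx"));
    printf("masked, wildcards:    hit at %ld\n", find_masked(SAMPLE,
           sizeof SAMPLE, (const unsigned char *)pat, "xx????xxxx"));
    return 0;
}
```

The strlen-sized search stops after `c7 81 fc` and reports the first instruction of the dump, the same kind of mismatch described in the question, while the masked search compares all ten bytes.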
