arxlex Posted May 25, 2014 Share Posted May 25, 2014 Signature scanner written by ArxLex specifically for site members Cheaton.ru. Material purely for informational purposes. As a basis and work were taken functions from C++. Example is written for beginners and amateurs of WINAPI as a console application, for more comfort and understand the code. Enjoy! program signaturescanner; {$APPTYPE CONSOLE} uses Windows, SysUtils, TlHelp32; var m_pID: integer; m_hProc: THandle; module: TModuleEntry32; m_Sign: integer; const procName = 'D3D9Test.exe'; procedure GetPID; var snapshot: THandle; pInfo: PROCESSENTRY32; begin snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pInfo.dwSize := sizeof(PROCESSENTRY32); if (Process32First(snapshot, pInfo)) then begin while (Process32Next(snapshot, pInfo)) do begin if pInfo.szExeFile = procName then begin m_pID := pInfo.th32ProcessID; CloseHandle(snapshot); exit; end; end; end; m_pID := 0; CloseHandle(snapshot); exit; end; function GetModuleInfo(const module_name: PChar; main_process: boolean): TModuleEntry32; var snapshot: THandle; module: TModuleEntry32; begin snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, m_pID); module.dwSize := sizeof(TModuleEntry32); if (Module32First(snapshot, module)) then begin if (main_process) then begin CloseHandle(snapshot); result := module; end; while (Module32Next(snapshot, module)) do begin if (StrIComp(PChar(ExtractFileName(module.szModule)), PChar(module_name)) = 0) then begin CloseHandle(snapshot); result := module; end; end; end; result := module; end; function DataCompare(data: PByte; sign: PByte; mask: PAnsiChar): boolean; begin while mask^ <> #0 do begin if ((mask^ = 'x') and (data^ <> sign^)) then begin result := false; exit; end; inc(mask); inc(data); inc(sign); end; result := true; end; function ScanSignature(base: Dword; size: Dword; sign: PByte; mask: PAnsiChar): integer; var mbi: MEMORY_BASIC_INFORMATION; offset: integer; buffer: PByte; BytesRead: Dword; i: integer; begin offset := 0; while (offset < size) do begin VirtualQueryEx(m_hProc, Pointer(base + offset), &mbi, sizeof(MEMORY_BASIC_INFORMATION)); if (mbi.State <> MEM_FREE) then begin GetMem(buffer, mbi.RegionSize); ReadProcessMemory(m_hProc, mbi.BaseAddress, buffer, mbi.RegionSize, BytesRead); for i := 0 to mbi.RegionSize do begin if (DataCompare(buffer + i, sign, mask)) then begin FreeMem(buffer); result := integer(mbi.BaseAddress) + i; exit; end; end; FreeMem(buffer); end; offset := offset + mbi.RegionSize; end; result := 0; end; const Sign: array [0 .. 22] of byte = ($68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $FF, $15, $00, $00, $00, $00, $6A, $20); Mask = 'x????x????x????xx????xx'; begin GetPID(); if (m_pID <> 0) then begin module := GetModuleInfo(nil, true); m_hProc := OpenProcess(PROCESS_ALL_ACCESS, false, m_pID); m_Sign := ScanSignature(integer(module.modBaseAddr), module.modBaseSize, @Sign, Mask); writeln(' *************************************************************'); writeln(' * Signature Scanner for Delphi *'); writeln(' * Special for Cheat[ON].ru by ArxLex *'); writeln(' *************************************************************'+#10#13#10#13); writeln(' Handle Process: $', inttohex(m_hProc, sizeof(m_hProc))); writeln(' Pid: $', inttohex(m_pID, sizeof(m_pID))); writeln(' Process Base Address: $', inttohex(integer(module.modBaseAddr), sizeof(module.modBaseAddr))); writeln(' Process Base Size: $', inttohex(module.modBaseSize, sizeof(module.modBaseSize))); writeln(' Signature Address: $', inttohex(m_Sign, sizeof(m_Sign))); readln; CloseHandle(m_hProc); end; end.Source site: cheaton.ru 1 Link to comment
xSRTsect Posted May 29, 2014 Share Posted May 29, 2014 Save us some time , can you give a brief explanation of what this is supposed to do? thanks. Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now