实现对目标进程内存的特征码扫描。特征码以空格分隔的两位十六进制字节书写(如 "FF 3F FF ?? FF F2"),支持模糊匹配:用 ?? 代替某一字节即可作为通配符,匹配该位置上的任意值。
// Header names restored: the page's extraction stripped the <...> targets.
// windows.h supplies BYTE/WORD/HANDLE/VirtualQueryEx/OpenProcess, iostream
// cout/cin, vector the result container, ctime clock().
#include <windows.h>
#include <ctime>
#include <iostream>
#include <vector>
using namespace std;
#define BLOCKMAXSIZE 409600//Upper bound, in bytes, on one chunk handed to SearchMemoryBlock; SearchMemory splits larger regions into pieces of this size
BYTE* MemoryData;//Scratch buffer that each chunk of target-process memory is read into; main allocates it with BLOCKMAXSIZE bytes
short Next[260];//Shift table for the block search, filled via GetNext(); indexed by byte value, with slot 256 used for the "??" wildcard (see SearchMemoryBlock). Only 257 of the 260 slots appear to be used.
//特征码转字节集
WORD GetTzmArray(char* Tzm, WORD* TzmArray)
{
int len = 0;
WORD TzmLength = strlen(Tzm) / 3 + 1;
for (int i = 0; i < strlen(Tzm); )//将十六进制特征码转为十进制
{
char num[2];
num[0] = Tzm[i++];
num[1] = Tzm[i++];
i++;
if (num[0] != '?' && num[1] != '?')
{
int sum = 0;
WORD a[2];
for (int i = 0; i < 2; i++)
{
if (num[i] >= '0' && num[i] = 'a' && num[i] = 'A' && num[i] = size)
{
return;
}
int num = Next[MemoryData[i + TzmLength]];
if (num == -1)
i += (TzmLength - Next[256]);//如果特征码有问号,就从问号处开始匹配,如果没有就i+=-1
else
i += (TzmLength - num);
}
}
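// Search the whole address space of a process for a byte signature.
//
// Tzm is the signature as a space-separated string of two-digit hex bytes,
// e.g. "FF 3F FF ?? FF F2"; each "??" matches any one byte (see GetTzmArray).
// The "XX XX XX" token layout is assumed: the signature length is derived as
// strlen(Tzm) / 3 + 1, so tokens must be exactly two characters separated by
// a single space.
//
// Regions are enumerated with VirtualQueryEx from StartAddress upward. Only
// committed regions whose protection is exactly PAGE_READWRITE or
// PAGE_EXECUTE_READWRITE are scanned; read-only and execute-only mappings
// (typically image code sections) and pages carrying PAGE_GUARD/PAGE_NOCACHE
// modifiers are skipped. Enumeration stops once the address just past the
// last scanned region exceeds EndAddress (EndAddress == 0 means no upper
// bound); the region containing EndAddress is still scanned to its end, as
// in the original. Each region is handed to SearchMemoryBlock in chunks of at
// most BLOCKMAXSIZE bytes (the size of the shared MemoryData buffer); a
// signature that straddles a chunk boundary is not found - a pre-existing
// limitation that is left unchanged here.
//
// ResultArray is cleared, reserved for InitSize entries (when positive) and
// filled by SearchMemoryBlock. Returns the number of entries in ResultArray.
//
// hProcess needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ; nothing in this
// routine requires more (main opens the process with PROCESS_ALL_ACCESS,
// which is broader than necessary).
//
// Changes from the original: the signature array is owned by a std::vector
// (the original released a new[] buffer with free(), which is undefined
// behaviour, and leaked it on the EndAddress early return); the first region
// is scanned only from StartAddress to its true end and the next query uses
// mbi.BaseAddress + mbi.RegionSize (the original added RegionSize to an
// unaligned StartAddress, over-reading past the region and then skipping the
// start of the following one); a null or empty signature returns 0 instead of
// searching for an uninitialised byte; no zero-length trailing chunk is issued.
int SearchMemory(HANDLE hProcess, char* Tzm, unsigned __int64 StartAddress, unsigned __int64 EndAddress, int InitSize, vector<unsigned __int64>& ResultArray)
{
    ResultArray.clear();
    if (InitSize > 0)
        ResultArray.reserve(static_cast<size_t>(InitSize));
    if (!Tzm || !*Tzm)
        return 0;

    // Signature -> byte array (wildcards encoded by GetTzmArray) and the
    // global shift table consulted by SearchMemoryBlock.
    const WORD TzmLength = static_cast<WORD>(strlen(Tzm) / 3 + 1);
    vector<WORD> TzmArray(TzmLength);
    GetTzmArray(Tzm, TzmArray.data());
    GetNext(Next, TzmArray.data(), TzmLength);

    MEMORY_BASIC_INFORMATION mbi;
    while (VirtualQueryEx(hProcess, reinterpret_cast<LPCVOID>(StartAddress), &mbi, sizeof(mbi)) != 0)
    {
        // The region starts at mbi.BaseAddress, which may lie below StartAddress
        // on the first query; [StartAddress, RegionEnd) is the part left to scan.
        const unsigned __int64 RegionEnd =
            reinterpret_cast<unsigned __int64>(mbi.BaseAddress) + mbi.RegionSize;
        if (RegionEnd <= StartAddress)
            break; // defensive: no forward progress possible (wrap-around or bogus query)

        if (mbi.State == MEM_COMMIT &&
            (mbi.Protect == PAGE_READWRITE || mbi.Protect == PAGE_EXECUTE_READWRITE))
        {
            unsigned __int64 ChunkStart = StartAddress;
            while (ChunkStart < RegionEnd)
            {
                const unsigned __int64 Remaining = RegionEnd - ChunkStart;
                const unsigned long ChunkSize = Remaining > BLOCKMAXSIZE
                    ? static_cast<unsigned long>(BLOCKMAXSIZE)
                    : static_cast<unsigned long>(Remaining);
                SearchMemoryBlock(hProcess, TzmArray.data(), TzmLength, ChunkStart, ChunkSize, ResultArray);
                ChunkStart += ChunkSize;
            }
        }

        StartAddress = RegionEnd;
        if (EndAddress != 0 && StartAddress > EndAddress)
            break;
    }
    return static_cast<int>(ResultArray.size());
}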
int main()
{
//初始化MemoryData大小
MemoryData = new BYTE[BLOCKMAXSIZE];
DWORD pid=0;
vector ResultArray;
cout pid;
//通过进程ID获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
int start = clock();
SearchMemory(hProcess, (char*)"FF 3F FF ?? FF F2", 0x410000, 0xFFFFFFFF, 30, ResultArray);
int end = clock();
cout |