学逆向论坛

找回密码
立即注册

只需一步,快速开始

发新帖

2万

积分

41

好友

1171

主题
发表于 2020-6-15 20:55:16 | 查看: 5366| 回复: 1
  内存遍历,枚举数据,实现特征码扫描。
  内存遍历: 每次读入4096字节,然后每16个字符换一次行,遍历内存 0x00401000 - 0x7FFFFFFF。
#include <stdio.h>  
#include <stdlib.h>  
#include <windows.h>  

VOID ScanAddress(HANDLE process)
{
const DWORD beginAddr = 0x00401000;
const DWORD endAddr = 0x7FFFFFFF;
const DWORD pageSize = 4096;

BOOL _break = FALSE;
BYTE page[pageSize];
DWORD tmpAddr = beginAddr;
while (tmpAddr <= endAddr)
{
::ReadProcessMemory(process, (LPCVOID)tmpAddr, &page, pageSize, 0);

for (int x = 0; x < 4096; x++)
{

if (x % 16 != 0)
{
DWORD ch = page[x];

if (ch >= 0 && ch <= 15)
{
printf("0%x ", ch);
}
else
{
printf("%x ", ch);
}
}
else
printf(" | %x \n", tmpAddr);
}
tmpAddr += pageSize;
}
}

int main(int argc, char* argv[])
{
HANDLE process = ::OpenProcess(PROCESS_ALL_ACCESS, false, 4748);
ScanAddress(process);
::CloseHandle(process);

system("pause");
return 0;
}

C/C++ 内存遍历与KMP特征搜索

C/C++ 内存遍历与KMP特征搜索
  过程:
#include <stdio.h>  
#include <stdlib.h>  
#include <windows.h>  

VOID ScanAddress(HANDLE Process)
{
const DWORD beginAddr = 0x00401000;
const DWORD endAddr = 0x7FFFFFFF;

unsigned char shell[5] = {0x55,0x8b,0xec,0x6a,0xff};
unsigned char *read = new unsigned char[5];


for (int x = 0; x < beginAddr; x++)
{
DWORD addr = beginAddr + x;
ReadProcessMemory(Process, (LPVOID)addr, read, 5, 0);
printf("%x :", addr);
for (int y = 0; y < 5; y++)
printf("%02x ",read[y]);
printf("\n");
}
}

int main(int argc, char* argv[])
{
HANDLE process = ::OpenProcess(PROCESS_ALL_ACCESS, false, 1772);
ScanAddress(process);
/*
unsigned char set[] = { 4,41,55 };
unsigned char aa[] = { 4, 41, 55 };
int ret = memcmp(set, aa, 3);
printf("%d \n", ret);
*/
//ScanAddress(process);
//::CloseHandle(process);
system("pause");
return 0;
}

C/C++ 内存遍历与KMP特征搜索

C/C++ 内存遍历与KMP特征搜索
  寻找开始
#include <stdio.h>  
#include <stdlib.h>  
#include <windows.h>  

VOID ScanAddress(HANDLE Process)
{
const DWORD beginAddr = 0x00401000;
const DWORD endAddr = 0x7FFFFFFF;

unsigned char shell[6] = {0xff,0x75,0x10,0xff,0x75,0x0c};

unsigned char *read = new unsigned char[6];

for (int x = 0; x < 684032; x++)
{
DWORD addr = beginAddr + x;
ReadProcessMemory(Process, (LPVOID)addr, read, 6, 0);
int a = memcmp(read, shell, 6);

if (a == 0)
{
printf("%x :", addr);

for (int y = 0; y < 6; y++)
{
printf("%02x ", read[y]);
}

printf(" \n");
}
}
}
int main(int argc, char* argv[])
{
HANDLE process = ::OpenProcess(PROCESS_ALL_ACCESS, false, 1772);
ScanAddress(process);
system("pause");
return 0;
}

C/C++ 内存遍历与KMP特征搜索

C/C++ 内存遍历与KMP特征搜索
  KMP算法搜索特征码: KMP算法每次在4096字节中寻找特征,成功返回位置,失败返回-1
#include <iostream>
#include <string>

using namespace std;

/* P 为模式串,下标从 0 开始 */
void GetNextval(string SubString, int nextval[])
{
int SubStringLen = SubString.size();
int i = 0;
int j = -1;
nextval[0] = -1;

while (i < SubStringLen)
{
if (j == -1 || SubString[i] == SubString[j])
{
i++; j++;
if (SubString[i] != SubString[j])
nextval[i] = j;
else
nextval[i] = nextval[j];
}
else
{
j = nextval[j];
}
}
}

/* 在 MainString 中找到 SubString 第一次出现的位置 下标从0开始*/
int KMPSearchString(string MainString, string SubString, int next[])
{
GetNextval(SubString, next);

int MainStringIndex = 0;                 // 存储主字符串下标
int SubStringIndex = 0;                  // 存储子字符串下标
int MainStringLen = MainString.size();   // 主字符串大小
int SubStringLen = SubString.size();     // 子字符串大小

// 循环遍历字符串,因为末尾 '\0' 的存在,所以不会越界
while (MainStringIndex < MainStringLen && SubStringIndex < SubStringLen)
{
// MainString 的第一个字符不匹配或 MainString[] == SubString[]
if (SubStringIndex == -1 || MainString[MainStringIndex] == SubString[SubStringIndex])
{
MainStringIndex++; SubStringIndex++;
}
else   // 当字符串匹配失败则跳转
{
SubStringIndex = next[SubStringIndex];
}
}
// 最后匹配成功直接返回位置
if (SubStringIndex == SubStringLen)
return MainStringIndex - SubStringIndex;
return -1;
}

int main(int argc, char *argv[])
{
int next[100] = { 0 };

char *Str = "e5 8d 64 24 fc ba ff ff ff ff 92 f0 0f c1";
char *Search = "ba ff ff ff ff 92 f0";

// 在Str字符串中找Search子串,找到后返回位置
int ret = KMPSearchString(Str, Search,next);

printf("%d \n", ret);


system("pause");
return 0;
}

C/C++ 内存遍历与KMP特征搜索

C/C++ 内存遍历与KMP特征搜索
  将上方代码整合,可实现根据特征码动态打补丁:
int main(int argc, char* argv[])
{
HANDLE Process = OpenProcess(PROCESS_ALL_ACCESS, false, 2876);

// 搜索指定特征码的地址数据.
unsigned char FindCode[6] = { 0xff, 0x75, 0x10, 0xff, 0x75, 0x0c };
DWORD ret = ScanAddress(Process, FindCode, 6);
printf("特征地址: %x \n", ret);

// 给指定位置动态打补丁
unsigned char Pack[6] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
WriteProcessMemory(Process, (LPVOID)ret, Pack, 6, 0);

system("pause");
return 0;
}


温馨提示:
1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
2.回复帖子不仅是对作者的认可,还可以获得学币奖励,请尊重他人的劳动成果,拒绝做伸手党!
3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【投诉建议】板块发帖举报。
论坛交流群:672619046

    发表于 2021-12-14 07:28:50
    谢谢分享谢谢分享

    小黑屋|手机版|站务邮箱|学逆向论坛 ( 粤ICP备2021023307号 )|网站地图

    GMT+8, 2024-12-22 10:03 , Processed in 0.128134 second(s), 47 queries .

    Powered by Discuz! X3.4

    Copyright © 2001-2021, Tencent Cloud.

    快速回复 返回顶部 返回列表