• Amused
  • Angry
  • Annoyed
  • Awesome
  • Bemused
  • Cocky
  • Cool
  • Crazy
  • Crying
  • Down
  • Drunk
  • Embarrased
  • Enraged
  • Friendly
  • Geeky
  • Godly
  • Happy
  • Hateful
  • Hungry
  • Innocent
  • Meh
  • Piratey
  • Poorly
  • Sad
  • Secret
  • Shy
  • Sneaky
  • Tired
  • Wtf
  • At Work
  • CodenzHub
  • Coding
  • Deejaying
  • Donating
  • Drinking
  • Eating
  • Editing
  • Hacking
  • Hate Mailing
  • Jamin'
  • Lagging
  • Live Streaming
  • Lurking
  • No Status
  • Pawning
  • PC Gaming
  • PS Gaming
  • Raging
  • Reversing
  • Sleeping
  • Steam Gaming
  • Trolling
  • TwitchStreamer
  • Vodka!
  • Watching TV/Movie
  • Xbox Gaming
  • Youtuber
  • Zombies
  • Results 1 to 3 of 3
    1. #1
      Newbie
      not a hacker
       
      Coding
       
      cascraft's Avatar
      Join Date
      Jan 2013
      Location
      German
      Posts
      33
      Thanks (-->)
      8
      Thanks (<--)
      6

      Signature Scanning With C#

      Advertise on GuidedHacking
      namespace YourNamespaceNameHere.Classes
      {
      using System;
      using System.Collections.Generic;
      using System.Diagnostics;
      using System.Linq;
      using System.Runtime.InteropServices;

      public class SigScan
      {
      /// <summary>
      /// ReadProcessMemory
      ///
      /// API import definition for ReadProcessMemory.
      /// </summary>
      /// <param name="hProcess">Handle to the process we want to read from.</param>
      /// <param name="lpBaseAddress">The base address to start reading from.</param>
      /// <param name="lpBuffer">The return buffer to write the read data to.</param>
      /// <param name="dwSize">The size of data we wish to read.</param>
      /// <param name="lpNumberOfBytesRead">The number of bytes successfully read.</param>
      /// <returns></returns>
      [DllImport("kernel32.dll", SetLastError = true)]
      private static extern bool ReadProcessMemory(
      IntPtr hProcess,
      IntPtr lpBaseAddress,
      [Out] byte[] lpBuffer,
      int dwSize,
      out int lpNumberOfBytesRead
      );

      /// <summary>
      /// m_vDumpedRegion
      ///
      /// The memory dumped from the external process.
      /// </summary>
      private byte[] m_vDumpedRegion;

      /// <summary>
      /// m_vProcess
      ///
      /// The process we want to read the memory of.
      /// </summary>
      private Process m_vProcess;

      /// <summary>
      /// m_vAddress
      ///
      /// The starting address we want to begin reading at.
      /// </summary>
      private IntPtr m_vAddress;

      /// <summary>
      /// m_vSize
      ///
      /// The number of bytes we wish to read from the process.
      /// </summary>
      private Int32 m_vSize;


      #region "sigScan Class Construction"
      /// <summary>
      /// SigScan
      ///
      /// Main class constructor that uses no params.
      /// Simply initializes the class properties and
      /// expects the user to set them later.
      /// </summary>
      public SigScan()
      {
      this.m_vProcess = null;
      this.m_vAddress = IntPtr.Zero;
      this.m_vSize = 0;
      this.m_vDumpedRegion = null;
      }
      /// <summary>
      /// SigScan
      ///
      /// Overloaded class constructor that sets the class
      /// properties during construction.
      /// </summary>
      /// <param name="proc">The process to dump the memory from.</param>
      /// <param name="addr">The started address to begin the dump.</param>
      /// <param name="size">The size of the dump.</param>
      public SigScan(Process proc, IntPtr addr, int size)
      {
      this.m_vProcess = proc;
      this.m_vAddress = addr;
      this.m_vSize = size;
      }
      #endregion

      #region "sigScan Class Private Methods"
      /// <summary>
      /// DumpMemory
      ///
      /// Internal memory dump function that uses the set class
      /// properties to dump a memory region.
      /// </summary>
      /// <returns>Boolean based on RPM results and valid properties.</returns>
      private bool DumpMemory()
      {
      try
      {
      // Checks to ensure we have valid data.
      if (this.m_vProcess == null)
      return false;
      if (this.m_vProcess.HasExited)
      return false;
      if (this.m_vAddress == IntPtr.Zero)
      return false;
      if (this.m_vSize == 0)
      return false;

      // Create the region space to dump into.
      this.m_vDumpedRegion = new byte[this.m_vSize];

      int nBytesRead;

      // Dump the memory.
      var ret = ReadProcessMemory(
      this.m_vProcess.Handle, this.m_vAddress, this.m_vDumpedRegion, this.m_vSize, out nBytesRead
      );

      // Validation checks.
      return ret && nBytesRead == this.m_vSize;
      }
      catch (Exception)
      {
      return false;
      }
      }

      /// <summary>
      /// MaskCheck
      ///
      /// Compares the current pattern byte to the current memory dump
      /// byte to check for a match. Uses wildcards to skip bytes that
      /// are deemed unneeded in the compares.
      /// </summary>
      /// <param name="nOffset">Offset in the dump to start at.</param>
      /// <param name="btPattern">Pattern to scan for.</param>
      /// <param name="strMask">Mask to compare against.</param>
      /// <returns>Boolean depending on if the pattern was found.</returns>
      private bool MaskCheck(int nOffset, IEnumerable<byte> btPattern, string strMask)
      {
      // Loop the pattern and compare to the mask and dump.
      return !btPattern.Where((t, x) => strMask[x] != '?' && ((strMask[x] == 'x') && (t != this.m_vDumpedRegion[nOffset + x]))).Any();

      // The loop was successful so we found the pattern.
      }

      #endregion

      #region "sigScan Class Public Methods"
      /// <summary>
      /// FindPattern
      ///
      /// Attempts to locate the given pattern inside the dumped memory region
      /// compared against the given mask. If the pattern is found, the offset
      /// is added to the located address and returned to the user.
      /// </summary>
      /// <param name="btPattern">Byte pattern to look for in the dumped region.</param>
      /// <param name="strMask">The mask string to compare against.</param>
      /// <param name="nOffset">The offset added to the result address.</param>
      /// <returns>IntPtr - zero if not found, address if found.</returns>
      public IntPtr FindPattern(byte[] btPattern, string strMask, int nOffset)
      {
      try
      {
      // Dump the memory region if we have not dumped it yet.
      if (this.m_vDumpedRegion == null || this.m_vDumpedRegion.Length == 0)
      {
      if (!this.DumpMemory())
      return IntPtr.Zero;
      }

      // Ensure the mask and pattern lengths match.
      if (strMask.Length != btPattern.Length)
      return IntPtr.Zero;

      // Loop the region and look for the pattern.
      for (int x = 0; x < this.m_vDumpedRegion.Length; x++)
      {
      if (this.MaskCheck(x, btPattern, strMask))
      {
      // The pattern was found, return it.
      return new IntPtr((int)this.m_vAddress + (x + nOffset));
      }
      }

      // Pattern was not found.
      return IntPtr.Zero;
      }
      catch (Exception)
      {
      return IntPtr.Zero;
      }
      }

      /// <summary>
      /// ResetRegion
      ///
      /// Resets the memory dump array to nothing to allow
      /// the class to redump the memory.
      /// </summary>
      public void ResetRegion()
      {
      this.m_vDumpedRegion = null;
      }
      #endregion

      #region "sigScan Class Properties"
      public Process Process
      {
      get { return this.m_vProcess; }
      set { this.m_vProcess = value; }
      }
      public IntPtr Address
      {
      get { return this.m_vAddress; }
      set { this.m_vAddress = value; }
      }
      public Int32 Size
      {
      get { return this.m_vSize; }
      set { this.m_vSize = value; }
      }
      #endregion

      }
      }
      Last edited by cascraft; 08-12-2017 at 04:03 PM.
      Signature Scanning With C#

    2. Thanks Teuvin thanked for this post
    3. #2
      Administrator
      Hacked By Jesus
       
      Reversing
       
      [GH]Rake's Avatar
      Join Date
      Jan 2014
      Location
      USA
      Posts
      3,365
      Thanks (-->)
      770
      Thanks (<--)
      978
      Superb post, copy and pasted an entire .cs from github, no credits, wrong section, no explanation.

    4. #3
      Global Moderator
      Certified Asshole
       
      CodenzHub
       
      Traxin's Avatar
      Join Date
      Aug 2015
      Posts
      529
      Thanks (-->)
      83
      Thanks (<--)
      158
      Advertise on GuidedHacking
      /**
      * sigScan C# Implementation - Written by atom0s [aka Wiccaan]
      * Class Version: 2.0.0
      *
      * [ CHANGE LOG ] -------------------------------------------------------------------------
      *
      * 2.0.0
      * - Updated to no longer require unsafe or fixed code.
      * - Removed unneeded methods and code.
      *
      * 1.0.0
      * - First version written and release.
      *
      * [ CREDITS ] ----------------------------------------------------------------------------
      *
      * sigScan is based on the FindPattern code written by
      * dom1n1k and Patrick at GameDeception.net
      *
      * Full credit to them for the purpose of this code. I, atom0s, simply
      * take credit for converting it to C#.
      *
      */


      Just thought I'd add the missing credits for you.

    Similar Game Hacker Threads

    1. [VideoTutorial] C++ External Signature Scanning
      By [GH]Rake in forum GH Hack Video Tutorials
      Replies: 63
      Last Post: 07-24-2017, 02:03 PM
    2. [Source Code] FASM x86 Signature Scanning & NOP'ing - Full source
      By V-X in forum ASM
      Replies: 1
      Last Post: 02-07-2017, 10:20 PM
    3. [Help] Fleep's Signature Scanning Tutorial (C++)
      By WhiteHood in forum Hacking Help
      Replies: 2
      Last Post: 01-26-2016, 05:48 AM
    4. [Help] Signature scanning vs finding offset
      By PandoraBytes in forum Hacking Help
      Replies: 4
      Last Post: 11-03-2015, 05:37 PM
    5. [Help] Signature Scanning/Question
      By kn0cturnal in forum GH Tutorials Help
      Replies: 1
      Last Post: 05-12-2014, 12:04 AM