Frawley

I'm trying to create a signature search that can find the address of whatever bytes you input. For example, if I set buffer to 0x04AF, the function will search through the process' memory until it finds an address that holds that value. Unfortunately, I've run into a lot of difficulty. Any help would be greatly appreciated. Here is the full source code. The return value always seems to be zero, even when I know the buffer is equal to the memory.

Code Snippet

#include <windows.h>
#include <iostream>

using namespace std;

DWORD* FindSignature(HANDLE hProcess, byte* signature, DWORD* dwStartAddress, unsigned int length);
BOOL CompareBytes(byte* buffer1, byte* buffer2, unsigned int length);

int main()
{
    byte buffer[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
    DWORD* test = FindSignature(GetCurrentProcess(), buffer, NULL, 1000);
    system("pause");
}

DWORD* FindSignature(HANDLE hProcess, byte* signature, DWORD* dwStartAddress, unsigned int length)
{
    if(dwStartAddress == NULL)
    {
        dwStartAddress = (DWORD*)0x00400000;
    }
    byte buffer[sizeof(signature)];
    for(unsigned int i = 0; i < length; i++)
    {
        ReadProcessMemory(hProcess, (LPVOID)dwStartAddress, buffer, sizeof(signature), NULL);
        if(CompareBytes(buffer, signature, sizeof(signature)))
        {
            cout << "Match Found";
            return (DWORD*)(dwStartAddress + i);
        }
    }
    return 0;
}

BOOL CompareBytes(byte* buffer1, byte* buffer2, unsigned int length)
{
    for(unsigned int i = 0; i < length; i++)
    {
        if(buffer1[i] != buffer2[i])
        {
            return false;
        }
    }
    return true;
}



Re: Visual C++ General Help with memory functions etc

valikac

You need to consider the value read from the last parameter of ReadProcessMemory().

valikac







Re: Visual C++ General Help with memory functions etc

Frawley

I thought that only tells me how many bytes were read. I don't understand how.





Re: Visual C++ General Help with memory functions etc

valikac

Pass in the returned value as the last parameter of the comparison function. Advance the start address as you traverse.

valikac




Re: Visual C++ General Help with memory functions etc

Frawley

That helped, but didn't work. I think the problem is "signature". When I breakpoint it, signature always has a zero length array. (It just comes out as a single byte). I can't understand why this happens. Even if I set the size of the byte array to 10 it still reverts to 0.





Re: Visual C++ General Help with memory functions etc

Aleksandr Tokarev

Your code will not work.

You read the same address in memory in the cycle.

dwStartAddress is never changed.

for(unsigned int i = 0; i < length; i++)
{
    ReadProcessMemory(hProcess, (LPVOID)dwStartAddress, buffer, sizeof(signature), NULL);
    if(CompareBytes(buffer, signature, sizeof(signature)))
    {
        cout << "Match Found";
        return (DWORD*)(dwStartAddress + i);
    }
}

byte buffer[sizeof(signature)]; // sizeof(signature) == 4 always.

So, it equals

byte buffer[4];

if(CompareBytes(buffer, signature, 4))

compares only four bytes.

Thus, you read and compare the first 4 bytes in the cycle, so you never find anything.

And lastly, memory in Windows is allocated by pages, and between some pages there can be a gap, thus scanning through all memory is not a good idea.





Re: Visual C++ General Help with memory functions etc

Frawley

Wow, I feel like an idiot. How can I find the number of bytes that are in signature, since sizeof() always returns 4 in this case?
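
An added example, not posted by anyone in this thread: the scan with the fixes the replies point to (signature length passed explicitly, start address advanced, only the bytes actually read compared, unreadable pages skipped). `ReadFn`, `find_signature`, `NOT_FOUND` and `demo` are names made up here; `ReadFn` stands in for ReadProcessMemory so the code runs without Windows, and the memory contents are constructed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>

// Stand-in for ReadProcessMemory (an assumption of this example): copies up to
// `want` bytes at `addr` into `out`, reports the count actually read in `got`,
// and returns false when `addr` itself is unreadable.
using ReadFn = std::function<bool(std::size_t addr, std::uint8_t* out,
                                  std::size_t want, std::size_t& got)>;
constexpr std::size_t NOT_FOUND = static_cast<std::size_t>(-1);

// sig_len is passed in: `sig` is a pointer here, so sizeof(sig) is the pointer size.
std::size_t find_signature(const ReadFn& read, std::size_t start, std::size_t end,
                           const std::uint8_t* sig, std::size_t sig_len,
                           std::size_t page = 4096) {
    if (sig_len == 0 || sig_len > page) return NOT_FOUND;
    std::vector<std::uint8_t> buf(page);
    for (std::size_t addr = start; addr < end;) {
        std::size_t want = std::min(page, end - addr), got = 0;
        if (!read(addr, buf.data(), want, got) || got == 0) {
            addr = (addr / page + 1) * page;  // gap: skip to the next page
            continue;
        }
        for (std::size_t i = 0; i + sig_len <= got; ++i)  // only bytes really read
            if (std::memcmp(&buf[i], sig, sig_len) == 0) return addr + i;
        // Full read: step back sig_len-1 so a match split across reads is seen.
        addr += (got == want && got >= sig_len) ? got - (sig_len - 1) : got;
    }
    return NOT_FOUND;
}

// Constructed sample: 64 bytes in 16-byte "pages", page 1 (16..31) unreadable,
// signature DE AD BE EF placed at offset 46 so it straddles pages 2 and 3.
std::size_t demo() {
    std::vector<std::uint8_t> mem(64, 0);
    const std::uint8_t sig[] = {0xDE, 0xAD, 0xBE, 0xEF};
    std::memcpy(&mem[46], sig, sizeof(sig));  // sizeof works: sig is an array here
    ReadFn read = [&](std::size_t a, std::uint8_t* out, std::size_t want, std::size_t& got) {
        if (a >= mem.size() || a / 16 == 1) return false;
        got = std::min(want, mem.size() - a);
        if (a < 16) got = std::min(got, 16 - a);  // stop at the unreadable page
        std::memcpy(out, &mem[a], got);
        return true;
    };
    return find_signature(read, 0, mem.size(), sig, sizeof(sig), 16);
}
```

On Windows the reader would wrap ReadProcessMemory and pass back its last parameter as `got`; querying region boundaries with VirtualQueryEx is the usual way to find which pages are readable instead of probing page by page.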