C++特征码定位
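// BaseAddrTools.cpp : Defines the entry point for the DLL application.
//
// Debugging aid: scans one module of the current process for a byte
// signature (hex string, "??" = wildcard byte) and reports each hit through
// OutputDebugString. Address arithmetic assumes a 32-bit image (4-byte
// absolute values, E8 rel32 calls); in a 64-bit build the printed values
// would be truncated to 32 bits.
//
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>

BOOL GetProcessModuleHandle(DWORD PID, const char *szModuleName, MODULEENTRY32 *pModule); // look up a module of a process by name
BOOL StringToByte(const char *InBuff, unsigned char *OutBuff);                            // hex signature string -> byte array
BYTE *MemoryFind(BYTE *Buff1, BYTE *Buff2, DWORD Buff1Size, DWORD Buff2Size);           // find a byte pattern inside a buffer
void FindCallAddr(const char *Buff, int OffsetSize, const char *ModuleName, const char *Regexp);     // report the target of a CALL at the match
void FindFunctionAddr(const char *Buff, int OffsetSize, const char *ModuleName, const char *Regexp); // report the address of the match
void FindConstAddr(const char *Buff, int OffsetSize, const char *ModuleName, const char *Regexp);    // report a 32-bit constant at the match

// Called once per signature hit. Match points into the module image; Module
// supplies the image bounds so the handler can check its own reads.
typedef void (*MatchHandler)(BYTE *Match, const MODULEENTRY32 *Module, int OffsetSize, const char *Regexp);

// TRUE when [Addr, Addr + Len) lies entirely inside the module image.
static BOOL RangeInModule(const MODULEENTRY32 *Module, DWORD_PTR Addr, size_t Len)
{
    DWORD_PTR Base = (DWORD_PTR)Module->modBaseAddr;
    DWORD_PTR End = Base + Module->modBaseSize;
    return Addr >= Base && Addr <= End && Len <= End - Addr;
}

// Format one 32-bit value with the caller's format string and hand it to the
// debugger. Regexp is not a literal: it must contain exactly one unsigned
// 32-bit conversion (e.g. "0x%08X") and nothing else that consumes arguments.
// Output is bounded to MAX_PATH bytes (the original used an unbounded sprintf).
static void ReportDebug(const char *Regexp, DWORD Value)
{
    char DbgOutBuff[MAX_PATH] = {0};
    int Written = snprintf(DbgOutBuff, sizeof DbgOutBuff, Regexp, Value);
    if (Written < 0) {
        return; // encoding error; nothing sensible to print
    }
    OutputDebugString(DbgOutBuff);
}

// Handler for FindConstAddr: print the DWORD stored OffsetSize bytes into the match.
static void ReportConstValue(BYTE *Match, const MODULEENTRY32 *Module, int OffsetSize, const char *Regexp)
{
    DWORD_PTR Addr = (DWORD_PTR)Match + OffsetSize;
    if (!RangeInModule(Module, Addr, sizeof(DWORD))) {
        return; // the 4-byte read would leave the image
    }
    DWORD Value;
    memcpy(&Value, (const void *)Addr, sizeof Value); // memcpy: the operand may be unaligned
    ReportDebug(Regexp, Value);
}

// Handler for FindFunctionAddr: print the address OffsetSize bytes into the match.
static void ReportFunctionAddr(BYTE *Match, const MODULEENTRY32 *Module, int OffsetSize, const char *Regexp)
{
    DWORD_PTR Addr = (DWORD_PTR)Match + OffsetSize;
    if (!RangeInModule(Module, Addr, 0)) {
        return;
    }
    ReportDebug(Regexp, (DWORD)Addr); // truncates to 32 bits in a 64-bit build (see file header)
}

// Handler for FindCallAddr: the byte at OffsetSize is taken to be an E8 opcode;
// its target is (address of the next instruction) + rel32, computed mod 2^32.
static void ReportCallTarget(BYTE *Match, const MODULEENTRY32 *Module, int OffsetSize, const char *Regexp)
{
    DWORD_PTR CallAddr = (DWORD_PTR)Match + OffsetSize;
    if (!RangeInModule(Module, CallAddr, 5)) {
        return; // opcode + rel32 must both be inside the image
    }
    DWORD Rel;
    memcpy(&Rel, (const void *)(CallAddr + 1), sizeof Rel);
    DWORD Target = (DWORD)(CallAddr + 5) + Rel;
    ReportDebug(Regexp, Target);
}

// Shared driver for the three Find* entry points: resolve the module, convert
// the signature, then invoke Handler on every hit. The scan reads every byte in
// [modBaseAddr, modBaseAddr + modBaseSize); pages that are not readable at the
// time of the scan would fault -- NOTE(review): nothing here guards against that.
static void ScanModule(const char *Buff, int OffsetSize, const char *ModuleName, const char *Regexp, MatchHandler Handler)
{
    MODULEENTRY32 Module32;
    if (GetProcessModuleHandle(GetCurrentProcessId(), ModuleName, &Module32) == FALSE) {
        return; // module is not loaded in this process
    }
    DWORD BuffLen = (DWORD)(strlen(Buff) / 2); // one byte per hex pair
    if (BuffLen == 0) {
        return; // an empty pattern would match at every byte
    }
    BYTE *OutBuff = new BYTE[BuffLen];
    if (!StringToByte(Buff, OutBuff)) {
        delete[] OutBuff; // malformed signature; StringToByte already reported it
        return;
    }
    BYTE *Base = Module32.modBaseAddr;
    BYTE *Temp = MemoryFind(Base, OutBuff, Module32.modBaseSize, BuffLen);
    while (Temp) {
        Handler(Temp, &Module32, OffsetSize, Regexp);
        // Resume one byte past this hit. The remaining length must shrink by the
        // same amount; the original passed one byte too many and could read past
        // the end of the image.
        DWORD Consumed = (DWORD)(Temp + 1 - Base);
        Temp = MemoryFind(Temp + 1, OutBuff, Module32.modBaseSize - Consumed, BuffLen);
    }
    delete[] OutBuff;
}

BOOL WINAPI DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;
    // Scan once, on process attach only. The original ran the scan on every
    // notification (thread attach/detach and process detach included). Note that
    // CreateToolhelp32Snapshot is called here while the loader lock is held.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        FindConstAddr("558B??83????5356578D????B9????????B8????????F3??", 0XD, "BaseAddrTools.exe", "0x%08X ");
    }
    return TRUE;
}

// Report the 32-bit value stored OffsetSize bytes into each match of Buff in ModuleName.
void FindConstAddr(const char *Buff, int OffsetSize, const char *ModuleName, const char *Regexp)
{
    ScanModule(Buff, OffsetSize, ModuleName, Regexp, ReportConstValue);
}

// Report the address OffsetSize bytes into each match of Buff in ModuleName.
void FindFunctionAddr(const char *Buff, int OffsetSize, const char *ModuleName, const char *Regexp)
{
    ScanModule(Buff, OffsetSize, ModuleName, Regexp, ReportFunctionAddr);
}

// Report the target of the E8 CALL located OffsetSize bytes into each match.
void FindCallAddr(const char *Buff, int OffsetSize, const char *ModuleName, const char *Regexp)
{
    ScanModule(Buff, OffsetSize, ModuleName, Regexp, ReportCallTarget);
}

// Search Buff1 (Buff1Size bytes) for Buff2 (Buff2Size bytes). A 0x00 byte in
// Buff2 matches anything -- that is how StringToByte encodes "??", which also
// means a literal 00 byte cannot be matched exactly. Returns a pointer to the
// first hit or NULL. With Buff2Size == 0 the first position is returned.
BYTE *MemoryFind(BYTE *Buff1, BYTE *Buff2, DWORD Buff1Size, DWORD Buff2Size)
{
    if (Buff1Size < Buff2Size) {
        return NULL;
    }
    for (DWORD Count1 = 0; Count1 + Buff2Size <= Buff1Size; Count1++) {
        // Declared outside the inner loop because it is tested after it; the
        // original declared it in the for-header, which is out of scope afterwards
        // in standard C++.
        DWORD Count2 = 0;
        for (; Count2 < Buff2Size; Count2++) {
            if (Buff2[Count2] == 0) {
                continue; // wildcard
            }
            if (Buff1[Count1 + Count2] != Buff2[Count2]) {
                break;
            }
        }
        if (Count2 == Buff2Size) {
            return &Buff1[Count1];
        }
    }
    return NULL;
}

// Fill *pModule with the entry whose szModule equals szModuleName (exact,
// case-sensitive comparison) in process PID. Returns TRUE on success; FALSE when
// the snapshot cannot be taken or no module matches. NOTE(review): a 32-bit
// caller snapshotting a process may need TH32CS_SNAPMODULE32 as well -- not
// handled here, as in the original.
BOOL GetProcessModuleHandle(DWORD PID, const char *szModuleName, MODULEENTRY32 *pModule)
{
    HANDLE Snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
    if (Snapshot == INVALID_HANDLE_VALUE) {
        return FALSE;
    }
    MODULEENTRY32 Entry;
    memset(&Entry, 0, sizeof Entry);
    Entry.dwSize = sizeof Entry; // Module32First rejects the call without it
    BOOL Found = FALSE;
    for (BOOL More = Module32First(Snapshot, &Entry); More; More = Module32Next(Snapshot, &Entry)) {
        if (strcmp(szModuleName, Entry.szModule) == 0) {
            memcpy(pModule, &Entry, sizeof *pModule);
            Found = TRUE;
            break;
        }
    }
    CloseHandle(Snapshot);
    return Found;
}

// Value of one hex digit, or -1 when c is not a hex digit.
static int HexDigitValue(char c)
{
    if (c >= '0' && c <= '9') {
        return c - '0';
    }
    if (c >= 'a' && c <= 'f') {
        return c - 'a' + 10;
    }
    if (c >= 'A' && c <= 'F') {
        return c - 'A' + 10;
    }
    return -1;
}

// Convert a signature string to bytes: each pair of hex digits becomes one
// byte, "??" becomes 0x00 (the wildcard MemoryFind understands). OutBuff must
// hold strlen(InBuff)/2 bytes. Returns FALSE (after a message box) for an
// odd-length string or any pair that is neither hex nor "??"; OutBuff is not
// written in that case. The original decoded pairs with sscanf("%X") into a
// byte, which wrote 4 bytes per pair; the digits are now decoded directly.
BOOL StringToByte(const char *InBuff, unsigned char *OutBuff)
{
    size_t BuffSize = strlen(InBuff);
    if (BuffSize % 2 != 0) {
        MessageBox(0, "特征有误", "", 0);
        return FALSE;
    }
    // Validate every pair first so a rejected signature leaves OutBuff untouched.
    for (size_t Index = 0; Index < BuffSize; Index += 2) {
        BOOL Wild = InBuff[Index] == '?' && InBuff[Index + 1] == '?';
        BOOL Hex = HexDigitValue(InBuff[Index]) >= 0 && HexDigitValue(InBuff[Index + 1]) >= 0;
        if (!Wild && !Hex) {
            MessageBox(0, "特征有误", "", 0);
            return FALSE;
        }
    }
    for (size_t Index = 0; Index < BuffSize; Index += 2) {
        if (InBuff[Index] == '?') {
            OutBuff[Index / 2] = 0; // wildcard
        } else {
            int Hi = HexDigitValue(InBuff[Index]);
            int Lo = HexDigitValue(InBuff[Index + 1]);
            OutBuff[Index / 2] = (unsigned char)((Hi << 4) | Lo);
        }
    }
    return TRUE;
}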