







Signature Scanner for Delphi by ArxLex

Ein Thema von arxlex · begonnen am 26. Mai 2014
arxlex

Registriert seit: 19. Aug 2012
1 Beiträge
 
#1

Signature Scanner for Delphi by ArxLex

  Alt 26. Mai 2014, 06:00
Hi everyone! I decided to share the signature scanner I (aka ArxLex) wrote in Delphi. The material is purely for informational purposes. The functions' basis and principle of operation were taken from C++. The example is written for beginners and WinAPI amateurs as a console application, so the code is easier to follow and understand.

Delphi-Quellcode:
program signaturescanner;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils, TlHelp32;
var
  // Process id of the target, filled by GetPID (0 = not found).
  m_pID: integer;
  // Handle opened on the target process; used by ScanSignature for VirtualQueryEx/ReadProcessMemory.
  m_hProc: THandle;
  // Main-module entry of the target (GetModuleInfo with main_process = true).
  // Note: GetModuleInfo declares a local of the same name that shadows this global.
  module: TModuleEntry32;
  // Address returned by ScanSignature (0 = pattern not found).
  m_Sign: integer;
const
  // Hard-coded target process name; compared exactly (case-sensitive) against szExeFile in GetPID.
  procName = 'D3D9Test.exe';
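// Looks up the process whose image name equals procName and stores its id in m_pID
// (0 when not found or when the snapshot cannot be created).
// Fixes versus the original: the snapshot handle is checked for INVALID_HANDLE_VALUE
// before use, the first enumerated entry is now compared too (the original only used
// Process32First as a gate and compared from Process32Next onward), and the handle is
// closed on every path via try/finally.
procedure GetPID;
var
  snapshot: THandle;
  pInfo: PROCESSENTRY32;
  more: Boolean;
begin
  // Default to "not found"; the caller tests m_pID <> 0 before doing anything else.
  m_pID := 0;
  snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not 0.
  if snapshot = INVALID_HANDLE_VALUE then
    Exit;
  try
    pInfo.dwSize := SizeOf(PROCESSENTRY32);
    more := Process32First(snapshot, pInfo);
    while more do
    begin
      // Same exact comparison as before: char array against the string constant.
      if pInfo.szExeFile = procName then
      begin
        m_pID := pInfo.th32ProcessID;
        Exit; // the finally block still closes the snapshot
      end;
      more := Process32Next(snapshot, pInfo);
    end;
  finally
    CloseHandle(snapshot);
  end;
end;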
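// Returns the module entry for the process m_pID: the first enumerated module when
// main_process is true (the original relied on that entry being the main executable;
// this version keeps that assumption), otherwise the module whose file name matches
// module_name case-insensitively.
// Fixes versus the original: the function now returns as soon as a match is found
// (previously it closed the snapshot and kept enumerating on the closed handle, and
// the final "result := module" overwrote any match with the last entry), the snapshot
// is closed exactly once on every path, a failed snapshot is handled, a nil module_name
// no longer reaches StrIComp, and "not found" yields a zeroed record (dwSize = 0,
// modBaseAddr = nil) instead of an arbitrary module.
function GetModuleInfo(const module_name: PChar; main_process: boolean): TModuleEntry32;
var
  snapshot: THandle;
  entry: TModuleEntry32;
  more: Boolean;
begin
  // Zeroed result = "not found"; callers can test modBaseAddr = nil.
  FillChar(Result, SizeOf(Result), 0);
  snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, m_pID);
  if snapshot = INVALID_HANDLE_VALUE then
    Exit;
  try
    entry.dwSize := SizeOf(TModuleEntry32);
    more := Module32First(snapshot, entry);
    if more and main_process then
    begin
      Result := entry;
      Exit; // finally still closes the snapshot
    end;
    while more do
    begin
      // Guard the nil case explicitly: StrIComp on a nil PChar is undefined.
      if (module_name <> nil) and
         (StrIComp(PChar(ExtractFileName(entry.szModule)), module_name) = 0) then
      begin
        Result := entry;
        Exit;
      end;
      more := Module32Next(snapshot, entry);
    end;
  finally
    CloseHandle(snapshot);
  end;
end;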
// Compares data against sign position by position, driven by the NUL-terminated mask:
// an 'x' in the mask requires the bytes to be equal, any other character is a wildcard.
// Returns True when every 'x' position matches (including for an empty mask).
// Bounds are the caller's responsibility: the function reads as many bytes of data
// and sign as the mask has characters.
function DataCompare(data: PByte; sign: PByte; mask: PAnsiChar): boolean;
var
  pos: Integer;
begin
  Result := True;
  pos := 0;
  while mask[pos] <> #0 do
  begin
    if (mask[pos] = 'x') and (data[pos] <> sign[pos]) then
    begin
      Result := False;
      Break;
    end;
    Inc(pos);
  end;
end;
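// Walks the address range [base, base + size) of process m_hProc region by region
// (VirtualQueryEx), copies each non-free region into a local buffer and returns the
// first address at which sign/mask match (see DataCompare), or 0 if nothing matches.
// Fixes versus the original: a failed VirtualQueryEx or a zero-sized region ends the
// scan instead of looping forever on stale mbi data; the result of ReadProcessMemory
// and the BytesRead count are honoured; and the inner loop stops mask-length bytes
// before the end of what was read, so DataCompare can no longer run past the local
// buffer (the original iterated 0..RegionSize inclusive and compared up to mask
// length bytes beyond each position). The buffer is freed via try/finally.
function ScanSignature(base: Dword; size: Dword; sign: PByte; mask: PAnsiChar): integer;
var
  mbi: MEMORY_BASIC_INFORMATION;
  offset: Dword;
  buffer: PByte;
  BytesRead: Dword;
  maskLen: Integer;
  i: Integer;
begin
  Result := 0;
  maskLen := StrLen(mask);
  // An empty mask would "match" at every address; treat it as nothing to scan.
  if maskLen = 0 then
    Exit;
  offset := 0;
  while offset < size do
  begin
    // On failure mbi is left undefined, so stop rather than trust it.
    if VirtualQueryEx(m_hProc, Pointer(base + offset), mbi, SizeOf(MEMORY_BASIC_INFORMATION)) = 0 then
      Break;
    // A zero-sized region would never advance offset.
    if mbi.RegionSize = 0 then
      Break;
    if mbi.State <> MEM_FREE then
    begin
      GetMem(buffer, mbi.RegionSize);
      try
        // Only the bytes actually read are compared; unreadable regions are skipped.
        if ReadProcessMemory(m_hProc, mbi.BaseAddress, buffer, mbi.RegionSize, BytesRead) and
           (BytesRead >= Dword(maskLen)) then
        begin
          // Last start position that still leaves maskLen bytes inside the buffer.
          for i := 0 to Integer(BytesRead) - maskLen do
          begin
            if DataCompare(buffer + i, sign, mask) then
            begin
              Result := Integer(mbi.BaseAddress) + i;
              Exit; // finally frees the buffer
            end;
          end;
        end;
      finally
        FreeMem(buffer);
      end;
    end;
    offset := offset + mbi.RegionSize;
  end;
end;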
const
  // Byte pattern searched for in the target's main module, with one mask character
  // per byte: 'x' = the byte must match, '?' = wildcard (see DataCompare). Every $00
  // in Sign sits under a '?', so those values are placeholders; both lengths are 23
  // and must stay equal or DataCompare reads past the end of Sign.
  Sign: array [0 .. 22] of byte = ($68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $FF, $15, $00, $00, $00, $00, $6A, $20);
  Mask = 'x????x????x????xx????xx';
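// Entry point: locate the target process by name, open it, resolve its main module,
// scan that module for Sign/Mask and print the results.
// Fixes versus the original: the process is opened with only the rights the scan
// uses (VirtualQueryEx and ReadProcessMemory need query + read, not
// PROCESS_ALL_ACCESS), a failed OpenProcess / missing module is reported instead of
// scanning with handle 0, the handle is closed via try/finally, IntToHex gets a digit
// count (2 * SizeOf) rather than a byte count, and the banner's line break is CR LF
// in the right order. Opening and reading another process's memory is exactly what
// endpoint monitoring records, so expect this program to show up in such logs.
begin
  GetPID();
  if m_pID <> 0 then
  begin
    module := GetModuleInfo(nil, true);
    // Least privilege: query + read is all that VirtualQueryEx/ReadProcessMemory need.
    m_hProc := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, false, m_pID);
    if (m_hProc = 0) or (module.modBaseAddr = nil) then
    begin
      writeln(' Could not open the process or find its main module (error ', GetLastError, ')');
      readln;
      Exit;
    end;
    try
      m_Sign := ScanSignature(integer(module.modBaseAddr), module.modBaseSize, @Sign, Mask);
      writeln(' *************************************************************');
      writeln(' * Signature Scanner for Delphi *');
      writeln(' * Special for Cheat[ON].ru by ArxLex *');
      // Two blank lines; the original emitted #10#13 (LF CR) in the wrong order.
      writeln(' *************************************************************' + #13#10#13#10);
      // IntToHex's second argument is the number of hex digits; a byte needs two.
      writeln(' Handle Process: $', IntToHex(m_hProc, 2 * SizeOf(m_hProc)));
      writeln(' Pid: $', IntToHex(m_pID, 2 * SizeOf(m_pID)));
      writeln(' Process Base Address: $', IntToHex(integer(module.modBaseAddr), 2 * SizeOf(module.modBaseAddr)));
      writeln(' Process Base Size: $', IntToHex(module.modBaseSize, 2 * SizeOf(module.modBaseSize)));
      writeln(' Signature Address: $', IntToHex(m_Sign, 2 * SizeOf(m_Sign)));
      readln;
    finally
      CloseHandle(m_hProc);
    end;
  end;
end.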
Source: cheaton.ru

Geändert von mkinzler (26. Mai 2014 um 06:53 Uhr) Grund: Exchange of CODE-Tag with DELPHI-Tag