Signature Scanning (Chinese temporarily translated as "signature Scan") is a good way to develop in C + + (at least I'm using C + + ^^)

1. Introduction

This paper mainly introduces how to get the address of a function from a dynamic link library without the code. The main implementation mode is signature scanning (signature scan)

2. What is signature scanning (signature scan)

I will simply explain that, in fact, from the beginning of a binary file scanning, until the end of the file of such a work, when swept to a paragraph and we need to match,

Then the address of the target is found. (Feel not good enough to say, here everyone fill it up ^^.https://wiki.alliedmods.net/signature_scanning#what_is_sigscanning.3f,

Of course there is a C + + bottom, you should be able to use my code below to understand the ha ^ ^)

3. Preparatory work

1). Through the reverse tool, here I recommend Ida, if you have other tools to get the signature, that is OK. As for IDA, I'm not offering it here.

2). Review this article to learn how to get signatures.

3). Required binary files, with signature

4. Official start

1. Obtain the base address and size of a binary file, which may be obtained through the following function

1 DWORD mh_getmodulebase (hmodule hmodule)//Get the base address of a binary file2 { 3 memory_basic_information mem;4 5     if(! VirtualQuery (hmodule, &mem,sizeof(memory_basic_information))) 6         return 0;7 8     return(DWORD) mem. Allocationbase; 9 }Ten  One DWORD mh_getmodulesize (hmodule hmodule)//Get the size of a binary file A {  -     return((Image_nt_headers *) ((DWORD) Hmodule + (((Image_dos_header *) hmodule)->e_lfanew))Optionalheader.sizeofimage; -}

2. The following function can then be scanned after loading the binary file

1 void*mh_searchpattern (void*pstartsearch, DWORD Dwsearchlen,Char*Ppattern, DWORD Dwpatternlen)2 { 3DWORD dwstartaddr =(DWORD) pstartsearch;4DWORD dwendaddr = dwstartaddr + Dwsearchlen-Dwpatternlen;5 6      while(Dwstartaddr < DWENDADDR)//This is scanned from the beginning of the file, and if the location of the specified signature is not found, it will jump out of the loop and end the scan, otherwise it will return the address found7     { 8         BOOLFound =true;9 Ten          for(DWORD i =0; i < Dwpatternlen; i++)  One         {  A             CharCode = * (Char*) (DWSTARTADDR +i); -             //0X2A is the conversion of a jump code, such as when a part is E8 AB CD 2E sub_xxxxxxxx, -             //so at this time except E8, the other should be replaced by 2A the             if(Ppattern[i]! =0x2A&& Ppattern[i]! =code) -             {  -Found =false;  -                  Break;  +             }  -         } +  A         if(found) at             return(void*) dwstartaddr; -  -dwstartaddr++;  -     } -  -     return 0;  in}

If the scan succeeds, it returns the address where the signature exists or returns an empty

5. What is the use of this?

For the function hook has a very big role, may through the inline hook directly hook function, what to do next do it ^ ^, welcome spit

Slot

Supplementary approximate usage:

1 #defineSig_func "\x55\x8b\xec\x53\x56\x8b\xf1\x57\x8b\x4e\x2a\xe8\x2a\x2a\x2a\x2a\x56\xb9\x2a\x2a\x2a\x2a\xe8\x2a\x2a\ X2A\X2A\X6A "2 3 4 void*g_porigin =NULL;5Hmodule G_hmodule =NULL;6 DWORD g_dwbase, g_dwsize;7 8G_hmodule = LoadLibrary ("My.dll");9G_dwbase =mh_getmodulebase (g_hmodule);TenG_dwsize =mh_getmodulesize (g_hmodule); OneG_porigin = Mh_searchpattern (G_dwbase, G_dwsize, Sig_func,sizeof(Sig_func)-1); A  -Normally, the G_porigin return is the function address pointed to by the feature ^ ^

Signature Scanning (Chinese temporarily translated as "signature Scan") is a good way to develop in C + + (at least I'm using C + + ^^)