This repository has been archived by the owner on Apr 24, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathPatternScanner.cs
77 lines (63 loc) · 2.57 KB
/
PatternScanner.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
//https://github.com/Astrum-Project/AstralBypass
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
// writen by dom1n1k and Patrick
// converted to c# by atom0s [aka Wiccaan]
// adapted by Astral Astrum
// changes:
// works on 64 bit
// static instead of instance
// todo:
// cache result
public static class PatternScanner
{
private static bool MaskCheck(byte[] mem, int nOffset, string pattern)
{
for (int x = 0; x < pattern.Length / 2; x++)
{
string bite = pattern.Substring(x * 2, 2);
if (bite == "??") continue;
if (byte.Parse(bite, System.Globalization.NumberStyles.HexNumber) != mem[nOffset + x]) return false;
}
return true;
}
public static IntPtr Scan(string module, string pattern, int offset = 0)
{
Process process = Process.GetCurrentProcess();
IntPtr baseAddr = GetModuleHandle(module);
if (!GetModuleInformation(process.Handle, baseAddr, out MODULEINFO info, 24))
return IntPtr.Zero;
int size = (int)info.SizeOfImage;
pattern = pattern.Replace(" ", "");
try
{
if (baseAddr == IntPtr.Zero) return IntPtr.Zero;
if (size == 0) return IntPtr.Zero;
byte[] mem = new byte[size];
if (!ReadProcessMemory(process.Handle, baseAddr, mem, size, out int nBytesRead) || nBytesRead != size)
return IntPtr.Zero;
for (int x = 0; x < mem.Length; x++)
if (MaskCheck(mem, x, pattern))
return new IntPtr(baseAddr.ToInt64() + x + offset);
return IntPtr.Zero;
}
catch { return IntPtr.Zero; }
}
public static IntPtr OffsetToModule(string module, int offset = 0)
{
Process process = Process.GetCurrentProcess();
IntPtr baseAddr = GetModuleHandle(module);
return baseAddr + offset;
}
[DllImport("kernel32.dll", SetLastError = true)] private static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out()] byte[] lpBuffer, int dwSize, out int lpNumberOfBytesRead);
[DllImport("kernel32.dll", CharSet = CharSet.Auto)] public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("psapi.dll", SetLastError = true)] static extern bool GetModuleInformation(IntPtr hProcess, IntPtr hModule, out MODULEINFO lpmodinfo, uint cb);
[StructLayout(LayoutKind.Sequential)]
public struct MODULEINFO
{
public IntPtr lpBaseOfDll;
public uint SizeOfImage;
public IntPtr EntryPoint;
}
}