#define _CRT_SECURE_NO_WARNINGS
#pragma warning(disable:4996)
#include <stdio.h>
#include <windows.h>
#include <string>
#pragma region FindSig
#include <vector>
#include <Psapi.h>
#include <iostream>
#include <tchar.h>
#include <tlhelp32.h>
unsigned char code[12];
unsigned char oldcode[12];
FARPROC addr;
DWORD pid;
using namespace std;
bool FHexCharValid(char c)
{
if (c >= '0' && c <= '9' ||
c >= 'A' && c <= 'F' ||
c >= 'a' && c <= 'f' ||
c == '?')
return true;
else
return false;
}
bool FHexDecoder(char* Dec, char* Src)
{
char HighC, LowC;
DWORD dwSrcLen = strlen(Src) / 2;
int i;
for (i = 0; i < dwSrcLen; i++) {
HighC = Src[i * 2], LowC = Src[i * 2 + 1];
if (!FHexCharValid(LowC) || !FHexCharValid(HighC))
return false;
HighC -= '0';
if (HighC > 9) HighC -= 7;
if (HighC > 0xf) HighC -= 0x20;
LowC -= '0';
if (LowC > 9) LowC -= 7;
if (LowC > 0xf) LowC -= 0x20;
Dec[i] = (HighC << 4) | LowC;
}
return true;
}
bool __SundayHexInit__(char* Sub, DWORD*p, char* HexSub, unsigned long dwSubLen)
{
if (!FHexDecoder(HexSub, Sub)) {
return false;
}
DWORD i;
for (i = 0; i < 0x100; i++) {
p[i] = -1;
}
int WildAddr = 0;
for (i = 0; i < dwSubLen; i++) {
if (Sub[i * 2] == '?')
WildAddr = i;
}
for (i = WildAddr + 1; i < dwSubLen; i++) { //扫描Sub,初始化 P 表
p[(BYTE)HexSub[i]] = dwSubLen - i;
}
for (i = 0; i < 0x100; i++) {
if (p[i] == -1)
p[i] = dwSubLen - WildAddr;
}
return true;
}
int __SundayHex__(char* Src, unsigned long dwSrcLen, char* Sub, DWORD* p, char* HexSub, DWORD dwSubLen)
{
//开始配对字符串
//j为 Sub位置指标, k为 当前匹配位置
DWORD j, k;
j = dwSubLen - 1; //初始化位置为 dwSubLen - 1,匹配顺序为从右到左
bool bContinue = true;
bool bSuccess;
while (bContinue) {
bSuccess = true;
for (k = 0; k < dwSubLen; k++) {
if (Sub[(dwSubLen - k - 1) * 2] != '?' && Src[j - k] != HexSub[dwSubLen - k - 1]) {
bSuccess = false;
break;
}
}
if (bSuccess)
bContinue = false;
else { //移动j指针
if (j < dwSrcLen - 1) //防止j+1 >= dwSrcLen造成溢出
j += p[(BYTE)Src[j + 1]];
else j++;
}
if (j >= dwSrcLen)
break;
}
if (j < dwSrcLen)
return j - dwSubLen + 1;
else
return -1;
}
int __SundayHexV__(char* Src, unsigned long dwSrcLen, char* Sub, DWORD* p, char* HexSub, DWORD dwSubLen, int v)
{
//开始配对字符串
//j为 Sub位置指标, k为 当前匹配位置
DWORD j, k;
j = dwSubLen - 1 + v; //初始化位置为 dwSubLen - 1,匹配顺序为从右到左
bool bContinue = true;
bool bSuccess;
while (bContinue) {
bSuccess = true;
for (k = 0; k < dwSubLen; k++) {
if (Sub[(dwSubLen - k - 1) * 2] != '?' && Src[j - k] != HexSub[dwSubLen - k - 1]) {
bSuccess = false;
break;
}
}
if (bSuccess)
bContinue = false;
else { //移动j指针
if (j < dwSrcLen - 1) //防止j+1 >= dwSrcLen造成溢出
j += p[(BYTE)Src[j + 1]];
else j++;
}
if (j >= dwSrcLen)
break;
}
if (j < dwSrcLen)
return j - dwSubLen + 1;
else
return -1;
}
int SundayHex(char* Src, unsigned long dwSrcLen, char* Sub)
{
DWORD dwSubLen = strlen(Sub);
if (dwSubLen % 2) //长度必须为2的倍数
return -1;
dwSubLen /= 2;
char* HexSub = new char[dwSubLen + 1];
DWORD* p = new DWORD[0x100]; //table P,标志距离
int i = -1;
if (__SundayHexInit__(Sub, p, HexSub, dwSubLen)) {
i = __SundayHex__(Src, dwSrcLen, Sub, p, HexSub, dwSubLen);
}
delete[]p;
delete[]HexSub;
return i;
}
vector< int> SundayHexV(char* Src, unsigned long dwSrcLen, char* Sub)
{
vector< int> v;
DWORD dwSubLen = strlen(Sub);
if (dwSubLen % 2) //长度必须为2的倍数
return v;
dwSubLen /= 2;
char* HexSub = new char[dwSubLen + 1];
DWORD* p = new DWORD[0x100]; //table P,标志距离
int i = -1;
if (__SundayHexInit__(Sub, p, HexSub, dwSubLen)) {
i = __SundayHexV__(Src, dwSrcLen, Sub, p, HexSub, dwSubLen, 0);
while (i != -1)
{
v.push_back(i);
i = __SundayHexV__(Src, dwSrcLen, Sub, p, HexSub, dwSubLen, i + dwSubLen);
}
}
delete[]p;
delete[]HexSub;
return v;
}
int Getpid(const char *name)
{
char szProcessName[MAX_PATH];
char *pName;
PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
printf("进程快照\n");
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
Process32First(hSnapshot, &pe);
printf("Pid=%d 进程名:%s\n", pe.th32ProcessID, pe.szExeFile);
while (Process32Next(hSnapshot, &pe))
{
pName = strrchr(pe.szExeFile, '\\');
if (pName != 0)
{
strcpy(szProcessName, pName + 1);
if (!strcmp(szProcessName, name))
return pe.th32ProcessID;
}
else
{
if (!strcmp(pe.szExeFile, name))
return pe.th32ProcessID;
}
}
CloseHandle(hSnapshot);
return 0;
}
DWORD64 __stdcall FindSig(const char* Value)
{
vector <DWORD> 保存数组;
DWORD64 区段大小 = 0;
ULONG64 Start = 0, End = 0x7fffffffffffffff;
//if (dwPid == 0) return 保存数组;
MEMORY_BASIC_INFORMATION 内存信息 = { 0 };
HANDLE hFake1 = OpenProcess(PROCESS_ALL_ACCESS, false, Getpid("my.exe"));//通过取pid取handle
if (hFake1 != NULL)
{
while (VirtualQueryEx(hFake1, (LPCVOID)Start, &内存信息, sizeof(内存信息)))
{
//cout << 内存信息.BaseAddress << endl;
if (内存信息.Protect != 1 && 内存信息.Protect != 16 && 内存信息.RegionSize != 1 && 内存信息.Protect != 512)
{
区段大小 = (DWORD64)内存信息.BaseAddress + 内存信息.RegionSize - Start;
//char tmpchar[255];
//sprintf_s(tmpchar, "0x%I64x", 区段大小);
//MessageBoxA(NULL, tmpchar, "Size", MB_OK);
char* buf = new char[区段大小 + 1];
if (ReadProcessMemory(hFake1, (LPCVOID)Start, buf, 区段大小, NULL))
{
vector<int> dwValue = SundayHexV(buf, 区段大小, (char*)Value);
for (size_t i = 0; i < dwValue.size(); i++)
{
//保存数组.push_back(Start + dwValue[i]);
char tmpchar[255];
sprintf_s(tmpchar, "0x%I64x", Start + dwValue[i]);
MessageBoxA(NULL, tmpchar, "Result", MB_OK);
return Start + dwValue[i];
}
//delete(buf);
}
//delete(buf);
}
if (End == 0) {
break;
}
Start += 内存信息.RegionSize;
if (Start > End)
break;
}
//CloseHandle(hProcess);
}
return 0;
}
int main()
{
FindSig("4533C944894C2420458BCF452BCC488BCF498BD5458BC4"); //特征码
//4533C944894C2420458BCC452BCD488BCB498BD7458BC5
}
通过搜集代码集合而成,觉得好用