forked from XIV-Tools/CustomizePlus
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSignatureScanner.cs
275 lines (233 loc) · 8.19 KB
/
SignatureScanner.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
// © Anamnesis.
// Developed by W and A Walsh.
// Licensed under the MIT license.
namespace Anamnesis.Core.Memory
{
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Globalization;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Text;
using Anamnesis.Memory;
using Serilog;
#pragma warning disable SA1011
/// <summary>
/// based on Dalamud's signature scanner: https://github.com/goatcorp/Dalamud/blob/master/Dalamud/Game/SigScanner.cs.
/// </summary>
public sealed class SignatureScanner
{
/// <param name="module">The ProcessModule to be used for scanning.</param>
public SignatureScanner(ProcessModule module)
{
this.Module = module;
this.Is32BitProcess = !Environment.Is64BitProcess;
// Limit the search space to .text section.
this.SetupSearchSpace(module);
Log.Information($"Module base: {this.TextSectionBase}");
Log.Information($"Module size: {this.TextSectionSize}");
}
public bool IsCopy { get; private set; }
public bool Is32BitProcess { get; }
public IntPtr SearchBase => this.Module.BaseAddress;
public IntPtr TextSectionBase => new IntPtr(this.SearchBase.ToInt64() + this.TextSectionOffset);
public long TextSectionOffset { get; private set; }
public int TextSectionSize { get; private set; }
public IntPtr DataSectionBase => new IntPtr(this.SearchBase.ToInt64() + this.DataSectionOffset);
public long DataSectionOffset { get; private set; }
public int DataSectionSize { get; private set; }
public ProcessModule Module { get; }
private IntPtr TextSectionTop => this.TextSectionBase + this.TextSectionSize;
/// <summary>
/// Scan for a byte signature in the .text section.
/// </summary>
/// <param name="signature">The signature.</param>
/// <returns>The real offset of the found signature.</returns>
public IntPtr ScanText(string signature)
{
IntPtr mBase = this.TextSectionBase;
IntPtr scanRet = this.Scan(mBase, this.TextSectionSize, signature);
if (ReadByte(scanRet) == 0xE8)
return this.ReadCallSig(scanRet);
return scanRet;
}
/// <summary>
/// Scan for a .data address using a .text function.
/// This is intended to be used with IDA sigs.
/// Place your cursor on the line calling a static address, and create and IDA sig.
/// </summary>
/// <param name="signature">The signature of the function using the data.</param>
/// <param name="offset">The offset from function start of the instruction using the data.</param>
/// <returns>An IntPtr to the static memory location.</returns>
public IntPtr GetStaticAddressFromSig(string signature, int offset = 0)
{
IntPtr instrAddr = this.ScanText(signature);
instrAddr = IntPtr.Add(instrAddr, offset);
long bAddr = (long)this.Module.BaseAddress;
long num;
int steps = 1000;
do
{
instrAddr = IntPtr.Add(instrAddr, 1);
num = ReadInt32(instrAddr) + (long)instrAddr + 4 - bAddr;
steps--;
}
while (steps > 0 && !(num >= this.DataSectionOffset && num <= this.DataSectionOffset + this.DataSectionSize));
return IntPtr.Add(instrAddr, ReadInt32(instrAddr) + 4);
}
/// <summary>
/// Scan for a byte signature in the .data section.
/// </summary>
/// <param name="signature">The signature.</param>
/// <returns>The real offset of the found signature.</returns>
public IntPtr ScanData(string signature)
{
IntPtr scanRet = this.Scan(this.DataSectionBase, this.DataSectionSize, signature);
return scanRet;
}
/// <summary>
/// Scan for a byte signature in the whole module search area.
/// </summary>
/// <param name="signature">The signature.</param>
/// <returns>The real offset of the found signature.</returns>
public IntPtr ScanModule(string signature)
{
IntPtr scanRet = this.Scan(this.SearchBase, this.Module.ModuleMemorySize, signature);
return scanRet;
}
public IntPtr Scan(IntPtr baseAddress, int size, string signature)
{
if (!MemoryService.GetIsProcessAlive())
return IntPtr.Zero;
byte?[]? needle = this.SigToNeedle(signature);
// Fast
byte[] bigBuffer = new byte[size];
MemoryService.Read(baseAddress, bigBuffer, size);
unsafe
{
for (long offset = 0; offset < size - needle.Length; offset++)
{
if (this.IsMatch(needle, bigBuffer, offset))
{
UIntPtr ptr = new UIntPtr(Convert.ToUInt64(baseAddress.ToInt64() + offset));
return (IntPtr)ptr.ToPointer();
}
}
}
throw new KeyNotFoundException($"Can't find a signature of {signature}");
}
public IntPtr ResolveRelativeAddress(IntPtr nextInstAddr, int relOffset)
{
if (this.Is32BitProcess)
throw new NotSupportedException("32 bit is not supported.");
return nextInstAddr + relOffset;
}
private static byte ReadByte(IntPtr baseAddress, int offset = 0)
{
byte[] buffer = new byte[1];
MemoryService.Read(baseAddress + offset, buffer, 1);
return buffer[0];
}
private static int ReadInt32(IntPtr baseAddress, int offset = 0)
{
byte[] buffer = new byte[4];
MemoryService.Read(baseAddress + offset, buffer, 4);
return BitConverter.ToInt32(buffer);
}
private static short ReadInt16(IntPtr baseAddress, int offset = 0)
{
byte[] buffer = new byte[2];
MemoryService.Read(baseAddress + offset, buffer, 2);
return BitConverter.ToInt16(buffer);
}
private static long ReadInt64(IntPtr baseAddress, int offset = 0)
{
byte[] buffer = new byte[8];
MemoryService.Read(baseAddress + offset, buffer, 8);
return BitConverter.ToInt64(buffer);
}
private void SetupSearchSpace(ProcessModule module)
{
IntPtr baseAddress = module.BaseAddress;
// We don't want to read all of IMAGE_DOS_HEADER or IMAGE_NT_HEADER stuff so we cheat here.
int ntNewOffset = ReadInt32(baseAddress, 0x3C);
IntPtr ntHeader = baseAddress + ntNewOffset;
// IMAGE_NT_HEADER
IntPtr fileHeader = ntHeader + 4;
short numSections = ReadInt16(ntHeader, 6);
// IMAGE_OPTIONAL_HEADER
IntPtr optionalHeader = fileHeader + 20;
IntPtr sectionHeader;
if (this.Is32BitProcess) // IMAGE_OPTIONAL_HEADER32
sectionHeader = optionalHeader + 224;
else // IMAGE_OPTIONAL_HEADER64
sectionHeader = optionalHeader + 240;
// IMAGE_SECTION_HEADER
IntPtr sectionCursor = sectionHeader;
for (int i = 0; i < numSections; i++)
{
long sectionName = ReadInt64(sectionCursor);
// .text
switch (sectionName)
{
case 0x747865742E: // .text
this.TextSectionOffset = ReadInt32(sectionCursor, 12);
this.TextSectionSize = ReadInt32(sectionCursor, 8);
break;
case 0x617461642E: // .data
this.DataSectionOffset = ReadInt32(sectionCursor, 12);
this.DataSectionSize = ReadInt32(sectionCursor, 8);
break;
}
sectionCursor += 40;
}
}
/// <summary>
/// Helper for ScanText to get the correct address for
/// IDA sigs that mark the first CALL location.
/// </summary>
/// <param name="sigLocation">The address the CALL sig resolved to.</param>
/// <returns>The real offset of the signature.</returns>
private IntPtr ReadCallSig(IntPtr sigLocation)
{
int jumpOffset = ReadInt32(IntPtr.Add(sigLocation, 1));
return IntPtr.Add(sigLocation, 5 + jumpOffset);
}
[MethodImpl(MethodImplOptions.AggressiveInlining)]
private unsafe bool IsMatch(byte?[] needle, byte[] buffer, long offset)
{
for (int i = 0; i < needle.Length; i++)
{
byte? expected = needle[i];
if (expected == null)
continue;
byte actual = buffer[offset + i];
if (expected != actual)
return false;
}
return true;
}
[MethodImpl(MethodImplOptions.AggressiveInlining)]
private byte?[] SigToNeedle(string signature)
{
// Strip all whitespaces
signature = signature.Replace(" ", string.Empty);
if (signature.Length % 2 != 0)
throw new ArgumentException("Signature without whitespaces must be divisible by two.", nameof(signature));
int needleLength = signature.Length / 2;
byte?[]? needle = new byte?[needleLength];
for (int i = 0; i < needleLength; i++)
{
string? hexString = signature.Substring(i * 2, 2);
if (hexString == "??" || hexString == "**")
{
needle[i] = null;
continue;
}
needle[i] = byte.Parse(hexString, NumberStyles.AllowHexSpecifier);
}
return needle;
}
}
}