ProcessHelper.cpp
#include "MemorySDK.h"
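// Enumerates the modules loaded in the current process via a Toolhelp snapshot.
//
// vModuleEntryList is emptied first and then receives one MODULEENTRY32W per
// module. An empty list on return means the snapshot could not be taken or
// enumerated, so callers can use empty() as the failure signal.
void GetModuleEntryList(std::vector<MODULEENTRY32W>& vModuleEntryList)
{
    // Clear up front: a failed snapshot must not leave entries from an earlier
    // call behind, because they could describe modules that are no longer
    // mapped at those addresses.
    vModuleEntryList.clear();

    const DWORD pid = GetCurrentProcessId();
    if (!pid) {
        return;
    }

    // A module snapshot can fail with ERROR_BAD_LENGTH while the loader is
    // changing the module list; the documented remedy is to retry. The retry
    // count is bounded so a persistent failure cannot spin forever.
    constexpr int kMaxSnapshotAttempts = 8;
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;
    for (int attempt = 0; attempt < kMaxSnapshotAttempts; ++attempt) {
        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
        if (hSnapshot != INVALID_HANDLE_VALUE || GetLastError() != ERROR_BAD_LENGTH) {
            break;
        }
    }
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return;
    }

    // dwSize must be set before the first Module32FirstW call.
    MODULEENTRY32W me32{};
    me32.dwSize = sizeof(me32);

    if (Module32FirstW(hSnapshot, &me32)) {
        do {
            vModuleEntryList.push_back(me32);
        } while (Module32NextW(hSnapshot, &me32));
    }

    CloseHandle(hSnapshot);
}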
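// Looks up a loaded module of the current process by name and reports its
// mapped range.
//
// wModuleName  Module file name, compared case-insensitively against szModule.
// ppBaseAddr   Receives the module base address on success; must not be null.
// baseSize     Receives the module size in bytes on success.
//
// Returns true when a matching module was found. On failure the outputs are
// left untouched.
//
// NOTE(review): the match is on the bare module name (szModule), not on the
// full path (szExePath), and the first match wins. If the result feeds a trust
// decision, a same-named module loaded from another directory would satisfy
// it; comparing the full path or verifying the image would be stricter.
bool FindModuleEntry(const std::wstring& wModuleName, BYTE** ppBaseAddr, ULONG_PTR& baseSize) {
    // The original dereferenced ppBaseAddr unconditionally; reject a null
    // out-pointer instead of crashing on the first match.
    if (!ppBaseAddr) {
        return false;
    }

    std::vector<MODULEENTRY32W> modules;
    GetModuleEntryList(modules);

    const wchar_t* wanted = wModuleName.c_str();
    for (const auto& entry : modules) {
        if (_wcsicmp(entry.szModule, wanted) == 0) {
            *ppBaseAddr = entry.modBaseAddr;
            baseSize = entry.modBaseSize;
            return true;
        }
    }
    return false;
}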
// Reports whether pReturnAddress lies inside the mapped image of the named
// module, i.e. within [base, base + size).
//
// Returns false for a null address, when the module is not found, or when the
// lookup yields an empty range; the last two cases are logged through DEBUG.
//
// NOTE(review): this is a range test on an address supplied by the caller. It
// shows where the address points, not that the named module really made the
// call, and the module list is a snapshot that can change after the lookup.
// Treat the result as a heuristic rather than as authentication.
bool IsModuleCalled(const std::wstring& wModuleName, void* pReturnAddress) {
    if (pReturnAddress == nullptr) {
        return false;
    }

    BYTE* moduleBase = nullptr;
    ULONG_PTR moduleSize = 0;
    const bool found = FindModuleEntry(wModuleName, &moduleBase, moduleSize);
    if (!found) {
        DEBUG(wModuleName + L" hasn't been call yet");
        return false;
    }

    const bool haveRange = (moduleBase != nullptr) && (moduleSize != 0);
    if (!haveRange) {
        DEBUG(wModuleName + L" failed to get entry addr");
        return false;
    }

    const ULONG_PTR target = reinterpret_cast<ULONG_PTR>(pReturnAddress);
    const ULONG_PTR first = reinterpret_cast<ULONG_PTR>(moduleBase);
    const ULONG_PTR pastEnd = first + moduleSize;

    // Half-open interval: the byte at pastEnd is outside the module.
    if (target < first) {
        return false;
    }
    return target < pastEnd;
}
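// Walks the memory regions of the named module and sorts them by protection.
//
// wModuleName   Module to inspect (resolved through FindModuleEntry).
// vTextSection  Executable regions are appended here (used for AOB scans).
// vDataSection  Writable data regions are appended here (used for string
//               search). Regions are only collected once vTextSection is
//               non-empty, so data that precedes the first executable region
//               is skipped.
//
// Neither vector is cleared; results are appended to whatever the caller
// passed in. Returns true when vTextSection is non-empty on exit.
//
// NOTE(review): Protect can carry modifier bits such as PAGE_GUARD next to the
// base protection, and the layout can change after this walk; a caller that
// reads these regions later may want to re-check them first.
bool ExtractSectionList(const std::wstring& wModuleName, std::vector<MEMORY_BASIC_INFORMATION>& vTextSection, std::vector<MEMORY_BASIC_INFORMATION>& vDataSection) {
    BYTE* pBaseAddr = nullptr;
    ULONG_PTR baseSize = 0;
    if (!FindModuleEntry(wModuleName, &pBaseAddr, baseSize)) {
        return false;
    }

    constexpr DWORD kExecutableMask =
        PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    // PAGE_READONLY and EXECUTE are currently ignored for the data list.
    constexpr DWORD kWritableDataMask = PAGE_READWRITE | PAGE_WRITECOPY;

    ULONG_PTR cursor = reinterpret_cast<ULONG_PTR>(pBaseAddr);
    const ULONG_PTR endAddr = cursor + baseSize;

    while (cursor < endAddr) {
        MEMORY_BASIC_INFORMATION mbi{};
        // The original looped forever when VirtualQuery failed, because the
        // cursor only advanced on success. Stop the walk instead.
        if (VirtualQuery(reinterpret_cast<void*>(cursor), &mbi, sizeof(mbi)) != sizeof(mbi)) {
            break;
        }

        // text section for aob scan
        if (mbi.Protect & kExecutableMask) {
            vTextSection.push_back(mbi);
        }
        // data section for string search
        if (!vTextSection.empty() && (mbi.Protect & kWritableDataMask)) {
            vDataSection.push_back(mbi);
        }

        // Step to the end of the reported region and insist on forward
        // progress, so an empty or wrapped region cannot stall the loop.
        const ULONG_PTR next = reinterpret_cast<ULONG_PTR>(mbi.BaseAddress) + mbi.RegionSize;
        if (next <= cursor) {
            break;
        }
        cursor = next;
    }

    return !vTextSection.empty();
}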