#1
Need to find a pattern in a running file
Hi all!
Can anyone tell me how to find a byte pattern in a running file, almost the way procdump is working. In the script.ini in procdump one can add a new section where you type in "the" byte procdump shall look for. What I need is to find those bytes "on the fly" and dump them to disk. Anyone??
meRlin
#2
You can use the search function of SoftICE
#3
Well yes, I know that, but I want to do a generic patch not using any tool at all (just some sort of loader to run one time on the file). I need to know how to search for the pattern one time (using the loader) and from the findings create a patch for the offset where the bytes were found. Maybe over my head but could be fun anyway.
meRlin
#4
The first idea that comes to my mind is the use of ReadProcessMemory and WriteProcessMemory on a process opened with PROCESS_VM_READ and PROCESS_VM_WRITE access flags set.
#5
Have a nice tut about the subject, "_masta_'s Tutorial on Win95 ASM Coding", but how do I find the bytes? The offset differs but the byte pattern is the same; this is really where my problem lies. Have not found anything useful yet. Maybe I have to figure out another way to do the patching, but it sounds really nice if it's possible to do it (I'm sure it is).
meRlin
#6
Teraphy [PC] made a good (imo) patcher that supported different types of patching, and if I'm correct, even supporting the method that you are looking for -- but I just can't find the website anymore, I'll look some more. The program was created in 100% win32asm, that I recall. Perhaps if you are persistent enough you may be able to contact Teraphy and they'll be able to help you out. Or, you can just download the patcher + disassembler and analyze that part of the routine and try to implement it.
If someone has the patcher, please upload it here, I might "analyze" it myself STOP
#7
Yeah, Athlon, that's the one... I just discovered that I did have the patcher after all *silly rabbit* heh
It's pretty good for reference imo.
#8
Thank you boyz!
I found this myself yesterday. tehktik, if you find something useful please tell me, I want to try to implement the search routine in my patcher. Whoa!! I found an even more interesting application which does exactly the things I need. There is only one thing, I need to reverse it before I can "steal" the function needed in my own patcher. Take a look at it: h**p://mrdario.tripod.com/tools/prohack11.zip
meRlin
Last edited by merlin; 07-16-2002 at 20:29.
#9
Downloading it now...
I'll see if I can find some src. Oh, and what language are you trying to program it in? If it is in win32asm, the guys (and girls) over at hxxp://www.win32asmcommunity.net have a very good board, and are very helpful. If not, you can still check it out and post your question and I'll bet someone can help you out still..
DSGNKLTR
#10
From wxw.collakesoftware.com you may download the source of an implementation of Boyer-Moore string search (also as a DLL), and use it in your own program (as I do).
HTH. PS: Sorry for the direct link, Athlon was damn fast.
Last edited by xobor; 07-18-2002 at 15:33.
#11
searching
merlin, actually searching is not a problem.
Like VOX said, you must use ReadProcessMemory. If you see the description of the function, you'll find that it starts reading from a *BASE* address; now you do your string search using any algo (Boyer-Moore if you like) and you find the location. Add it to the base and you get the virtual address in the running process. If you still have a problem, maybe you could be a bit more specific?
#12
Hi and thanks!
Actually I'm new to coding in asm; well, I started doing it several times but got short on time then. Now, back in cracking again, it's time to learn it. I'm pretty sure now how to find the pattern needed but not how I shall do the coding. Maybe someone can help me with it in FASM. Any help is appreciated regarding the coding; a template for how to read and write a file is a good start, the rest I maybe can figure out myself, please in FASM.
meRlin
#13
Fasm?!
Use Masm, and I'd really suggest you go to the hxxp://www.win32asmcommunity.net board -- you can get great help there (even if you aren't using masm).
#14
merlin
are you sure about your intention? And do you know exactly what you are doing? Your original request was about a method to "find a pattern in a RUNNING file". This means that your file:
1) is executable
2) is already mapped in memory
3) could be compressed.
Then:
1) you must forget about offsets and start thinking in Virtual Address terms
2) you don't need any procedure that reads or writes a file, and this because a running file is no more a file; it's part of a process.
As previously recommended, and subsequently stressed by snaker, the easiest way to access the addressing space of a process is, in Win32, the use of the debug API supplied by Windows itself; otherwise, you'll have to write a R0 module. If you're learning ASM just now, trying to write your program in ASM simply will make your life more difficult; it isn't impossible, only unadvisable. If you try to accomplish your task with a C program, your life will be undoubtedly easier. You'll be able to call API functions directly; on the other hand, in C a buffer is simply a variable, and so on. You've mentioned Procdump; open its Import Table, and you'll find that it (obviously) imports ReadProcessMemory and WriteProcessMemory. As stated by snaker, the search routine is the least of your problems; you can use the Boyer-Moore Algorithm, the Tuned Boyer-Moore Algorithm, or whatever you want: there are millions of string search algorithms. Search on the Web for 'EXACT STRING MATCHING ALGORITHMS'; it's a text in HTML format that contains the description of several algorithms, and the related C code.
Regards
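As an added illustration of what snaker and the post above describe (this is not code from the thread or from any of the tools named in it): a Boyer-Moore-Horspool search over a byte buffer in C, with the matched offset turned into a virtual address by adding the base the buffer was read from. The buffer is constructed inline and the base address is a hypothetical value; in a real tool the buffer would be filled by ReadProcessMemory as the thread says.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Boyer-Moore-Horspool search for a byte pattern in a memory buffer.
 * Returns the offset of the first match, or -1 when there is none. */
long find_pattern(const uint8_t *buf, size_t buf_len,
                  const uint8_t *pat, size_t pat_len)
{
    size_t skip[256];
    size_t i, pos = 0;
    if (pat_len == 0 || pat_len > buf_len)
        return -1;
    /* Bad-character table: a byte absent from the pattern shifts the
     * window by the full pattern length. */
    for (i = 0; i < 256; i++)
        skip[i] = pat_len;
    for (i = 0; i + 1 < pat_len; i++)
        skip[pat[i]] = pat_len - 1 - i;
    while (pos + pat_len <= buf_len) {
        if (memcmp(buf + pos, pat, pat_len) == 0)
            return (long)pos;
        pos += skip[buf[pos + pat_len - 1]]; /* shift by last window byte */
    }
    return -1;
}

/* The offset is relative to the buffer; add the address the buffer was read
 * from (the base passed to ReadProcessMemory) to get the VA in the process. */
uintptr_t offset_to_va(uintptr_t base, long offset)
{
    return base + (uintptr_t)offset;
}

/* Constructed sample region: filler bytes around EB 7A 3C 00 at offset 9. */
static const uint8_t SAMPLE[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x33, 0xC0, 0x90,
    0xEB, 0x7A, 0x3C, 0x00, 0x5D, 0xC3 };
static const uint8_t PAT[] = { 0xEB, 0x7A, 0x3C, 0x00 };

int main(void)
{
    uintptr_t base = 0x00401000; /* hypothetical read base, not a real VA */
    long off = find_pattern(SAMPLE, sizeof SAMPLE, PAT, sizeof PAT);
    if (off < 0) { puts("pattern not found"); return 1; }
    printf("offset %ld -> VA 0x%lx\n", off,
           (unsigned long)offset_to_va(base, off));
    return 0;
}
```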
#15
I know what is needed to be done..
A small example: Add some function (this is the pattern to find, 757A3C00) to notepad.exe, pack the file with some packer (UPX, Neolite or whatever you can patch in a nice way without unpacking). Add 3318 (random value another time) bytes to the pe, correct the header (unpacked one), pack the file again using the same packer as before. Oep is for sure the same as it is the same file, but where are my EB7A3C00 bytes in the second file? Yes, as this is the example we know where the bytes are, but think as if we didn't. You'll not find them in the packed exe on disk but will in memory. I'm not looking for a VA to patch, just the pattern to read the VA from. Yes, I do need CreateFile: when the byte pattern is found I need to write it plus some other information down to disk using CreateFile. Asm, yes, seems to be a nice project (maybe too big) where I can learn some asm, not doing this snooping around in s-i on somebody else's code.
meRlin