Old 07-15-2002, 08:11
Posts: n/a
Need to find a pattern in a running file

Hi all!
Can anyone tell me how to find a byte pattern in a running file, almost the way procdump is working?
In the script.ini in procdump one can add a new section where
you type in "the" byte procdump shall look for.
What I need is to find those bytes "on the fly" and dump them to disk.

Old 07-15-2002, 16:26
Vox Humana
Posts: n/a
You can use the search function of SoftICE
Old 07-15-2002, 18:21
Posts: n/a
Well yes, I know that but I want to do a generic patch not using
any tool at all (just some sort of loader to run 1 time on the file).

I need to know how to search for the pattern one time
(using the loader) and from the findings create a patch for the offset where the bytes were found.
Maybe over my head but could be fun anyway.
Old 07-16-2002, 03:53
Vox Humana
Posts: n/a
The first idea that comes to my mind is the use of ReadProcessMemory and WriteProcessMemory on a process opened with PROCESS_VM_READ and PROCESS_VM_WRITE access flags set.
Old 07-16-2002, 04:09
Posts: n/a
I have a nice tut about the subject,
"_masta_'s Tutorial on Win95 ASM Coding", but how do I find the bytes?
The offset differs but the byte pattern is the same; this is really where
my problem lies.
Have not found anything useful yet.
Maybe I have to figure out another way to do the patching, but sounds really nice if it's possible to do it (I'm sure it is)

Old 07-16-2002, 07:55
Posts: n/a
Teraphy [PC] made a good (imo) patcher that supported different types of patching, and if I'm correct, even supporting the method that you are looking for -- but I just can't find the website anymore, I'll look some more. The program was created in 100% win32asm, that I recall. Perhaps if you are persistent enough you may be able to contact Teraphy and they'll be able to help you out. Or, you can just download the patcher + disassembler and analyze that part of the routine and try to implement it.

If someone has the patcher, please upload it here, I might "analyze" it myself

Old 07-16-2002, 13:15
Posts: n/a

Yeah, Athlon that's the one... I just discovered that I did have the patcher after all *silly rabbit* heh

It's pretty good for reference imo..
Old 07-16-2002, 16:31
Posts: n/a
Thank you boyz!
I found this myself yesterday.

tehktik, if you find something useful please tell me, I want to try to
implement the search routine in my patcher.


I found an even more interesting application which does exactly
the things I need.
There is only one thing: I need to reverse it before I can "steal" the function needed in my own patcher.

Take a look at it


Last edited by merlin; 07-16-2002 at 20:29.
Old 07-17-2002, 02:44
Posts: n/a
Downloading it now...

I'll see if I can find some src. Oh, and what language are you trying to program it in?

If it is in win32asm, the guys (and girls) over at hxxp://www.win32asmcommunity.net have a very good board, and are very helpful. If not, you can still check it out and post your question and I'll bet someone can help you out still..

Old 07-18-2002, 15:11
xobor
From wxw.collakesoftware.com you may download the source of an implementation of Boyer-Moore string search (also as a DLL), and use it in your own program (as I do).


PS : Sorry for direct link, Athlon was damn fast

Last edited by xobor; 07-18-2002 at 15:33.
Old 07-18-2002, 17:20
Posts: n/a

merlin, actually searching is not a problem.
Like VOX said, you must use ReadProcessMemory.
If you see the description of the function, you'll find that it starts searching from a *BASE* address; now you do your string search using any algorithm (Boyer-Moore if you like) and you find the location.
Add it to the base and you get the virtual address in the running process.

If you still have a problem maybe you could be a bit more specific?
Old 07-18-2002, 19:04
Posts: n/a
Hi and thanks!
Actually I'm new to coding in asm; well, I started doing it several times but got short on time then.
Now that I'm back in cracking again it's time to learn it. I'm pretty sure now how to find the pattern needed, but not how I should do the coding.
Maybe someone can help me with it in FASM.

Any help is appreciated regarding the coding; a template for how to read and write a file is a good start, the rest I can maybe figure out myself. Please in FASM.

Old 07-19-2002, 01:50
Posts: n/a


Use Masm and I'd really suggest you go to the hxxp://www.win32asmcommunity.net board -- you can get great help there (even if you aren't using masm).
Old 07-19-2002, 23:18
Vox Humana
Posts: n/a
Are you sure about your intention? And do you know exactly what you are doing?
Your original request was about a method to "find a pattern in a RUNNING file".
This means that your file:

1) is executable
2) is already mapped in memory
3) could be compressed.


1) you must forget about offsets and start thinking in Virtual Addresses terms
2) you don't need any procedure that reads or writes a file

and this because a running file is no more a file; it's part of a process

As previously recommended, and subsequently stressed by snaker, the easiest way to access the address space of a process is, in Win32, the use of the debug API supplied by Windows itself; otherwise, you'll have to write a R0 module.

If you're learning ASM just now, trying to write your program in ASM will simply make your life more difficult; it isn't impossible, only unadvisable. If you try to accomplish your task with a C program, your life will be undoubtedly easier. You'll be able to call API functions directly; on the other hand, in C a buffer is simply a variable, and so on.
You've mentioned Procdump; open its Import Table, and you'll find that it (obviously) imports ReadProcessMemory and WriteProcessMemory.

As stated by snaker, the search routine is the least of your problems; you can use the Boyer-Moore Algorithm, the Tuned Boyer-Moore Algorithm, or whatever you want: there are millions of string search algorithms.

Search on the Web 'EXACT STRING MATCHING ALGORITHMS'; it's a text in HTML format that contains the description of several algorithms, and the related C code.

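As an added example (not code from this thread, from Procdump or from any tool named in it), this C program does what snaker and Vox Humana describe: read a block of the target's memory with ReadProcessMemory, run a Boyer-Moore-Horspool search over it, and turn the hit offset into a virtual address instead of a file offset. The pid, base address and length passed to scan_process are assumed to come from the caller, and the 64-byte block in demo_offset is a constructed stand-in for memory read from a process.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Boyer-Moore-Horspool: offset of the first match of pat in buf, or -1. */
long find_pattern(const uint8_t *buf, size_t buflen,
                  const uint8_t *pat, size_t patlen)
{
    size_t skip[256], i, k;
    if (patlen == 0 || buflen < patlen) return -1;
    for (i = 0; i < 256; i++) skip[i] = patlen;            /* default shift */
    for (i = 0; i + 1 < patlen; i++) skip[pat[i]] = patlen - 1 - i;
    for (i = 0; i + patlen <= buflen; i += skip[buf[i + patlen - 1]]) {
        k = patlen;                        /* compare right to left */
        while (k > 0 && buf[i + k - 1] == pat[k - 1]) k--;
        if (k == 0) return (long)i;
    }
    return -1;
}

/* Constructed stand-in for a 64-byte block read at base 0x401000: NOP filler
   plus the thread's 75 7A 3C 00 pattern at offset 0x2C, i.e. VA 0x40102C. */
static const uint8_t PATTERN[] = { 0x75, 0x7A, 0x3C, 0x00 };
long demo_offset(void)
{
    uint8_t block[64];
    memset(block, 0x90, sizeof block);
    memcpy(block + 0x2C, PATTERN, sizeof PATTERN);
    return find_pattern(block, sizeof block, PATTERN, sizeof PATTERN);
}
#ifdef _WIN32
#include <windows.h>
/* Read len bytes at base from process pid and search them. A hit at offset
   off is at VA base+off in the target, which is what a ReadProcessMemory/
   WriteProcessMemory patcher works with. Returns 1 and sets *va on a hit. */
int scan_process(DWORD pid, uintptr_t base, size_t len,
                 const uint8_t *pat, size_t patlen, uintptr_t *va)
{
    HANDLE h = OpenProcess(PROCESS_VM_READ, FALSE, pid);   /* read-only scan */
    uint8_t *buf = h ? (uint8_t *)malloc(len) : NULL;
    SIZE_T got = 0; long off = -1;
    if (buf && ReadProcessMemory(h, (LPCVOID)base, buf, len, &got))
        off = find_pattern(buf, got, pat, patlen);
    if (off >= 0) *va = base + (uintptr_t)off;
    free(buf);
    if (h) CloseHandle(h);
    return off >= 0;
}
#endif
```

The search and the demo compile anywhere; scan_process is only built on Windows, where the process handle needs just PROCESS_VM_READ for a scan and PROCESS_VM_WRITE only if you later patch.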
Old 07-20-2002, 06:59
Posts: n/a
I know what is needed to be done..

A small example:
Add some function (this is the pattern to find, 757A3C00) to notepad.exe, pack the file with some packer (UPX, Neolite or whatever) you can patch in a nice way without unpacking.

Add 3318 (random value another time) bytes to the PE, correct the header (unpacked one), pack the file again using the same packer as before.

OEP is for sure the same as it is the same file, but where are my
EB7A3C00 bytes in the second file? Yes, as this is the example we
know where the bytes are, but think as if we didn't.
You'll not find them in the packed exe on disk but will in memory.
I'm not looking for VA to patch just the pattern to read the VA from.

Yes, I do need CreateFile; when the byte pattern is found I need to write it plus some other information down to disk using CreateFile.

Asm, yes, seems to be a nice project (maybe too big) where I can learn some asm, not doing this snooping around in s-i on somebody else's code.
