Exetools  

  #1  
Old 07-15-2002, 08:11
merlin
 
Posts: n/a
Need to find a pattern in a running file

Hi all!
Can anyone tell me how to find a byte pattern in a running file, almost the way procdump is working.
In the script.ini in procdump one can add a new section where
you type in "the" byte procdump shall look for.
What I need is to find those bytes "on the fly" and dump them to disk.
Anyone??

meRlin
  #2  
Old 07-15-2002, 16:26
Vox Humana
 
Posts: n/a
You can use the search function of SoftICE
  #3  
Old 07-15-2002, 18:21
merlin
 
Posts: n/a
Well yes, I know that but I want to do a generic patch not using
any tool at all (just some sort of loader to run 1 time on the file).

I need to know how to search for the pattern one time
(using the loader) and from the findings create a patch for the offset where the bytes were found.
Maybe over my head but could be fun anyway.
meRlin
  #4  
Old 07-16-2002, 03:53
Vox Humana
 
Posts: n/a
The first idea that comes to my mind is the use of ReadProcessMemory and WriteProcessMemory on a process opened with PROCESS_VM_READ and PROCESS_VM_WRITE access flags set.
  #5  
Old 07-16-2002, 04:09
merlin
 
Posts: n/a
I have a nice tut about the subject,
"_masta_'s Tutorial on Win95 ASM Coding", but how do I find the bytes?
The offset differs but the byte pattern is the same; this is really where
my problem lies.
Have not found anything useful yet.
Maybe I have to figure out another way to do the patching, but sounds really nice if it's possible to do it (I'm sure it is)

meRlin
  #6  
Old 07-16-2002, 07:55
tehktik
 
Posts: n/a
Teraphy [PC] made a good (imo) patcher that supported different types of patching, and if I'm correct, even supporting the method that you are looking for -- but I just can't find the website anymore, I'll look some more. The program was created in 100% win32asm, that I recall. Perhaps if you are persistent enough you may be able to contact Teraphy and they'll be able to help you out. Or, you can just download the patcher + disassembler and analyze that part of the routine and try to implement it.

If someone has the patcher, please upload it here, I might "analyze" it myself
  #7  
Old 07-16-2002, 13:15
tehktik
 
Posts: n/a
Yeah, Athlon that's the one... I just discovered that I did have the patcher after all *silly rabbit* heh

It's pretty good for reference imo..
  #8  
Old 07-16-2002, 16:31
merlin
 
Posts: n/a
Thank you boyz!
I found this myself yesterday.

tehktik, if you find something useful please tell me, I want to try
to implement the search routine in my patcher.

Whoa!!

I found an even more interesting application which does exactly
the things I need.
There is only one thing, I need to reverse it before I can "steal" the function needed in my own patcher.

Take a look at it
h**p://mrdario.tripod.com/tools/prohack11.zip

meRlin

Last edited by merlin; 07-16-2002 at 20:29.
  #9  
Old 07-17-2002, 02:44
tehktik
 
Posts: n/a
Downloading it now...


I'll see if I can find some src. Oh, and what language are you trying to program it in?

If it is in win32asm, the guys (and girls) over at hxxp://www.win32asmcommunity.net have a very good board, and are very helpful. If not, you can still check it out and post your question and I'll bet someone can help you out still..
  #10  
Old 07-18-2002, 15:11
xobor
Join Date: May 2002
Location: Slovakia
Posts: 101
From wxw.collakesoftware.com you may download the source of an implementation of Boyer-Moore string search (also as a DLL), and use it in your own program (as I do).

HTH

PS : Sorry for direct link, Athlon was damn fast

Last edited by xobor; 07-18-2002 at 15:33.
  #11  
Old 07-18-2002, 17:20
snaker
 
Posts: n/a
searching

merlin, actually searching is not a problem.
Like Vox said, you must use ReadProcessMemory.
If you see the description of the function, you'll find that it starts reading from a *BASE* address; now you do your string search using any algorithm (Boyer-Moore if you like) and you find the location.
Add it to the base and you get the virtual address in the running process.

If you still have a problem maybe you could be a bit more specific?
  #12  
Old 07-18-2002, 19:04
merlin
 
Posts: n/a
Hi and thanks!
Actually I'm new to coding in asm; well, I started doing it several times but got short on time then.
Now, back in cracking again, it's time to learn it. I'm pretty sure now how to find the pattern needed but not how I shall do the coding.
Maybe someone can help me with it in FASM.

Any help is appreciated regarding the coding, a template how to read and write a file is a good start, the rest I maybe can figure out myself, please in FASM.

meRlin
  #13  
Old 07-19-2002, 01:50
tehktik
 
Posts: n/a
Fasm?!

Use Masm and I'd really suggest you go to the hxxp://www.win32asmcommunity.net board -- you can get great help there (even if you aren't using masm).
  #14  
Old 07-19-2002, 23:18
Vox Humana
 
Posts: n/a
merlin
are you sure about your intention? And do you know exactly what you are doing?
Your original request was about a method to "find a pattern in a RUNNING file".
This means that your file:

1) is executable
2) is already mapped in memory
3) could be compressed.

then

1) you must forget about offsets and start thinking in Virtual Address terms
2) you don't need any procedure that reads or writes a file

and this because a running file is no more a file; it's part of a process

As previously recommended, and subsequently stressed by snaker, the easiest way to access the address space of a process is, in Win32, the use of the debug API supplied by Windows itself; otherwise, you'll have to write a R0 module.

If you're learning ASM just now, trying to write your program in ASM will simply make your life more difficult; it isn't impossible, only unadvisable. If you try to accomplish your task with a C program, your life will be undoubtedly easier. You'll be able to call API functions directly; on the other hand, in C a buffer is simply a variable, and so on.
You've mentioned Procdump; open its Import Table, and you'll find that it (obviously) imports ReadProcessMemory and WriteProcessMemory.

As stated by snaker, the search routine is the least of your problems; you can use the Boyer-Moore Algorithm, the Tuned Boyer-Moore Algorithm, or whatever you want: there are millions of string search algorithms.

Search on the Web 'EXACT STRING MATCHING ALGORITHMS'; it's a text in HTML format that contains the description of several algorithms, and the related C code.

Regards
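What snaker (#11) and Vox Humana (#14) describe in words, as an added example that is not code from this thread or from any of the tools mentioned in it: a Boyer-Moore search (Horspool's bad-character variant) over a raw byte buffer, followed by the "add the offset to the base" step that turns a hit inside the buffer into the virtual address it had in the process. The buffer here is a constructed sample standing in for a region already read out of a process (e.g. with ReadProcessMemory, as they suggest); the base address 0x00401000 and the byte values are assumptions for the demonstration, not values from the thread. The same routine is what a memory scanner or forensic tool uses to locate a known byte signature in a dumped region.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Boyer-Moore-Horspool search over a raw byte buffer. Binary-safe: no NUL
 * termination is assumed for either haystack or pattern. Returns the offset
 * of the first match at or after `start`, or -1 if the pattern does not
 * occur there. */
long bmh_find(const uint8_t *hay, size_t hay_len,
              const uint8_t *pat, size_t pat_len, size_t start)
{
    size_t shift[256];
    size_t i;

    if (pat_len == 0 || pat_len > hay_len) return -1;

    /* Bad-character table: when the haystack byte aligned with the LAST
     * pattern byte mismatches, slide by this much. Bytes not in the pattern
     * (and the last pattern byte itself) allow a full pattern-length skip. */
    for (i = 0; i < 256; i++) shift[i] = pat_len;
    for (i = 0; i + 1 < pat_len; i++) shift[pat[i]] = pat_len - 1 - i;

    i = start;
    while (i + pat_len <= hay_len) {
        /* Check the last byte first; only then compare the rest. */
        if (hay[i + pat_len - 1] == pat[pat_len - 1] &&
            memcmp(hay + i, pat, pat_len - 1) == 0)
            return (long)i;
        i += shift[hay[i + pat_len - 1]];
    }
    return -1;
}

/* Collect every match offset (up to `max` of them), the way a scanner does
 * when it wants all occurrences rather than the first. Returns the count. */
size_t bmh_find_all(const uint8_t *hay, size_t hay_len,
                    const uint8_t *pat, size_t pat_len,
                    size_t *out, size_t max)
{
    size_t n = 0;
    long off = bmh_find(hay, hay_len, pat, pat_len, 0);
    while (off >= 0 && n < max) {
        out[n++] = (size_t)off;
        off = bmh_find(hay, hay_len, pat, pat_len, (size_t)off + 1);
    }
    return n;
}

/* An offset inside a buffer read from a process maps back to a virtual
 * address by adding the base the buffer was read from (snaker's
 * "add it to the base and you get the virtual address"). */
uint64_t offset_to_va(uint64_t region_base, size_t offset)
{
    return region_base + (uint64_t)offset;
}

/* Constructed sample region (NOT real notepad.exe bytes), standing in for a
 * chunk read from a process at the assumed VA 0x00401000. The 4-byte
 * pattern from the thread is planted twice, plus a partial copy that must
 * not match. */
static const uint8_t SAMPLE_REGION[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
    0x75, 0x7A, 0x3C, 0x00,          /* first occurrence, offset 6  */
    0x90, 0x90, 0xC3, 0x75, 0x7A,    /* partial prefix, no match    */
    0x75, 0x7A, 0x3C, 0x00,          /* second occurrence, offset 15 */
    0xC9, 0xC3
};
static const uint8_t PATTERN[] = { 0x75, 0x7A, 0x3C, 0x00 };
static const uint64_t SAMPLE_BASE = 0x00401000ULL;  /* assumed region base */

int main(void)
{
    size_t hits[8], n, k;

    n = bmh_find_all(SAMPLE_REGION, sizeof SAMPLE_REGION,
                     PATTERN, sizeof PATTERN, hits, 8);
    printf("%zu match(es) in %zu-byte region\n", n, sizeof SAMPLE_REGION);
    for (k = 0; k < n; k++)
        printf("  offset %2zu -> VA 0x%08llx\n", hits[k],
               (unsigned long long)offset_to_va(SAMPLE_BASE, hits[k]));
    return 0;
}
```

The table is built once per pattern, so scanning several regions for the same signature costs only the buffer walk; in the worst case (a pattern that keeps mismatching on its last byte) the loop still advances at least one byte per iteration, so it always terminates.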
  #15  
Old 07-20-2002, 06:59
merlin
 
Posts: n/a
I know what is needed to be done..

A small example:
Add some function (this is the pattern to find, 757A3C00) to notepad.exe, pack the file with some packer (UPX, Neolite or whatever you can patch in a nice way without unpacking).

Add 3318 (random value another time) bytes to the PE, correct the header (unpacked one), pack the file again using the same packer as before.

OEP is for sure the same as it is the same file, but where are my
EB7A3C00 bytes in the second file? Yes, as this is the example we
know where the bytes are, but think as if we didn't.
You'll not find them in the packed exe on disc but will in memory.
I'm not looking for the VA to patch, just the pattern to read the VA from.


Yes, I do need CreateFile: when the byte pattern is found I need to write it plus some other information down to disc using CreateFile.

Asm, yes, seems to be a nice project (maybe too big) where I can learn some asm, not doing this snooping around in s-i on somebody else's code.

meRlin