#1
|
||||
|
||||
[C++] C++11 Signature Scanning
One of the more modern methods of approaching an application for modifications and relocation of specific functions, data, pointers, etc. is through signature scanning. Rather then using raw offsets or addresses, signature scanning allows you to locate data through known instructions of a function that make use of that data. I wont get into the specifics of signature scanning in this topic though for those that do not understand it.
Read this full tutorial on my personal site here: Code:
http://atom0s.com/forums/viewtopic.php?f=5&t=4 PHP Code:
PHP Code:
|
The Following User Gave Reputation+1 to atom0s For This Useful Post: | ||
mm10121991 (01-18-2015) |
#2
|
|||
|
|||
Hi,
What I don't get is how your (linear) search (that uses all kinds of libraries) is faster than the linear search you say is slower at your website: Code:
bool Compare(const BYTE* pData, const BYTE* bMask, const char* szMask) { for (; *szMask; ++szMask, ++pData, ++bMask) if (*szMask == 'x' && *pData != *bMask) return 0; return (*szMask) == NULL; } DWORD Pattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char * szMask) { for (DWORD i = 0; i < dwLen; i++) if (Compare((BYTE*)(dwAddress + i), bMask, szMask)) return (DWORD)(dwAddress + i); return 0; } Greetings EDIT: Here is a combined version of our efforts to make pattern finding easier: https://gist.github.com/mrexodia/f058868b81b2f1cb011a Last edited by mr.exodia; 01-17-2015 at 08:15. |
#3
|
||||
|
||||
Here is a benchmark of mine vs the original typical FindPattern you posted:
Code:
FindPattern Benchmark Example (c) 2014 atom0s ================================================ Test Name : FindPattern Test Author : dom1n1k & Patrick (GameDeception) Test Time : 0.681074 ================================================ Test Name : FindPattern (C++11) w/ Async Test Author : atom0s Test Time : 0.235662 - Initialize - Release - RunTest Initialize is used to simply handle the basic stuff that the test may need to prepare itself for the test to be ran. Things that are not specific to the scanning directly. Such as any object creation and so on. Release is to allow the test to cleanup anything it created etc. RunTest is to allow the test to do its work to scan for all the signature in the given test data. About The Tests The test data is the Final Fantasy XI's main game file 'FFXiMain.dll'. I load the unpacked file into memory as the raw bytes, I do not actually load the game in any manner, so these are static scans from the files raw data. Each test is given a total of 26 signatures to scan for within the same memory data. So the benchmark is entirely fair in terms of what to look for and what it is looking within. I created the C++11 / async method I use solely for this game and decided to share it since others may find it useful for faster and threaded scans. In an application where you only need to scan for a few signatures and do not need threading, then yeah mine may not be the best bet however, so far it has performed the best for me outside of some other methods I discussed on my personal site that a friend of mine (devnull) and I came up with. There is definitely room for improvement and speed increases, this is just the fastest and cleanest method that devnull and I came up with so far that was easy to read and maintain while keeping speed and performance. |
The Following 5 Users Gave Reputation+1 to atom0s For This Useful Post: | ||
b30wulf (01-18-2015), DMichael (01-17-2015), MarcElBichon (01-17-2015), mr.exodia (01-17-2015), p4r4d0x (01-21-2015) |
#4
|
||||
|
||||
Quote:
is more about hardware and btw scanning speed won't be noticeable when the difference is measured only in millisecond plus another thing is about compiler optimization which affects most on the speed(after hardware of course) |
#5
|
|||
|
|||
I don't agree with you here. Maybe it doesn't matter for searching a few MBs of data, but it will start to matter if you have to find 20 patterns in 2GB of data
|
#6
|
|||
|
|||
I think both your implementations are still not perfect. Think about this: https://en.wikipedia.org/wiki/Boyer%E2%80%93Moore_string_search_algorithm
or at least https://en.wikipedia.org/wiki/Boyer%E2%80%93Moore%E2%80%93Horspool_algorithm This algorithm is even more efficient for byte search. Skip as many bytes as possible...
__________________
My blog: https://ntquery.wordpress.com |
#7
|
||||
|
||||
Quote:
Implementing Boyer Moore will definitely be a bit faster though. Comparing my FindPattern to the original posted above, mine sees a lot of improvement when the data being scanned within is large and the number of scans being done is high. For low amounts of scanning and where async is not required, then the original will tend to outperform mine. Overall it really depends on some specific factors: - The data size being scanned within. - The number of patterns being looked for. - Threading; is it required or not, (along with thread-safety). - Hardware can land up playing a roll as well etc. Another implementation that could make use of different hardware would be a GPU implementation, which could also have a handful of speed benefits depending on similar factors above. |
The Following 2 Users Gave Reputation+1 to atom0s For This Useful Post: | ||
DMichael (01-18-2015) |
#8
|
|||
|
|||
Quote:
BMH was second place when I checked (57ms): Code:
FindPattern benchmark Page size: 4096, allocating 22 pages (including 2 guard pages). Running tests on 9 different implementations =========== Running M-i-K-e ran outside the area FAILED =========== Running Trippeh Finding pattern 0 x 1000 took 1774.23 ms. Finding pattern 1 x 1000 took 1905.49 ms. =========== Running Trippeh v2 Finding pattern 0 x 1000 took 81.864 ms. Finding pattern 1 x 1000 took 81.937 ms. =========== Running Trippeh v3 Failed, cheating with the pattern length! FAILED =========== Running learn_more Finding pattern 0 x 1000 took 204.665 ms. Finding pattern 1 x 1000 took 164.068 ms. =========== Running learn_more v2 Finding pattern 0 x 1000 took 82.226 ms. Finding pattern 1 x 1000 took 82.679 ms. =========== Running afffsdd Finding pattern 0 x 1000 took 40.943 ms. Finding pattern 1 x 1000 took 40.968 ms. =========== Running DarthTon Finding pattern 0 x 1000 took 56.974 ms. Finding pattern 1 x 1000 took 57.045 ms. =========== Running kokole Finding pattern 0 x 1000 took 122.41 ms. Finding pattern 1 x 1000 took 122.646 ms. Done. Press any key to continue . . . |
The Following User Gave Reputation+1 to Nukem For This Useful Post: | ||
atom0s (01-19-2015) |
#9
|
||||
|
||||
Ah interesting, I'll take their examples and add it to my tester and see what I get out of them. I can post the results here later on too.
As for the portability / 64bit questions and comments, here is mine that should work on both now: PHP Code:
Code:
http://www.tutorialspoint.com/compile_cpp11_online.php |
The Following User Gave Reputation+1 to atom0s For This Useful Post: | ||
b30wulf (01-19-2015) |
#10
|
|||
|
|||
Updated benchmark with atom0s' pattern finder, my pattern finder (which has nibble support, so not really a fair comparison) and atom0s' pattern finder updated with nibble support:
https://github.com/mrexodia/findpattern-bench Code:
FindPattern benchmark Page size: 4096, allocating 22 pages (including 2 guard pages). Running tests on 10 different implementations =========== Running learn_more Finding pattern 0 x 1000 took 1103.94 ms. Finding pattern 1 x 1000 took 887.791 ms. =========== Running learn_more v2 Finding pattern 0 x 1000 took 467.905 ms. Finding pattern 1 x 1000 took 473.792 ms. =========== Running fdsasdf Finding pattern 0 x 1000 took 216.19 ms. Finding pattern 1 x 1000 took 217.753 ms. =========== Running DarthTon Finding pattern 0 x 1000 took 296.328 ms. Finding pattern 1 x 1000 took 293.352 ms. =========== Running kokole Finding pattern 0 x 1000 took 541.427 ms. Finding pattern 1 x 1000 took 587.715 ms. =========== Running mrexodia Finding pattern 0 x 1000 took 1089.7 ms. Finding pattern 1 x 1000 took 1037.04 ms. =========== Running atom0s Finding pattern 0 x 1000 took 2274.7 ms. Finding pattern 1 x 1000 took 2299.61 ms. =========== Running atom0s (mrexodia modification) Finding pattern 0 x 1000 took 1539.4 ms. Finding pattern 1 x 1000 took 1877.84 ms. =========== Running mrexodia (horspool) Finding pattern 0 x 1000 took 602.06 ms. Finding pattern 1 x 1000 took 572.722 ms. =========== Running dom1n1k_Patrick Finding pattern 0 x 1000 took 793.266 ms. Finding pattern 1 x 1000 took 765.38 ms. Done. Last edited by mr.exodia; 01-20-2015 at 11:10. Reason: fixes |
#11
|
||||
|
||||
hmm probably no one need it anyway i'm have modified the algorithm by patrick and dom1n1k in my old project for x64 compatibility here it is:
Quote:
|
#12
|
|||
|
|||
@DMichael: I recommend using a different algorithm, this one is the second-worst in time Thanks anyway.
|
#13
|
||||
|
||||
sure but you checks are meaning less since it mostly depend on compiler and hardware
|
#14
|
|||
|
|||
If anyone need a real example of signature search, I can recommend ClamAV source.
|
#15
|
|||
|
|||
Quote:
|
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
openssl signature for ida | skyper | General Discussion | 10 | 03-19-2012 17:33 |