#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>
using namespace std;
char * process = "editplus.exe";
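// Tests whether the bytes at pbData equal pbMask at every position the
// pattern string marks with 'x'. Any other pattern character (typically
// '?') is a wildcard and that byte is not compared.
//
// pbData    - candidate bytes; at least strlen(pszString) bytes must be readable
// pbMask    - expected bytes, one per pattern character
// pszString - NUL-terminated pattern of 'x' / wildcard characters; its
//             length is the number of bytes touched in pbData and pbMask
// Returns true when every 'x' position matches (an empty pattern matches).
//
// No length is passed, so the caller owns the bounds check: a scan loop
// must stop strlen(pszString) bytes before the end of its buffer, or this
// function reads past it.
bool CompareData(const unsigned char* pbData, const unsigned char* pbMask, const char* pszString)
{
    for (; *pszString != '\0'; ++pszString, ++pbData, ++pbMask)
    {
        // Only 'x' positions are significant; a mismatch there rejects the candidate.
        if (*pszString == 'x' && *pbData != *pbMask)
            return false;
    }
    // The loop only exits normally at the pattern terminator, so every
    // significant byte matched. (The original returned `*pszString == NULL`,
    // which is always true here and compared a char to a pointer constant.)
    return true;
}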
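// Scans dwLength bytes of the target process starting at dwAddress for the
// first occurrence of the masked byte pattern and returns its address in the
// target, or 0 if the region could not be read or the pattern is absent.
//
// hProcess  - handle opened with at least PROCESS_VM_READ on the target
// dwAddress - start of the region in the target's address space
// dwLength  - number of bytes to copy and scan
// pbMask    - expected bytes, one per pattern character
// pszString - 'x' / wildcard pattern string; see CompareData
//
// The region is copied with one ReadProcessMemory call, which fails (and
// this returns 0) if any page in [dwAddress, dwAddress + dwLength) is not
// readable. Addresses travel as unsigned long, so this only addresses a
// 32-bit target correctly.
unsigned long dwFindPattern(HANDLE hProcess, unsigned long dwAddress, unsigned long dwLength, unsigned char* pbMask, char* pszString)
{
    const size_t patternLen = strlen(pszString);
    // Nothing to scan, or the pattern cannot fit in the region at all.
    if (dwLength == 0 || dwLength < patternLen)
        return 0;

    // Owned buffer: released on every exit path, including early returns
    // (the original malloc/free pair leaked nothing but had no such guarantee).
    std::vector<unsigned char> buffer(dwLength);
    const void* remoteAddress = reinterpret_cast<const void*>(static_cast<uintptr_t>(dwAddress));
    if (!ReadProcessMemory(hProcess, remoteAddress, &buffer[0], dwLength, NULL))
        return 0;

    // CompareData reads patternLen bytes from each candidate, so the last
    // valid offset is dwLength - patternLen. The original loop ran to
    // dwLength and read past the end of the heap buffer on the final
    // patternLen - 1 offsets.
    const unsigned long lastOffset = dwLength - static_cast<unsigned long>(patternLen);
    for (unsigned long i = 0; i <= lastOffset; ++i)
    {
        if (CompareData(&buffer[0] + i, pbMask, pszString))
            return dwAddress + i;
    }
    return 0;
}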
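// Looks up pszModuleName in the module list of process dwPID and copies the
// matching MODULEENTRY32 into entry. Returns false when the snapshot could
// not be taken (the caller needs access to the target; protected or
// higher-integrity processes fail here) or no module has exactly that name.
//
// The comparison is case-sensitive, so the name must match the loader's
// spelling of the module. Shared by GetModuleSize and GetModuleBase, which
// previously duplicated this walk.
static bool FindModuleEntry(unsigned long dwPID, const char* pszModuleName, MODULEENTRY32& entry)
{
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
    // not NULL, so the original `if (hSnapshot)` treated failure as success.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return false;

    bool found = false;
    MODULEENTRY32 moduleEntry = {sizeof(MODULEENTRY32)};
    if (Module32First(hSnapshot, &moduleEntry))
    {
        do
        {
            if (strcmp(moduleEntry.szModule, pszModuleName) == 0)
            {
                entry = moduleEntry;
                found = true;
                break;
            }
        } while (Module32Next(hSnapshot, &moduleEntry));
    }
    CloseHandle(hSnapshot);
    return found;
}

// Returns the size in bytes of module pszModuleName loaded in process dwPID,
// or 0 if the process or module could not be found. When pdwSize is non-null
// the same value is also stored there (kept for interface compatibility).
//
// The original left its result uninitialized on the not-found path and
// returned stack garbage; 0 is now the explicit "not found" value.
unsigned long GetModuleSize(unsigned long dwPID, char* pszModuleName, unsigned long* pdwSize)
{
    MODULEENTRY32 entry = {0};
    if (!FindModuleEntry(dwPID, pszModuleName, entry))
        return 0;

    const unsigned long size = static_cast<unsigned long>(entry.modBaseSize);
    if (pdwSize)
        *pdwSize = size;
    return size;
}

// Returns the load address of module pszModuleName in process dwPID, or 0 if
// the process or module could not be found; also stores the module's size
// in *pdwSize when non-null.
//
// The address is truncated to unsigned long, which is only exact for a
// 32-bit target (see dwFindPattern). Not-found returns 0 instead of the
// original's uninitialized value.
unsigned long GetModuleBase(unsigned long dwPID, char* pszModuleName, unsigned long* pdwSize)
{
    MODULEENTRY32 entry = {0};
    if (!FindModuleEntry(dwPID, pszModuleName, entry))
        return 0;

    if (pdwSize)
        *pdwSize = entry.modBaseSize;
    // Explicit two-step cast: pointer -> integer -> narrowing, so the
    // truncation on a 64-bit build is visible rather than hidden in a C cast.
    return static_cast<unsigned long>(reinterpret_cast<uintptr_t>(entry.modBaseAddr));
}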
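// Returns the PID of the first process in the system snapshot whose image
// name equals pszProcessName (case-sensitive strcmp), or 0 if none matches
// or the snapshot could not be taken. If several processes share the name,
// snapshot order decides which one is returned.
//
// Note: this shadows the Win32 API of the same name, GetProcessId(HANDLE).
// C++ overload resolution keeps both callable, but the collision is easy to
// misread; a distinct name would be clearer.
unsigned long GetProcessId(char* pszProcessName)
{
    // TH32CS_SNAPPROCESS lists every process, so no PID argument is needed.
    // Failure is INVALID_HANDLE_VALUE, not NULL; the original truthiness
    // test walked an invalid handle on failure.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    unsigned long dwResult = 0;
    PROCESSENTRY32 processEntry = {sizeof(PROCESSENTRY32)};
    if (Process32First(hSnapshot, &processEntry))
    {
        do
        {
            if (strcmp(processEntry.szExeFile, pszProcessName) == 0)
            {
                dwResult = processEntry.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &processEntry));
    }
    CloseHandle(hSnapshot);
    return dwResult;
}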
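// Enables SeDebugPrivilege on the current process token so OpenProcess can
// reach processes owned by other users. Returns true only when the privilege
// is actually enabled.
//
// The privilege must already be present in the token: it is granted to
// administrators and stripped from a non-elevated UAC token, so this fails
// for a standard user. AdjustTokenPrivileges returns TRUE even when it could
// not enable every requested privilege, reporting ERROR_NOT_ALL_ASSIGNED via
// GetLastError, which the original never checked. Enabling SeDebugPrivilege
// is a sensitive, auditable action; call it only when a plain OpenProcess
// is insufficient.
bool setDebug()
{
    // Initialised: the original closed an indeterminate handle when
    // OpenProcessToken failed.
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return false;

    bool enabled = false;
    LUID luid;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        // One call with SE_PRIVILEGE_ENABLED replaces the original's
        // disable-then-re-enable round trip through the previous state.
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            && GetLastError() == ERROR_SUCCESS)
        {
            enabled = true;
        }
    }
    CloseHandle(hToken);
    return enabled;
}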
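// Entry point: locates the target process and its main module, then scans
// the module image for the hard-coded byte pattern and prints where it was
// found. Opens the target with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
// only (read access, never write/execute).
//
// Returns 0 on a completed run, 1 when the target process is not running.
// Every failure path is reported instead of silently scanning with a PID of
// 0 or a NULL process handle as the original did.
int _tmain(int argc, _TCHAR* argv[])
{
    unsigned long dwSize = 0;
    unsigned long dwPID1 = GetProcessId(process);
    if (dwPID1 == 0)
    {
        cout << "Process not found: " << process << endl;
        system("Pause");
        return 1;
    }
    // Both lookups return 0 when the module is not found; dwSize receives the
    // module size as a side effect and is otherwise unused.
    unsigned long dwBase = GetModuleBase(dwPID1, process, &dwSize);
    unsigned long dwBaseSize = GetModuleSize(dwPID1, process, &dwSize);

    // Least-privilege note: for a same-user, non-elevated target OpenProcess
    // succeeds without SeDebugPrivilege; the privilege is only required for
    // processes in other sessions/users. The original flow is kept.
    if (setDebug())
    {
        // 64 bytes comfortably holds the longest formatted line
        // ("Base Address: 0x" + 8 hex + " Base Size: 0x" + 8 hex + "\n").
        char szBuffer[64];
        char szBuffer2[64];
        sprintf_s(szBuffer, sizeof(szBuffer), "Base Address: 0x%lX Base Size: 0x%lX\n", dwBase, dwBaseSize);
        cout << "Process ID: " << dwPID1 << ' ' << szBuffer << endl;

        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID1);
        if (hProcess == NULL)
        {
            cout << "OpenProcess failed, error " << GetLastError() << endl;
        }
        else
        {
            unsigned long sigScan = dwFindPattern(hProcess, dwBase, dwBaseSize, (unsigned char*)"\x83\xEC\x50\x8B\x41\x50", (char*)"xxxxxx");
            if (sigScan != 0)
            {
                sprintf_s(szBuffer2, sizeof(szBuffer2), "Pattern found at address: 0x%lX\n", sigScan);
                cout << szBuffer2 << endl;
            }
            CloseHandle(hProcess);
        }
    }
    else
    {
        cout << "Could not enable SeDebugPrivilege (run from an elevated prompt)." << endl;
    }
    // Constant command, only keeps the console window open; no user input reaches the shell.
    system("Pause");
    return 0;
}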