Hey, I've seen UDFs that scan the memory for a pattern, but they've been slow since they also try to scan inaccessible pages. I have no idea why this hasn't been posted yet, but I wrote an edit of some public pattern scan function (credits? probably nomad) that skips pages with Free state and PAGE_NOACCESS using VirtualQueryEx.
FastScan: 1.82 seconds
_MemoryScan: 35.001 seconds
Obviously the difference probably will not be this tremendous in actual use; it depends on how your process maps pages and the address you're scanning. Nevertheless it should be faster.
I rewrote roughly the same code in C and used it as shellcode to achieve much faster scans.
Code:
...
#include <Memory.au3>   ; _MemVirtualAlloc, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE
#include <WinAPI.au3>   ; _WinAPI_GetModuleHandle, _WinAPI_GetProcAddress, _WinAPI_WaitForSingleObject, _WinAPI_CloseHandle
; $hProcess is a handle to the target process opened in the omitted part above. Calculate() is also defined there;
; from its use here it fills the |addr| and -addr- placeholders in the byte strings with call/absolute operands.
$dwInit = InitializeScanner()
$iResult = ScanPattern($dwInit, $hProcess, "8b??558bec83ec145633f657397508", "x?xxxxxxxxxxxxx") ; 8-digit hex string of the match address

Func InitializeScanner()
    ; Create structures: two RWX buffers that receive the Search and Scan_Memory shellcode
    Local $dwSearch = _MemVirtualAlloc(Null, 405, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
    Local $dwScan_Memory = _MemVirtualAlloc(Null, 291, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
    Local $struct_Search = DllStructCreate("Byte[405]", $dwSearch)
    Local $struct_Scan_Memory = DllStructCreate("Byte[291]", $dwScan_Memory)
    ; Get external symbols the shellcode calls (CRT helpers from ucrtbase, memory APIs from kernel32)
    Local $hUcrtbase = _WinAPI_GetModuleHandle("ucrtbase.dll")
    Local $hKernel32 = _WinAPI_GetModuleHandle("kernel32.dll")
    Local $dwStrlen = _WinAPI_GetProcAddress($hUcrtbase, "strlen")
    Local $dwStrtol = _WinAPI_GetProcAddress($hUcrtbase, "strtol")
    Local $dwmalloc = _WinAPI_GetProcAddress($hUcrtbase, "malloc")
    Local $dwfree = _WinAPI_GetProcAddress($hUcrtbase, "free")
    Local $dwGetSystemInfo = _WinAPI_GetProcAddress($hKernel32, "GetSystemInfo")
    Local $dwVirtualQueryEx = _WinAPI_GetProcAddress($hKernel32, "VirtualQueryEx")
    Local $dwReadProcessMemory = _WinAPI_GetProcAddress($hKernel32, "ReadProcessMemory")
    ; Construct Scan_Memory - called by Search for every readable region: reads it, then compares against pattern/mask
    Local $sBytes = Calculate($dwScan_Memory, _
"0x558BEC83EC488B4518890424E8|" & $dwmalloc & "|8945E88D45E4894424108B45188944240C8B45E8894424088B450C894424048B4508890424B8-" & $dwReadProcessMemory _
& "-FFD083EC1485C075190F1F40008B45E8890424E8|" & $dwfree _
& "|B800000000E9C4000000C745F400000000E99C000000C745F001000000C745EC00000000EB560F1F008B55148B45EC01D00FB6003C7875330F1F40008B55F48B45EC01C28B45E801D00FB6108B4D108B45EC01C80FB60038C274100F1F4000C745F000000000EB240F1F008B55148B45EC01D00FB6003C3F8345EC018B4514890424E8|" & $dwStrlen _
& "|3945EC729D837DF000741C0F1F40008B45E8890424E8|" & $dwfree & "|8B550C8B45F401D0EB230F1F008345F4018B45E43945F40F8258FFFFFF8B45E8890424E8|" & $dwfree & "|B800000000C9C3")
    DllStructSetData($struct_Scan_Memory, 1, "0x" & $sBytes)
    ; Construct Search - walks the target's regions with VirtualQueryEx, skips the ones that must not be read,
    ; and passes the arguments for each remaining region to Scan_Memory
    $sBytes = Calculate($dwSearch, _
"0x558BEC5381EC940000008BC48BD88B4510890424E8|" & $dwStrlen _
& "|8945E88B45E88BD083EA018955E4BA1000000083EA0101D0B910000000BA00000000F7F16BC01029C48D44241483C0008945E0C745F400000000EB530F1F008B45F401C08BD08B450C01D00FB6008845D68B45F401C08D50018B450C01D00FB6008845D7C744240810000000C7442404000000008D45D6890424E8|" _
& $dwStrtol & "|8BC88B55E08B45F401D088088345F4018B45F43B45E872A88B45108945DC8D45B0890424B8-"& $dwGetSystemInfo _
& "-FFD083EC048B45B88945F08B45BC8945D8E9A2000000C744240C1C0000008D4594894424088B45F0894424048B4508890424B8-" & $dwVirtualQueryEx _
& "-FFD083EC1085C0750E0F1F4000B800000000E97F0000008B45948945F08B45A00145F08B45A43D0010000075540F1F40008B45A83D0001000074460F1F40008B45A83DFF00000077380F1F40008B55A08B4594895424108B55DC8954240C8B55E089542408894424048B4508890424E8|" _
& $dwScan_Memory & "|8945EC837DEC0075150F1F40008B45F03B45D80F8252FFFFFFEB040F1F00908B45EC8BE38B5DFCC9C3")
    DllStructSetData($struct_Search, 1, "0x" & $sBytes)
    ; Return Search function base to call
    Return $dwSearch
EndFunc

Func ScanPattern($dwFuncAddress, $hHandle, $sPattern, $sMask)
    ; Create structures
    Local $struct_DummyCall = DllStructCreate("Byte[29]")
    Local $dwDummyCall = DllStructGetPtr($struct_DummyCall)
    Local $struct_Pattern = DllStructCreate("char[" & StringLen($sPattern) + 1 & "]") ; +1 in length to get a null-terminated string
    Local $struct_Mask = DllStructCreate("char[" & StringLen($sMask) + 1 & "]")
    Local $struct_Result = DllStructCreate("long")
    DllStructSetData($struct_Pattern, 1, $sPattern)
    DllStructSetData($struct_Mask, 1, $sMask)
    ; Construct a dummy call to avoid stack complications:
    ; push mask, push pattern, push handle, call Search, mov [$struct_Result], eax, add esp, 0Ch, ret
    Local $sBytes = Calculate($dwDummyCall, "0x68-" & DllStructGetPtr($struct_Mask) & "-68-" & DllStructGetPtr($struct_Pattern) & "-68-" & Hex($hHandle, 8) & "-E8|" & $dwFuncAddress & "|A3-" & DllStructGetPtr($struct_Result) & "-83C40CC3")
    DllStructSetData($struct_DummyCall, 1, "0x" & $sBytes)
    ; Create a thread on the dummy function that calls the Search function
    Local $hThread = CreateThread($dwDummyCall, Null)
    ; Wait until the thread returns, then release its handle
    _WinAPI_WaitForSingleObject($hThread)
    _WinAPI_CloseHandle($hThread)
    Return Hex(DllStructGetData($struct_Result, 1), 8)
EndFunc
You only need to run the init once; you can call many scans with the same return from InitializeScanner().
Example/comparison attached.
And please don't @ me for scanning LoadLibraryA; I'm not retarded, it's just an example.
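The same Search / Scan_Memory split written out in plain C, as an added example that is not the poster's code: the region walk skips anything VirtualQueryEx would report as not MEM_COMMIT or as PAGE_NOACCESS, and additionally PAGE_GUARD (the guard is a one-shot trap that a cross-process read can consume, a caveat added here), then feeds each remaining region to a masked byte comparison. region_t, read_fn, fake_read and the 0x10000/0x20000/0x30000 regions are assumptions that stand in for MEMORY_BASIC_INFORMATION and ReadProcessMemory so the code runs offline; the constants are the winnt.h values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* MEMORY_BASIC_INFORMATION.State/.Protect values (winnt.h) that decide whether a region is read at all. */
#define MEM_COMMIT    0x1000
#define PAGE_NOACCESS 0x01
#define PAGE_GUARD    0x100
/* A region as VirtualQueryEx reports it, plus a reader callback (on Windows: a ReadProcessMemory wrapper). */
typedef struct { uintptr_t base; size_t size; uint32_t state; uint32_t protect; } region_t;
typedef int (*read_fn)(void *ctx, uintptr_t addr, uint8_t *dst, size_t len);
/* Scan_Memory equivalent: offset of the first match of pat in buf ('?' in mask = wildcard byte), or -1. */
long match_buffer(const uint8_t *buf, size_t len, const uint8_t *pat, const char *mask, size_t n) {
    for (size_t off = 0; n && off + n <= len; off++) {
        size_t i = 0;
        while (i < n && (mask[i] == '?' || buf[off + i] == pat[i])) i++;
        if (i == n) return (long)off;
    }
    return -1;
}
/* Search equivalent: skip regions that are not committed, PAGE_NOACCESS, PAGE_GUARD (a cross-process read
 * can consume the one-shot guard in the target) or larger than buf; read the rest via rd() and return the
 * absolute address of the first match, or 0. A failed read skips that region rather than aborting the scan. */
uintptr_t scan_regions(const region_t *r, size_t nr, read_fn rd, void *ctx, const uint8_t *pat,
                       const char *mask, size_t n, uint8_t *buf, size_t bufcap) {
    for (size_t k = 0; k < nr; k++) {
        if (r[k].state != MEM_COMMIT || r[k].protect == PAGE_NOACCESS || (r[k].protect & PAGE_GUARD) ||
            r[k].size > bufcap || !rd(ctx, r[k].base, buf, r[k].size)) continue;
        long off = match_buffer(buf, r[k].size, pat, mask, n);
        if (off >= 0) return r[k].base + (uintptr_t)off;
    }
    return 0;
}
/* The post's example pattern "8b??558bec83ec145633f657397508" / "x?xxxxxxxxxxxxx" as bytes; the ?? slot is 0. */
static const uint8_t PAT[15] = { 0x8b, 0x00, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x14, 0x56, 0x33, 0xf6, 0x57, 0x39, 0x75, 0x08 };
static const char MASK[] = "x?xxxxxxxxxxxxx";
/* Constructed stand-in for the target: a single readable 32-byte region at 0x30000 holding the pattern at +4. */
static const uint8_t fake_mem[32] = { 0x90, 0x90, 0x90, 0x90, 0x8b, 0xff, 0x55, 0x8b, 0xec, 0x83, 0xec,
                                      0x14, 0x56, 0x33, 0xf6, 0x57, 0x39, 0x75, 0x08, 0xc3 };
static int fake_read(void *ctx, uintptr_t addr, uint8_t *dst, size_t len) {
    (void)ctx; if (addr != 0x30000 || len > sizeof fake_mem) return 0;
    memcpy(dst, fake_mem, len); return 1;
}
/* Three constructed regions: free, committed but PAGE_NOACCESS, committed and readable; only the last is read. */
uintptr_t demo_scan(void) {
    static const region_t regs[] = { { 0x10000, 0x1000, 0x10000 /* MEM_FREE */, 0 },
                                     { 0x20000, 32, MEM_COMMIT, PAGE_NOACCESS }, { 0x30000, 32, MEM_COMMIT, 0x04 } };
    uint8_t buf[32];
    return scan_regions(regs, 3, fake_read, NULL, PAT, MASK, sizeof PAT, buf, sizeof buf); /* 0x30004 */
}
```

On Windows the reader becomes a ReadProcessMemory wrapper and the region list comes from looping VirtualQueryEx from 0 up to lpMaximumApplicationAddress, which is what the shellcode above does with GetSystemInfo.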