From b7bb1a6a8ecfb20dd53a874a76ad87100455c98c Mon Sep 17 00:00:00 2001
From: Toni Uhlig
Date: Tue, 24 Sep 2019 00:17:17 +0200
Subject: added pattern checker and memory mapping method callbacks and managment functions
---
include/KInterface.h | 28 ------------------------
include/PatternScanner.h | 56 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+), 28 deletions(-)
create mode 100644 include/PatternScanner.h
(limited to 'include')
diff --git a/include/KInterface.h b/include/KInterface.h
index 1149fd3..e990f6c 100644
--- a/include/KInterface.h
+++ b/include/KInterface.h
@@ -92,32 +92,4 @@ public:
 return -1;
 return wr.SizeRes;
 }
-};
-
-template
-struct Diff {
- BYTE current_buffer[SIZE];
- BYTE old_buffer[SIZE];
- std::vector> diffs;
-};
-
-class KScan
-{
-public:
- template
- static SSIZE_T ScanSimple(HANDLE targetPID, PVOID start_address, SIZE_T max_scansize, T(&a)[SIZE])
- {
- return KScanSimple(targetPID, start_address, max_scansize, a, sizeof T * SIZE);
- }
- template
- static SSIZE_T BinDiffSimple(HANDLE targetPID, PVOID start_address, Diff *diff)
- {
- return KBinDiffSimple(targetPID, start_address, diff->current_buffer,
- diff->old_buffer, SIZE, &diff->diffs);
- }
-private:
- static SSIZE_T KScanSimple(HANDLE targetPID, PVOID start_address, SIZE_T max_scansize,
- PVOID scanbuf, SIZE_T scanbuf_size);
- static SSIZE_T KBinDiffSimple(HANDLE targetPid, PVOID start_address,
- BYTE *curbuf, BYTE *oldbuf, SIZE_T siz, std::vector> *diffs);
 };
\ No newline at end of file
diff --git a/include/PatternScanner.h b/include/PatternScanner.h
new file mode 100644
index 0000000..c2f1980
--- /dev/null
+++ b/include/PatternScanner.h
@@ -0,0 +1,56 @@
+#pragma once
+
+#include "KMemDriver.h"
+
+#include
+#include
+
+
+typedef bool(*map_file_cb)(IN MODULE_DATA&, OUT PVOID * const,
+ OUT SIZE_T * const, IN PVOID const);
+typedef bool(*map_file_cleanup_cb)(IN MODULE_DATA&,
+ IN PVOID, IN PVOID const);
+
+struct map_file_data {
+ map_file_cb map_file;
+ map_file_cleanup_cb map_file_cleanup;
+ bool in_memory_module;
+};
+
+struct loadlib_user_data {
+ std::vector additionalDllSearchDirectories;
+};
+bool map_file_loadlib(MODULE_DATA& module, PVOID * const buffer,
+ SIZE_T * const size, PVOID const user_ptr);
+bool map_file_loadlib_cleanup(MODULE_DATA& module, PVOID buffer,
+ PVOID const user_ptr);
+bool map_file_kmem(MODULE_DATA& module, PVOID * const buffer,
+ SIZE_T * const size, PVOID const user_ptr);
+bool map_file_kmem_cleanup(MODULE_DATA& module, PVOID buffer,
+ PVOID const user_ptr);
+
+extern const struct map_file_data loadlib_data;
+extern const struct map_file_data kmem_data;
+
+class PatternScanner
+{
+public:
+ explicit PatternScanner(struct map_file_data const * const mfd = &loadlib_data, PVOID map_file_user_data = NULL);
+ ~PatternScanner();
+ void SetScanLowAddress(UINT64 startAddress) {
+ m_LowAddress = startAddress;
+ }
+ void SetScanAddress(UINT64 startAddress) {
+ m_LowAddress = startAddress;
+ }
+ bool Scan(MODULE_DATA& module, const char * const pattern);
+private:
+ bool checkPattern(MODULE_DATA& module, const char * const pattern, std::string& result);
+ bool doScan(UINT8 *buf, SIZE_T size, std::vector& foundOffsets);
+
+ struct map_file_data const * const mfd;
+ UINT64 m_LowAddress = 0x0;
+ UINT64 m_HighAddress = ((UINT64)-1);
+ PVOID map_file_user_data;
+};
+
-- cgit v1.2.3
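Review bot: `SetScanAddress` assigns `m_LowAddress`, exactly like `SetScanLowAddress` directly above it, while `m_HighAddress` (initialised to `((UINT64)-1)`) gets no setter at all, so callers cannot narrow the upper bound of a scan and the range stays open-ended by default; this reads like a copy-paste slip and should presumably be `void SetScanHighAddress(UINT64 endAddress) { m_HighAddress = endAddress; }`. Whether `Scan`/`doScan` actually honour `m_HighAddress` cannot be confirmed from this hunk, since only the declarations are visible here. Two style points in the same class: the defaulted `PVOID map_file_user_data = NULL` would be `nullptr` in C++, and `((UINT64)-1)` is a C-style cast where `UINT64_MAX` states the intent. A one-line comment on the `mfd` member saying who owns the `map_file_data` it points to and that it must outlive the `PatternScanner` would help, since the class keeps it as a raw `const * const` pointer to caller-provided data.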