1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
#pragma once
#include "KMemDriver.h"
#include <string>
#include <vector>
typedef bool(*map_file_cb)(SymbolResolver& symres, IN MODULE_DATA&, OUT PVOID * const,
OUT SIZE_T * const, IN PVOID const);
typedef bool(*map_file_cleanup_cb)(SymbolResolver& symres, IN MODULE_DATA&,
IN PVOID, IN PVOID const);
struct map_file_data {
explicit map_file_data(map_file_cb _mapfile, map_file_cleanup_cb _mapcleanup, bool _in_memory_module)
: mapfile(_mapfile), mapcleanup(_mapcleanup), in_memory_module(_in_memory_module) {}
map_file_cb mapfile;
map_file_cleanup_cb mapcleanup;
bool in_memory_module;
};
struct loadlib_user_data {
std::vector<std::string> additionalDllSearchDirectories;
};
extern const struct map_file_data map_loadlib;
extern const struct map_file_data map_kmem;
class PatternScanner
{
public:
explicit PatternScanner(SymbolResolver& symres,
struct map_file_data const * const mfd = &map_loadlib,
PVOID const map_file_user_data = NULL);
~PatternScanner();
void SetScanLowAddress(UINT64 startAddress) {
m_LowAddress = startAddress;
}
void SetScanAddress(UINT64 startAddress) {
m_LowAddress = startAddress;
}
bool Scan(MODULE_DATA& module, const char * const pattern);
private:
bool checkPattern(MODULE_DATA& module, const char * const pattern, std::string& result);
bool doScan(std::string& pattern, UINT8 *buf, SIZE_T size, std::vector<UINT64>& foundOffsets);
SymbolResolver& m_symbolResolver;
struct map_file_data const * const mfd;
PVOID const map_file_user_data;
UINT64 m_LowAddress = 0x0;
UINT64 m_HighAddress = ((UINT64)-1);
};
|