Jump to content


Photo
- - - - -

Does anyone have this?


  • Please log in to reply
3 replies to this topic

#1 K0D3R

K0D3R

    n00bie

  • Members
  • PipPip
  • 10 posts

Posted 18 December 2012 - 11:49 AM

I'm looking for a CreateToolHelp32Snapshot example for C# or C++. I've been getting into C#.NET and i'm trying to re-make some of my old VB6 trainers. Was just hoping some one had an example of it that i could work with.

Thanks much!

#2 KEMiCZA

KEMiCZA

    Administrator

  • Administrators
  • 400 posts
  • LocationBelgium

Posted 18 December 2012 - 06:53 PM

This is from an old source I made for scanning signatures. It has the implementation of CreateToolHelp32Snapshot. Code is in c++. I'm not sure if the code works 100%, but the CreateToolHelp32Snapshot part must work for sure.

sigScan.h
#pragma once
#include <stdlib.h>
using namespace std;

class sigScan {
public:
    sigScan() {result = new unsigned char[100];};
    ~sigScan() {delete result;};
    DWORD searchPattern(const wstring& procname, const wstring& modname, unsigned char* dataPoint, unsigned int length, int shiftAddr);
    unsigned char* parseStringToSignature(const string& str);
    int getLengthSignature(const string& str);
private:
    unsigned char* result;
    bool ComparePattern(unsigned char* p1, unsigned char* p2, unsigned int length);
    DWORD GetModuleBaseAddress(const wstring& procname, const wstring& modname);
    DWORD GetProcessID(const wstring& name);
    DWORD GetModuleBaseSize(const wstring& procname, const wstring& modname);
    HMODULE GetModuleHandle_(const wstring& procname, const wstring& modname);
    string processName;
    string moduleName;
};

sigScan.cpp
#include "stdafx.h"
#include "sigScan.h"
#include <Psapi.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <Windows.h>

DWORD sigScan::GetModuleBaseSize(const wstring& procname, const wstring& modname) {
    DWORD pid = GetProcessID(procname);
    HANDLE ph = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if ( ph == NULL ) {
        CloseHandle(ph);
        return 0;
    }

    MODULEINFO mi = {0};
    HMODULE hm = GetModuleHandle_(procname, modname);
    if ( GetModuleInformation(ph, hm, &mi, sizeof( MODULEINFO )) == false ) {
        CloseHandle(hm);
        CloseHandle(ph);
        return 0;
    }
    CloseHandle(ph);
    return mi.SizeOfImage;
}
HMODULE sigScan::GetModuleHandle_(const wstring& procname, const wstring& modname) {
    DWORD pid;
    pid = GetProcessID(procname);
    HANDLE ph = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if ( ph == NULL ) {
        CloseHandle(ph);
        return 0; //fayull
    }
    CloseHandle(ph);

    MODULEENTRY32 ml32;
    HANDLE hModuleSnap;
    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    ml32.dwSize = sizeof(ml32);
    if ( !Module32First(hModuleSnap, &ml32) ) {
        CloseHandle(hModuleSnap);
        return 0;
    }
    do {
      if ( _wcsicmp(ml32.szModule, modname.c_str()) == 0 ) {
          CloseHandle( hModuleSnap ); 
          return ml32.hModule;// we found our process
      }
    } while( Module32Next( hModuleSnap, &ml32 ) );
    CloseHandle( hModuleSnap );
    return 0;
}
DWORD sigScan::GetModuleBaseAddress(const wstring& procname, const wstring& modname) {
    DWORD pid;
    pid = GetProcessID(procname);
    HANDLE ph = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if ( ph == NULL ) {
        CloseHandle(ph);
        return 0; //fayull
    }
    CloseHandle(ph);

    MODULEENTRY32 ml32;
    HANDLE hModuleSnap;
    hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    ml32.dwSize = sizeof(ml32);
    if ( !Module32First(hModuleSnap, &ml32) ) {
        CloseHandle(hModuleSnap);
        return 0;
    }
    do {
      if ( _wcsicmp(ml32.szModule, modname.c_str()) == 0 ) {
          CloseHandle( hModuleSnap ); 
          return (DWORD)ml32.modBaseAddr;// we found our process
      }
    } while( Module32Next( hModuleSnap, &ml32 ) );
    CloseHandle( hModuleSnap );
    return 0;
}
DWORD sigScan::GetProcessID(const wstring& name) {
    PROCESSENTRY32 pe32;
    HANDLE hProcessSnap;
    pe32.dwSize = sizeof(pe32);
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if ( hProcessSnap == INVALID_HANDLE_VALUE  )
        return 0;
    if( !Process32First( hProcessSnap, &pe32 ) ) {
        CloseHandle( hProcessSnap );          // clean the snapshot object
        return 0;
    }

    do
    {
        if ( _wcsicmp(pe32.szExeFile, name.c_str()) == 0 ){
            CloseHandle( hProcessSnap ); // we found our process
            return pe32.th32ProcessID;
        }
    } while( Process32Next( hProcessSnap, &pe32 ) );

    CloseHandle( hProcessSnap );
    return 0;
}
DWORD sigScan::searchPattern(const wstring& procname, const wstring& modname, unsigned char* dataPoint, unsigned int length, int shiftAddr) {
    unsigned int baseAddr, sizeMod;
    DWORD dProtect;
    DWORD dProtectx;
    DWORD pid = GetProcessID(procname);
    HANDLE ph = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if (modname == L"") { 
        // if true, we're looking in the main module modname = procname;
        baseAddr = GetModuleBaseAddress(procname, procname);
        sizeMod = GetModuleBaseSize(procname, procname);
    }
    else {
        baseAddr = GetModuleBaseAddress(procname, modname);
        sizeMod = GetModuleBaseSize(procname, modname);
    }
    if ( (baseAddr == 0) || (sizeMod == 0))
        return false;
    //int* buffer = new int[sizeMod]; // init some space, to be able to copy the data
    unsigned char* buffer = (unsigned char*)VirtualAlloc(0,sizeMod,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    VirtualProtect((void*)baseAddr,sizeMod,PAGE_EXECUTE_READWRITE, &dProtect);
    if ( ReadProcessMemory(ph, (void*)baseAddr, buffer, sizeMod, 0) == 0) {
        VirtualFree(buffer, 0, MEM_RELEASE);
        CloseHandle(ph);
        return false; // something went wrong
    }
    VirtualProtect((void*)baseAddr,sizeMod,dProtect,&dProtectx);

    // we own the buffer now...
    unsigned char* tempbuf = buffer;
    unsigned int i = 0;
    while ( i < sizeMod) {
        if ( ComparePattern(tempbuf, dataPoint, length) ) {
            VirtualFree(buffer, 0, MEM_RELEASE);
            CloseHandle(ph);
            return baseAddr+i+shiftAddr;
        }
        tempbuf++;
        i++;
    }
    VirtualFree(buffer, 0, MEM_RELEASE);
    CloseHandle(ph);
    return false;
}
bool sigScan::ComparePattern(unsigned char* p1, unsigned char* p2, unsigned int length) {
    for (unsigned int i = 0; i < length; i++ ) {
        if ( p1[i] != p2[i] )
            return false;
    }
    return true;
}
unsigned char* sigScan::parseStringToSignature(const string& str) {
    unsigned char* sp = (unsigned char*)str.c_str();
    unsigned char twoBytesBuf[2];
    unsigned int checkByte = 0;
    unsigned int total = 0;
    for ( unsigned int i = 0; sp[i] != 0; i++) {
        if ( checkByte == 2 ) {
            checkByte = 0;
            sigScan::result[total] = (twoBytesBuf[0] << 4) + twoBytesBuf[1];
            total++;
        }

        //if ( sp[i] == '0' ) {
        //    // check if a letter comes after 0 !
        //    if ( !((sp[i+1] >= 65) && (sp[i+1] < 71)) || ((sp[i+1] >= 97) && (sp[i+1] < 103)) ){
        //            twoBytesBuf[checkByte] = 0; //if not then it's a real zero
        //            checkByte++;
        //    }
        //}
        if ( sp[i] == '0' ) {
            if ( sp[i+1] == '0' ) { // we have 00h
                checkByte = 2;
                twoBytesBuf[0] = 0;
                twoBytesBuf[1] = 0;
                i++;
            }
            else if ( (sp[i+1] >= 48) && (sp[i+1] < 58) ) {
                twoBytesBuf[checkByte] = 0; //if not then it's a real zero
                checkByte++; // we have 0xh, where x is number, it's valid
            }
            else if ( ((sp[i+1] >= 65) && (sp[i+1] < 71)) || ((sp[i+1] >= 97) && (sp[i+1] < 103)) ){ // check if a letter comes after 0 !
                if ( !( ((sp[i+2] >= 65) && (sp[i+2] < 71)) || ( (sp[i+2] >= 97) && (sp[i+2] < 103) ) || ((sp[i+2] >= 48) && (sp[i+2] < 58)) ) ) {
                    //check if a, letter comes after that letter... two pos: 0FFh and 0Ch
                    // ignore the zero
                    twoBytesBuf[checkByte] = 0; //if not then it's a real zero
                    checkByte++;
                }
            }
        }
        else if ( (sp[i] >= 48) && (sp[i] < 58) ) { // a number 0-9
            twoBytesBuf[checkByte] = (sp[i]) - 48; //if not then it's a real zero
            checkByte++;
        }
        else if ( (sp[i] >= 65) && (sp[i] < 71) ) { // a letter A-F
            twoBytesBuf[checkByte] = (sp[i]) - 65 + 10; //if not then it's a real zero
            checkByte++;
        }
        else if ( (sp[i] >= 97) && (sp[i] < 103) ) { // a letter a-f
            twoBytesBuf[checkByte] = (sp[i]) - 97 + 10; //if not then it's a real zero
            checkByte++;
        }
    }
    return sigScan::result;
}
int sigScan::getLengthSignature(const string& str) {
    unsigned char* sp = (unsigned char*)str.c_str();
    unsigned int checkByte = 0;
    int total = 0;
    for ( unsigned int i = 0; sp[i] != 0; i++) {
        if ( checkByte == 2 ) {
            checkByte = 0;
            total++;
        }

        if ( sp[i] == '0' ) {
            if ( sp[i+1] == '0' ) { // we have 00h
                checkByte = 2;
                i++;
            }
            else if ( (sp[i+1] >= 48) && (sp[i+1] < 58) ) {
                checkByte++; // we have 0xh, where x is number, it's valid
            }
            else if ( ((sp[i+1] >= 65) && (sp[i+1] < 71)) || ((sp[i+1] >= 97) && (sp[i+1] < 103)) ){ // check if a letter comes after 0 !
                if ( !( ((sp[i+2] >= 65) && (sp[i+2] < 71)) || ( (sp[i+2] >= 97) && (sp[i+2] < 103) ) || ((sp[i+2] >= 48) && (sp[i+2] < 58)) ) ) {
                    //check if a, letter comes after that letter... two pos: 0FFh and 0Ch
                    // ignore the zero
                    checkByte++;
                }
            }
        }
        else if ( (sp[i] >= 49) && (sp[i] < 58) ) { // a number 0-9
            checkByte++;
        }
        else if ( (sp[i] >= 65) && (sp[i] < 71) ) { // a letter A-F
            checkByte++;
        }
        else if ( (sp[i] >= 97) && (sp[i] < 103) ) { // a letter a-f
            checkByte++;
        }
    }
    return total;
}


#3 aqrit

aqrit

    Member

  • Members
  • 82 posts

Posted 19 December 2012 - 02:30 AM

http://msdn.microsof...5(v=vs.85).aspx

#4 K0D3R

K0D3R

    n00bie

  • Members
  • PipPip
  • 10 posts

Posted 19 December 2012 - 08:46 PM

wow kemi thx alot! looks good
and ty for the msdn link, was having trouble finding that.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users