[CODE]Signature Scanning

iNTANGiBLE

Basically, this searches for a byte pattern in a module in a process and returns the first address in that byte pattern. This was done with the cooperative work of me and a friend of mine.
Add a module to your project, and insert the following code in it:
VB.NET:
    ' Process and ProcessModule come from System.Diagnostics (imported by default in Windows Forms projects).
    ' These declarations assume a 32-bit (x86) build: handles and addresses are passed as Int32.
    Public Declare Function OpenProcess Lib "KERNEL32" _
    (ByVal DesiredAccess As Int32, _
     ByVal InheritHandle As Boolean, _
     ByVal ProcessId As Int32) _
    As Int32

    ' Returns non-zero on success; BytesRead receives the number of bytes actually copied.
    Private Declare Function ReadProcessMemory Lib "KERNEL32" _
    (ByVal Handle As Int32, _
     ByVal address As Int32, _
     ByRef Value As Int32, _
     ByVal Size As Int32, _
     ByRef BytesRead As Int32) _
    As Int32

    ' Process access rights passed to OpenProcess.
    Public PROCESS_VM_OPERATION As Int32 = 8
    Public PROCESS_VM_READ As Int32 = 16
    Public PROCESS_VM_WRITE As Int32 = 32

    Private process_id As Int32 = 0
    Public pHandle As Integer = 0

    ' Finds the process by name and stores its handle in pHandle.
    Public Function GetProcessId(ByVal game_name As String) As Boolean
        Dim Processes() As Process = Process.GetProcesses
        ' Integer index: a Byte counter overflows once more than 255 processes are running.
        For i As Integer = LBound(Processes) To UBound(Processes)
            If Processes(i).ProcessName = game_name Then
                process_id = Processes(i).Id
                pHandle = OpenProcess(PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, process_id)
                ' OpenProcess returns 0 when access is denied, so report that as a failure.
                Return pHandle <> 0
            End If
        Next
        Return False
    End Function

    ' Reads one byte; returns -1 if the address could not be read, so it never matches a signature byte.
    Public Function ReadByte(ByVal address As Int32) As Integer
        Dim value As Integer = 0
        Dim bytesRead As Int32 = 0
        If ReadProcessMemory(pHandle, address, value, 1, bytesRead) = 0 Then
            Return -1
        End If
        Return value
    End Function

    ' Array-of-bytes (signature) scan over one module; returns the address of the first match, or 0.
    Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte()) As Integer
        Dim BaseAddress, EndAddress As Int32
        For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
            If ModuleName = PM.ModuleName Then
                BaseAddress = PM.BaseAddress.ToInt32()
                EndAddress = BaseAddress + PM.ModuleMemorySize
            End If
        Next
        Dim curAddr As Int32 = BaseAddress
        ' Only test positions where the whole pattern still fits inside the module.
        Do While curAddr + Signature.Length <= EndAddress
            For i As Integer = 0 To Signature.Length - 1
                If ReadByte(curAddr + i) = Signature(i) Then
                    If i = Signature.Length - 1 Then
                        MsgBox(curAddr.ToString("X"))
                        Return curAddr
                    End If
                    Continue For
                End If
                Exit For
            Next
            curAddr += 1
        Loop
        Return 0
    End Function

Alright, so first I declared OpenProcess (a KERNEL32 function) used to get the process handle. Then I declared ReadProcessMemory (also a KERNEL32 function) which is for reading the value of a memory address in a process. PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE are for process access rights. I declare process_id and pHandle (to use them in the following function i.e. GetProcessId). GetProcessId sets the handle (pHandle) for the process. ReadByte is for reading a single byte value of a memory address. AOBSCAN is the function for doing an array of bytes scan (signature scan). It gets the base address and the end address of the specified process module, then it searches for the byte pattern in that module; if it was found then a message box will pop up with the address at the beginning of the byte pattern, and it will return that address.

As an example, add a button to your form, then double click it and add the following code:
VB.NET:
        If GetProcessId("ProcessName") = False Then
            Exit Sub
        Else : AOBSCAN("ProcessName", "ModuleName", New Byte() {Bytes})
        End If
GetProcessId must be in the code because it sets the process handle. An example of the above code would be (testing on Firefox):
VB.NET:
        If GetProcessId("firefox") = False Then
            Exit Sub
        Else : AOBSCAN("firefox", "firefox.exe", New Byte() {&HFF, &H25, &HBC, &H30, &HF, &H1, &H75, &H2})
        End If
The above code may or may not work, as I entered random bytes. This will search for the byte pattern FF 25 BC 30 0F 01 75 02 in the firefox.exe module, and if it was found, it will return the address at the beginning of that byte pattern.

Give feedback!
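Added example, not part of the original post: the scan above issues one read per byte tested, which is slow on a large module. This sketch reads in chunks and overlaps each chunk by the signature length minus one, so a pattern that straddles a chunk boundary is still found. `FindSignature`, the `reader` callback and the sample buffer are assumptions made for illustration; on a live process the callback would wrap a ReadProcessMemory call that fills a byte buffer.

```vbnet
Imports System

Module ChunkedSignatureScan
    ' reader(offset, count) is a hypothetical callback returning up to count bytes
    ' from offset; a short or empty array means the region could not be read.
    Public Function FindSignature(ByVal reader As Func(Of Long, Integer, Byte()),
                                  ByVal startOffset As Long, ByVal endOffset As Long,
                                  ByVal signature As Byte(),
                                  Optional ByVal chunkSize As Integer = 4096) As Long
        If signature Is Nothing OrElse signature.Length = 0 OrElse chunkSize <= 0 Then Return -1
        ' Read signature.Length - 1 extra bytes so a match straddling two chunks is seen.
        Dim overlap As Integer = signature.Length - 1
        Dim pos As Long = startOffset
        While pos + signature.Length <= endOffset
            Dim want As Integer = CInt(Math.Min(CLng(chunkSize) + overlap, endOffset - pos))
            Dim buf As Byte() = reader(pos, want)
            ' A short read makes the upper bound negative, so the loop body is skipped.
            For i As Integer = 0 To buf.Length - signature.Length
                Dim j As Integer = 0
                While j < signature.Length AndAlso buf(i + j) = signature(j)
                    j += 1
                End While
                If j = signature.Length Then Return pos + i
            Next
            pos += chunkSize
        End While
        Return -1 ' not found (0 can be a valid offset, so it is not used as the sentinel)
    End Function

    Sub Main()
        ' Constructed sample: 10000 zero bytes with the post's example pattern
        ' placed at offset 4094 so that it crosses the 4096-byte chunk boundary.
        Dim image(9999) As Byte
        Dim sig As Byte() = New Byte() {&HFF, &H25, &HBC, &H30, &HF, &H1, &H75, &H2}
        Array.Copy(sig, 0, image, 4094, sig.Length)
        Dim reads As Integer = 0
        Dim reader As Func(Of Long, Integer, Byte()) =
            Function(offset As Long, count As Integer) As Byte()
                reads += 1
                Dim n As Integer = CInt(Math.Max(0L, Math.Min(CLng(count), image.Length - offset)))
                Dim chunk(n - 1) As Byte
                Array.Copy(image, CInt(offset), chunk, 0, n)
                Return chunk
            End Function
        Dim hit As Long = FindSignature(reader, 0, image.Length, sig)
        Console.WriteLine("match at {0} after {1} read(s)", hit, reads)
    End Sub
End Module
```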
 