memscan
Feature-rich C99 library for memory scanning purposes, designed for Windows running machines, meant to work on both 32-bit and 64-bit portable executables.
memscan has a modern C++ wrapper which abstracts the C contents in an user-friendly way. To look at the C example, press here, and, for the C++ example, press here.
✔
Features
-
🚶 Follow system
It is an internal concept which is exposed to every of the following memscan features.
- It expects a base address, bounds and a find sequence.
- Find sequences can be made of:
- A bytecode-style string:
- Example:
"AA BB CC DD EE FF"- This is converted back to a byte array with a size at run-time.
- Example:
- OR, byte array and it's size
- Example:
{0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, 6
- Example:
- And, universally:
- N-th match:
- Sequences may repeat within the specified range, so you can choose which match you want to select,
- Matches start at 0, implying the first match.
- Direction:
- You can go either backwards, or forwards, within the specified bounds, starting from the base address.
- N-th match:
- A bytecode-style string:
- Invalid inputs will be reflected in the return with the status variable. This carries to the user-level return.
-
🔎 Multi-paradigm pattern-scanning- It expects bounds, a pattern sequence and, optionally, a find sequence.
- Pattern sequences can be made of:
- A bytecode-style string:
- Example:
"AA BB CC DD EE FF"
- Example:
- OR, a byte array and it's size
- Example:
{0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, 6
- Example:
- Both of the aforementioned can contain a preset symbol to signal that a mismatch at said position is allowed. It is set here.
- And, universally:
- N-th match:
- Sequences may repeat within the specified range, so you can choose which match you want to select,
- Matches start at 0, implying the first match.
- N-th match:
- A bytecode-style string:
- Refer to Follow system to see find sequences.
- Every combination of the aforementioned is possible in the user-level API.
- The result of this process carries an address depending on the success of the process and a status. For documentation on the status, refer to this file.
-
❌ Cross-reference resolver- It expects bounds, either a base address or content, prompt to whether there should be an endianness swap, N-th match, based on which method you choose and, optionally, a find sequence.
- Refer to Follow system to see find sequences.
- Can resolve references from a given input, or, resolve references at the address where they're represented:
- An example for resolving references from a given input is inputting the following:
0xAABBCCDD.- We assume this is a pointer which we can resolve. When represented in memory, it'll have it's endianness swapped, so it'll look like
0xDDCCBBAA, therefore, we will ask for an endianness swap, - Then, for some reason, want to find the first instance where the contents at the pointer is referenced, so, we will input
0for the N-th match.
- We assume this is a pointer which we can resolve. When represented in memory, it'll have it's endianness swapped, so it'll look like
- We can also input the address where a pointer is referenced by choosing the right method:
- If the contents at our address look like this sequence:
8B 4D ? ? ? ?:- We'll have to add '
2'to the address (to skip over the8B 4Dbytes), - Then, we'll have to prompt an endianness swap,
- Then, for some reason, want to find the first instance where the contents at the address' pointer is referenced so, we will input
0for the N-th match.
- We'll have to add '
- If the contents at our address look like this sequence:
- An example for resolving references from a given input is inputting the following:
- Refer to Follow system to see find sequences.
- The result of this process carries an address depending on the success of the process and a status. For documentation on the status, refer to this file.
-
🗒️ String resolver
This component was built off the cross-reference resolver system.
- It expects bounds, a (compile-time) string, it's size, N-th match and, optionally, a find sequence.
- Refer to Follow system to see find sequences.
- The result of this process carries an address depending on the success of the process and a status. For documentation on the status, refer to this file.
- If the process was succesful, the address will be a pointer to the N-th match of the string.
-
🤷 Scalable- This project is designed to operate under any reasonable circumstance. This can be used alongside DLL-injection, or on copied memory buffers.
📚
Internal documentation
- The user-level API has up-to-date, Doxygen-compliant documentation, which, in most IDEs, should be displayed on hover.
- There's also implementation documentation which you can see here.
📈
Progression
- To do:
-
⚔️ C++ wrapper -
🦾 CMake package -
🧪 Standard tests -
🤝 Multi-platform support
-
⚖️
License
I couldn't care less.
