C++ Code to Find an Address by Signature
This code includes:
A function to compare bytes against a signature and mask.
A function to iterate over the memory of the module and find the pattern.
```cpp
#include <Windows.h>
#include <Psapi.h> // GetModuleInformation: link with Psapi.lib
#include <cstring>
#include <iostream>

// Function to compare memory bytes with the pattern and mask
bool CompareBytes(const BYTE* data, const BYTE* pattern, const char* mask) {
    for (; *mask; ++mask, ++data, ++pattern) {
        if (*mask == 'x' && *data != *pattern) {
            return false; // Byte mismatch
        }
    }
    return (*mask == 0); // Pattern fully matched
}

// Function to find the pattern in the memory of the module
DWORD64 FindSignature(HMODULE hModule, const BYTE* pattern, const char* mask) {
    MODULEINFO moduleInfo = { 0 };
    if (!GetModuleInformation(GetCurrentProcess(), hModule, &moduleInfo, sizeof(MODULEINFO))) {
        return 0; // Could not query the module
    }
    DWORD64 baseAddress = (DWORD64)moduleInfo.lpBaseOfDll; // Base address of the module
    DWORD64 moduleSize = (DWORD64)moduleInfo.SizeOfImage;  // Size of the module
    DWORD64 patternLength = (DWORD64)strlen(mask);         // One mask character per pattern byte
    if (patternLength == 0 || patternLength > moduleSize) {
        return 0; // Nothing to search for, or pattern longer than the image
    }
    BYTE* moduleBytes = (BYTE*)baseAddress;
    // Stop early enough that the comparison never reads past the end of the image
    for (DWORD64 i = 0; i <= moduleSize - patternLength; i++) {
        if (CompareBytes(moduleBytes + i, pattern, mask)) {
            return (DWORD64)(moduleBytes + i); // Return address if pattern found
        }
    }
    return 0; // Pattern not found
}

// Example usage of the pattern scanner
int main() {
    // Example signature (byte pattern) and mask
    const BYTE pattern[] = { 0x89, 0x45, 0xFC, 0x48, 0x89 };
    const char* mask = "xxxxx"; // 'x' indicates exact match; '?' indicates any byte

    // Replace with the target module handle (e.g., "example.exe" or a DLL)
    HMODULE hModule = GetModuleHandleA("example.dll");
    if (hModule == NULL) {
        std::cerr << "Module not found!" << std::endl;
        return -1;
    }

    // Find the address of the pattern in the module
    DWORD64 foundAddress = FindSignature(hModule, pattern, mask);
    if (foundAddress != 0) {
        std::cout << "Pattern found at address: 0x" << std::hex << foundAddress << std::endl;
    } else {
        std::cout << "Pattern not found!" << std::endl;
    }
    return 0;
}
```
Explanation:
CompareBytes():
This function checks whether the bytes in memory match the pattern provided. The mask string is used to define how strictly each byte should match. An 'x' in the mask indicates that the corresponding byte should match exactly, while a '?' allows for any byte to be considered valid in that position.
FindSignature():
This function scans through the memory of the module (hModule), comparing the bytes at each offset against the provided pattern and mask. If it finds a match, it returns the address where the pattern starts; otherwise it returns 0.
Usage:
In the main() function, we search for a simple example byte pattern ({ 0x89, 0x45, 0xFC, 0x48, 0x89 }) in a module (example.dll). The mask xxxxx indicates that all bytes in the pattern must match exactly.
Replace "example.dll" with the actual module you want to scan (e.g., the target process or DLL you're interested in).
Notes:
GetModuleHandleA() is used to obtain the handle of the module (DLL or EXE). If you're scanning an external process, you will need to obtain the module handle from the target process using methods like EnumProcessModules() or CreateToolhelp32Snapshot().
If you are working with a process other than your own, you will need to read its memory with functions like ReadProcessMemory(), and you may also need to adjust memory protections.
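The usage above only exercises an all-'x' mask and stops at the first hit. The following is an added example, not part of the original code: it shows the '?' wildcard and a bounded scan that returns every match, so you can check whether a signature is unique. ParseSignature, FindAll, ScanSample and the "89 45 ?? 48 89" text format are hypothetical names and conventions chosen for illustration, and the sample bytes are constructed; it runs on a plain byte buffer, so it needs no Windows headers.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical helper: parse "89 45 ?? 48" into pattern bytes plus an x/? mask.
bool ParseSignature(const std::string& text, std::vector<uint8_t>& pattern, std::string& mask) {
    pattern.clear(); mask.clear();
    std::istringstream in(text);
    std::string tok;
    while (in >> tok) {
        const bool wild = (tok == "?" || tok == "??");
        if (!wild && (tok.size() != 2 ||
            tok.find_first_not_of("0123456789abcdefABCDEF") != std::string::npos))
            return false;                       // malformed token
        pattern.push_back(static_cast<uint8_t>(wild ? 0 : std::stoul(tok, nullptr, 16)));
        mask.push_back(wild ? '?' : 'x');
    }
    return !pattern.empty();
}

// Hypothetical helper: every offset in data[0..size) where the signature matches.
std::vector<size_t> FindAll(const uint8_t* data, size_t size,
                            const std::vector<uint8_t>& pattern, const std::string& mask) {
    std::vector<size_t> hits;
    const size_t n = pattern.size();
    if (n == 0 || mask.size() != n) return hits;
    for (size_t i = 0; i + n <= size; ++i) {    // last window ends exactly at the buffer end
        size_t j = 0;
        while (j < n && (mask[j] == '?' || data[i + j] == pattern[j])) ++j;
        if (j == n) hits.push_back(i);
    }
    return hits;
}

// Constructed sample bytes (not taken from any real module).
static const uint8_t kSample[] = { 0x90, 0x89, 0x45, 0xFC, 0x48, 0x89, 0xC3, 0x89,
                                   0x45, 0xF8, 0x48, 0x89, 0x90, 0x89, 0x45 };

std::vector<size_t> ScanSample(const std::string& sig) {
    std::vector<uint8_t> pattern; std::string mask;
    if (!ParseSignature(sig, pattern, mask)) return {};
    return FindAll(kSample, sizeof(kSample), pattern, mask);
}

int main() {
    for (size_t off : ScanSample("89 45 ?? 48 89")) std::printf("match at +%zu\n", off);
}
```

A signature that returns more than one offset is ambiguous: add more exact bytes until it matches once.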