Лидеры

Привет всем! Решил поделиться сканером сигнатур написанный мною на Delphi. Материал чисто для ознакомительных целей. В качестве основы и принципа работы были взяты функции с C++. Пример написан для новичков и любителей WINAPI в виде консольного приложения, для большего удобства и понимания кода program signaturescanner;{$APPTYPE CONSOLE}usesWindows, SysUtils, TlHelp32;varm_pID: integer;m_hProc: THandle;module: TModuleEntry32;m_Sign: integer;constprocName = 'D3D9Test.exe';procedure GetPID;varsnapshot: THandle;pInfo: PROCESSENTRY32;beginsnapshot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);pInfo.dwSize := sizeof(PROCESSENTRY32);if (Process32First(snapshot, pInfo)) thenbeginwhile (Process32Next(snapshot, pInfo)) dobeginif pInfo.szExeFile = procName thenbeginm_pID := pInfo.th32ProcessID;CloseHandle(snapshot);exit;end;end;end;m_pID := 0;CloseHandle(snapshot);exit;end;function GetModuleInfo(const module_name: PChar; main_process: boolean): TModuleEntry32;varsnapshot: THandle;module: TModuleEntry32;beginsnapshot := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, m_pID);module.dwSize := sizeof(TModuleEntry32);if (Module32First(snapshot, module)) thenbeginif (main_process) thenbeginCloseHandle(snapshot);result := module;end;while (Module32Next(snapshot, module)) dobeginif (StrIComp(PChar(ExtractFileName(module.szModule)), PChar(module_name)) = 0) thenbeginCloseHandle(snapshot);result := module;end;end;end;result := module;end;function DataCompare(data: PByte; sign: PByte; mask: PAnsiChar): boolean;beginwhile mask^ <> #0 dobeginif ((mask^ = 'x') and (data^ <> sign^)) thenbeginresult := false;exit;end;inc(mask);inc(data);inc(sign);end;result := true;end;function ScanSignature(base: Dword; size: Dword; sign: PByte; mask: PAnsiChar): integer;varmbi: MEMORY_BASIC_INFORMATION;offset: integer;buffer: PByte;BytesRead: Dword;i: integer;beginoffset := 0;while (offset < size) dobeginVirtualQueryEx(m_hProc, Pointer(base + offset), &mbi, sizeof(MEMORY_BASIC_INFORMATION));if (mbi.State <> MEM_FREE) thenbeginGetMem(buffer, mbi.RegionSize);ReadProcessMemory(m_hProc, mbi.BaseAddress, buffer, mbi.RegionSize, BytesRead);for i := 0 to mbi.RegionSize dobeginif (DataCompare(buffer + i, sign, mask)) thenbeginFreeMem(buffer);result := integer(mbi.BaseAddress) + i;exit;end;end;FreeMem(buffer);end;offset := offset + mbi.RegionSize;end;result := 0;end;constSign: array [0 .. 22] of byte = ($68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $68, $00, $00, $00, $00, $FF, $15, $00, $00, $00, $00, $6A, $20);Mask = 'x????x????x????xx????xx';beginGetPID();if (m_pID <> 0) thenbeginmodule := GetModuleInfo(nil, true);m_hProc := OpenProcess(PROCESS_ALL_ACCESS, false, m_pID);m_Sign := ScanSignature(integer(module.modBaseAddr), module.modBaseSize, @Sign, Mask);writeln(' *************************************************************');writeln(' * Signature Scanner for Delphi *');writeln(' * Coded by ArxLex (2014) *');writeln(' *************************************************************'+#10#13#10#13);writeln(' Handle Process: $', inttohex(m_hProc, sizeof(m_hProc)));writeln(' Pid: $', inttohex(m_pID, sizeof(m_pID)));writeln(' Process Base Address: $', inttohex(integer(module.modBaseAddr), sizeof(module.modBaseAddr)));writeln(' Process Base Size: $', inttohex(module.modBaseSize, sizeof(module.modBaseSize)));writeln(' Signature Address: $', inttohex(m_Sign, sizeof(m_Sign)));readln;CloseHandle(m_hProc);end;end.P.S. Еще раз спасибо участнику Coder за видео уроки и общее развите гэймхакинга