12 Ekim 2016 Çarşamba

C# Pattern Scan(Array Of Byte Scan) Class

using System;using System.Collections.Generic;using System.Diagnostics;using System.Linq;using System.Runtime.InteropServices;using System.Text;using Microsoft.Win32.SafeHandles;//
// sigScan C# Implementation - Written by atom0s [aka Wiccaan]
// Class Version: 2.0.0
//
// [ CHANGE LOG ] -------------------------------------------------------------------------
//
//      2.0.0
//          - Updated to no longer require unsafe or fixed code.
//          - Removed unneeded methods and code.
//
//      1.0.0
//          - First version written and release.
//
// [ CREDITS ] ----------------------------------------------------------------------------
//
// sigScan is based on the FindPattern code written by
// dom1n1k and Patrick at GameDeception.net
//
// Full credit to them for the purpose of this code. I, atom0s, simply
// take credit for converting it to C#.
//
// [ USAGE ] ------------------------------------------------------------------------------
//
// Examples:
//
//      SigScan _sigScan = new SigScan();
//      _sigScan.Process = someProc;
//      _sigScan.Address = new IntPtr(0x123456);
//      _sigScan.Size = 0x1000;
//      IntPtr pAddr = _sigScan.FindPattern(new byte[]{ 0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0x55, 0xFC, 0x11 }, "xxxx?xx?", 12);
//
//      SigScan _sigScan = new SigScan(someProc, new IntPtr(0x123456), 0x1000);
//      IntPtr pAddr = _sigScan.FindPattern(new byte[]{ 0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0x55, 0xFC, 0x11 }, "xxxx?xx?", 12);
//
// ----------------------------------------------------------------------------------------
namespace SigScan.Classes{
    public class 
SigScan
    
{
        
/// <summary>
        /// ReadProcessMemory
        ///
        ///     API import definition for ReadProcessMemory.
        /// </summary>
        /// <param name="hProcess">Handle to the process we want to read from.</param>
        /// <param name="lpBaseAddress">The base address to start reading from.</param>
        /// <param name="lpBuffer">The return buffer to write the read data to.</param>
        /// <param name="dwSize">The size of data we wish to read.</param>
        /// <param name="lpNumberOfBytesRead">The number of bytes successfully read.</param>
        /// <returns></returns>
        
[DllImport("kernel32.dll"SetLastError true)]
        private static 
extern bool ReadProcessMemory(
            
IntPtr hProcess,
            
IntPtr lpBaseAddress,
            [
Out()] byte[] lpBuffer,
            
int dwSize,
            
out int lpNumberOfBytesRead
            
);

        
/// <summary>
        /// m_vDumpedRegion
        ///
        ///     The memory dumped from the external process.
        /// </summary>
        
private byte[] m_vDumpedRegion;

        
/// <summary>
        /// m_vProcess
        ///
        ///     The process we want to read the memory of.
        /// </summary>
        
private Process m_vProcess;

        
/// <summary>
        /// m_vAddress
        ///
        ///     The starting address we want to begin reading at.
        /// </summary>
        
private IntPtr m_vAddress;

        
/// <summary>
        /// m_vSize
        ///
        ///     The number of bytes we wish to read from the process.
        /// </summary>
        
private Int32 m_vSize;


        
#region "sigScan Class Construction"
        /// <summary>
        /// SigScan
        ///
        ///     Main class constructor that uses no params.
        ///     Simply initializes the class properties and
        ///     expects the user to set them later.
        /// </summary>
        
public SigScan()
        {
            
this.m_vProcess null;
            
this.m_vAddress IntPtr.Zero;
            
this.m_vSize 0;
            
this.m_vDumpedRegion null;
        }
        
/// <summary>
        /// SigScan
        ///
        ///     Overloaded class constructor that sets the class
        ///     properties during construction.
        /// </summary>
        /// <param name="proc">The process to dump the memory from.</param>
        /// <param name="addr">The started address to begin the dump.</param>
        /// <param name="size">The size of the dump.</param>
        
public SigScan(Process procIntPtr addrint size)
        {
            
this.m_vProcess proc;
            
this.m_vAddress addr;
            
this.m_vSize size;
        }
        
#endregion

        #region "sigScan Class Private Methods"
        /// <summary>
        /// DumpMemory
        ///
        ///     Internal memory dump function that uses the set class
        ///     properties to dump a memory region.
        /// </summary>
        /// <returns>Boolean based on RPM results and valid properties.</returns>
        
private bool DumpMemory()
        {
            try
            {
                
// Checks to ensure we have valid data.
                
if (this.m_vProcess == null)
                    return 
false;
                if (
this.m_vProcess.HasExited == true)
                    return 
false;
                if (
this.m_vAddress == IntPtr.Zero)
                    return 
false;
                if (
this.m_vSize == 0)
                    return 
false;

                
// Create the region space to dump into.
                
this.m_vDumpedRegion = new byte[this.m_vSize];

                
bool bReturn false;
                
int nBytesRead 0;

                
// Dump the memory.
                
bReturn ReadProcessMemory(
                    
this.m_vProcess.Handlethis.m_vAddressthis.m_vDumpedRegionthis.m_vSizeout nBytesRead
                    
);

                
// Validation checks.
                
if (bReturn == false || nBytesRead != this.m_vSize)
                    return 
false;
                return 
true;
            }
            catch (
Exception ex)
            {
                return 
false;
            }
        }

        
/// <summary>
        /// MaskCheck
        ///
        ///     Compares the current pattern byte to the current memory dump
        ///     byte to check for a match. Uses wildcards to skip bytes that
        ///     are deemed unneeded in the compares.
        /// </summary>
        /// <param name="nOffset">Offset in the dump to start at.</param>
        /// <param name="btPattern">Pattern to scan for.</param>
        /// <param name="strMask">Mask to compare against.</param>
        /// <returns>Boolean depending on if the pattern was found.</returns>
        
private bool MaskCheck(int nOffsetbyte[] btPatternstring strMask)
        {
            
// Loop the pattern and compare to the mask and dump.
            
for (int x 0btPattern.Lengthx++)
            {
                
// If the mask char is a wildcard, just continue.
                
if (strMask[x] == '?')
                    continue;

                
// If the mask char is not a wildcard, ensure a match is made in the pattern.
                
if ((strMask[x] == 'x') && (btPattern[x] != this.m_vDumpedRegion[nOffset x]))
                    return 
false;
            }

            
// The loop was successful so we found the pattern.
            
return true;
        }
        
#endregion

        #region "sigScan Class Public Methods"
        /// <summary>
        /// FindPattern
        ///
        ///     Attempts to locate the given pattern inside the dumped memory region
        ///     compared against the given mask. If the pattern is found, the offset
        ///     is added to the located address and returned to the user.
        /// </summary>
        /// <param name="btPattern">Byte pattern to look for in the dumped region.</param>
        /// <param name="strMask">The mask string to compare against.</param>
        /// <param name="nOffset">The offset added to the result address.</param>
        /// <returns>IntPtr - zero if not found, address if found.</returns>
        
public IntPtr FindPattern(byte[] btPatternstring strMaskint nOffset)
        {
            try
            {
                
// Dump the memory region if we have not dumped it yet.
                
if (this.m_vDumpedRegion == null || this.m_vDumpedRegion.Length == 0)
                {
                    if (!
this.DumpMemory())
                        return 
IntPtr.Zero;
                }

                
// Ensure the mask and pattern lengths match.
                
if (strMask.Length != btPattern.Length)
                    return 
IntPtr.Zero;

                
// Loop the region and look for the pattern.
                
for (int x 0this.m_vDumpedRegion.Lengthx++)
                {
                    if (
this.MaskCheck(xbtPatternstrMask))
                    {
                        
// The pattern was found, return it.
                        
return new IntPtr((int)this.m_vAddress + (nOffset));
                    }
                }

                
// Pattern was not found.
                
return IntPtr.Zero;
            }
            catch (
Exception ex)
            {
                return 
IntPtr.Zero;
            }
        }

        
/// <summary>
        /// ResetRegion
        ///
        ///     Resets the memory dump array to nothing to allow
        ///     the class to redump the memory.
        /// </summary>
        
public void ResetRegion()
        {
            
this.m_vDumpedRegion null;
        }
        
#endregion

        #region "sigScan Class Properties"
        
public Process Process
        
{
            
get { return this.m_vProcess; }
            
set this.m_vProcess value; }
        }
        public 
IntPtr Address
        
{
            
get { return this.m_vAddress; }
            
set this.m_vAddress value; }
        }
        public 
Int32 Size
        
{
            
get { return this.m_vSize; }
            
set this.m_vSize value; }
        }
        
#endregion

    
}

C# GetKeyState Example

 public abstract class Keyboard
    {
        [Flags]
        private enum KeyStates
        {
            None = 0,
            Down = 1,
            Toggled = 2
        }

        [DllImport("user32.dll", CharSet = CharSet.Auto, ExactSpelling = true)]
        private static extern short GetKeyState(int keyCode);

        private static KeyStates GetKeyState(Keys key)
        {
            KeyStates state = KeyStates.None;

            short retVal = GetKeyState((int)key);

       
            //otherwise, it is up.
            if ((retVal & 0x8000) == 0x8000)
                state |= KeyStates.Down;

              if ((retVal & 1) == 1)
                state |= KeyStates.Toggled;

            return state;
        }

        public static bool IsKeyDown(Keys key)
        {
            return KeyStates.Down == (GetKeyState(key) & KeyStates.Down);
        }

        public static bool IsKeyToggled(Keys key)
        {
            return KeyStates.Toggled == (GetKeyState(key) & KeyStates.Toggled);
        }
    }






Add Form Code.


Example;




private void timer1_Tick(object sender, EventArgs e)
        {
            bool status = IsKeyDown(Keys.B);//set keys
            if (status == true) { MessageBox.Show("B pressed."); }
        }