Memory Scanner

26 Replies - 2935 Views - Last Post: 01 September 2011 - 08:50 AM

#1 SequenceInitiated

Posted 30 August 2011 - 06:56 AM

Alright, so I'm porting my existing Memory Scanner from vb.net to C#, I've worked for months on this, and finally I've almost got this. After fucking around with ReadProcessMemory, and converting Int to IntPtr's and etc. I've come to my final problem (I hope).

I've got a for statement, I'm trying to get j++ to function, but it's coming back as "Unreachable code". I've tried removing the j = 0; at the start of the for loop, I've tried casting the int before calling it in the for loop, I've tried just about everything.

Here's the code:
(Ps: It's for a 'Botkiller' Commonly referred to as an Anti-Virus of sorts)
    for (int j = 0; j <= Signature.Length; j++)
    {
        j++;
        byte[] Bytes = ReadByte(curAddr + j, (Int32)2048);
        if (!(Bytes[j] == Signature[j]))
        {
            j++;
            if (j == Signature.Length - 1)
            {
                Functions.Respond("Found Malicious Signature in Process: " + GameName + " At address: " + curAddr + ". Attempting to Remove!");
                EndProcess.CallExitProcess(ProcID, Path);
            }
            //else { continue; }
        }
        break;
    }



Now, you'll notice that I've also tried adding j++ within the for loop, but j is only added to once, and then never again.

This post has been edited by macosxnerd101: 30 August 2011 - 07:06 AM
Reason for edit:: Renamed title to be more descriptive



Replies To: Memory Scanner

#2 ragingben

Posted 30 August 2011 - 07:09 AM

Are you sure this is the code that is causing "Unreachable code"? I do not get that error (at least at design time). Is this a warning or an error? If it is an error then is it design, compile or runtime? Does it give you a line number? I'm not sure I understand your final line "Now, you'll notice that I've also tried adding j++ within the for loop, but j is only added to once, and then never again." - are the additional j++ statements there to prove a point? It is pretty strange practice to have this in a for loop otherwise.

This post has been edited by ragingben: 30 August 2011 - 07:10 AM

#3 SequenceInitiated

Posted 30 August 2011 - 07:13 AM

ragingben, on 30 August 2011 - 07:09 AM, said:

Are you sure this is the code that is causing "Unreachable code"? I do not get that error (at least at design time). Is this a warning or an error? If it is an error then is it design, compile or runtime? Does it give you a line number? I'm not sure I understand your final line "Now, you'll notice that I've also tried adding j++ within the for loop, but j is only added to once, and then never again." - are the additional j++ statements there to prove a point? It is pretty strange practice to have this in a for loop otherwise.


It's a warning, not an error, but I'm treating it as an error because it won't add to j.

Those were just to prove a point, and to see if it actually worked, J doesn't get added to at all with those j++'s so they're not needed to be honest.

#4 Curtis Rutland

Posted 30 August 2011 - 07:24 AM

Quote

J doesn't get added to at all with those j++'s so they're not needed to be honest.


I'm not sure how you're coming to that conclusion. j++ will increment the value of j.

Regardless, your break statement is unconditional, so you will always exit the loop after one iteration.

#5 ragingben

Posted 30 August 2011 - 07:29 AM

And because of that break the if statement
if (j == Signature.Length - 1)

will only be true if j is -1 (i.e. none, so the for loop will not be run), or in your case because of the additional j++'s, 1.

You sure you don't mean
if (j == Signature[Signature.Length - 1])

instead?

This post has been edited by Curtis Rutland: 30 August 2011 - 07:33 AM

#6 SequenceInitiated

Posted 30 August 2011 - 07:32 AM

Curtis Rutland, on 30 August 2011 - 07:24 AM, said:

Quote

J doesn't get added to at all with those j++'s so they're not needed to be honest.


I'm not sure how you're coming to that conclusion. j++ will increment the value of j.

Regardless, your break statement is unconditional, so you will always exit the loop after one iteration.


Last time I checked (Int)++ means you're adding 1 to the int, so I don't understand how you're coming to the conclusion that it wouldn't increment j.

That's not all of the code, that's just the for statement. I'll post the entire function.

    public static int AOBSCAN(string GameName, string ModuleName, byte[] Signature, string Path, int ProcID)
    {
        IntPtr BaseAddress = IntPtr.Zero;
        IntPtr EndAddress = IntPtr.Zero;
        foreach (ProcessModule PM in Process.GetProcessesByName(GameName)[0].Modules)
        {
            if (ModuleName == PM.ModuleName)
            {
                BaseAddress = PM.BaseAddress;
                EndAddress = (IntPtr)(BaseAddress.ToInt32() + PM.ModuleMemorySize);
            }
        }
        Int32 curAddr = BaseAddress.ToInt32();
        do
        {
            for (int j = 0; j <= Signature.Length; j++)
            {
                j++;
                byte[] Bytes = ReadByte(curAddr + j, (Int32)2048);
                if (!(Bytes[j] == Signature[j]))
                {
                    j++;
                    if (j == Signature.Length - 1)
                    {
                        Functions.Respond("Found Malicious Signature in Process: " + GameName + " At address: " + curAddr + ". Attempting to Remove!");
                        EndProcess.CallExitProcess(ProcID, Path);
                    }
                    //else { continue; }
                }
                break;
            }
            //curAddr += 1;
        } while (curAddr < EndAddress.ToInt32());
        return 0;
    }



ragingben, on 30 August 2011 - 07:29 AM, said:

And because of that break the if statement
if (j == Signature.Length - 1)

will only be true if j is -1 (i.e. none, so the for loop will not be run), or in your case because of the additional j++'s, 1.

You sure you don't mean
if (j == Signature[Signature.Length - 1])

instead?


Signature is a list, it's compiled of byte patterns in the following format.

Signature.Add(new byte[] {0x01, 0x02, 0x03, etc. });

#7 ragingben

Posted 30 August 2011 - 07:33 AM

SequenceInitiated, on 30 August 2011 - 03:30 PM, said:

Last time I checked (Int)++ means you're adding 1 to the int, so I don't understand how you're coming to the conclusion that it wouldn't increment j.

I thought you were with

SequenceInitiated, on 30 August 2011 - 03:30 PM, said:

Those were just to prove a point, and to see if it actually worked, J doesn't get added to at all with those j++'s so they're not needed to be honest.

#8 SequenceInitiated

Posted 30 August 2011 - 07:37 AM

ragingben, on 30 August 2011 - 07:33 AM, said:

SequenceInitiated, on 30 August 2011 - 03:30 PM, said:

Last time I checked (Int)++ means you're adding 1 to the int, so I don't understand how you're coming to the conclusion that it wouldn't increment j.

I thought you were with

SequenceInitiated, on 30 August 2011 - 03:30 PM, said:

Those were just to prove a point, and to see if it actually worked, J doesn't get added to at all with those j++'s so they're not needed to be honest.


Key words being "With those j++ statements" and I was incorrect, j = 1 at the end of the function, it should be greater than that.

PS: Here's the original code (VB.net)

    Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte(), ByVal Path As String, ByVal ProcID As Integer) As Integer
        On Error Resume Next
        Dim BaseAddress, EndAddress As Int32
        For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
            If ModuleName = PM.ModuleName Then
                BaseAddress = PM.BaseAddress
                EndAddress = BaseAddress + PM.ModuleMemorySize
            End If
        Next
        Dim curAddr As Int32 = BaseAddress
        Do
            For i As Integer = 0 To Signature.Length - 1
                If ReadByte(curAddr + i) = Signature(i) Then
                    If i = Signature.Length - 1 Then
                        If MD5Hash = Md5CalcFile(Path) Then
                            Resume Next
                        ElseIf Not MD5Hash = Md5CalcFile(Path) Then
                            ProcessesInfected += 1
                            EndProcess.CallExitProcess(ProcID, Path)
                        End If
                        Return curAddr
                    End If
                    Continue For
                End If
                Exit For
            Next
            curAddr += 1
        Loop While curAddr < EndAddress
        Return 0
    End Function


This post has been edited by SequenceInitiated: 30 August 2011 - 07:37 AM

#9 ragingben

Posted 30 August 2011 - 08:52 AM

Does the VB work correctly?

I still don't get the point of the for loop, when you break out of it after one iteration regardless. I may be missing something, this just seems pointless. You might as well just assume an index of 0 and do away with the loop entirely.

Not to be pernickety, but "J doesn't get added to at all with those j++'s" is an incorrect statement no matter how you look at it.

Just to clarify, your code compiles and runs, but you get a warning, and this is what you are trying to do away with?

#10 modi123_1

Posted 30 August 2011 - 09:07 AM

Is it too late to point out that 'antivirus' programs and whatnot are not the best in managed code of, say, the .NET Framework?

#11 AdamSpeight2008

Posted 30 August 2011 - 10:41 AM

ragingben, on 30 August 2011 - 04:52 PM, said:

Does the VB work correctly?

I still don't get the point of the for loop, when you break out of it after one iteration regardless. I may be missing something, this just seems pointless.


You're missing the Continue For; it goes straight to the next iteration of the loop, skipping the rest of the following code inside the loop.

The
On Error Resume Next

doesn't help as it effectively ignores any errors.

#12 SequenceInitiated

Posted 30 August 2011 - 08:50 PM

The vb.net code works just fine, and I know that it's not a good idea to program an anti-virus in .net, that's why I'm not doing it. It's a botkiller, it seeks out other malware running on the computer, and removes it, leaving the bot with my botkiller in it, running.

As for the On error resume next, that's only in there because you cannot access processes running as system/administrator, it'll throw an error and cause the program to crash, so just ignoring the error is the best way to go.

I fixed the j++ error by replacing the break; with a continue;. The problem now is, it's finding byte patterns in just about every process, so I've gotta fix that now.

This post has been edited by SequenceInitiated: 30 August 2011 - 09:00 PM

#13 ragingben

Posted 31 August 2011 - 01:27 AM

SequenceInitiated, on 31 August 2011 - 04:50 AM, said:

As for the On error resume next, that's only in there because you cannot access processes running as system/administrator, it'll throw an error and cause the program to crash, so just ignoring the error is the best way to go.

Just ignoring an error is never the best way to go. In this case, any error that is thrown here will be ignored, not just errors caused by not having administrator rights. You should look into the System.Security namespace, and more specifically the WindowsPrincipal and WindowsIdentity classes, to determine if the user has administrative rights. You should at least catch the System.Security.SecurityException errors and handle them differently to other errors if you want to ignore these.

SequenceInitiated, on 31 August 2011 - 04:50 AM, said:

I fixed the j++ error by replacing the break; with a continue;. The problem now is, it's finding byte patterns in just about every process, so I've gotta fix that now.

Does this tell you something about the byte patterns you are using if it is finding them in every process? Maybe they aren't effective? I don't know, but I would be suspicious. Where have you got these from? If they appear in every process they are just as defective as if they aren't being detected in actual botkiller or whatever. Maybe the condition is incorrect? Have you tried putting break points and stepping through the code to check the values of the variables are what you would expect/that your conditions are being met/not met as you would expect?

This post has been edited by ragingben: 31 August 2011 - 01:28 AM

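The error-handling advice in post #13, as an added example that is not part of the thread or any poster's code: it checks elevation with WindowsIdentity and WindowsPrincipal, then reads each process's module list while catching only the exception types that Process.Modules is documented to throw, so any other failure still surfaces. The class name ModuleInventory and the output format are assumptions made for the illustration.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Security.Principal;

// Added illustration (hypothetical class name): a read-only module inventory
// that handles the expected failures explicitly instead of ignoring all errors.
static class ModuleInventory
{
    // True when the current token is in the local Administrators role (elevated).
    static bool IsElevated()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
        }
    }

    static void Main()
    {
        Console.WriteLine("Elevated: " + IsElevated());
        int readable = 0, denied = 0, exited = 0, modules = 0;

        foreach (Process p in Process.GetProcesses())
        {
            using (p)
            {
                int pid = p.Id; // taken from the enumeration snapshot
                try
                {
                    modules += p.Modules.Count; // opens the process; may be refused
                    readable++;
                }
                catch (Win32Exception ex)
                {
                    // Expected: access denied, the System/Idle processes, or a
                    // 32/64-bit mismatch. Record it rather than hide it.
                    denied++;
                    Console.WriteLine("skipped pid {0}: {1}", pid, ex.Message);
                }
                catch (InvalidOperationException)
                {
                    exited++; // process ended between enumeration and access
                }
                // No catch-all: any other exception is a real bug and propagates.
            }
        }

        Console.WriteLine("readable={0} denied={1} exited={2} modules={3}",
                          readable, denied, exited, modules);
    }
}
```

Run unelevated and then elevated, the denied count shows how many of the skipped processes were a privilege problem rather than a defect in the code.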

#14 SequenceInitiated

Posted 31 August 2011 - 01:39 AM

ragingben, on 31 August 2011 - 01:27 AM, said:

SequenceInitiated, on 31 August 2011 - 04:50 AM, said:

As for the On error resume next, that's only in there because you cannot access processes running as system/administrator, it'll throw an error and cause the program to crash, so just ignoring the error is the best way to go.

Just ignoring an error is never the best way to go. In this case, any error that is thrown here will be ignored, not just errors caused by not having administrator rights. You should look into the System.Security namespace, and more specifically the WindowsPrincipal and WindowsIdentity classes, to determine if the user has administrative rights. You should at least catch the System.Security.SecurityException errors and handle them differently to other errors if you want to ignore these.

SequenceInitiated, on 31 August 2011 - 04:50 AM, said:

I fixed the j++ error by replacing the break; with a continue;. The problem now is, it's finding byte patterns in just about every process, so I've gotta fix that now.

Does this tell you something about the byte patterns you are using if it is finding them in every process? Maybe they aren't effective? I don't know, but I would be suspicious. Where have you got these from? If they appear in every process they are just as defective as if they aren't being detected in actual botkiller or whatever. Maybe the condition is incorrect? Have you tried putting break points and stepping through the code to check the values of the variables are what you would expect/that your conditions are being met/not met as you would expect?


I love when people criticize my work without taking a look at it.

If you had taken a look at the code, you'd realize that it only checks 1 byte at a time against the signatures, and it only checks it once. That's why it's finding signatures in every process.

As for skipping errors, I've run this plenty of times, it doesn't throw any exceptions, and last time I checked on error resume next isn't supported in C#. You're commenting on my vb.net code, not my C# code.

To be honest, I've gotten everything done, I've just got to make/find a way to compare byte arrays, which I may have already found, and how to convert an Int[] to Byte[] without using BitConverter.GetBytes(); considering it only returns 1 byte.

#15 ragingben

Posted 31 August 2011 - 02:21 AM

It doesn't matter what language it is written in, the fact that both AdamSpeight2008 and myself were pointing out is that it is not good practice to have code, in any language, that ignores errors.

Anyway, moving on. Did you want to compare byte arrays for the bytes in the same order, or just checking they both contain the same bytes? I have quickly done you an example of both, inclusively and exclusively
Spoiler

No offence meant, but I'm surprised you are having trouble comparing byte arrays if you are writing a bot killer. Did you write the VB code?