[SequenceInitiated]

Alright, so I'm porting my existing Memory Scanner from vb.net to C#, I've worked for months on this, and finally I've almost got this. After fucking around with ReadProcessMemory, and converting Int to IntPtr's and etc. I've come to my final problem (I hope).

I've got a for statement, I'm trying to get j++ to function, but it's coming back as "Unreachable code". I've tried removing the j = 0; at the start of the for loop, I've tried casting the int before calling it in the for loop, I've tried just about everything.

Here's the code:
(Ps: It's for a 'Botkiller' Commonly referred to as an Anti-Virus of sorts)

               for (int j = 0; j <= Signature.Length; j++)
                {
                    j++;
                    byte[] Bytes = ReadByte(curAddr + j, (Int32)2048);
                    if (!(Bytes[j] == Signature[j]))
                    {
                        j++;
                        if (j == Signature.Length - 1)
                        {
                            Functions.Respond("Found Malicious Signature in Process: " + GameName + " At address: " + curAddr + ". Attempting to Remove!");
                            EndProcess.CallExitProcess(ProcID, Path);
                        }
                        //else { continue; }
                    }
                    break;
                }

Now, you'll notice that I've also tried adding j++ within the for loop, but j is only added to once, and then never again.

This post has been edited by macosxnerd101: 30 August 2011 - 07:06 AM
Reason for edit:: Renamed title to be more descriptive

[ragingben]

Are you sure this is the code that is causing "Unreachable code"? I do not get that error (atleast at design time). Is this a warning or an error? If it is an error then is it design, compile or runtime? Does it give you a line number? I'm not sure I understand your final line "Now, you'll notice that I've also tried adding j++ within the for loop, but j is only added to once, and then never again." - are the additonal j++ statements there to prove a point? It is pretty strange practice to have this in a for loop otherwise.

This post has been edited by ragingben: 30 August 2011 - 07:10 AM

[SequenceInitiated]

ragingben, on 30 August 2011 - 07:09 AM, said:

Are you sure this is the code that is causing "Unreachable code"? I do not get that error (atleast at design time). Is this a warning or an error? If it is an error then is it design, compile or runtime? Does it give you a line number? I'm not sure I understand your final line "Now, you'll notice that I've also tried adding j++ within the for loop, but j is only added to once, and then never again." - are the additonal j++ statements there to prove a point? It is pretty strange practice to have this in a for loop otherwise.

It's a warning, not an error, but I'm treating it as an error because it won't add to j.

Those were just to prove a point, and to see if it actually worked, J doesn't get added to at all with those j++'s so they're not needed to be honest.

[Curtis Rutland]

Quote

J doesn't get added to at all with those j++'s so they're not needed to be honest.

I'm not sure how you're coming to that conclusion. j++ will increment the value of j.

Regardless, your break statement is unconditional, so you will always exit the loop after one iteration.

[ragingben]

And because of that break the if statement

if (j == Signature.Length - 1)

will only be true if j is -1 (i.e none, so the for loop will not be run), or in your case because of the additional j++'s, 1.

You sure you dont mean

if (j == Signature[Signature.Length - 1])

instead?

This post has been edited by Curtis Rutland: 30 August 2011 - 07:33 AM

[SequenceInitiated]

Curtis Rutland, on 30 August 2011 - 07:24 AM, said:

Quote

J doesn't get added to at all with those j++'s so they're not needed to be honest.

I'm not sure how you're coming to that conclusion. j++ will increment the value of j.

Regardless, your break statement is unconditional, so you will always exit the loop after one iteration.

Last time I checked (Int)++ means you're adding 1 to the int, so I don't understand how you're coming to the conclusion that it wouldn't increment j.

That's not all of the code, that's just the for statement. I'll post the entire function.

	public static int AOBSCAN(string GameName, string ModuleName, byte[] Signature, string Path, int ProcID)
	{
            IntPtr BaseAddress = IntPtr.Zero;
            IntPtr EndAddress = IntPtr.Zero;
                foreach (ProcessModule PM in Process.GetProcessesByName(GameName)[0].Modules)
                {
                    if (ModuleName == PM.ModuleName)
                    {
                        BaseAddress = PM.BaseAddress;
                        EndAddress = (IntPtr)(BaseAddress.ToInt32() + PM.ModuleMemorySize);
                    }
                }
            Int32 curAddr = BaseAddress.ToInt32();
            do
            {
               for (int j = 0; j <= Signature.Length; j++)
                {
                    j++;
                    byte[] Bytes = ReadByte(curAddr + j, (Int32)2048);
                    if (!(Bytes[j] == Signature[j]))
                    {
                        j++;
                        if (j == Signature.Length - 1)
                        {
                            Functions.Respond("Found Malicious Signature in Process: " + GameName + " At address: " + curAddr + ". Attempting to Remove!");
                            EndProcess.CallExitProcess(ProcID, Path);
                        }
                        //else { continue; }
                    }
                    break;
                }
                //curAddr += 1;
            } while (curAddr < EndAddress.ToInt32());
        return 0;
    }

ragingben, on 30 August 2011 - 07:29 AM, said:

And because of that break the if statement

if (j == Signature.Length - 1)

will only be true if j is -1 (i.e none, so the for loop will not be run), or in your case because of the additional j++'s, 1.

You sure you dont mean
[code]
if (j == Signature[Signature.Length - 1])
[code]
instead?

Signature is a list, it's compiled of byte patterns in the following format.

Signature.Add(new byte[] {0x01, 0x02, 0x03, etc. });

[ragingben]

SequenceInitiated, on 30 August 2011 - 03:30 PM, said:

Last time I checked (Int)++ means you're adding 1 to the int, so I don't understand how you're coming to the conclusion that it wouldn't increment j.

I thought you were with

SequenceInitiated, on 30 August 2011 - 03:30 PM, said:

Those were just to prove a point, and to see if it actually worked, J doesn't get added to at all with those j++'s so they're not needed to be honest.

[SequenceInitiated]

ragingben, on 30 August 2011 - 07:33 AM, said:

SequenceInitiated, on 30 August 2011 - 03:30 PM, said:

Last time I checked (Int)++ means you're adding 1 to the int, so I don't understand how you're coming to the conclusion that it wouldn't increment j.

I thought you were with

SequenceInitiated, on 30 August 2011 - 03:30 PM, said:

Those were just to prove a point, and to see if it actually worked, J doesn't get added to at all with those j++'s so they're not needed to be honest.

Key words being "With those j++ statements" and I was incorrect, j = 1 at the end of the function, it should be greater than that.

PS: Here's the original code (VB.net)

Public Function AOBSCAN(ByVal GameName As String, ByVal ModuleName As String, ByVal Signature As Byte(), ByVal Path As String, ByVal ProcID As Integer) As Integer
        On Error Resume Next
        Dim BaseAddress, EndAddress As Int32
        For Each PM As ProcessModule In Process.GetProcessesByName(GameName)(0).Modules
            If ModuleName = PM.ModuleName Then
                BaseAddress = PM.BaseAddress
                EndAddress = BaseAddress + PM.ModuleMemorySize
            End If
        Next
        Dim curAddr As Int32 = BaseAddress
        Do
            For i As Integer = 0 To Signature.Length - 1
                If ReadByte(curAddr + i) = Signature(i) Then
                    If i = Signature.Length - 1 Then
                        If MD5Hash = Md5CalcFile(Path) Then
                            Resume Next
                        ElseIf Not MD5Hash = Md5CalcFile(Path) Then
                            ProcessesInfected += 1
                            EndProcess.CallExitProcess(ProcID, Path)
                        End If
                        Return curAddr
                    End If
                    Continue For
                End If
                Exit For
            Next
            curAddr += 1
        Loop While curAddr < EndAddress
        Return 0
    End Function

This post has been edited by SequenceInitiated: 30 August 2011 - 07:37 AM

[ragingben]

Does the VB work correctly?

I still don't get the point of the for loop, when you break out of it after one itteration regardless. I may be missing something, this just seems pointless. You might aswell just assume and idex of 0 and do away with the loop entirely.

Not to be pinickity, but "J doesn't get added to at all with those j++'s" is an incorrect statement no matter how you look at it.

Just to clarify, your code compile's and runs, but you get a warning, and this is what you are trying to do away with?

[modi123_1]

Is it too late to point out that 'antivirus' programs what not are not the best in managed code of say the .NET framework?

[AdamSpeight2008]

ragingben, on 30 August 2011 - 04:52 PM, said:

Does the VB work correctly?

I still don't get the point of the for loop, when you break out of it after one itteration regardless. I may be missing something, this just seems pointless.

Your misssing the Continue For it goes straight to the next iteration of the loop, skipping the rest of the following code inside the loop.

The

On Error Resume Next

doesn't help as it effectively ignores any errors.

[SequenceInitiated]

The vb.net code works just fine, and I know that it's not a good idea to program an anti-virus in .net, that's why I'm not doing it. It's a botkiller, it seeks out other malware running on the computer, and removes it, leaving the bot with my botkiller in it, running.

As for the On error resume next, that's only in there before you cannot access processes running as system/administrator, it'll throw an error and cause the program to crash, so just ignoring the error is the best way to go.

I fixed the j++ error by replacing the break; with a continue;. The problem now is, it's finding byte patterns in just about ever process, so I've gotta fix that now.

This post has been edited by SequenceInitiated: 30 August 2011 - 09:00 PM

[ragingben]

SequenceInitiated, on 31 August 2011 - 04:50 AM, said:

As for the On error resume next, that's only in there before you cannot access processes running as system/administrator, it'll throw an error and cause the program to crash, so just ignoring the error is the best way to go.

Just ignoring an error is never the best way to go. In this case, any error that is thrown here will be ignored, not just errors caused by not having administrator rights. You should look into the System.Security namespace, and more specifically the WindowsPrincipal and WindowsIdentity classes, to determine if the user has administrative rights. You should atleast catch the System.Security.SecurityException errors and handle them different to other errors if you want to ignore these.

SequenceInitiated, on 31 August 2011 - 04:50 AM, said:

I fixed the j++ error by replacing the break; with a continue;. The problem now is, it's finding byte patterns in just about ever process, so I've gotta fix that now.

Does this tell you something about the byte patterns you are using if it is finding them in every process? Maybe they aren't effective? I don't know, but I would be suspicious. Where have you got these from? If they appear in every process they are just as defective as if they aren't being detected in actual botkiller or whatever. Maybe the codition is incorrect? Have you tried putting break points and stepping through the code to check the values of the variables are what you would expect/that your conditions are being met/not met as you would expect?

This post has been edited by ragingben: 31 August 2011 - 01:28 AM

[SequenceInitiated]

ragingben, on 31 August 2011 - 01:27 AM, said:

SequenceInitiated, on 31 August 2011 - 04:50 AM, said:

As for the On error resume next, that's only in there before you cannot access processes running as system/administrator, it'll throw an error and cause the program to crash, so just ignoring the error is the best way to go.

Just ignoring an error is never the best way to go. In this case, any error that is thrown here will be ignored, not just errors caused by not having administrator rights. You should look into the System.Security namespace, and more specifically the WindowsPrincipal and WindowsIdentity classes, to determine if the user has administrative rights. You should atleast catch the System.Security.SecurityException errors and handle them different to other errors if you want to ignore these.

SequenceInitiated, on 31 August 2011 - 04:50 AM, said:

I fixed the j++ error by replacing the break; with a continue;. The problem now is, it's finding byte patterns in just about ever process, so I've gotta fix that now.

Does this tell you something about the byte patterns you are using if it is finding them in every process? Maybe they aren't effective? I don't know, but I would be suspicious. Where have you got these from? If they appear in every process they are just as defective as if they aren't being detected in actual botkiller or whatever. Maybe the codition is incorrect? Have you tried putting break points and stepping through the code to check the values of the variables are what you would expect/that your conditions are being met/not met as you would expect?

I love when people criticize my work without taking a look at it.

If you had taken a look at the code, you'd realize that it only checks 1 byte at a time against the signatures, and it only checks it once. That's why it's finding signatures in every process.

As for skipping errors, I've run this plenty of times, it doesn't throw an exceptions, and last time I checked on error resume next isn't supported in C#. You're commenting on my vb.net code, not my C# code.

To be honest, I've gotten everything done, I've just got to make/find a way to compare byte arrays, which I may have already found, and how to convert an Int[] to Byte[] without using Bitconverter.GetBytes(); considering it only returns 1 byte.

[ragingben]

It doesn't matter what language it is written in, the fact that both AdamSpeight2008 and myself were pointing out is that it is not good practice to have code, in any language, that ignores errors.

Anyway, moving on. Did you want to compare byte arrays for the bytes in the same order, or just checking they both contain the same bytes? I have quickly done you an example of both, inclusively and exclusively

Spoiler

/// <summary>
/// Compare two byte arrays to determine if they exclusively contain the same bytes
/// </summary>
/// <param name="a">The first byte array</param>
/// <param name="b">The second byte array</param>
/// <param name="checkInOrder">Specify if the bytes must appear in the correct order</param>
/// <returns>True if a and b contain the same elements exclusively, else false</returns>
private static Boolean checkTwoByteArraysExclusivelyContainTheSameBytes(Byte[] a, Byte[] b, Boolean checkInOrder)
{
    // if either array is null
    if ((a == null) || (b == null))
    {
        return false;
    }
    else if (a.Length != b.Length)
    {
        return false;
    }
    else
    {
        // same length, good start

        // itterate each byte in a
        for (Int32 index = 0; index < a.Length; index++)
        {
            // if checking in order
            if (checkInOrder)
            {
                // check by bytes in position in array
                if (a[index] != b[index])
                {
                    // bytes are different
                    return false;
                }
            }
            else
            {
                // if b doesn't contain byte
                if (!b.Contains<Byte>(a[index]))
                {
                    // fail - contains different bytes
                    return false;
                }
            }
        }

        // must contain the same bytes, or both arrays are empty
        return true;
    }
}

/// <summary>
/// Compare two byte arrays to determine if they inclusively contain the same bytes
/// </summary>
/// <param name="a">The first byte array</param>
/// <param name="b">The second byte array</param>
/// <param name="checkInOrder">Specify if the bytes must appear in the correct order</param>
/// <returns>True if a and b contain the same elements inclusively, else false</returns>
private static Boolean checkTwoByteArraysInclusivelyContainTheSameBytes(Byte[] a, Byte[] b, Boolean checkInOrder)
{
    // if either array is null
    if ((a == null) || (b == null))
    {
        return false;
    }
    else
    {
        // same length, good start

        // hold smallest array
        Byte[] smallestArray = a.Length < b.Length ? a : b;

        // hold largest array
        Byte[] largestArray = a.Length >= b.Length ? a : b;

        // itterate each byte in the smallest array
        for (Int32 index = 0; index < smallestArray.Length; index++)
        {
            // if checking in order
            if (checkInOrder)
            {
                // check by bytes in position in array
                if (smallestArray[index] != largestArray[index])
                {
                    // bytes are different
                    return false;
                }
            }
            else
            {
                // if b doesn't contain byte
                if (!largestArray.Contains<Byte>(smallestArray[index]))
                {
                    // fail - contains different bytes
                    return false;
                }
            }
        }

        // must contain the same bytes, or both arrays are empty
        return true;
    }
}

No offence meant, but I'm suprised you are having trouble comparing byte arrays if you are writing a bot killer. Did you write the VB code?