memsearch.h
12.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
#ifndef _MEMDBG_MEMSEARCH_H
#define _MEMDBG_MEMSEARCH_H
// memsearch.h
// 4/20/2014 jichi
#include "memdbg/memdbg.h"
#ifndef MEMDBG_NO_STL
# include <functional>
#endif // MEMDBG_NO_STL
MEMDBG_BEGIN_NAMESPACE
/// Estimated maximum size of the caller function, the same as ITH FindCallAndEntryAbs
enum { MaximumFunctionSize = 0x800 };
/// Offset added to the beginning of the searched address
enum { MemoryPaddingOffset = 0x1000 };
enum { MemoryAlignedStep = 0x10 };
#ifndef MEMDBG_NO_STL
/// Iterate address and return false if abort iteration.
typedef std::function<bool (dword_t)> address_fun_t;
typedef std::function<bool (dword_t, dword_t)> address2_fun_t;
/**
* Iterate all call and caller addresses
* @param fun the first parameter is the address of the caller, and the second parameter is the address of the call itself
* @return false if return early, and true if iterate all elements
*/
bool iterCallerAddress(const address2_fun_t &fun, dword_t funcAddr, dword_t funcInst, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
bool iterCallerAddressAfterInt3(const address2_fun_t &fun, dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
bool iterUniqueCallerAddress(const address_fun_t &fun, dword_t funcAddr, dword_t funcInst, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
bool iterUniqueCallerAddressAfterInt3(const address_fun_t &fun, dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
/**
* Iterate all call and caller addresses
* @param fun the parameter is the address of the call
* @return false if return early, and true if iterate all elements
*/
bool iterFarCallAddress(const address_fun_t &fun, dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
bool iterNearCallAddress(const address_fun_t &fun, dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
bool iterLongJumpAddress(const address_fun_t &fun, dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
bool iterShortJumpAddress(const address_fun_t &fun, dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
bool iterAlignedNearCallerAddress(const address_fun_t &fun, dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
bool iterFindBytes(const address_fun_t &fun, const void *pattern, dword_t patternSize, dword_t lowerBound, dword_t upperBound);
bool iterMatchBytes(const address_fun_t &fun, const void *pattern, dword_t patternSize, dword_t lowerBound, dword_t upperBound);
#endif // MEMDBG_NO_STL
/**
* Return the absolute address of the far caller function
* The same as ITH FindCallAndEntryAbs().
*
* @param funcAddr callee function address
* @param funcInst the machine code where the caller function starts
* @param lowerBound the lower memory address to search
* @param upperBound the upper memory address to search
* @param* callerSearchSize the maximum size of caller
* @return the caller absolute address if succeed or 0 if fail
*
* Example funcInst:
* 0x55: push ebp
* 0x81,0xec: sub esp XXOO (0xec81)
* 0x83,0xec: sub esp XXOO (0xec83)
*/
dword_t findCallerAddress(dword_t funcAddr, dword_t funcInst, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
dword_t findCallerAddressAfterInt3(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
dword_t findLastCallerAddress(dword_t funcAddr, dword_t funcInst, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
dword_t findLastCallerAddressAfterInt3(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
dword_t findMultiCallerAddress(dword_t funcAddr, const dword_t funcInsts[], dword_t funcInstCount, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
dword_t findAlignedNearCallerAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
dword_t findLastAlignedNearCallerAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t callerSearchSize = MaximumFunctionSize, dword_t offset = MemoryPaddingOffset);
/**
* Return the absolute address of the long jump (not short jump) instruction address.
* The same as ITH FindCallOrJmpAbs(false).
*
* @param funcAddr callee function address
* @param lowerBound the lower memory address to search
* @param upperBound the upper memory address to search
* @param* offset the relative address to search from the lowerBound
* @param* range the relative size to search, use lowerBound - upperBound when zero
* @return the call instruction address if succeed or 0 if fail
*/
dword_t findLongJumpAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
dword_t findShortJumpAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
dword_t findLastLongJumpAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
dword_t findLastShortJumpAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
/**
* Return the absolute address of the far call (inter-module) instruction address.
* The same as ITH FindCallOrJmpAbs(true).
*
* @param funcAddr callee function address
* @param lowerBound the lower memory address to search
* @param upperBound the upper memory address to search
* @param* offset the relative address to search from the lowerBound
* @param* range the relative size to search, use lowerBound - upperBound when zero
* @return the call instruction address if succeed or 0 if fail
*/
dword_t findFarCallAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
dword_t findLastFarCallAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
/// Near call (intra-module)
dword_t findNearCallAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
dword_t findLastNearCallAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0);
/// Default to far call, for backward compatibility
inline dword_t findCallAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0)
{ return findFarCallAddress(funcAddr, lowerBound, upperBound, offset, range); }
inline dword_t findLastCallAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0)
{ return findLastFarCallAddress(funcAddr, lowerBound, upperBound, offset, range); }
/// Default to long jump, for backward compatibility
inline dword_t findJumpAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0)
{ return findLongJumpAddress(funcAddr, lowerBound, upperBound, offset, range); }
inline dword_t findLastJumpAddress(dword_t funcAddr, dword_t lowerBound, dword_t upperBound, dword_t offset = MemoryPaddingOffset, dword_t range = 0)
{ return findLastLongJumpAddress(funcAddr, lowerBound, upperBound, offset, range); }
/// Push value >= 0xff
dword_t findPushDwordAddress(dword_t value, dword_t lowerBound, dword_t upperBound);
/// Push value <= 0xff
dword_t findPushByteAddress(byte_t value, dword_t lowerBound, dword_t upperBound);
/// Default to push DWORD
inline dword_t findPushAddress(dword_t value, dword_t lowerBound, dword_t upperBound)
{ return findPushDwordAddress(value, lowerBound, upperBound); }
/**
* Return the enclosing function address outside the given address.
* The same as ITH FindEntryAligned().
* "Aligned" here means the function must be after in3 (0xcc) or nop (0x90).
*
* If the function does NOT exist, this function might raise without admin privilege.
* It is safer to wrap this function within SEH.
*
* @param addr address within th function
* @param searchSize max backward search size
* @return beginning address of the function
* @exception illegal memory access
*/
dword_t findEnclosingAlignedFunction(dword_t addr, dword_t searchSize = MaximumFunctionSize);
dword_t findEnclosingFunctionBeforeDword(dword_t sig, dword_t addr, dword_t searchSize = MaximumFunctionSize, dword_t step = MemoryAlignedStep);
dword_t findEnclosingFunctionAfterDword(dword_t sig, dword_t addr, dword_t searchSize = MaximumFunctionSize, dword_t step = MemoryAlignedStep);
dword_t findEnclosingFunctionAfterInt3(dword_t addr, dword_t searchSize = MaximumFunctionSize, dword_t step = MemoryAlignedStep);
dword_t findEnclosingFunctionAfterNop(dword_t addr, dword_t searchSize = MaximumFunctionSize, dword_t step = MemoryAlignedStep);
/**
* Return the address of the first matched pattern.
* Return 0 if failed. The return result is ambiguous if the pattern address is 0.
* This function simpily traverse all bytes in memory range and would raise
* if no access to the region.
*
* @param pattern array of bytes to match
* @param patternSize size of the pattern array
* @param lowerBound search start address
* @param upperBound search stop address
* @return absolute address
* @exception illegal memory access
*/
dword_t findBytes(const void *pattern, dword_t patternSize, dword_t lowerBound, dword_t upperBound);
//dword_t reverseFindBytes(const void *pattern, dword_t patternSize, dword_t lowerBound, dword_t upperBound);
/**
* jichi 2/5/2014: The same as findBytes except it uses widecard to match everything.
* The widecard should use the byte seldom appears in the pattern.
* See: http://sakuradite.com/topic/124
*
* @param pattern array of bytes to match
* @param patternSize size of the pattern array
* @param lowerBound search start address
* @param upperBound search stop address
* @param* widecard the character to match everything
* @return absolute address
* @exception illegal memory access
*/
enum : byte_t { WidecardByte = 0x11 }; // jichi 7/17/2014: 0x11 seldom appear in PSP code pattern
//enum : WORD { WidecardWord = 0xffff };
dword_t matchBytes(const void *pattern, dword_t patternSize, dword_t lowerBound, dword_t upperBound,
byte_t wildcard = WidecardByte);
// User space: 0 - 2G (0 - 0x7ffeffff)
// Kernel space: 2G - 4G (0x80000000 - 0xffffffff)
//
// http://msdn.microsoft.com/en-us/library/windows/hardware/ff560042%28v=vs.85%29.aspx
// http://codesequoia.wordpress.com/2008/11/28/understand-process-address-space-usage/
// http://stackoverflow.com/questions/17244912/open-process-with-debug-privileges-and-read-write-memory
enum MemoryRange : dword_t {
UserMemoryStartAddress = 0, UserMemoryStopAddress = 0x7ffeffff
, KernelMemoryStartAddress = 0x80000000, KernelMemoryStopAddress = 0xffffffff
, MappedMemoryStartAddress = 0x01000000
, MemoryStartAddress = UserMemoryStartAddress, MemoryStopAddress = UserMemoryStopAddress
};
#if 0 // not used
/**
* Traverse memory continues pages and return the address of the first matched pattern.
*
* @param pattern array of bytes to match
* @param patternSize size of the pattern array
* @param lowerBound search start address
* @param upperBound search stop address
* @param* search search all pages (SearchAll) or stop on first illegal access (SearchFirst)
* @return absolute address
*/
enum SearchType : byte_t { SearchAll = 0 , SearchFirst };
dword_t findBytesInPages(const void *pattern, dword_t patternSize,
dword_t lowerBound = MemoryStartAddress, dword_t upperBound = MemoryStopAddress,
SearchType search = SearchAll);
dword_t matchBytesInPages(const void *pattern, dword_t patternSize,
dword_t lowerBound = MemoryStartAddress, dword_t upperBound = MemoryStopAddress,
byte_t wildcard = WidecardByte, SearchType search = SearchAll);
#endif // 0
MEMDBG_END_NAMESPACE
#endif // _MEMDBG_MEMSEARCH_H