After researching the DarkLinux sources, I ported the scanner to C# with some changes.
It works, but it sometimes crashes with random error codes (I don't know why).
(I included the execute-buffer code; delete it if you don't need it, it is only there for testing.)
And yes, just remove the patches before calling the original function and apply them again afterwards - that is the protection.
C# code:
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Threading;
namespace OffSpring
{
    /// <summary>
    /// In-process hook installer. On construction it scans the process's memory for a byte
    /// signature, detours the routine found at signature start + 0xE, and reports each call
    /// that targets an address below the end of the main module through a Lua print.
    /// </summary>
    /// <remarks>
    /// Depends on project helpers that are not shown here (<c>Memory.Instance</c>, <c>Win32</c>).
    /// The module the page calls "Warden" is presumably the host's memory-integrity scanner;
    /// that is inferred from the names only.
    /// NOTE(review): from a defender's view the code leaves observable artifacts: private
    /// regions switched to PAGE_EXECUTE_READWRITE and a detour inside the matched region.
    /// An integrity check that reads memory only through the detoured routine is visible to
    /// the very process it inspects.
    /// </remarks>
    class Scan
    {
        /// <summary>
        /// Native signature (cdecl) of the detoured routine. The meaning of the arguments is
        /// not established here; <c>adress</c>/<c>len</c> are presumably the range being read.
        /// </summary>
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate IntPtr WardenDelegate(IntPtr ptr, uint adress, uint len);
        /// <summary>
        /// Native signature (cdecl) of the host function used to run a Lua chunk; used here
        /// only to print diagnostics.
        /// </summary>
        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
        public delegate void LuaExecuteBufferDelegate(string lua, string fileName, uint pState);
        // Delegate bound in the constructor to the native function at baseAddress + 0x50229.
        private static LuaExecuteBufferDelegate LuaExecute;
        // Main-module base and size, narrowed to uint: assumes a 32-bit process — TODO confirm.
        private static uint baseAddress = (uint)Process.GetCurrentProcess().MainModule.BaseAddress;
        private static uint moduleSize = (uint)Process.GetCurrentProcess().MainModule.ModuleMemorySize;
        /// <summary>
        /// Binds <see cref="LuaExecute"/> to a fixed offset in the main module and starts the
        /// signature scan with a hard-coded 8-byte pattern.
        /// </summary>
        public Scan()
        {
            // 0x50229 is a build-specific offset; nothing here validates that it still points
            // at the expected function.
            LuaExecute = Memory.Instance.RegisterDelegate<LuaExecuteBufferDelegate>(baseAddress + 0x50229);
            SearchWarden(new byte[] { 0x74, 0x02, 0xF3, 0xA5, 0xB1, 0x03, 0x23, 0xCA });
        }
        /// <summary>
        /// Drops every registered detour, then creates and applies one named "WardenHook" on
        /// the routine at <paramref name="ptr"/> + 0xE, with <see cref="WardenCave"/> as the
        /// replacement.
        /// </summary>
        /// <param name="ptr">Address of the first byte of the matched signature.</param>
        private static void makeDetour(uint ptr)
        {
            // RemoveAll() affects all detours held by Memory.Instance, not only this one.
            Memory.Instance.Detours.RemoveAll();
            Memory.Instance.Detours.CreateAndApply(Memory.Instance.RegisterDelegate<WardenDelegate>(ptr + 0xE), new WardenDelegate(WardenCave), "WardenHook");
        }
        #region pattern scan
        /// <summary>
        /// Walks memory regions upward from the main-module base and looks for
        /// <paramref name="Signature"/> in every region that is at most 0x9000 bytes, committed
        /// and private. On a full match it installs the detour and returns.
        /// </summary>
        /// <param name="Signature">Byte pattern to find; compared byte by byte.</param>
        private unsafe void SearchWarden(byte[] Signature)
        {
            uint currentAddr = baseAddress;
            // Highest qualifying region address seen so far; used to notice address wrap-around.
            uint Max = 0;
            // Number of signature bytes matched so far. Declared outside the loop, so a partial
            // match carries over from one region into the next.
            int index = 0;
            uint old;
            Win32.MEMORY_BASIC_INFORMATION mbi = new Win32.MEMORY_BASIC_INFORMATION();
            do
            {
                // The return value is not inspected; mbi is used as filled in by this call.
                Win32.VirtualQuery(ref currentAddr, ref mbi, sizeof(Win32.MEMORY_BASIC_INFORMATION));
                // 4096 = MEM_COMMIT (0x1000), 131072 = MEM_PRIVATE (0x20000).
                if ((mbi.RegionSize <= 0x9000) && (mbi.State == 4096) && (mbi.Type == 131072))
                {
                    // 0x40 = PAGE_EXECUTE_READWRITE. The previous protection returned in 'old'
                    // is never restored, so every scanned region stays RWX afterwards.
                    if (Win32.VirtualProtect(currentAddr, mbi.RegionSize, 0x40, out old))
                    {
                        // Besides a match, this is the only exit: a qualifying region whose
                        // address is lower than an earlier one (the uint address wrapped).
                        if (currentAddr < Max)
                            return;
                        else
                            Max = currentAddr;
                        // x is a signed int holding an address and is dereferenced directly.
                        for (int x = (int)currentAddr; x < (currentAddr + mbi.RegionSize); x++)
                        {
                            // On a mismatch the counter restarts at 0; the current byte is not
                            // re-tested against Signature[0].
                            if (*(byte*)x == Signature[index])
                                index++;
                            else
                                index = 0;
                            if (index >= Signature.Length)
                            {
                                // x is the last matched byte; pass the address of the first.
                                makeDetour((uint)(x - Signature.Length + 1));
                                return;
                            }
                        }
                    }
                }
                currentAddr += mbi.RegionSize;
            } while (true);
        }
        #endregion
        /// <summary>
        /// Detour target. Prints the module-relative offset and length of the call when
        /// <paramref name="adress"/> is below the end of the main module, then forwards the
        /// call to the original routine and returns its result.
        /// </summary>
        /// <param name="ptr">First argument of the hooked routine, passed through unchanged.</param>
        /// <param name="adress">Address argument of the hooked routine.</param>
        /// <param name="len">Length argument of the hooked routine.</param>
        /// <returns>The original routine's return value, cast to <see cref="IntPtr"/>.</returns>
        private static IntPtr WardenCave(IntPtr ptr, uint adress, uint len)
        {
            // Upper bound only: an address below baseAddress also passes, and the subtraction
            // below then wraps in uint arithmetic.
            if (adress < baseAddress + moduleSize)
            {
                // |cff......|r are colour markup for the host's chat/print output; pState is 0.
                LuaExecute("print('found: |cffff00000x" + (adress - baseAddress).ToString("X") + "|r, length: |cff00ff00" + len.ToString() + "b|r')", "mylua.lua", 0);
            }
            return (IntPtr)Memory.Instance.Detours["WardenHook"].CallOriginal(ptr, adress, len);
        }
    }
}