#include <windows.h>

#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <limits>
#include <memory>
#include <string>
#include <vector>
/// @brief Tells whether a byte is a printable 7-bit ASCII character.
/// @param ch Byte to classify; bytes outside 0x20..0x7E (control characters,
///           DEL and anything with the high bit set) are not printable.
/// @return true for space through tilde, false otherwise.
bool IsPrintableASCII(char ch) {
    // Compare as an unsigned value so high-bit bytes fall outside the window
    // regardless of whether char is signed on this toolchain.
    const unsigned char code = static_cast<unsigned char>(ch);
    return code >= 0x20 && code <= 0x7E;
}
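namespace {

// Deleter so the process handle is released on every exit path, including a
// std::vector/std::string allocation throwing for a very large region.
struct HandleCloser {
    void operator()(HANDLE handle) const noexcept { CloseHandle(handle); }
};
using UniqueHandle = std::unique_ptr<void, HandleCloser>;

// Returns the printable ASCII characters found in content[startPos, endPos).
std::string CollectPrintable(const std::string& content, size_t startPos, size_t endPos) {
    std::string printable;
    printable.reserve(endPos - startPos);
    for (size_t i = startPos; i < endPos; ++i) {
        if (IsPrintableASCII(content[i])) {
            printable += content[i];
        }
    }
    return printable;
}

// Prints every occurrence of searchString in pageContent together with the
// printable characters found up to `range` bytes before and after the match.
// searchLength is strlen(searchString), computed once by the caller.
void ReportMatches(const std::string& pageContent, const char* searchString, size_t searchLength, DWORD range) {
    size_t found = pageContent.find(searchString);
    while (found != std::string::npos) {
        // Clamp the context window to the page boundaries.
        const size_t startPos = (found > range) ? found - range : 0;
        const size_t matchEnd = found + searchLength;
        const size_t endPos = (matchEnd + range < pageContent.length()) ? matchEnd + range : pageContent.length();
        const std::string printableChars = CollectPrintable(pageContent, startPos, endPos);
        printf("[+] Search string \"%s\" FOUND: %s\n", searchString, printableChars.c_str());
        // Resume one byte after the match start so overlapping occurrences are reported too.
        found = pageContent.find(searchString, found + 1);
    }
}

}  // namespace

/// @brief Scans the committed, readable memory of another process for a
///        string and prints each hit with its surrounding printable bytes.
/// @param processId   PID of the process to open with PROCESS_VM_READ |
///                    PROCESS_QUERY_INFORMATION; failure to open is reported
///                    (with GetLastError()) and the function returns.
/// @param searchString NUL-terminated byte string to look for; an empty or
///                    null string is rejected, since find("") would match at
///                    every byte of every region.
/// @param range       Number of bytes of context to show on each side of a hit.
/// Output goes to stdout via printf; nothing is returned.
void SearchStringInProcessMemory(DWORD processId, const char* searchString, DWORD range) {
    const size_t searchLength = (searchString != nullptr) ? strlen(searchString) : 0;
    if (searchLength == 0) {
        printf("[-] Search string must not be empty.\n");
        return;
    }

    UniqueHandle processHandle(OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, processId));
    if (!processHandle) {
        printf("Failed to open process with ID %lu. Error code: %lu\n", processId, GetLastError());
        return;
    }

    SYSTEM_INFO sysInfo;
    GetSystemInfo(&sysInfo);
    // Walk only the application address range; stopping at the maximum
    // address keeps the loop bounded even if VirtualQueryEx keeps answering.
    const auto maxAddress = reinterpret_cast<std::uintptr_t>(sysInfo.lpMaximumApplicationAddress);
    auto address = reinterpret_cast<std::uintptr_t>(sysInfo.lpMinimumApplicationAddress);

    MEMORY_BASIC_INFORMATION memInfo;
    std::vector<char> buffer;  // reused across regions; resize() keeps capacity
    while (address < maxAddress &&
           VirtualQueryEx(processHandle.get(), reinterpret_cast<LPCVOID>(address), &memInfo, sizeof(memInfo)) == sizeof(memInfo)) {
        // Only committed, accessible regions can be read. Guard pages are
        // skipped as well: access to them is reported as a guard-page
        // violation rather than returning data, so they only add error lines.
        const bool readable = memInfo.State == MEM_COMMIT
                           && memInfo.Protect != PAGE_NOACCESS
                           && (memInfo.Protect & PAGE_GUARD) == 0;
        if (readable) {
            buffer.resize(memInfo.RegionSize);
            SIZE_T bytesRead = 0;
            if (ReadProcessMemory(processHandle.get(), memInfo.BaseAddress, buffer.data(), memInfo.RegionSize, &bytesRead) && bytesRead > 0) {
                // Only the bytes actually read are searched; the rest of the
                // buffer may hold stale data from a previous region.
                const std::string pageContent(buffer.begin(), buffer.begin() + bytesRead);
                ReportMatches(pageContent, searchString, searchLength, range);
            } else {
                printf("[-] Failed to read process memory. Error code: %lu\n", GetLastError());
            }
        }
        // Advance to the region following this one; bail out if the address
        // arithmetic did not move forward (wrap-around or a zero-size region).
        const std::uintptr_t next = reinterpret_cast<std::uintptr_t>(memInfo.BaseAddress) + memInfo.RegionSize;
        if (next <= address) {
            break;
        }
        address = next;
    }
    // processHandle closes itself here.
}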
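namespace {

// Parses a non-negative decimal integer that fits in a DWORD.
// Returns false on null/empty input, a minus sign (strtoul would silently
// wrap a negative value), trailing garbage, or overflow; `out` is untouched then.
bool ParseDword(const char* text, DWORD& out) {
    if (text == nullptr || *text == '\0' || std::strchr(text, '-') != nullptr) {
        return false;
    }
    char* end = nullptr;
    errno = 0;
    const unsigned long value = std::strtoul(text, &end, 10);
    if (errno == ERANGE || *end != '\0' || value > std::numeric_limits<DWORD>::max()) {
        return false;
    }
    out = static_cast<DWORD>(value);
    return true;
}

}  // namespace

/// @brief Entry point: procsearch.exe <processId> <searchString> <range>.
/// Validates the argument count and that <processId> and <range> are
/// well-formed unsigned integers (atoi would have turned junk into 0), then
/// runs the memory search.
/// @return 0 after the search was attempted, 1 on a usage error.
int main(int argc, char* argv[]) {
    if (argc != 4) {
        printf("Usage: procsearch.exe <processId> <searchString> <range>\n");
        return 1;
    }
    DWORD targetProcessId = 0;
    DWORD range = 0;
    if (!ParseDword(argv[1], targetProcessId) || !ParseDword(argv[3], range)) {
        printf("Usage: procsearch.exe <processId> <searchString> <range>\n");
        return 1;
    }
    const char* searchString = argv[2];
    SearchStringInProcessMemory(targetProcessId, searchString, range);
    return 0;
}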