Find String Offsets in a file easily! (VB.Net)

by Killpot - 09-02-2016, 04:53 AM
#1
OP
Posted: 09-02-2016, 04:53 AM (This post was last modified: 09-02-2016, 04:54 AM by Killpot.)
Yo.

So this is just something I whipped up and threw together to get this working. I imagine this could be much more efficient; however, I'm not worrying about parsing massive files, so efficiency isn't a huge deal as long as it works relatively quickly.

It works by converting the inputted string into a Unicode encoded string, then from there converts it to a list of Hex bytes.

After that it loops through the desired file and will return the starting offset, and the ending offset once it finds all of the Hex bytes in a row. 

Super simple and amazingly useful for patching. I'll be personally using this in Ven0m to patch DLLs before they're sent to the client.

Screenshot of it implemented:

Below is an example of a DLL opened in HxD and a simple console I made to scan for the desired Hex pattern. HxD has the string found and selected, and from there we can compare my function's starting and ending addresses vs. what HxD found. As you see they match.

[Image: UHCD42c.png]

Function:

Please register or login in order to unlock hidden content.
#2
Posted: 13-02-2016, 03:51 AM (This post was last modified: 13-02-2016, 03:53 AM by bitm0de.)
In C++ you can use std::search combined with std::async and std::shared_future for a fairly fast implementation for string pattern matching. I know because I wrote a similar implementation for memory scanning. Worked out fairly well but you need C++11 as a minimum.
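The std::search plus std::async approach mentioned in this reply, sketched as an added example (not code from the thread or from either poster). The names `utf16le` and `find_all`, the in-memory buffer, and the ASCII-only encoder are assumptions made for illustration; the sample data in `main` is constructed.

```cpp
#include <algorithm>
#include <cstdio>
#include <future>
#include <string>
#include <system_error>
#include <vector>

using Bytes = std::vector<unsigned char>;
using Hits = std::vector<std::size_t>;

Bytes utf16le(const std::string& s) { // ASCII text to UTF-16LE: each byte followed by 0x00
    Bytes out;
    for (unsigned char c : s) { out.push_back(c); out.push_back(0); }
    return out;
}

// Offsets of every occurrence of pat in data, using up to `workers` parallel std::search scans.
// A worker owns match starts [lo, hi) and reads pat.size()-1 bytes past hi, so a match that
// straddles a slice boundary is reported exactly once, by the slice it starts in.
Hits find_all(const Bytes& data, const Bytes& pat, std::size_t workers) {
    Hits hits;
    if (pat.empty() || data.size() < pat.size() || workers == 0) return hits;
    const std::size_t starts = data.size() - pat.size() + 1;  // valid start positions
    const std::size_t per = (starts + workers - 1) / workers; // start positions per worker
    std::vector<std::future<Hits>> jobs;
    for (std::size_t lo = 0; lo < starts; lo += per) {
        const std::size_t hi = std::min(lo + per, starts);
        auto scan = [&data, &pat, lo, hi]() -> Hits {
            Hits local;
            auto first = data.begin() + lo;
            const auto last = data.begin() + (hi - 1 + pat.size());
            while ((first = std::search(first, last, pat.begin(), pat.end())) != last) {
                local.push_back(static_cast<std::size_t>(first - data.begin()));
                ++first; // step one byte so overlapping matches are found too
            }
            return local;
        };
        try { jobs.push_back(std::async(std::launch::async, scan)); } // deferred if no thread starts
        catch (const std::system_error&) { jobs.push_back(std::async(std::launch::deferred, scan)); }
    }
    for (auto& j : jobs) // slices were queued in order, so hits come out sorted
        for (std::size_t off : j.get()) hits.push_back(off);
    return hits;
}

int main() { // constructed sample: 4 KiB of filler with one match planted across a slice boundary
    Bytes data(4096, 0x41);
    const Bytes pat = utf16le("CompanyName");
    std::copy(pat.begin(), pat.end(), data.begin() + 1010);
    for (std::size_t off : find_all(data, pat, 4)) std::printf("0x%08zX - 0x%08zX\n", off, off + pat.size() - 1);
}
```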

#3
Posted: 14-02-2016, 11:26 AM (This post was last modified: 14-02-2016, 11:41 AM by bitm0de.)
Wrote this in C really quick:
[Image: ugVJ1D5.png]

Code:
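#include <Windows.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUCCESS_GOTO(x) { ret = (x); goto done; }
#define FAIL_GOTO(err) { ret = (err); goto done; }

#define READ_BUF_SIZE 1024

typedef struct _string_offset
{
    unsigned long long offset; /* file offset of the first matching byte */
    size_t length;             /* match length in bytes */
} string_offset;

/* Searches filepath for src encoded as UTF-16LE.
   Returns 1 if found, 0 if not found, -1 on error. */
int find_string_offset(const char *filepath, const char *src, string_offset *result)
{
    int ret = 0;
    int wlen;
    FILE *fp = NULL;
    WCHAR *wstr = NULL;
    unsigned char *buf = NULL;
    size_t len = strlen(src);
    size_t byte_len, bytes_read, avail, scanpos;
    size_t carry = 0;            /* bytes kept from the previous chunk */
    unsigned long long base = 0; /* file offset of buf[0] */

    if (len == 0 || len >= INT_MAX)
    {
        fputs("ERROR: search string is empty or too long\n", stderr);
        return -1;
    }

    if (!(fp = fopen(filepath, "rb")))
    {
        fputs("ERROR: failed to open file for read access\n", stderr);
        return -1;
    }

    /* buf holds one chunk plus the tail carried over from the previous one */
    wstr = malloc((len + 1) * sizeof(WCHAR));
    buf = malloc(READ_BUF_SIZE + len * sizeof(WCHAR));
    if (!wstr || !buf)
    {
        fputs("ERROR: out of memory\n", stderr);
        FAIL_GOTO(-1);
    }

    /* wlen counts the terminating null, so the pattern is wlen - 1 characters */
    wlen = MultiByteToWideChar(CP_OEMCP, 0, src, -1, wstr, (int)(len + 1));
    if (wlen <= 1)
    {
        fputs("ERROR: failed to convert string to wide character string\n", stderr);
        FAIL_GOTO(-1);
    }
    byte_len = (size_t)(wlen - 1) * sizeof(WCHAR);

    while ((bytes_read = fread(buf + carry, 1, READ_BUF_SIZE, fp)) > 0)
    {
        avail = carry + bytes_read;

        /* scan only the bytes actually present, never stale buffer contents */
        for (scanpos = 0; scanpos + byte_len <= avail; ++scanpos)
        {
            if (memcmp(&buf[scanpos], wstr, byte_len) == 0)
            {
                if (result)
                {
                    result->offset = base + scanpos;
                    result->length = byte_len;
                }
                SUCCESS_GOTO(1);
            }
        }

        /* keep the last byte_len - 1 bytes so a match split across two reads is found */
        carry = (avail < byte_len - 1) ? avail : byte_len - 1;
        memmove(buf, buf + (avail - carry), carry);
        base += avail - carry;
    }

    if (ferror(fp))
    {
        fputs("ERROR: failed to read file\n", stderr);
        FAIL_GOTO(-1);
    }

    ret = 0;
done:
    if (fp) fclose(fp);
    free(wstr);
    free(buf);
    return ret;
}

int main(void)
{
    string_offset result;
    int ret = find_string_offset("pathtofilehere", "searchstring", &result);
    if (ret == 1)
    {
        printf("offset: 0x%.8llX\n"
               "length: 0x%lX (%lu bytes)\n",
               result.offset,
               (unsigned long)result.length,
               (unsigned long)result.length
        );
    }
    else if (ret == 0)
    {
        fputs("ERROR: Could not find string in file\n", stderr);
    }

    return 0;
}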

Could use some improvements but it works. I took a .NET assembly as an example file and searched for "CompanyName" in the metadata. About ~20 seconds for a 700Mb file but with a modified approach that can be optimized.
Killpot
18-02-2016, 07:33 PM