#pattern #scan #memory #signature #aob #hex-string #object-file

aobscan

AOBscan is a library for multi-threaded AOB memory scanning

8 releases

0.3.0 Nov 17, 2022
0.2.0 Oct 29, 2022
0.1.7 Oct 3, 2022
0.1.5 Sep 29, 2022

#1424 in Algorithms

Download history 1/week @ 2023-11-20 2/week @ 2023-11-27 28/week @ 2024-02-19 19/week @ 2024-02-26 13/week @ 2024-03-04

60 downloads per month
Used in 2 crates

MIT license

37KB
387 lines

AOBscan 📝


AOBscan is a library for multi-threaded AOB memory scanning, aimed at malware analysis and reverse engineering.

This library implements helpful features for scanning for patterns in data slices or object files sections. (allowing for extremely fast scans)

Features

  • Single-threaded and multi-threaded scanning
  • Match selection using callback functions
  • IDA-style patterns: 48 8b ? ? ? 48 8c ?? ?? ?? ??
  • Code-style signatures/masks: (\x48\x8b\x00\x00\x00, ..???)
  • Hexadecimal strings: 488b??????
  • Scan for pattern in an object file section (feature: object-scan)

Usage

Add this to your Cargo.toml:

[dependencies]
aobscan = "0.3"

Example: Scan for 48 8B ? ? ? in some.bin with all the available threads, and stop at the first match.

fn main() {
    let data = include_bytes!("some_file.bin");
    let result = aobscan::Pattern::from_ida_style("48 8B ? ? ? ?")
        .unwrap()
        .with_all_threads()
        .build()
        .scan(data, |offset| {
            println!("Found pattern at offset: 0x{:x}", offset);
            false
        });
}

For a real-world example, check out the AOBscan CLI twin project.

Benchmark

The results of the benchmark example are as follows:

CPU MT Average ST Average MT Peak
Apple M1 Pro (10C) 10.17 GB/s 1.42 GB/s 12.41 GB/s

Dependencies

~25–530KB
~11K SLoC