4 releases
| 0.1.3 | Mar 6, 2024 |
|---|---|
| 0.1.2 | Mar 6, 2024 |
| 0.1.1 | Mar 6, 2024 |
| 0.1.0 | Mar 6, 2024 |
#63 in Windows APIs
47 downloads per month
22KB
340 lines
sigmatch
A memory signature search library for the Windows platform written in Rust.
It's a basic version migrated from another C++ project of mine, with more features coming soon!
Quick Use
Assuming you've obtained the signatures via IDA-Pro-SigMaker.
| Signature type | Example preview |
|---|---|
| IDA Signature | E8 ? ? ? ? 45 33 F6 66 44 89 34 33 |
| x64Dbg Signature | E8 ?? ?? ?? ?? 45 33 F6 66 44 89 34 33 |
| C Byte Array Signature + String mask | \xE8\x00\x00\x00\x00\x45\x33\xF6\x66\x44\x89\x34\x33 x????xxxxxxxx |
| C Raw Bytes Signature + Bitmask | 0xE8, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xF6, 0x66, 0x44, 0x89, 0x34, 0x33 0b1111111100001 |
[dependencies]
anyhow = "1.0"
sigmatch = "0.1"
fn main() {
let Ok(mut sker) = sigmatch::Seeker::with_name("user32.dll") else {
return;
};
// IDA sig
let Ok(_ida_example) = sker.search("E8 ? ? ? ? 45 33 F6 66 44 89 34 33") else {
return;
};
// x64dbg sig
let Ok(_x64dbg_example) = sker.search("E8 ?? ?? ?? ?? 45 33 F6 66 44 89 34 33") else {
return;
};
// c sig + mask
let Ok(_c_example) = sker.raw_search(
b"\xE8\x00\x00\x00\x00\x45\x33\xF6\x66\x44\x89\x34\x33",
"x????xxxxxxxx",
) else {
return;
};
// rebind and reversese_search
let _ = || -> anyhow::Result<()> {
// If the module name is "main", then retrieve the main module.
let _rebind_example = sker.bind("main")?.reverse_search("ab cd ?? ef")?;
Ok(())
}();
// new Seeker
let mut sker1 = sigmatch::Seeker::new();
if sker1.bind("ntdll.dll").is_err() {
return;
}
}
todo
-
supports chaining calls.
-
allows specifying search addresses.
-
section-based search support.
-
support for limiting the search.
-
unit testing
-
improved file organization
examples
More than examples can see examples.
Dependencies
~144MB
~2.5M SLoC