3 releases
| 0.1.2 | Sep 10, 2021 |
|---|---|
| 0.1.1 | Sep 9, 2021 |
| 0.1.0 | Sep 9, 2021 |
#32 in #dirty
189 downloads per month
Used in 6 crates
(via skidscan)
6KB
68 lines
skidscan
Quick & dirty Rust sigscanning crate.
Features
- Cross-platform
- Scan for patterns from a pointer
- Scan for patterns in a byte slice
- Scan for patterns in a loaded shared library (.so/.dll)
- "Obfuscated signatures" using obfstr
Usage
let sig = signature!("40 53 48 83 EC 20 48 8B 01 48 8B D9 48 89 91 ? ? ? ? FF 90 ? ? ? ? 33 D2");
let sig = obfsignature!("40 53 48 83 EC 20 48 8B 01 48 8B D9 48 89 91 ? ? ? ? FF 90 ? ? ? ? 33 D2"); // "Obfuscated" signature
let result: Result<*mut u8, ModuleSigScanError> = sig.scan_module("path or module name");
let result: Option<usize> = sig.scan_ptr(0xDEADBEEF as *mut u8);
let result: Option<usize> = sig.scan(&[0x40, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0x01, 0x48, 0x8B, 0xD9, 0x48, 0x89, 0x91, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x90, 0x00, 0x00, 0x00, 0x00, 0x33, 0xD2]);
Signatures
Signatures are constructed as a series of Option<u8>.
None represents a ?: any byte, so long as it is present.
Some(u8) represents this byte exactly.
For example, signature!("48 89 91 ? ? ?") becomes [Some(0x48), Some(0x89), Some(0x91), None, None, None]
Obfuscated Signatures
You can construct an "obfuscated" signature using obfstr with the obfuscate crate feature.
Obfuscated signatures are constructed, for each byte: Some(obfstr!("0xFF").parse::<u8>())
For example, signature!("48 89 91 ? ? ?") becomes [Some(obfstr!("0x48").parse::<u8>()), Some(obfstr!("0x89").parse::<u8>()), Some(obfstr!("0x91").parse::<u8>()), None, None, None]
Dependencies
~3.5MB
~74K SLoC