skidscan-macros
| Crates.io | skidscan-macros |
| lib.rs | skidscan-macros |
| version | 0.1.2 |
| created_at | 2021-09-09 19:10:17.603677+00 |
| updated_at | 2021-09-10 18:19:42.053034+00 |
| description | Proc macros for skidscan |
| homepage | |
| repository | https://github.com/WilliamVenner/skidscan |
| max_upload_size | |
| id | 448984 |
| size | 5,089 |
William (WilliamVenner)
documentation
README
skidscan
Quick & dirty Rust sigscanning crate.
Features
- Cross-platform
- Scan for patterns from a pointer
- Scan for patterns in a byte slice
- Scan for patterns in a loaded shared library (.so/.dll)
- "Obfuscated signatures" using obfstr
Usage
let sig = signature!("40 53 48 83 EC 20 48 8B 01 48 8B D9 48 89 91 ? ? ? ? FF 90 ? ? ? ? 33 D2");
let sig = obfsignature!("40 53 48 83 EC 20 48 8B 01 48 8B D9 48 89 91 ? ? ? ? FF 90 ? ? ? ? 33 D2"); // "Obfuscated" signature
let result: Result<*mut u8, ModuleSigScanError> = sig.scan_module("path or module name");
let result: Option<usize> = sig.scan_ptr(0xDEADBEEF as *mut u8);
let result: Option<usize> = sig.scan(&[0x40, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0x01, 0x48, 0x8B, 0xD9, 0x48, 0x89, 0x91, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x90, 0x00, 0x00, 0x00, 0x00, 0x33, 0xD2]);
Signatures
Signatures are constructed as a series of Option<u8>.
None represents a ?: any byte, so long as it is present.
Some(u8) represents this byte exactly.
For example, signature!("48 89 91 ? ? ?") becomes [Some(0x48), Some(0x89), Some(0x91), None, None, None]
Obfuscated Signatures
You can construct an "obfuscated" signature using obfstr with the obfuscate crate feature.
Obfuscated signatures are constructed, for each byte: Some(obfstr!("0xFF").parse::<u8>())
For example, signature!("48 89 91 ? ? ?") becomes [Some(obfstr!("0x48").parse::<u8>()), Some(obfstr!("0x89").parse::<u8>()), Some(obfstr!("0x91").parse::<u8>()), None, None, None]