Digisoul

Search the binary

18 posts in this topic

#1 ·  Posted (edited)

Hello Guys,

I am trying to search for some bytes in .exe files. Well, I know about StringRegExp, file open and other stuff; now my problem is that I have 30 types of byte blocks (in an external file) which I want to check in every .exe file, so my app works fine but it takes much time if the file is > 1 MB.

Can someone please tell me any solution?

I tried to search; only one topic I found which can fulfill my requirement, but it's actually not complete (my bad luck).

The attractive thing in this topic is:

Note!
Searching the binary data in the string mode is a very slow procedure. For quick searching use a buffer created through a DllStructCreate() function.

topic ref: http://www.autoitscript.com/forum/index.ph...6&hl=binary

How can I create a buffer through a DllStructCreate() function?

Please help me out guys; if no one wants to help, show me any right example!

Edited by Digisoul

73 108 111 118 101 65 117 116 111 105 116




#2 ·  Posted (edited)

Note!

Searching the binary data in the string mode is a very slow procedure. For quick searching use a buffer created through a DllStructCreate() function.

Also you can find more examples from my little tools  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< :mellow:

@Digisoul

Although the example is for reading 512 bytes from a drive, it can easily be modified to work for a file.

You may or may not see an increase in speed; it depends on how you intend to parse the data.

Posting some of your own code may increase other responses.

Vlad

Edited by Mobius


#3 ·  Posted (edited)

@Digisoul

Posting some of your own code may increase other responses.

Vlad

I am using the normal process to search the bytes.

That's my original code that I am using.

; Open the file in binary mode (16): FileRead() then returns a Binary value,
; and StringRegExp() searches its string form ("0x4D5A9000..."), so the
; signatures in $sig are hex strings.
$h = FileOpen($scan_file, 16)
If $h <> -1 Then
    $file_data = FileRead($h)
    FileClose($h)
EndIf

; $sig, $iDel, $Delimiters, $prc_id and _AU3COM_SendData() come from the rest of
; the application: $sig[0][0] is the number of signatures, $sig[$i][0] the
; pattern and $sig[$i][1] the name reported on a hit.
$l = 0
For $i = 1 To $sig[0][0]
    If $iDel = 1 Then Sleep(20)
    $search = StringRegExp($file_data, $sig[$i][0], 0)
    $l += 1
    $fper = Round($l / $sig[0][0] * 100, 1) ; set percentage
    _AU3COM_SendData('nad' & $Delimiters & 'file' & $Delimiters & $scan_file & " [ " & $fper & "% ]", $prc_id)
    If $search = 1 Then
        ;~ MsgBox(0, "V", $sig[$i][1])
        _AU3COM_SendData('nad' & $Delimiters & 'infec' & $Delimiters & $scan_file & "> " & $sig[$i][1], $prc_id)
    EndIf
Next

All the byte blocks are saved in an external ini file ($sig).

Edited by Digisoul

73 108 111 118 101 65 117 116 111 105 116
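The search in the post above runs StringRegExp() over the string form of a Binary value, that is over the hex spelling "0x4D5A..." of the file, with the signatures themselves written as hex. That has a failure mode worth checking for: the hex text has two characters per byte, so a hex pattern can also match starting in the middle of a byte, at an odd character offset, where no such byte sequence exists in the file. The Python below is an added example, not code from this thread or from AutoIt: it emulates that string-mode search, shows the misaligned false positive on a constructed buffer, and contrasts it with a search over the raw bytes. The sample bytes and the signatures "29C0" and "00" are constructed for the demonstration.

```python
import re

# Constructed sample buffer (not a real file): a fake MZ header, then the bytes
# 12 9C 0F, a zero byte, and finally the real two-byte sequence 29 C0.
SAMPLE = b"MZ\x90\x00" + bytes.fromhex("129C0F") + b"\x00" + bytes.fromhex("29C0FEC8")


def hex_form(data):
    """The string AutoIt produces when a Binary value is used as a string:
    "0x" followed by upper-case hex, two characters per byte."""
    return "0x" + data.hex().upper()


def string_mode_hits(data, sig_hex):
    """Emulate StringRegExp(<binary as string>, <hex signature>) and return the
    index of every match inside the hex text (0 = first hex digit). A lookahead
    reports overlapping matches too; the signature is escaped because it is a
    literal byte pattern, not a regex."""
    text = hex_form(data)[2:]
    pattern = re.compile("(?=" + re.escape(sig_hex.replace(" ", "").upper()) + ")")
    return [m.start() for m in pattern.finditer(text)]


def string_mode_byte_offsets(data, sig_hex):
    """What the string-mode search claims in byte terms: every hex index
    halved. An odd index yields a fractional 'offset' that no byte has."""
    return [i / 2 for i in string_mode_hits(data, sig_hex)]


def byte_mode_hits(data, sig_hex):
    """Search the raw bytes instead: a match can only start on a byte boundary."""
    sig = bytes.fromhex(sig_hex.replace(" ", ""))
    hits, start = [], 0
    while True:
        pos = data.find(sig, start)
        if pos == -1:
            return hits
        hits.append(pos)
        start = pos + 1


def aligned_string_mode_hits(data, sig_hex):
    """Keep the string-mode search but drop matches at odd hex indices;
    the result then agrees with the byte search."""
    return [i // 2 for i in string_mode_hits(data, sig_hex) if i % 2 == 0]


if __name__ == "__main__":
    print(hex_form(SAMPLE))
    print("string mode :", string_mode_byte_offsets(SAMPLE, "29C0"))  # [4.5, 8.0]
    print("byte mode   :", byte_mode_hits(SAMPLE, "29C0"))            # [8]
    print("aligned     :", aligned_string_mode_hits(SAMPLE, "29C0"))  # [8]
```

The hex text of the sample is "0x4D5A9000129C0F0029C0FEC8": "29C0" occurs at character 9, inside the bytes 12 9C 0F, and again at character 16, which is the genuine hit at byte 8. A scanner that reports "infected" on the first kind of match produces false positives that the byte-level search never sees; the same happens for the pattern "00" across the bytes 90 00.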

#4 ·  Posted

@Digisoul

Although example is for reading 512 bytes from a drive, it can easily be modified to work for a file.

Vlad

I checked this example, but how can I use it to search for something, and where is the data actually stored? :mellow:


73 108 111 118 101 65 117 116 111 105 116

#5 ·  Posted


Rough example:

#include <WinAPI.au3>

$sFile = 'file.bin'
$nFileSize = FileGetSize($sFile)

; Raw byte buffer of the file's size; the file is read straight into it.
$bBuffer = DllStructCreate("byte[" & $nFileSize & "]")

; 2 = open existing file, 2 = read access
$hFile = _WinAPI_CreateFile($sFile, 2, 2)

; Read $nFileSize bytes into the struct's memory; the last argument is ByRef
; and receives the number of bytes actually read.
_WinAPI_ReadFile($hFile, DllStructGetPtr($bBuffer), $nFileSize, $nFileSize)

_WinAPI_CloseHandle($hFile)

#6 ·  Posted

Thank you very much rasim for your useful example, but how can I use the _WinAPI_ReadFile($hFile, DllStructGetPtr($bBuffer), $nFileSize, $nFileSize)? I tried very much but didn't find anything. :(

I mean to say, how can I use any function to find from the API ReadFile? Please, please do me one favour: can you add your example to this code?

$h = FileOpen($scan_file, 16) ; 16 = binary mode
If $h <> -1 Then
    $file_data = FileRead($h)
    FileClose($h)
EndIf

$l = 0
For $i = 1 To $sig[0][0]
    If $iDel = 1 Then Sleep(20)
    $search = StringRegExp($file_data, $sig[$i][0], 0)
    $l += 1
    $fper = Round($l / $sig[0][0] * 100, 1) ; set percentage
    _AU3COM_SendData('nad' & $Delimiters & 'file' & $Delimiters & $scan_file & " [ " & $fper & "% ]", $prc_id)
    If $search = 1 Then
        ;~ MsgBox(0, "V", $sig[$i][1])
        _AU3COM_SendData('nad' & $Delimiters & 'infec' & $Delimiters & $scan_file & "> " & $sig[$i][1], $prc_id)
    EndIf
Next

Hope you will help me :mellow:


73 108 111 118 101 65 117 116 111 105 116


#7 ·  Posted (edited)

#include <WinAPI.au3>

$t = TimerInit()

$sFile = "E:\Data\desk\321\DIGISOUL (H)\Crystal Theme\explorer.exe"

$nFileSize = FileGetSize($sFile)

$bBuffer = DllStructCreate("byte[" & $nFileSize & "]")

$hFile = _WinAPI_CreateFile($sFile, 2, 2)

_WinAPI_ReadFile($hFile, DllStructGetPtr($bBuffer), $nFileSize, $nFileSize)

; The whole buffer copied back out as one Binary value, so StringRegExp()
; again searches its hex string form.
$data = DllStructGetData($bBuffer, 1)

$sig = IniReadSection(@DesktopDir & "\spclv.xr", "sig")

For $i = 1 To $sig[0][0]
    $search = StringRegExp($data, $sig[$i][0])
    $fper = Round($i / $sig[0][0] * 100, 1) ; set percentage
    ConsoleWrite("+" & $fper & "% = " & @CRLF)
    If $search = 1 Then
        ConsoleWrite($sig[$i][1] & @CRLF)
        ExitLoop
    EndIf
Next

ConsoleWrite("Wait " & Ceiling(TimerDiff($t)) & @CRLF)
_WinAPI_CloseHandle($hFile)

But this method is slower than FileOpen(); is there any fast method to search the bytes?

Edited by Digisoul

73 108 111 118 101 65 117 116 111 105 116

#8 ·  Posted

Just use StringInStr() with the CASE_SENSITIVE option.

#9 ·  Posted

Digisoul

but this method is slower than FileOpen(); is there any fast method to search the bytes?

Something like this:

#include <WinAPI.au3>

$t = TimerInit()

$sFile = "E:\Data\desk\321\DIGISOUL (H)\Crystal Theme\explorer.exe"

$nFileSize = FileGetSize($sFile)

$bBuffer = DllStructCreate("byte[" & $nFileSize & "]")

; 2 = open existing file, 2 = read access
$hFile = _WinAPI_CreateFile($sFile, 2, 2)

_WinAPI_ReadFile($hFile, DllStructGetPtr($bBuffer), $nFileSize, $nFileSize)

;$data = DllStructGetData($bBuffer, 1)

$sig = IniReadSection(@DesktopDir & "\spclv.xr", "sig")

; Walks the buffer one element at a time: DllStructGetData($bBuffer, 1, $j)
; returns the single byte at 1-based index $j, which is then compared with
; the whole signature string $sig[$i][0].
For $i = 1 To $sig[0][0]
    For $j = 1 To $nFileSize
        If DllStructGetData($bBuffer, 1, $j) = $sig[$i][0] Then ConsoleWrite($sig[$i][0] & @LF)
    Next
Next

_WinAPI_CloseHandle($hFile)

#10 ·  Posted

DllStructGetData($bBuffer, 1, $j) always returns "-112,77,90,0", but the thing I want to search for is "29C0FEC808C0740475F8EB67E8". Actually, I didn't get the method.

thanks for your help.


73 108 111 118 101 65 117 116 111 105 116

#11 ·  Posted

OK, close this topic, it's impossible :mellow:


73 108 111 118 101 65 117 116 111 105 116

#12 ·  Posted

Likely it can't be faster than this:

$bBinary = "0x001211678900412A3F33"
$offset = BinaryInBinary($bBinary, "0x00", 2)
ConsoleWrite("Second occurrence of 0x00 at offset: " & $offset & @CRLF)


; Returns the 0-based byte offset of the $occurrence-th hit of $bBinaryToFind
; inside $bBinary, or -1 when it is not found.
Func BinaryInBinary($bBinary, $bBinaryToFind, $occurrence = 1)

    $bBinary = Binary($bBinary)
    $bBinaryToFind = Binary($bBinaryToFind)

    ; BinaryToString() turns both byte sequences into strings, a case-sensitive (2)
    ; StringInStr() finds the pattern, and its 1-based result is shifted to 0-based.
    Return StringInStr(BinaryToString($bBinary), BinaryToString($bBinaryToFind), 2, $occurrence) - 1

EndFunc

♡♡♡

.

eMyvnE


#13 ·  Posted (edited)

Please explain this code:

$bBinary = "0x001211678900412A3F33"

Assume the data that we get.

$offset = BinaryInBinary($bBinary, "0x00", 2)

This will perform the search. OK.

Now the question is, if I only want to search for 3F33?

Edited by Digisoul

73 108 111 118 101 65 117 116 111 105 116


#14 ·  Posted (edited)

You will do this:

$bBinary = "0x001211678900412A3F33"
$offset = BinaryInBinary($bBinary, "0x3F33")
ConsoleWrite("0x3F33 at offset: " & $offset & @CRLF)


Func BinaryInBinary($bBinary, $bBinaryToFind, $occurrence = 1)

    $bBinary = Binary($bBinary)
    $bBinaryToFind = Binary($bBinaryToFind)
    
    Return StringInStr(BinaryToString($bBinary), BinaryToString($bBinaryToFind), 2, $occurrence) - 1

EndFunc

Edited by trancexx

♡♡♡

.

eMyvnE
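BinaryInBinary() above does the right thing for this problem: it hands the whole byte pattern to one library substring search instead of having the script compare bytes one at a time. The Python below is an added example, not code from this thread or from AutoIt, written in Python rather than AutoIt so that it runs anywhere; it carries the same idea through to the scanner the thread is after. It parses hex signatures from an INI-style [sig] section (the layout the thread's IniReadSection() call reads), maps a file instead of copying it into a string, and returns 0-based offsets with the same occurrence argument as BinaryInBinary(). naive_find() shows, as a contrast to the DllStructGetData($bBuffer, 1, $j) loop earlier in the thread, what a correct byte-at-a-time comparison looks like. The signature list, the names and the sample buffer are constructed for the example and detect nothing real.

```python
import mmap
import os

# Constructed signature list in the INI layout the thread reads with
# IniReadSection(<file>, "sig"): key = pattern bytes in hex, value = name.
# The hex values are made up for the example.
SIG_INI = """\
[sig]
; key = pattern bytes in hex, value = name reported on a hit
29C0FEC808C0740475F8EB67E8=Demo.Sample.A
4D5A9000=PE-MZ-header
E8 00 00 00 00 5B=Call-pop-getpc
"""

# Constructed sample buffer: fake MZ header, padding, the first signature, padding.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + bytes.fromhex("29C0FEC808C0740475F8EB67E8") + b"\xCC" * 4


def parse_signatures(ini_text):
    """Return [(name, pattern_bytes)] from the [sig] section of an INI string.
    Hex may contain spaces; blank lines and ';' comments are ignored."""
    sigs, in_sig = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_sig = line[1:-1].strip().lower() == "sig"
            continue
        if in_sig and "=" in line:
            hex_part, name = line.split("=", 1)
            sigs.append((name.strip(), bytes.fromhex(hex_part.replace(" ", ""))))
    return sigs


def binary_in_binary(haystack, needle, occurrence=1):
    """0-based offset of the occurrence-th hit of needle in haystack, or -1.
    Same contract as the AutoIt BinaryInBinary() above (StringInStr() - 1);
    the search resumes one byte after the previous hit, so hits may overlap."""
    if not needle or occurrence < 1:
        return -1
    pos = -1
    for _ in range(occurrence):
        pos = haystack.find(needle, pos + 1)
        if pos == -1:
            return -1
    return pos


def naive_find(haystack, needle):
    """Byte-at-a-time search done correctly: at every offset compare the whole
    window haystack[j:j+len(needle)] with needle. Same answer as find(), only
    slower; comparing one byte with the entire signature can never match a
    multi-byte pattern."""
    n, m = len(haystack), len(needle)
    for j in range(n - m + 1):
        if haystack[j:j + m] == needle:
            return j
    return -1


def scan_bytes(data, sigs):
    """One substring search per signature over the whole buffer."""
    hits = []
    for name, pattern in sigs:
        off = data.find(pattern)
        if off != -1:
            hits.append((name, off))
    return hits


def scan_file(path, sigs):
    """Map the file read-only instead of copying it into a string; the kernel
    pages it in as find() touches it, so large binaries need no extra copy."""
    if os.path.getsize(path) == 0:  # mmap refuses zero-length files
        return []
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_bytes(mm, sigs)


if __name__ == "__main__":
    import tempfile
    sigs = parse_signatures(SIG_INI)
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(SAMPLE)
    try:
        for name, off in scan_file(tmp.name, sigs):
            print("%s at offset %d" % (name, off))  # Demo.Sample.A at 16, PE-MZ-header at 0
    finally:
        os.unlink(tmp.name)
```

One caveat on the AutoIt original that this version sidesteps: BinaryToString() with its default ANSI flag maps every byte to one character only on a single-byte system code page. On a double-byte code page the conversion pairs lead and trail bytes into one character, which shifts the reported offsets and hides any pattern that starts on a trail byte. Searching the bytes themselves, as find() does here, has no such dependency on the machine's locale.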


#15 ·  Posted (edited)

StringInStr() with the CASE_SENSITIVE option is the faster way.

My bot program always searches the game memory when the game has started, as a FULL_SCAN.

Giving a 'good search condition' gets a 'fast search result', that's it.

The game memory contains 400 MB in my 1 GB RAM.

The search needs to find some pointers.

[2008-11-20(Thu) 19:24:15.171] -162< SRC_LINE[07763] ycmMemSearch[0x014B0000 , 0x014B0000 , 0x00000004 , 0x00100000 , 0x00001000 , 0x00000004 , 0x00020000] EXCEPT[8]=0xC8000000A3010000 in 0s014 Value '4023000000000000'

[2008-11-20(Thu) 19:24:15.875] -162> SRC_LINE[07763] ycmMemSearch[0x0A4B0000 , 0x0A4B0000 , 0x00000004 , 0x00100000 , 0x00001000 , 0x00000004 , 0x00020000] EXCEPT[8]=0x0800000000010001 in 0s706 Value '4023000000000000'

[2008-11-20(Thu) 19:24:15.875] -162< SRC_LINE[07763] ycmMemSearch[0x0A5F0000 , 0x0A5F0000 , 0x00000004 , 0x00100000 , 0x00001000 , 0x00000004 , 0x00020000] ACCEPT[8]=0x0000000000000000 in 0s724 Value '4023000000000000'

[2008-11-20(Thu) 19:24:15.890] -162> SRC_LINE[07763] ycmMemSearch[0x0AD90000 , 0x0AD90000 , 0x00000004 , 0x00100000 , 0x00001000 , 0x00000004 , 0x00020000] ACCEPT[8]=0x0000000000000000 in 0s732 Value '4023000000000000'

[2008-11-20(Thu) 19:24:15.906] -162< SRC_LINE[07763] ycmMemSearch[0x0B7A0000 , 0x0B7A0000 , 0x00000004 , 0x00100000 , 0x00001000 , 0x00000004 , 0x00020000] ACCEPT[8]=0x0000000000000000 in 0s746 Value '4023000000000000'

[2008-11-20(Thu) 19:24:15.906] -162> SRC_LINE[07763] ycmMemSearch[0x0B8A0000 , 0x0B8A0000 , 0x00000004 , 0x00100000 , 0x00001000 , 0x00000004 , 0x00020000] ACCEPT[8]=0x0000000000000000 in 0s751 Value '4023000000000000'

[2008-11-20(Thu) 19:24:15.906] -162< SRC_LINE[07763] ycmMemSearch[0x0B9A0000 , 0x0B9A0000 , 0x00000004 , 0x00100000 , 0x00001000 , 0x00000004 , 0x00020000] ACCEPT[8]=0x0000000000000000 in 0s755 Value '4023000000000000'

[2008-11-20(Thu) 19:24:15.921] -162> SRC_LINE[07763] ycmMemSearch[0x0BAA0000 , 0x0BAA0000 , 0x00000004 , 0x00100000 , 0x00001000 , 0x00000004 , 0x00020000] ACCEPT[8]=0x0000000000000000 in 0s760 Value '4023000000000000'

[2008-11-20(Thu) 19:24:15.921] -161< SRC_LINE[07763] ycmMemSearch[0x0FDD0000 , 0x0FDD0000 , 0x00000004 , 0x00100000 , 0x00001000 , 0x00000004 , 0x00020000] ACCEPT[8]=0x0000000000000000 in 0s770 Value '4023000000000000'

[2008-11-20(Thu) 19:24:15.984] -161> SRC_LINE[07763] ycmMemSearch( ARRAY[3 , 252] , 0x00F81D38 , 0x00073EF0 , 0x00074FFF , 0x00100000 , 0 , 0x00002340 , 0x00000000 ) found[1] at limit[0x12F81D38] in 0s819 Value '4023000000000000'

[Addr=0FE00000 Base=0FE00000 A.Prot=00000004 Size=00100000 State=00001000 P.Prot=00000004 P.Type=00020000] => A.Prot[page_READWRITE] P.Prot[page_READWRITE]

Edited by GoodMan


#16 ·  Posted (edited)

I never quoted a +180KB text post.

I'm doing it just to see if something is gonna break.

edit:

ahhh... it appears to be unquotable

Edited by trancexx

♡♡♡

.

eMyvnE

#17 ·  Posted

Edited, :-)

Have a good Saturday,

#18 ·  Posted

I hope you are aware of the erroneousness of such a method.


♡♡♡

.

eMyvnE
