Digisoul, posted November 19, 2008 (edited):

Hello guys,

I am trying to search for some bytes in .exe files. Well, I know about StringRegExp, file open and other stuff. Now my problem is that I have 30 types of byte blocks (in an external file) which I want to check in every .exe file, so my app works fine but it takes much time if the file is > 1MB. Can someone please tell me any solution? I tried to search; only one topic I found can fulfill my requirement, but it's actually not complete (my bad luck). The attractive thing in this topic is:

> Note! Searching the binary data in string mode is a very slow procedure. For quick searching use a buffer created through a DllStructCreate() function.

Topic ref: http://www.autoitscript.com/forum/index.ph...6&hl=binary

How can I create a buffer through a DllStructCreate()? Please help me out guys; if no one wants to help, show me any right example!
Mobius, posted November 20, 2008 (edited):

> Note! Searching the binary data in string mode is a very slow procedure. For quick searching use a buffer created through a DllStructCreate() function. Also you can find more examples from my little tools.

@Digisoul
Although the example is for reading 512 bytes from a drive, it can easily be modified to work for a file.
You may or may not see an increase in speed; it depends on how you intend to parse the data.
Posting some of your own code may increase other responses.

Vlad
Digisoul, posted November 20, 2008 (edited):

> @Digisoul Posting some of your own code may increase other responses. Vlad

I am using the normal process to search the bytes. That's my original code that I am using.

    ; fragment: $scan_file, $sig (IniReadSection array), $iDel, $l, $Delimiters and $prc_id are set elsewhere
    $h = FileOpen($scan_file, 16) ; mode 16 = binary read, so FileRead returns a Binary value
    If $h <> -1 Then
        $file_data = FileRead($h)
        FileClose($h)
    EndIf
    For $i = 1 To $sig[0][0]
        If $iDel = 1 Then Sleep(20)
        ; the Binary value is matched as its hex text ("0x4D5A..."), so each ini key is a hex pattern
        $search = StringRegExp($file_data, $sig[$i][0], 0)
        $l += 1
        $fper = Round($l / $sig[0][0] * 100, 1) ; set percentage
        _AU3COM_SendData('nad' & $Delimiters & 'file' & $Delimiters & $scan_file & " [ " & $fper & "% ]", $prc_id)
        If $search = 1 Then
            ;~ MsgBox(0, "V", $sig[$i][1])
            _AU3COM_SendData('nad' & $Delimiters & 'infec' & $Delimiters & $scan_file & "> " & $sig[$i][1], $prc_id)
        EndIf
    Next

All the byte blocks are saved in an external ini file ($sig).
Digisoul, posted November 20, 2008:

> @Digisoul Although the example is for reading 512 bytes from a drive, it can easily be modified to work for a file. Vlad

I checked this example, but how can I use it to search for something, and where is the data actually stored?
rasim, posted November 20, 2008:

> Hello guys, I am trying to search for some bytes in .exe files [...] How can I create a buffer through a DllStructCreate()?

Rough example:

    #include <WinAPI.au3>
    $sFile = 'file.bin'
    $nFileSize = FileGetSize($sFile)
    $bBuffer = DllStructCreate("byte[" & $nFileSize & "]") ; one byte[] struct the size of the file
    $hFile = _WinAPI_CreateFile($sFile, 2, 2) ; 2 = open existing, 2 = read access
    $nRead = 0 ; ByRef: receives the number of bytes actually read
    _WinAPI_ReadFile($hFile, DllStructGetPtr($bBuffer), $nFileSize, $nRead)
    _WinAPI_CloseHandle($hFile)
Digisoul, posted November 21, 2008:

> Rough example: #include <WinAPI.au3> [...] _WinAPI_CloseHandle($hFile)

Thank you very much rasim for your useful example, but how can I use the _WinAPI_ReadFile($hFile, DllStructGetPtr($bBuffer), $nFileSize, $nFileSize)? I tried very much but didn't find anything. I mean to say, how can I use any function to find from the API_ READ FILE? Please, please give me one favour: can you add your example in this code?

    $h = FileOpen($scan_file, 16) ; mode 16 = binary read
    If $h <> -1 Then
        $file_data = FileRead($h)
        FileClose($h)
    EndIf
    For $i = 1 To $sig[0][0]
        If $iDel = 1 Then Sleep(20)
        $search = StringRegExp($file_data, $sig[$i][0], 0)
        $l += 1
        $fper = Round($l / $sig[0][0] * 100, 1) ; set percentage
        _AU3COM_SendData('nad' & $Delimiters & 'file' & $Delimiters & $scan_file & " [ " & $fper & "% ]", $prc_id)
        If $search = 1 Then
            ;~ MsgBox(0, "V", $sig[$i][1])
            _AU3COM_SendData('nad' & $Delimiters & 'infec' & $Delimiters & $scan_file & "> " & $sig[$i][1], $prc_id)
        EndIf
    Next

Hope you will help me.
Digisoul, posted November 21, 2008 (edited):

> Rough example: #include <WinAPI.au3> [...] _WinAPI_CloseHandle($hFile)

But this method is slower than FileOpen(). Is there any fast method to search the bytes?
ChangMinYang, posted November 21, 2008:

Just use StringInStr() with the CASE_SENSITIVE option.
rasim, posted November 21, 2008:

> Digisoul: But this method is slower than FileOpen(). Is there any fast method to search the bytes?

Something like this:

    #include <WinAPI.au3>
    $t = TimerInit()
    $sFile = "E:\Data\desk\321\DIGISOUL (H)\Crystal Theme\explorer.exe"
    $nFileSize = FileGetSize($sFile)
    $bBuffer = DllStructCreate("byte[" & $nFileSize & "]")
    $hFile = _WinAPI_CreateFile($sFile, 2, 2) ; 2 = open existing, 2 = read access
    $nRead = 0 ; ByRef: receives the number of bytes actually read
    _WinAPI_ReadFile($hFile, DllStructGetPtr($bBuffer), $nFileSize, $nRead)
    ;$data = DllStructGetData($bBuffer, 1)
    $sig = IniReadSection(@DesktopDir & "\spclv.xr", "sig")
    For $i = 1 To $sig[0][0]
        For $j = 1 To $nFileSize
            ; compares the single byte at index $j with the whole signature key
            If DllStructGetData($bBuffer, 1, $j) = $sig[$i][0] Then ConsoleWrite($sig[$i][0] & @LF)
        Next
    Next
    _WinAPI_CloseHandle($hFile)
Digisoul, posted November 21, 2008:

> Something like this: #include <WinAPI.au3> [...] _WinAPI_CloseHandle($hFile)

DllStructGetData($bBuffer, 1, $j) always returns "-112,77,90,0", but the thing I want to search for is "29C0FEC808C0740475F8EB67E8". Actually, I didn't get the method. Thanks for your help.
Digisoul, posted November 21, 2008:

OK, close this topic, it's impossible.
trancexx, posted November 21, 2008:

Likely it can't be faster than this:

    $bBinary = "0x001211678900412A3F33"
    $offset = BinaryInBinary($bBinary, "0x00", 2)
    ConsoleWrite("Second occurrence of 0x00 at offset: " & $offset & @CRLF)

    ; returns the 0-based byte offset of the $occurrence-th match, or -1 if not found
    Func BinaryInBinary($bBinary, $bBinaryToFind, $occurrence = 1)
        $bBinary = Binary($bBinary)
        $bBinaryToFind = Binary($bBinaryToFind)
        ; flag 2 = case-sensitive search on the byte-for-byte string form of the data
        Return StringInStr(BinaryToString($bBinary), BinaryToString($bBinaryToFind), 2, $occurrence) - 1
    EndFunc
Digisoul, posted November 21, 2008 (edited):

Please explain this code.

    $bBinary = "0x001211678900412A3F33"

Assume that is the data we get.

    $offset = BinaryInBinary($bBinary, "0x00", 2)

This will perform the search. OK, now the question is: what if I only want to search for 3F33?
trancexx, posted November 21, 2008 (edited):

> Please explain this code. [...] OK, now the question is: what if I only want to search for 3F33?

You will do this:

    $bBinary = "0x001211678900412A3F33"
    $offset = BinaryInBinary($bBinary, "0x3F33")
    ConsoleWrite("0x3F33 at offset: " & $offset & @CRLF)

    ; returns the 0-based byte offset of the $occurrence-th match, or -1 if not found
    Func BinaryInBinary($bBinary, $bBinaryToFind, $occurrence = 1)
        $bBinary = Binary($bBinary)
        $bBinaryToFind = Binary($bBinaryToFind)
        Return StringInStr(BinaryToString($bBinary), BinaryToString($bBinaryToFind), 2, $occurrence) - 1
    EndFunc
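A chunked signature scanner for the problem the thread is about, written here as an added example in Python (the AutoIt above cannot be run in this form); it is not code from the thread. It assumes the hexbytes=name layout of the [sig] ini section that Digisoul's loop reads, carries an overlap between reads so a pattern split across two reads is still found without holding a >1MB file in memory whole, and uses trancexx's sample bytes as constructed input.

```python
import io
import re
from typing import BinaryIO, Dict, List, Tuple

_HEX_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]+)$")

def parse_signatures(ini_text: str) -> Dict[str, bytes]:
    """Turn 'hexbytes=name' lines of a [sig] ini section (the layout Digisoul's
    code reads) into name -> raw bytes; odd-length or non-hex keys raise."""
    sigs: Dict[str, bytes] = {}
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", ";")):
            continue
        hexstr, _, name = line.partition("=")
        m = _HEX_RE.match(hexstr.strip())
        if not m or len(m.group(1)) % 2:
            raise ValueError(f"bad signature key {hexstr!r}")
        sigs[name.strip()] = bytes.fromhex(m.group(1))
    return sigs

def scan_stream(fh: BinaryIO, sigs: Dict[str, bytes], chunk_size: int = 1 << 20) -> List[Tuple[str, int]]:
    """Return every (name, absolute offset) hit, reading chunk_size bytes at a time.
    The last (longest signature - 1) bytes of each read are carried into the next,
    so a pattern straddling a boundary is found, and found only once."""
    overlap = max((len(p) for p in sigs.values()), default=1) - 1
    hits: List[Tuple[str, int]] = []
    tail, base = b"", 0  # base = absolute file offset of tail[0]
    while True:
        data = fh.read(chunk_size)
        if not data:
            break
        buf = tail + data
        for name, pat in sigs.items():
            pos = buf.find(pat)
            while pos != -1:
                if pos + len(pat) > len(tail):  # else: wholly in tail, reported last round
                    hits.append((name, base + pos))
                pos = buf.find(pat, pos + 1)
        base += len(buf) - overlap
        tail = buf[len(buf) - overlap:]
    return sorted(hits, key=lambda h: h[1])

# constructed sample: trancexx's bytes from the thread; with chunk_size=3 the
# pattern 3F33 is split across two reads and only the overlap logic finds it
SAMPLE_INI = "[sig]\n00=nul\n3F33=tail\n"
SAMPLE_DATA = bytes.fromhex("001211678900412A3F33")

def demo(chunk_size: int = 3) -> List[Tuple[str, int]]:
    return scan_stream(io.BytesIO(SAMPLE_DATA), parse_signatures(SAMPLE_INI), chunk_size)
```

demo() reports the second 0x00 at offset 5 and 0x3F33 at offset 8, the same 0-based offsets trancexx's BinaryInBinary returns for this input.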
ChangMinYang, posted November 22, 2008 (edited):

StringInStr() with the CASE_SENSITIVE option is the faster way. My bot program always searches the game memory when the game is started, as a FULL_SCAN. Giving a 'good search condition' gets you a 'fast search result', just that. The game memory takes 400 MB of my 1GB RAM. The search needs to find some pointers.
trancexx, posted November 22, 2008 (edited):

I have never quoted a +180KB text post. I'm doing it just to see if something is gonna break.

edit: ahhh... it appears to be unquotable.
ChangMinYang, posted November 22, 2008:

> I have never quoted a +180KB text post. [...] edit: ahhh... it appears to be unquotable.

Edited, :-)
Have a good Saturday,
trancexx, posted November 22, 2008:

I hope you are aware of the erroneousness of such a method.