// This is an example program that shows the usage of the memsearch package.
//
// With this program you can:
// - Search for a string in the memory of a process with a given PID
// - Print an arbitrary amount of bytes from the process memory.
package main
import (
"encoding/hex"
"flag"
"io/ioutil"
"log"
"regexp"
"strings"
"github.com/mozilla/masche/memaccess"
"github.com/mozilla/masche/memsearch"
"github.com/mozilla/masche/process"
)
// Command-line flags. flag.Parse, called at the top of main, fills in the
// values these pointers refer to.
var (
	// Flags shared by all actions. main treats the "<nil>" default of
	// -action as "no action given".
	action = flag.String("action", "<nil>", "Action to perfom. One of: search, regexp-search, file-search, print")
	// main converts the pid to uint before opening the process.
	pid = flag.Int("pid", 0, "Process id to analyze")
	// main converts the address to uintptr. The flag is a signed int, so
	// addresses beyond the int range cannot be expressed with it.
	addr = flag.Int("addr", 0, "The initial address in the process address space to search/print")

	// print action: size of the buffer that is filled from the target.
	size = flag.Int("n", 4, "Amount of bytes to print")

	// search action: the literal bytes to look for.
	needle = flag.String("needle", "Find This!", "String to search for (interpreted as []byte)")

	// regexp-search action: pattern compiled with the regexp package.
	regexpString = flag.String("regexp", "regexp?", "Regexp to search for")

	// file-search action: file holding the hex-encoded needle.
	fileneedle = flag.String("fileneedle", "example.in", "Filename that contains hex-encoded needle (spaces are ignored)")
)
// logErrors reports the errors returned by a masche call.
//
// A non-nil harderror is passed to log.Fatal, which logs it and exits the
// program; in that case the soft errors are never printed. Otherwise every
// entry of softerrors is logged and execution continues.
func logErrors(softerrors []error, harderror error) {
	if harderror != nil {
		log.Fatal(harderror)
	}

	for i := range softerrors {
		log.Print(softerrors[i])
	}
}
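// main parses the command-line flags, opens the process named by -pid and
// runs the requested action against its memory.
//
// The flag values are validated before the target process is opened, so an
// invalid invocation never acquires a handle to another process. Bytes read
// back from the target are treated as untrusted data when they are printed.
func main() {
	flag.Parse()

	// Reject an unusable action first; the original only noticed it after
	// the process had already been opened.
	switch *action {
	case "search", "regexp-search", "file-search", "print":
	case "<nil>":
		log.Fatal("Missing action flag.")
	default:
		log.Fatal("Unrecognized action ", *action)
	}

	// -pid and -addr are signed ints that are converted to unsigned types
	// below; a negative value would silently wrap to a very large one.
	if *pid < 0 {
		log.Fatalf("Invalid pid %d: must not be negative", *pid)
	}
	if *addr < 0 {
		log.Fatalf("Invalid addr %d: must not be negative", *addr)
	}
	// make([]byte, n) panics for a negative n.
	if *action == "print" && *size < 0 {
		log.Fatalf("Invalid n %d: must not be negative", *size)
	}

	proc, softerrors, harderror := process.OpenFromPid(uint(*pid))
	logErrors(softerrors, harderror)

	switch *action {
	case "file-search":
		data, err := ioutil.ReadFile(*fileneedle)
		if err != nil {
			log.Fatal(err)
		}

		// Drop every kind of whitespace (spaces, tabs, CR, LF) so that files
		// with Windows line endings or tab-separated bytes decode as well.
		encoded := strings.Join(strings.Fields(string(data)), "")
		data, err = hex.DecodeString(encoded)
		if err != nil {
			log.Fatal(err)
		}

		found, address, softerrors, harderror := memsearch.FindBytesSequence(proc, uintptr(*addr), data)
		logErrors(softerrors, harderror)
		if found {
			log.Printf("Found in address: %x\n", address)
		}

	case "search":
		found, address, softerrors, harderror := memsearch.FindBytesSequence(proc, uintptr(*addr), []byte(*needle))
		logErrors(softerrors, harderror)
		if found {
			log.Printf("Found in address: %x\n", address)
		}

	case "regexp-search":
		r, err := regexp.Compile(*regexpString)
		if err != nil {
			log.Fatal(err)
		}

		found, address, softerrors, harderror := memsearch.FindRegexpMatch(proc, uintptr(*addr), r)
		logErrors(softerrors, harderror)
		if found {
			log.Printf("Found in address: %x\n", address)
		}

	case "print":
		buf := make([]byte, *size)
		softerrors, harderror = memaccess.CopyMemory(proc, uintptr(*addr), buf)
		logErrors(softerrors, harderror)

		// The buffer holds arbitrary bytes from another process. %q escapes
		// control and non-printable bytes, so the dump cannot inject terminal
		// escape sequences or forge extra lines in the log output.
		log.Printf("%q", buf)
	}
}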