Difference between revisions of "Auto Assembler:aobScanModule"
m |
|||
| Line 2: | Line 2: | ||
'''Auto Assembler''' aobScanModule(''SymbolName'', ''ModuleName'', ''AOBString'') | '''Auto Assembler''' aobScanModule(''SymbolName'', ''ModuleName'', ''AOBString'') | ||
| − | Scans the memory | + | Scans the memory used by the module ''ModuleName'' for a specific byte pattern defined by ''AOBString'' and sets the resulting address to the symbol ''SymbolName''. |
| − | 'x', '?', | + | |
| + | '''Note:''' ''AOBString'' definition is composed by a list of one or several bytes optionally separated by spaces. Each byte definition has 2 variants: | ||
| + | |||
| + | - A group of 2 characters, where the first character is the high order nibble and the second is the low order nibble. Each character can be an hexadecimal digit (from '0' to 'F') or a wildcard character (interpreted as any hexadecimal value from 0 to 15) | ||
| + | |||
| + | - An unique wildcard surrounded by spaces (interpreted as any value from 0 to 255) | ||
| + | |||
| + | The wildcards are defined by any of these 3 characters: 'x', '?', or '*'. | ||
| + | Some valid patterns: | ||
| − | |||
| − | |||
| − | |||
5x 48 8D 6x 24 E0 | 5x 48 8D 6x 24 E0 | ||
5? 48 8D 6? 24 E0 | 5? 48 8D 6? 24 E0 | ||
| Line 17: | Line 22: | ||
? 48 8D ? 24 E0 | ? 48 8D ? 24 E0 | ||
* 48 8D * 24 E0 | * 48 8D * 24 E0 | ||
| + | |||
| + | '''Tip:''' One can use for ''ModuleName'' the variable '''$process''' defined as the current open process. | ||
=== Command Parameters === | === Command Parameters === | ||
| Line 26: | Line 33: | ||
|SymbolName | |SymbolName | ||
|string | |string | ||
| − | |The symbol name to | + | |The symbol name to define if ''AOBString'' is found |
|- | |- | ||
|ModuleName | |ModuleName | ||
| Line 34: | Line 41: | ||
|AOBString | |AOBString | ||
|string | |string | ||
| − | |The | + | |The byte pattern, as hex, to scan for |
|} | |} | ||
| Line 60: | Line 67: | ||
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00??8D6424E0) | aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00??8D6424E0) | ||
| + | |||
| + | aobScanModule(SomeSymbol, $process, 00 1? 8D 64 24 *) | ||
== See also == | == See also == | ||
Latest revision as of 16:33, 22 April 2022
Auto Assembler aobScanModule(SymbolName, ModuleName, AOBString)
Scans the memory used by the module ModuleName for a specific byte pattern defined by AOBString and sets the resulting address to the symbol SymbolName.
Note: AOBString definition is composed by a list of one or several bytes optionally separated by spaces. Each byte definition has 2 variants:
- A group of 2 characters, where the first character is the high order nibble and the second is the low order nibble. Each character can be an hexadecimal digit (from '0' to 'F') or a wildcard character (interpreted as any hexadecimal value from 0 to 15)
- An unique wildcard surrounded by spaces (interpreted as any value from 0 to 255)
The wildcards are defined by any of these 3 characters: 'x', '?', or '*'. Some valid patterns:
5x 48 8D 6x 24 E0 5? 48 8D 6? 24 E0 5* 48 8D 6* 24 E0 xx 48 8D xx 24 E0 ?? 48 8D ?? 24 E0 ** 48 8D ** 24 E0 x 48 8D x 24 E0 ? 48 8D ? 24 E0 * 48 8D * 24 E0
Tip: One can use for ModuleName the variable $process defined as the current open process.
Command Parameters[edit]
| Parameter | Type | Description |
|---|---|---|
| SymbolName | string | The symbol name to define if AOBString is found |
| ModuleName | string | The name of the module to scan in |
| AOBString | string | The byte pattern, as hex, to scan for |
Examples[edit]
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00 53 48 8D 64 24 E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00 xx xx 8D 64 24 E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00 x x 8D 64 24 E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00 ** ** 8D 64 24 E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00 * * 8D 64 24 E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00 ?? ?? 8D 64 24 E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00 ? ? 8D 64 24 E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00 5* 48 *D 64 24 E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00xx8D6424E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00**8D6424E0)
aobScanModule(SomeSymbol, Tutorial-x86_64.exe, 00??8D6424E0)
aobScanModule(SomeSymbol, $process, 00 1? 8D 64 24 *)
