I'm trying to find out if there is a simple way of searching for a sequence of bytes in a program's memory. More specifically, I want to search through a DLL that is loaded into memory and find the VA/RVA of the address where those bytes are. Is this possible?

I know I can read the contents of a DLL and then search, but I'm not sure how I can get the VA/RVA of the location.

Thanks

Zeller33
  • What is VA/RVA.... anyway why can't you use something like https://www.jetbrains.com/decompiler/ to look at the dll... is this because you have a requirement to do this at run time? – Seabizkit Feb 11 '16 at 11:45
  • Virtual address/relative virtual address..... and yes, it has to be done at runtime – Zeller33 Feb 11 '16 at 20:54
  • VA/RVA of the contents... you're not making much sense.... surely there is an easier way of doing... whatever you are trying to achieve. You know you can dynamically load a .dll into your app, you could then search through it... for whatever to see if it exists.. you could then dynamically create an instance... but what has this got to do with (Virtual address/relative virtual address) – Seabizkit Feb 12 '16 at 07:42

1 Answer

I don't know exactly how you manage to access memory, but if you know the pattern of the things you are searching for and have access to memory chunks, you can pretty much find everything through ORegex.

var memory_bytes = new byte[] { 0, 0, 0, 0, 254, 255, 254, 0, 0, 0, 254 };

var oregex = new ORegex<byte>("{0}{1}{0}", x => x == 254, x => x == 255);
var matches = oregex.Matches(memory_bytes);

// OUTPUT: [254,255,254]
eocron
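An added example, not part of the answer above and not ORegex code: it reads the mapped image of a DLL loaded in the current process and reports each match as an RVA (offset from the module base) and a VA (base plus offset). It assumes Windows and that kernel32.dll is loaded; the class and method names are hypothetical and the search pattern is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;

static class ModuleByteSearch   // hypothetical name, Windows only
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

    // Copy the module's mapped image page by page; unreadable pages stay zeroed.
    static byte[] ReadImage(Process proc, ProcessModule mod)
    {
        const int PageSize = 0x1000;
        var image = new byte[mod.ModuleMemorySize];
        var page = new byte[PageSize];
        for (int off = 0; off < image.Length; off += PageSize)
        {
            int len = Math.Min(PageSize, image.Length - off);
            if (ReadProcessMemory(proc.Handle, IntPtr.Add(mod.BaseAddress, off),
                                  page, (IntPtr)len, out _))
                Buffer.BlockCopy(page, 0, image, off, len);
        }
        return image;
    }

    // Every offset at which pattern occurs in data (naive scan).
    static IEnumerable<int> FindAll(byte[] data, byte[] pattern)
    {
        for (int i = 0; pattern.Length > 0 && i + pattern.Length <= data.Length; i++)
        {
            int j = 0;
            while (j < pattern.Length && data[i + j] == pattern[j]) j++;
            if (j == pattern.Length) yield return i;
        }
    }

    static void Main()
    {
        byte[] pattern = Encoding.ASCII.GetBytes("This program cannot be run"); // constructed sample
        using var proc = Process.GetCurrentProcess();
        foreach (ProcessModule mod in proc.Modules)
        {
            if (!mod.ModuleName.Equals("kernel32.dll", StringComparison.OrdinalIgnoreCase)) continue;
            // The image is mapped at BaseAddress, so an offset into it is the RVA.
            foreach (int rva in FindAll(ReadImage(proc, mod), pattern))
                Console.WriteLine($"{mod.ModuleName}: RVA 0x{rva:X}, VA 0x{mod.BaseAddress.ToInt64() + rva:X}");
        }
    }
}
```

An offset found in the DLL file on disk is not an RVA, because sections are laid out differently once mapped; scanning the loaded image as above avoids that conversion.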