Added DomitoMemorySearchPattern

2023-07-01 05:24:04 +02:00 · 2023-07-01 05:24:04 +02:00 · 1113a23f19
commit 1113a23f19
parent 0d9cc19fbd
2 changed files with 210 additions and 150 deletions
--- a/include/Domito.h
+++ b/include/Domito.h
@ -42,3 +42,19 @@ DomitoFindExportedFunctionAddress(
    _In_ STRING FunctionName,
    _Inout_opt_ PVOID * FunctionAddress
 );
+
+//
+// Scans a provided buffer for a memory pattern
+// 
+_Success_(return == STATUS_SUCCESS)
+_Must_inspect_result_
+_IRQL_requires_max_(DISPATCH_LEVEL)
+NTSTATUS
+DomitoMemorySearchPattern(
+    _In_ PCUCHAR pcPattern,
+    _In_ UCHAR uWildcard,
+    _In_ SIZE_T puLen,
+    _In_ PVOID pcBase,
+    _In_ SIZE_T puSize,
+    _Outptr_result_maybenull_ PVOID* ppMatch
+);
--- a/src/Domito.cpp
+++ b/src/Domito.cpp
@ -209,3 +209,47 @@ DomitoFindExportedFunctionAddress(

    return status;
 }
+
+_Success_(return == STATUS_SUCCESS)
+_Must_inspect_result_
+_IRQL_requires_max_(DISPATCH_LEVEL)
+NTSTATUS
+DomitoMemorySearchPattern(
+    _In_ PCUCHAR pcPattern,
+    _In_ UCHAR uWildcard,
+    _In_ SIZE_T puLen,
+    _In_ PVOID pcBase,
+    _In_ SIZE_T puSize,
+    _Outptr_result_maybenull_  PVOID * ppMatch
+)
+{
+    ASSERT(ppMatch != NULL && pcPattern != NULL && pcBase != NULL);
+
+    if (ppMatch == NULL || pcPattern == NULL || pcBase == NULL)
+    {
+        return STATUS_INVALID_PARAMETER;
+    }
+
+    *ppMatch = NULL;
+
+    for (SIZE_T i = 0; i < puSize - puLen; i++)
+    {
+        BOOLEAN found = TRUE;
+        for (SIZE_T j = 0; j < puLen; j++)
+        {
+            if (pcPattern[j] != uWildcard && pcPattern[j] != ((PCUCHAR)pcBase)[i + j])
+            {
+                found = FALSE;
+                break;
+            }
+        }
+
+        if (found)
+        {
+            *ppMatch = (PUCHAR)pcBase + i;
+            return STATUS_SUCCESS;
+        }
+    }
+
+    return STATUS_NOT_FOUND;
+}