Tuesday, 15 March 2011

Memory pattern scanning on Linux in C -

I am looking for a way to scan a program's memory for a specific pattern. The program is loading our code as a library (.so).

Here is my attempt:

    #include <dlfcn.h>

    int _compare(unsigned char *data, unsigned char *pattern, char *mask);

    unsigned long findpattern(char *pattern, char *mask)
    {
        void *address;
        unsigned long size, i;

        // NULL = we want the base address of the process we are loaded in
        address = dlopen(NULL, 0); // GetModuleHandle(NULL) on Windows
        // size of program, GetModuleInformation.SizeOfImage on Windows
        size = 0x128000; // didn't find a way on Linux

        for (i = 0; i < size; i++) {
            if (_compare((unsigned char *)address + i, (unsigned char *)pattern, mask))
                return (unsigned long)address + i;
        }
        return 0;
    }

    int _compare(unsigned char *data, unsigned char *pattern, char *mask)
    {
        for (; *mask; ++mask, ++data, ++pattern) {
            if (*mask == 'x' && *data != *pattern) // crashes here according to gdb
                return 0;
        }
        return (*mask) == 0;
    }

But this doesn't work. Starting at dlopen, it does not return the right base address of the program it is loaded in. I have tried link_map as explained here. I know the addresses from IDA and gdb, that's why I know dlopen returns wrong values.

I am using gcc-4.4.7 on CentOS 6.5 64-bit. The program is a 32-bit executable binary.

dlopen returns a handle to the library, not a pointer to the memory containing the library.

You need to use dlsym to get the address of a function.

    handle = dlopen(NULL, RTLD_LAZY);
    address = dlsym(handle, "main");

Now you'll have an address to peek at.

"main" may not be the best place to start, but it works for demonstration here. Be sure to find a symbol located in the program to allow a full search.

And as a bonus, to speed up the search/compare loop:

    // size of program, GetModuleInformation.SizeOfImage on Windows
    size = 0x128000; // didn't find a way on Linux
    unsigned char *ptr = address;
    while (1) {
        /* hmmm, this gets complicated if the mask applies to the first char of
         * the pattern, so I punted and compared the first char of the pattern.
         * It's an idea... */
        ptr = memchr(ptr, pattern[0], size - (ptr - (unsigned char *)address));
        if (ptr == NULL)
            break;
        if (_compare(ptr, (unsigned char *)pattern, mask))
            return (unsigned long)ptr;
        ptr++; // step past this candidate, or memchr returns it again
    }
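An added example, not code from the question or the answer above, that does what both posts are reaching for. It replaces the hard-coded `size = 0x128000` and the `dlopen()` "base" with `dl_iterate_phdr()`, which reports every loaded object's load bias (`dlpi_addr`) and its `PT_LOAD` program headers, so the real base and size of the program or of any `.so` come from the loader rather than from a guess. The masked compare is run per readable segment instead of over one flat range, so a hole between segments or a `PROT_NONE` page is never dereferenced; the bounds check in `find_pattern` also stops the compare from running off the end of a segment. The `sentinel` array, the XOR-encoded `needle_enc`, and the names `find_pattern`, `scan_module` and `scan_self_for_sentinel` are my own constructions for the demonstration; the main executable is selected by its empty `dlpi_name`, which is how glibc reports it.

```c
/* Added example: find a module's load range with dl_iterate_phdr() and run a
 * masked pattern scan over its readable PT_LOAD segments.  Build with
 * "gcc -Wall scan.c" (add -m32 for a 32-bit target); no -ldl is needed. */
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 'x' in mask: byte must equal the pattern byte; anything else is a wildcard. */
int mask_compare(const unsigned char *data, const unsigned char *pattern, const char *mask)
{
    for (; *mask; ++mask, ++data, ++pattern)
        if (*mask == 'x' && *data != *pattern)
            return 0;
    return 1;
}

/* Bounds-checked search of [hay, hay+len); the mask length is the pattern
 * length.  Returns the offset of the first match or -1. */
long find_pattern(const unsigned char *hay, size_t len, const unsigned char *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || len < plen)
        return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (mask_compare(hay + i, pattern, mask))
            return (long)i;
    return -1;
}

struct scan_req {
    const char *name_substr;     /* "" = main executable, else substring of the .so path */
    const unsigned char *pattern; /* NULL = only report the load range */
    const char *mask;
    uintptr_t lo, hi;            /* span of the object's readable PT_LOAD segments */
    uintptr_t hit;               /* first match, 0 if none */
    int found_module;
};

static int scan_cb(struct dl_phdr_info *info, size_t size, void *data)
{
    struct scan_req *req = data;
    const char *name = info->dlpi_name ? info->dlpi_name : "";
    (void)size;
    /* glibc reports the main program with an empty name, libraries with their path */
    int match = req->name_substr[0] == '\0' ? name[0] == '\0'
                                            : strstr(name, req->name_substr) != NULL;
    if (!match)
        return 0;                               /* keep iterating */
    req->found_module = 1;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const ElfW(Phdr) *ph = &info->dlpi_phdr[i];
        if (ph->p_type != PT_LOAD || !(ph->p_flags & PF_R))
            continue;                           /* not mapped readable: never touch it */
        uintptr_t seg_lo = info->dlpi_addr + ph->p_vaddr;  /* load bias + vaddr */
        uintptr_t seg_hi = seg_lo + ph->p_memsz;          /* memsz covers .bss too */
        if (!req->lo || seg_lo < req->lo) req->lo = seg_lo;
        if (seg_hi > req->hi) req->hi = seg_hi;
        if (!req->hit && req->pattern) {
            long off = find_pattern((const unsigned char *)seg_lo, ph->p_memsz, req->pattern, req->mask);
            if (off >= 0)
                req->hit = seg_lo + (uintptr_t)off;
        }
    }
    return 1;                                   /* nonzero stops dl_iterate_phdr */
}

/* Scan one loaded object segment by segment.  Returns the match address or 0;
 * lo/hi (optional) receive the span of its readable segments, which is what
 * the hard-coded 0x128000 was standing in for. */
uintptr_t scan_module(const char *name_substr, const unsigned char *pattern, const char *mask,
                      uintptr_t *lo, uintptr_t *hi)
{
    struct scan_req req = { name_substr, pattern, mask, 0, 0, 0, 0 };
    dl_iterate_phdr(scan_cb, &req);
    if (lo) *lo = req.lo;
    if (hi) *hi = req.hi;
    return req.found_module ? req.hit : 0;
}

/* Constructed sentinel in this executable's .data so the scan has a target.
 * The needle is stored XOR 0x5A and decoded onto the stack at run time, so the
 * scan does not simply find its own pattern array in .rodata. */
unsigned char sentinel[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37, 0xC0, 0xFF, 0xEE, 0x42 };
static const unsigned char needle_enc[] = { 0xDE ^ 0x5A, 0xAD ^ 0x5A, 0xBE ^ 0x5A, 0xEF ^ 0x5A,
                                            0x13 ^ 0x5A, 0x37 ^ 0x5A, 0xC0 ^ 0x5A, 0xFF ^ 0x5A,
                                            0xEE ^ 0x5A, 0x42 ^ 0x5A };

uintptr_t scan_self_for_sentinel(void)
{
    unsigned char needle[sizeof needle_enc];
    for (size_t i = 0; i < sizeof needle; i++)
        needle[i] = needle_enc[i] ^ 0x5A;
    return scan_module("", needle, "xxxx??xxxx", NULL, NULL); /* bytes 4,5 wildcarded */
}

int main(void)
{
    uintptr_t lo, hi;
    scan_module("", NULL, NULL, &lo, &hi);
    printf("main executable: %#lx-%#lx (%lu bytes spanned)\n",
           (unsigned long)lo, (unsigned long)hi, (unsigned long)(hi - lo));
    uintptr_t hit = scan_self_for_sentinel();
    printf("sentinel at %p, scan found %#lx\n", (void *)sentinel, (unsigned long)hit);
    return hit == (uintptr_t)sentinel ? 0 : 1;
}
```

To scan the host program from inside an injected `.so`, call `scan_module("", ...)`; to scan a particular library, pass a substring of its path as reported by `dl_iterate_phdr` (for example `"libc.so"`). The spanned size `hi - lo` can include unmapped gaps between segments, which is exactly why the compare runs inside each `PT_LOAD` rather than over the whole span; the memchr shortcut from the answer can be applied inside `find_pattern` in the same way as long as `mask[0]` is an `'x'`.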

c linux gcc memory
