Single-header C library for signature scanning on Linux.
This library matches byte patterns (signatures) in the memory of a process. It scans the current process, but it should be easy to modify for reading external processes by using /proc/PID/maps.
It only supports Linux, since it parses the /proc/self/maps file to get the start and end addresses of the loaded modules.
The library assumes all signatures are in IDA (DE AD ? EF) or x64Dbg (DE AD ?? EF) format. See also the sigmaker plugin.
For more information on signature scanning and on how this library works, check out my Signature scanning in C blog entry.
To try the example, simply clone the repository, compile it, and run libsigscan-test.out. Please see src/main.c and the Usage section for an example of how to use it.
$ git clone https://github.com/8dcc/libsigscan
$ cd libsigscan
$ make
$ ./libsigscan-test.out
Since this is a simple single-header library, you just need to copy the libsigscan.h file and #include it in your sources.
For a full example, see src/main.c.
The library consists of just 2 functions: sigscan_module() and sigscan().
sigscan_module() scans all the memory blocks whose name matches the regex parameter. It uses the Extended Regular Expression (ERE) syntax, so keep that in mind before escaping certain characters like +, ?, etc. See also BRE vs. ERE.
#include "libsigscan.h"
#define MODULE_REGEX ".+/libc.so.6"
#define SIGNATURE "DE AD BE EF ? ? CA FE"
/* Search only in this module. */
void* match = sigscan_module(MODULE_REGEX, SIGNATURE);
sigscan() scans the whole memory being used by the process (except the regions whose name starts with [ in /proc/self/maps, like heap, stack, etc.). Keep in mind that depending on the memory being used by the process, it might take a few seconds, so it's better to filter the module name whenever possible.
This function is just a wrapper, and calling it is the same as passing NULL as the first parameter to sigscan_module().
#include "libsigscan.h"
#define SIGNATURE "DE AD BE EF ? ? CA FE"
/* Look for those bytes in all loaded modules. */
void* match = sigscan(SIGNATURE);
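To show what the signature formats above mean and what the scan step actually does, here is an added, self-contained example that is not libsigscan's own code: it parses an IDA-style ("?") or x64Dbg-style ("??") signature into a byte array plus a wildcard mask and searches a constructed in-memory buffer for it. It does not read /proc/self/maps; the buffer stands in for the [start, end) range of one mapped region, and the Signature, sig_parse, sig_find and demo_offset names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Parsed signature: byte values plus a mask (1 = must match, 0 = wildcard). */
typedef struct { uint8_t bytes[64]; uint8_t mask[64]; size_t len; } Signature;
static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20; /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Parse "DE AD ? EF" (IDA) or "DE AD ?? EF" (x64Dbg). Returns 0 on malformed input. */
int sig_parse(const char* str, Signature* sig) {
    sig->len = 0;
    while (*str != '\0') {
        if (*str == ' ') { str++; continue; }
        if (sig->len >= sizeof(sig->bytes)) return 0; /* signature too long */
        if (*str == '?') { /* wildcard; x64Dbg writes it as "??" */
            sig->bytes[sig->len] = sig->mask[sig->len] = 0;
            str += (str[1] == '?') ? 2 : 1;
        } else {
            int hi = hex_nibble(str[0]), lo = hex_nibble(str[1]); /* str[0] != 0, so str[1] is readable */
            if (hi < 0 || lo < 0) return 0;
            sig->bytes[sig->len] = (uint8_t)((hi << 4) | lo);
            sig->mask[sig->len] = 1; str += 2;
        }
        sig->len++;
    }
    return sig->len > 0;
}

/* Scan [start, end) for the signature; returns the first match or NULL. */
const uint8_t* sig_find(const uint8_t* start, const uint8_t* end, const Signature* sig) {
    if (sig->len == 0 || (size_t)(end - start) < sig->len) return NULL;
    for (const uint8_t* p = start; p + sig->len <= end; p++) {
        size_t i = 0;
        while (i < sig->len && (!sig->mask[i] || p[i] == sig->bytes[i])) i++;
        if (i == sig->len) return p;
    }
    return NULL;
}
/* Constructed sample buffer standing in for a memory region (not real process memory). */
static const uint8_t SAMPLE[] = { 0x00, 0xDE, 0xAD, 0xBE, 0xEF, 0x11, 0x22, 0xCA, 0xFE, 0x00 };
/* Returns the match offset within SAMPLE, -1 if not found, -2 if the signature is malformed. */
long demo_offset(const char* sig_str) {
    Signature sig;
    if (!sig_parse(sig_str, &sig)) return -2;
    const uint8_t* hit = sig_find(SAMPLE, SAMPLE + sizeof(SAMPLE), &sig);
    return hit ? (long)(hit - SAMPLE) : -1;
}
```

Both "DE AD BE EF ? ? CA FE" and "DE AD BE EF ?? ?? CA FE" resolve to the same 8-byte pattern and match SAMPLE at offset 1; a malformed signature such as "DE AD ZZ" is rejected before any scanning happens.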