spriteovo / sigmatch Goto Github PK

View Code? Open in Web Editor NEW

87.0 4.0 14.0 52 KB

✨ Modern C++ 20 signature match / search library

License: Apache License 2.0

CMake 4.69% C++ 95.31%

signature match search library binary binary-analysis assembler pattern cpp cpp20

sigmatch's Introduction

sigmatch

Modern C++ 20 Signature Match / Search Library

✨ Features

🍃 Header-only, no dependencies, no exceptions.
☕ Compile-time literal signature string parsing.
❄️ Supports full-byte wildcards (?? or **) and semi-byte wildcards (1? or *B).
🚀 Supports blocking (chunking) and multi-threaded for fast search.
🎯 Supports searching in the current process, external processes and files.
🍄 Customizable reader and target allow you to search on more targets (e.g. network traffic packets).

🌠 Examples

A quick example:

using namespace sigmatch_literals;

sigmatch::this_process_target target;
sigmatch::search_result result = target.in_module("**module_name**").search("1A ?? 3C ** 5* ?F"_sig);
for (const std::byte *address : result.matches()) {
    std::cout << "matched: " << address << '\n';
}

See /examples for more.

🍰 Todo

Complete CI for testing and documentation deployment.
Host the documentation on GitHub Pages.
Statistical tests coverage.
Complete benchmarks.
Test compilers other than MSVC.
Implement class executable_file_target.
Port to Linux.

📜 License

sigmatch is licensed under the Apache-2.0 License.

sigmatch's People

Contributors

Stargazers

Watchers

Forkers

ezhangle airahc jhssugi yuaom chaoses-ib baajarmeh whyliuxing sluckywhh bb33bb crackercat hercul3s mattmills edisonh lat0ur

sigmatch's Issues

Problems compiling on the latest version of msvc

C:\PROGRA~1\MICROS~3\2022\ENTERP~1\VC\Tools\MSVC\1437~1.328\bin\HostX64\x64\cl.exe   /TP  -IE:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include /nologo /DWIN32 /D_WINDOWS /W3 /utf-8 /GR /EHsc /MP  /MD /O2 /Oi /Gy /DNDEBUG /Z7  -std:c++20 /showIncludes /Foexamples\CMakeFiles\02.custom_reader.dir\02.custom_reader.cpp.obj /Fdexamples\CMakeFiles\02.custom_reader.dir\ /FS -c E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\examples\02.custom_reader.cpp
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(624): error C2512: 'std::array<sigmatch::sig_byte,6>': no appropriate default constructor available
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(624): note: Invalid aggregate initialization
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(2926): note: while evaluating consteval function 'sigmatch::impl::parse_sig_str_compile_time'
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(624): note: the template instantiation context (the oldest one first) is
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\examples\02.custom_reader.cpp(105): note: see reference to function template instantiation 'sigmatch::signature sigmatch_literals::operator ""_sig<sigmatch::details::consteval_str_buffer<18>{sigmatch::details::consteval_str_buffer<18>::char_type49,65,32,50,66,32,63,63,32,63,63,32,53,69,32,54,70,0}>(void)' being compiled
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(2926): note: see reference to function template instantiation 'std::array<sigmatch::sig_byte,6> sigmatch::impl::parse_sig_str_compile_time<sigmatch::details::consteval_str_buffer<18>{sigmatch::details::consteval_str_buffer<18>::char_type49,65,32,50,66,32,63,63,32,63,63,32,53,69,32,54,70,0}>(void)' being compiled
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(1425): note: see reference to function template instantiation 'std::array<sigmatch::sig_byte,6> sigmatch::details::friendly_construct_array<sigmatch::sig_byte,6>(void) noexcept' being compiled
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(2926): error C7595: 'sigmatch::impl::parse_sig_str_compile_time': call to immediate function is not a constant expression
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(624): note: a non-constant (sub-)expression was encountered
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(2926): note: the call stack of the evaluation (the oldest call first) is
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(2926): note: while evaluating function 'std::array<sigmatch::sig_byte,6> sigmatch::impl::parse_sig_str_compile_time<sigmatch::details::consteval_str_buffer<18>{sigmatch::details::consteval_str_buffer<18>::char_type49,65,32,50,66,32,63,63,32,63,63,32,53,69,32,54,70,0}>(void)'
E:\vcpkg\buildtrees\sigmatch\src\v0.2.0-bf43ea0aed\include\sigmatch/sigmatch.hpp(1425): note: while evaluating function 'std::array<sigmatch::sig_byte,6> sigmatch::details::friendly_construct_array<sigmatch::sig_byte,6>(void) noexcept'

Environment:
windows 10
msvc 14.37.32822

Feature request: Ability to use sigmatch without compile time literals using runtime variables instead

Hello again @SpriteOvO,

Your code uses much newer C++ concepts than my brain does, and I'm at a complete loss while trying to build a Lua module that allows use of sigmatch searches from within Lua as I can't figure out how to use ""_sig with a variable std::string received from Lua...

Is this possible or would it require changes to the way the library works?

Thanks,
Matt.

Feature Request: compatibility with Ghidra instruction pattern search

Hello,

I'm curious if you'd be interested in making your tooling compatible with Ghidra's builtin instruction pattern search syntax, IE:

[01001...] 89 5c [..100100] 08 [01001...] 89 6c [..100100] 18 [01001...] 89 74 [..100100] 20 57 [01000...] 54 [01000...] 55 [01000...] 56 [01000...] 57 [01001...] 83 ec 70 [01001...] 8b [11......] [01000...] 32 [11......] [01001...] 8b [00...101] [........] [........] [........] [........] [01001...] 85 [11......] 74 [........] [01000...] 8b [10......] [........] [........] [........] [........] with full bytes in hex, binary bits within [ and ] and . as single bit wildcards... I'm not entirely sure why, but Ghidra seems to love to mask a lot of the instructions to a 5 bit wildcarded byte.

The original unmasked byte sequence for this was:

48 89 5c 24 08 48 89 6c 24 18 48 89 74 24 20 57 41 54 41 55 41 56 41 57 48 83 ec 70 48 8b e9 45 32 e4 48 8b 15 cf 11 f2 01 48 85 d2 74 2d 44 8b 89 a8 00 00 00

I was thinking about trying to add this in myself, but the newer C++ syntax is a bit out of my skill level at this point. Ghidra's instruction pattern search editor makes it very easy to find a good signature that matches well IMO.

C++ 20 Module Version

This is already a C++ 20 library so why not have a version of this library that comes as a single C++20 module interface definition file instead of a header, to benefit from faster compile times and other advantages modules have over headers.

Instead of a single header you would have a single .ixx (or whatever extension other compilers use, the extension doesn't matter)

spriteovo / sigmatch Goto Github PK

sigmatch's Introduction

sigmatch

✨ Features

🌠 Examples

🍰 Todo

📜 License

sigmatch's People

Contributors

Stargazers

Watchers

Forkers

sigmatch's Issues

Problems compiling on the latest version of msvc

Feature request: Ability to use sigmatch without compile time literals using runtime variables instead

Feature Request: compatibility with Ghidra instruction pattern search

C++ 20 Module Version

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Jobs