markhc · November 29, 2017 01:37
diff --git a/utils.c b/utils.c
 NTSTATUS KapFindKernelPattern(
    _In_ PUCHAR Pattern,
    _In_ PUCHAR Mask,
    _In_ ULONG  PatternLength,
    _Out_ PVOID* Result
 )
 {
    PIMAGE_NT_HEADERS       NtHeaders;
    PIMAGE_SECTION_HEADER   FirstSection;
    
    PAGED_CODE();

    if(!Pattern)       return STATUS_INVALID_PARAMETER_1;
    if(!Mask)          return STATUS_INVALID_PARAMETER_2;
    if(!PatternLength) return STATUS_INVALID_PARAMETER_3;

    if(!PsNtosImageBase) return STATUS_UNSUCCESSFUL;

    NtHeaders       = RtlImageNtHeader(PsNtosImageBase);
    FirstSection    = (PIMAGE_SECTION_HEADER)(NtHeaders + 1);

    for(PIMAGE_SECTION_HEADER Section = FirstSection;
        Section < FirstSection + NtHeaders->FileHeader.NumberOfSections;
        Section++) {

        if( RtlCompareMemory(Section->Name, ".text", 5)  == 5||
            RtlCompareMemory(Section->Name, "PAGE", 4) == 4) {

            NTSTATUS Status = KapFindPattern(
                (PUCHAR)PsNtosImageBase + Section->VirtualAddress, 
                Section->Misc.VirtualSize, 
                Pattern,
                Mask, 
                PatternLength, 
                Result);
            if(NT_SUCCESS(Status))
                return Status;
        }
    }

    return STATUS_UNSUCCESSFUL;
 }

 NTSTATUS KapFindPattern(
    _In_ PVOID Base,
    _In_ ULONG Size,
    _In_ PUCHAR Pattern,
    _In_ PUCHAR Mask,
    _In_ ULONG PatternLength,
    _Out_ PVOID* Result
 )
 {
    PAGED_CODE();

    if(!Base || !Pattern || !Mask || !Result)
        return STATUS_INVALID_PARAMETER;

    for(ULONG i = 0u; i < Size - PatternLength; i++) {
        BOOLEAN Found = TRUE;
        for(ULONG_PTR j = 0; j < PatternLength; j++) {
            if(Mask[j] == 'x' && Pattern[j] != ((PCUCHAR)Base)[i + j]) {
                Found = FALSE;
                break;
            }
        }

        if(Found) {
            *Result = (PUCHAR)Base + i;
            return STATUS_SUCCESS;
        }
    }

    return STATUS_NOT_FOUND;
 }
	NTSTATUS KapFindKernelPattern(
	_In_ PUCHAR Pattern,
	_In_ PUCHAR Mask,
	_In_ ULONG PatternLength,
	_Out_ PVOID* Result
	)
	{
	PIMAGE_NT_HEADERS NtHeaders;
	PIMAGE_SECTION_HEADER FirstSection;

	PAGED_CODE();

	if(!Pattern) return STATUS_INVALID_PARAMETER_1;
	if(!Mask) return STATUS_INVALID_PARAMETER_2;
	if(!PatternLength) return STATUS_INVALID_PARAMETER_3;

	if(!PsNtosImageBase) return STATUS_UNSUCCESSFUL;

	NtHeaders = RtlImageNtHeader(PsNtosImageBase);
	FirstSection = (PIMAGE_SECTION_HEADER)(NtHeaders + 1);

	for(PIMAGE_SECTION_HEADER Section = FirstSection;
	Section < FirstSection + NtHeaders->FileHeader.NumberOfSections;
	Section++) {

	if( RtlCompareMemory(Section->Name, ".text", 5) == 5\|\|
	RtlCompareMemory(Section->Name, "PAGE", 4) == 4) {

	NTSTATUS Status = KapFindPattern(
	(PUCHAR)PsNtosImageBase + Section->VirtualAddress,
	Section->Misc.VirtualSize,
	Pattern,
	Mask,
	PatternLength,
	Result);
	if(NT_SUCCESS(Status))
	return Status;
	}
	}

	return STATUS_UNSUCCESSFUL;
	}

	NTSTATUS KapFindPattern(
	_In_ PVOID Base,
	_In_ ULONG Size,
	_In_ PUCHAR Pattern,
	_In_ PUCHAR Mask,
	_In_ ULONG PatternLength,
	_Out_ PVOID* Result
	)
	{
	PAGED_CODE();

	if(!Base \|\| !Pattern \|\| !Mask \|\| !Result)
	return STATUS_INVALID_PARAMETER;

	for(ULONG i = 0u; i < Size - PatternLength; i++) {
	BOOLEAN Found = TRUE;
	for(ULONG_PTR j = 0; j < PatternLength; j++) {
	if(Mask[j] == 'x' && Pattern[j] != ((PCUCHAR)Base)[i + j]) {
	Found = FALSE;
	break;
	}
	}

	if(Found) {
	*Result = (PUCHAR)Base + i;
	return STATUS_SUCCESS;
	}
	}

	return STATUS_NOT_FOUND;
	}