{"id":67,"date":"2013-11-27T18:00:44","date_gmt":"2013-11-27T14:00:44","guid":{"rendered":"http:\/\/sasablog.ru\/prof\/?p=67"},"modified":"2020-12-19T19:10:46","modified_gmt":"2020-12-19T15:10:46","slug":"findinmemory","status":"publish","type":"post","link":"http:\/\/sasablog.ru\/prof\/findinmemory\/","title":{"rendered":"\u0411\u044b\u0441\u0442\u0440\u044b\u0439 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c \u043f\u043e\u0438\u0441\u043a\u0430 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043f\u043e \u0445\u0435\u0448\u0443 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0441\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u044b"},"content":{"rendered":"

\u0412\u044b\u0434\u0440\u0430\u043d\u043e \u0438\u0437 \u0438\u0441\u0445\u043e\u0434\u043d\u0438\u043a\u043e\u0432 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b DecomAs \u043e\u0442 PEKill:
\n\u0414\u043e\u043f\u0443\u0441\u043a\u0430\u0435\u0442\u0441\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0441\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u044b \u0441\u043e \u0437\u043d\u0430\u043a\u043e\u043c ‘?’ \u0435\u0441\u043b\u0438 \u043d\u0435\u0438\u0437\u0432\u0435\u0441\u0442\u0435\u043d \u043a\u0430\u043a\u043e\u0439 \u043b\u0438\u0431\u043e \u0431\u0430\u0439\u0442 \u0432 \u0441\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u0435:
\n


\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\n\/\/ \u0423\u043b\u0443\u0447\u0448\u0435\u043d\u044b\u0439 \u0430\u043b\u0433\u043e\u0440\u0438\u0442\u043c \u043f\u043e\u0438\u0441\u043a\u0430 \u0432 \u0431\u0443\u0444\u0435\u0440\u0435...
\n\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\nfunction Find(dwScanStart,dwScanSize:dword;s:string):DWORD;
\nType
\n  TEl = packed record
\n          B: BYTE; \/\/ \u0427\u0442\u043e \u0438\u0449\u0435\u043c
\n          X: BYTE; \/\/ \u041c\u0430\u0441\u043a\u0430
\n        end;
\nVar
\n    i,j:integer;
\n    aHash:ARRAY [0..1024] of TEl; \/\/ \u0421\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u0430 \u0432 \u0432\u0438\u0434\u0435 \u0445\u0435\u0448\u0430
\n    dwScanEnd:DWORD;
\nbegin
\n  Result:=0;
\n  if S='' then exit;
\n  if Length(S) mod 2 <>0 then S:=S+'?'; \/\/ \u0427\u0435\u0442\u043d\u043e\u0441\u0442\u044c
\n  dwScanEnd:=dwScanStart+dwScanSize;
\n  ZeroMemory(@aHash,1024);
\n  i:=1; j:=0;
\n  \/\/ \u0411\u0438\u043b\u0434\u0438\u043c \u0445\u0435\u0448
\n  repeat
\n    aHash[j].X:=$FF;
\n    if S[i]='?' then
\n    begin
\n      aHash[j].X:=$0F;
\n      S[i]:='0';
\n    end;
\n    if S[i+1]='?' then
\n    begin
\n      aHash[j].X:=aHash[j].X and $F0;
\n      S[i+1]:='0';
\n    end;
\n    aHash[j].B:=StrToInt('$'+S[i]+S[i+1]);
\n    Inc(i,2);
\n    Inc(j);
\n  until i>Length(S);
\n  \/\/ \u041f\u043e\u0438\u0441\u043a
\n  for i:=dwScanStart to dwScanEnd-Length(s) div 2 do
\n  begin
\n    for j:=0 to (Length(S) div 2)-1 do
\n      if BYTE(Pointer(i+j)^) and aHash[j].X <> aHash[j].B \/\/ \u0423\u0447\u0435\u0442 \u043c\u0430\u0441\u043a\u0438
\n        then break;
\n    if j=(Length(S) div 2) then break;
\n  end;
\n  if i < (dwScanEnd-Length(s) div 2) then Result:=i;
\nend;
\n<\/code><\/pre><\/p>\n
\u041f\u043e\u0438\u0441\u043a \u0432 \u0437\u0430\u0433\u0440\u0443\u0436\u0435\u043d\u043d\u043e\u043c \u0444\u0430\u0439\u043b\u0435. \u041f\u0440\u0438\u043c\u0435\u0440 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f 1<\/strong>:
\n

\nprogram Project1;
\nuses
\n  Windows,
\n  SysUtils,
\n  Classes;
\nvar mmFile: TMemoryStream;
\n    HelloPos: Cardinal;
\nbegin
\n   \/\/ \u0417\u0430\u0433\u0440\u0443\u0436\u0430\u0435\u043c \u0442\u0435\u043a\u0441\u0442\u043e\u0432\u044b\u0439 \u0444\u0430\u0439\u043b
\n   mmFile:=TMemoryStream.Create; mmFile.LoadFromFile('C:\\1.txt');
\n   \/\/ \u0418\u0449\u0435\u043c \u0441\u043b\u043e\u0432\u043e H?llo (\u044d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c Hello, Hillo, Hullo \u0438 \u0442.\u0434.)
\n   HelloPos:=Find(DWORD(mmFile.Memory),mmFile.Size, '48??6C6C6F');
\n   if HelloPos<>0 then
\n      MessageBox(0, PChar('\u0421\u043b\u043e\u0432\u043e H?llo \u043d\u0430\u0445\u043e\u0434\u0438\u0442\u0441\u044f \u0432 \u043f\u043e\u0437\u0438\u0446\u0438\u0438 ' + IntToStr(HelloPos-DWORD(mmFile.Memory))),'', 0)
\n   else
\n      MessageBox(0, '\u0421\u043b\u043e\u0432\u043e H?llo \u043d\u0435 \u043d\u0430\u0439\u0434\u0435\u043d\u043e','', 0);
\nend.
\n<\/code><\/pre><\/p>\n
\u041f\u043e\u0438\u0441\u043a \u0441\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u044b \u0432 \u0437\u0430\u0433\u0440\u0443\u0436\u0435\u043d\u043d\u043e\u0439 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0435. \u041f\u0440\u0438\u043c\u0435\u0440 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f 2<\/strong>:
\n

\nprogram Project2;
\nuses
\n  Windows,
\n  SysUtils;
\ntype
\n   TSections = array [0..2] of TImageSectionHeader;
\nvar HMod: THandle;
\n    ImageNtHeaders: PImageNtHeaders;
\n    PSections: ^TSections;
\n    SAddr: DWORD;
\nbegin
\n   \/\/ \u0417\u0430\u0433\u0440\u0443\u0436\u0430\u0435\u043c DLL
\n   HMod := LoadLibrary('kernel32.dll');
\n   \/\/ \u041e\u043f\u0440\u0435\u0434\u0435\u043b\u044f\u0435\u043c \u0441\u0435\u043a\u0446\u0438\u044e \u043f\u043e\u0438\u0441\u043a\u0430
\n   ImageNtHeaders := pointer(HMod + dword(PImageDosHeader(HMod)._lfanew));
\n   PSections := pointer(pchar(@(ImageNtHeaders.OptionalHeader)) + ImageNtHeaders.FileHeader.SizeOfOptionalHeader);
\n   \/\/ \u0418\u0449\u0435\u043c MZ \u0432 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0435
\n   SAddr := Find (Hmod, PSections[0].VirtualAddress, '4D5A');
\n   if SAddr<>0 then
\n      MessageBox(0,PChar('\u0421\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u0430 \u043d\u0430\u0439\u0434\u0435\u043d\u0430 \u043f\u043e \u0430\u0434\u0440\u0435\u0441\u0443: ' + IntToHex(SAddr, 8)),'',0);
\nend.
\n<\/code><\/pre><\/p>\n","protected":false},"excerpt":{"rendered":"
\u0412\u044b\u0434\u0440\u0430\u043d\u043e \u0438\u0437 \u0438\u0441\u0445\u043e\u0434\u043d\u0438\u043a\u043e\u0432 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b DecomAs \u043e\u0442 PEKill: \u0414\u043e\u043f\u0443\u0441\u043a\u0430\u0435\u0442\u0441\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0441\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u044b \u0441\u043e \u0437\u043d\u0430\u043a\u043e\u043c ‘?’ \u0435\u0441\u043b\u0438 \u043d\u0435\u0438\u0437\u0432\u0435\u0441\u0442\u0435\u043d \u043a\u0430\u043a\u043e\u0439 \u043b\u0438\u0431\u043e \u0431\u0430\u0439\u0442 \u0432 \u0441\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u0435:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13],"tags":[24,23,15,27,25],"_links":{"self":[{"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/posts\/67"}],"collection":[{"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/comments?post=67"}],"version-history":[{"count":21,"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/posts\/67\/revisions"}],"predecessor-version":[{"id":219,"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/posts\/67\/revisions\/219"}],"wp:attachment":[{"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/media?parent=67"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/categories?post=67"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/sasablog.ru\/prof\/wp-json\/wp\/v2\/tags?post=67"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}