Module pelite::pattern


Scanner Patterns.

What are patterns?

A pattern is a sequence of atoms. An atom describes either a specific byte or a control instruction such as skipping the next X bytes.

In this regard a pattern looks a lot like a simple regular expression. But whereas regular expressions are designed to work with text, patterns are designed to work with executable code and binary data.

Patterns can encode more than “match this exact byte” and “skip X bytes”: atoms such as “follow this 1-byte signed jump”, “follow this 4-byte signed jump” and “follow this pointer”, including the ability to continue matching after returning from a followed relative jump or pointer.
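As an added illustration of these atom semantics, independent toy code that is not pelite’s own `Atom` type, parser or scanner: a minimal scanner over a constructed x86 byte buffer that matches exact bytes, skips wildcards and follows 1-byte and 4-byte relative jumps before continuing the match (pointer following is left out). The pattern used finds every `call` whose target begins with a standard `push ebp; mov ebp, esp` prologue.

```rust
/// Toy atom set modelled on the concepts described above (an assumption for
/// this example, not pelite's own `Atom` enum or pattern parser).
#[derive(Clone, Copy, Debug)]
enum Atom {
    Byte(u8),    // match exactly this byte
    Skip(usize), // skip this many bytes (wildcards)
    Jump1,       // rel8 displacement, relative to the byte after it; continue at the target
    Jump4,       // rel32 displacement, relative to the byte after it; continue at the target
}

/// Constructed x86 bytes standing in for a code section (not from a real binary).
const IMAGE: [u8; 23] = [
    0x55, 0x8B, 0xEC, 0x5D, 0xC3, // 0x00: push ebp; mov ebp,esp; pop ebp; ret
    0x90, 0x90, 0x90, // 0x05: nop padding
    0xE8, 0xF3, 0xFF, 0xFF, 0xFF, // 0x08: call rel32 -> 0x00 (rel32 = -13)
    0xCC, 0xCC, // 0x0D: int3 padding
    0xE8, 0xF1, 0xFF, 0xFF, 0xFF, // 0x0F: call rel32 -> 0x05 (target has no prologue)
    0xC3, // 0x14: ret
    0xEB, 0xE9, // 0x15: jmp rel8 -> 0x00 (rel8 = -23)
];

/// "call <target>" where the target begins with a `push ebp; mov ebp, esp` prologue.
const CALL_TO_PROLOGUE: [Atom; 5] =
    [Atom::Byte(0xE8), Atom::Jump4, Atom::Byte(0x55), Atom::Byte(0x8B), Atom::Byte(0xEC)];

/// Try to match `pat` with the cursor starting at `pos`; every read is bounds-checked.
fn matches_at(image: &[u8], pat: &[Atom], mut pos: usize) -> bool {
    for atom in pat {
        match *atom {
            Atom::Byte(b) => { if image.get(pos) != Some(&b) { return false; } pos += 1; }
            Atom::Skip(n) => pos += n,
            Atom::Jump1 => {
                let Some(&d) = image.get(pos) else { return false };
                pos = match (pos + 1).checked_add_signed(d as i8 as isize) { Some(t) => t, None => return false };
            }
            Atom::Jump4 => {
                let Some(raw) = image.get(pos..pos + 4) else { return false };
                let d = i32::from_le_bytes(raw.try_into().unwrap());
                pos = match (pos + 4).checked_add_signed(d as isize) { Some(t) => t, None => return false };
            }
        }
        if pos > image.len() { return false; }
    }
    true
}

/// Return every offset in `image` where `pat` matches (a full-image scan).
fn scan(image: &[u8], pat: &[Atom]) -> Vec<usize> {
    (0..image.len()).filter(|&p| matches_at(image, pat, p)).collect()
}
```

Only the call at offset 0x08 matches: the call at 0x0F is followed too, but its target holds `nop` padding rather than the prologue, so the match fails there and the scan reports a single hit.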

Why use patterns?

Reverse engineering is hard. When you’ve found an interesting address (such as a function or global variable) you don’t want to spend all that effort again when the program is updated.

Luckily, when programs update they usually don’t change all that much: some functions and data change, but the rest remains the same. However, the unchanged parts may be shuffled around to different addresses.

Patterns let you track interesting parts of a program even as it is updated.

Patterns also let you find all matches of a pattern, e.g. every location that calls a function or references some data, which automates analysis.

How to use patterns?

Patterns can be created statically from their atoms or parsed from a string.

Create a scanner instance for PE32 or PE32+ and follow their documentation.

How to create patterns?

This requires knowledge of reverse engineering programs.

Here’s a resource to learn more about signature scanning: wiki.alliedmods.net.

Structs

Pattern parsing error.

Enums

Pattern atoms.

Constants

Max recursion depth.

Functions

Pattern parser.

Type Definitions

Patterns are a vector of Atoms.