如何加快我的记忆扫描程序？ [英] How to speed up my memory scan program?

问题描述

我目前正在写一个内存扫描器，扫描在另一个过程中的AOB。该AOB包含通配符并且是看起来像 39 35字符串psented重新$ P $？ ?? ?? ?? 75 10 01 6A E8

I'm currently writing an Memory Scanner that scans for an AOB in ANOTHER process. The aob contains wild card and is represented by a string that looks like39 35 ?? ?? ?? ?? 75 10 6A 01 E8

下面是我到目前为止有：

Here's what I have so far:

1. 我只需要扫描相匹配的具体保护常量记忆的区域。如PAGE_READWRITE。


2. 然而，因为我必须扫描大范围的内存，这是不可能读取整个一节中一次我的地址空间。我必须用一个缓冲区做到了;每次我读了一大块和过程小块。在我的计划，我拿着它存储我看现在的地址 currentAddress 变量。


3. 与＃2的方法的问题是，在AOB可能在于两个块之间。我对解决这个问题的办法是：每当搜索，因为缓冲区，但字节匹配月底结束至今，取N回步骤（其中N是字节匹配的数量）



4. 我的算法，采取原始的方法;它野蛮势力对所有可能位置的问题，并搜索。在code如下：

1. I only have to scan memories regions that matches a specific protection constants. Such as PAGE_READWRITE.
2. However, since I have to scan for large range of memory, it is impossible to read the whole section in to my address space one time. I must do it with a buffer; each time I read in a chunk and process that small chunk. In my program, I held a currentAddress variable which stores the address I'm looking at now.
3. Problem with the approach in #2 is that, the aob could lie in between two chunks. My approach to solve this problem is: Whenever the search ended because of end of buffer but the bytes match so far, take N back steps.(Where N is the number of bytes matches.)

4. My algorithm take the naive way; it brute forces the problem and searches for all possible positions. The code looks like:

char *haystack = .....
short *needle = .... //"39 35 ?? ?? ?? ?? 75 10 6A 01 E8"
outer:for(int i = 0; i < lengthOfHayStack - lengthOfNeedle; i ++)
{
    for(int j = 0; j < lengthOfNeedle; j ++)
    {
        if(buffer[i+j] != needle[j] && needle[j] != WILDCARD)
             continue outer;
    }
    //found one?
}

这是算法明智的。实施明智的，我第一次使用 REPNE SCASB 寻找针在草堆的第一个字节。这个过程是通过内联组件完成。该指数被发现后，我用c code，比较它的休息，因为我需要照顾外卡的。

That was algorithm wise. Implementation wise, I first use repne scasb to look for the first byte of needle in the haystack. This process is done by inline assembly. After the index is found, I use c code to compare the rest of it because I need to take care of the wild card.

我的记忆扫描仪的性能是不错，但我还是希望能改进。有什么办法，既明智的算法和实现明智的，我能加快我的记忆扫描仪？

The performance of my Memory Scanner is okay but I still hope to improve it. What are some ways, both algorithm wise and implementation wise, that I could speed up my memory scanner?

PS：该AOB的模块是未知的。因此，我必须扫描整个存储区。

PS: Module of the AOB is unknown. Thus I have to scan the entire memory region.

推荐答案

1）其他的答案在这里建议建立一个DFA，这是线性时间。
你可以建立一个克努特莫里斯普拉特搜索来代替，实现的次线性的在许多情况下多次。它会跳过不能包含模式的基础上，它只是跳过块之前已经看到比特的内存块。如果你想这是非常快，我想你会发现，核心算法必须处于汇编codeD。

1) Other answers here suggest building a DFA, which is linear time. You can build a Knuth-Morris-Pratt search instead, and achieve sublinear times in many cases. It skips over chunks of memory that can't contain the pattern, based on bits it has already seen just before the skipped chunk. If you want this to be really fast, I think you'll find that the core algorithm has to be coded in assembler.

2），而不是读取目标进程空间块（需要通过内核复制），我会忍不住从目标空间到搜索的空间的虚拟页面映射。您可以通过这些页面pretty大（16Mb的？），它的摊销成本的映射;有零拷贝的​​成本。

2) Rather than read chunks from the target process space (requires copying through the kernel), I'd be tempted to map virtual pages from the target space into the searcher's space. You can make these pages pretty big (16Mb?) which amortizes the mapping cost; there is zero copying cost.

这篇关于如何加快我的记忆扫描程序？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！