https://github.com/dasaav-dsv/pattern16

The fastest x86-64 signature matching library.
https://github.com/dasaav-dsv/pattern16

aob aob-scan aob-scanner cplusplus header-only memory-scanner pattern pattern-scanner reverse-engineering signature signature-scanner simd

Last synced: about 2 months ago
JSON representation

The fastest x86-64 signature matching library.

• Host: GitHub
• URL: https://github.com/dasaav-dsv/pattern16
• Owner: Dasaav-dsv
• License: mit
• Created: 2023-07-16T23:09:34.000Z (over 2 years ago)
• Default Branch: master
• Last Pushed: 2024-01-07T01:13:22.000Z (about 2 years ago)
• Last Synced: 2024-01-07T02:25:12.169Z (about 2 years ago)
• Topics: aob, aob-scan, aob-scanner, cplusplus, header-only, memory-scanner, pattern, pattern-scanner, reverse-engineering, signature, signature-scanner, simd
• Language: C++
• Homepage:
• Size: 83 KB
• Stars: 11
• Watchers: 1
• Forks: 3
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.txt

Awesome Lists containing this project

README

          
# Pattern16

The fastest x86-64 signature matching library.

### Features:

 - Faster than the fastest existing scanners by ~50%, with reliable singlethreaded speeds up to 25 GB/s for consecutive scans

 - Aids reverse engineering by targeting assembly bytecode

 - Designed and optimized for x86-64, with 32-bit support planned

 - Support for all new (and old) CPU features

 - Uses AVX1, SSE4.1, SSE2, CMOVE in order of availability, BMI2 and BMI1 (with fill-in functions)

 - Header only, written in modern C++

### Usage:

Include `Pattern16.h` and provide the address of a memory region's start, its length and the signature to search for formatted as a string:

```cpp

#include "Pattern16.h"

void* regionStart = (void*)0x140000000;

size_t regionSize = 0x4000000;

std::string signature = "00 11 ?? ?? ?? ?? 66 77 [?1?0??01] 99 AA BB C? ?D EE FF";

void* address = Pattern16::find(regionStart, regionSize, signature);

```

Pattern16 signature rules:

 - All byte values are represented in base16/hexadecimal notation

 - Space characters ` ` are ignored completely even inside bit masks, so use them for formatting

 - Symbols other than `0123456789ABCDEFabcdef[]` are wildcards and can stand in for any byte or bit

 - A sequence of symbols within sqare brackets `[]` represents a bit field. Don't forget there are 8 bits in a byte!

 - Bits inside a bitfield can be masked with wildcard symbols

 - A bitfield does not have to be limited to a single byte, `[01xx1100 xxx11xx0]` is a legal 2-byte masked bitfield