v1.1 release

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Decryller (decryller@gmail.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,17 @@
+### alma
+a linux memory analyzer.\
+alma provides:
+* Memory reading and writing functions.
+* A wildcard-supporting pattern scanning function.
+* Easy memory page retrieval based on access permissions.
+
+Requires root permissions and `/proc` to be mounted.\
+The `rvmt` folder and its contents are necessary just for the example.
+### Running the example
+```
+g++ -lX11 rvmt/rvmt.cpp alma.cpp example.cpp -o alma && sudo ./alma
+```
+Latest version: alma v1.1
+### Contact
+E-mail: decryller@gmail.com\
+Discord: decryller

alma.cpp

@@ -0,0 +1,86 @@
+// alma v1.1
+#include "alma.hpp"
+#include <fstream>
+#include <sstream>
+
+char memPath[64];
+char mapsPath[64];
+
+unsigned int currentPID;
+
+std::vector<unsigned char> alma::memRead(const memAddr address, const unsigned int count) {
+
+    std::ifstream mem(memPath, std::ios::in | std::ios::binary);
+    std::vector<unsigned char> retVec(count);
+
+    mem.seekg(address);
+    mem.read(reinterpret_cast<char*>(&retVec[0]), count);
+    return retVec;
+}
+
+void alma::memWrite(const memAddr address, const std::vector<unsigned char> values) {
+    std::ofstream mem(memPath, std::ios::out | std::ios::binary);
+
+    mem.seekp(address);
+    mem.write(reinterpret_cast<const char*>(&values[0]), values.size());            
+}
+
+std::vector<memoryPage> alma::getMemoryPages(const int targetPerms, const int excludedPerms) {
+    std::vector<memoryPage> retVec;
+    std::ifstream maps_file(mapsPath);
+    std::string line;
+
+    // Iterate through each line
+    while (std::getline(maps_file, line)) {
+        std::istringstream sstream(line);
+
+        memAddr pageBegin, pageEnd;
+        char dash;
+        char pagePerms[4];
+
+        // Parse the line
+        sstream >> std::hex >> pageBegin >> dash >> pageEnd >> pagePerms;
+
+        memoryPage page {
+            memoryPermission_NONE,
+            pageBegin,
+            pageEnd
+        };
+
+        if (pagePerms[0] == 'r') page.permissions |= memoryPermission_READ;
+        if (pagePerms[1] == 'w') page.permissions |= memoryPermission_WRITE;
+        if (pagePerms[2] == 'x') page.permissions |= memoryPermission_EXECUTE;
+        if (pagePerms[3] == 's') page.permissions |= memoryPermission_SHARED;
+        if (pagePerms[3] == 'p') page.permissions |= memoryPermission_PRIVATE;
+
+        // Check for excluded permissions
+        if (page.permissions & excludedPerms)
+            continue;
+
+        // If target permissions are not specified, push back every page.
+        if (targetPerms == memoryPermission_NONE)
+            retVec.push_back(page);
+
+        // If target permissions specified, only push back pages that meet the filter
+        else if (targetPerms & page.permissions)
+            retVec.push_back(page);
+    }
+
+    return retVec;
+}
+
+bool alma::openProcess(const unsigned int pid) {
+    snprintf(memPath, 64, "/proc/%i/mem", pid);
+    snprintf(mapsPath, 64, "/proc/%i/maps", pid);
+
+    std::ifstream existsCheck(memPath, std::ios::in | std::ios::binary); 
+
+    if (existsCheck.is_open())
+        currentPID = pid;
+
+    return currentPID == pid;
+}
+
+unsigned int alma::getCurrentlyOpenPID() {
+    return currentPID;
+}

alma.hpp

@@ -0,0 +1,126 @@
+// alma v1.1
+#ifndef ALMA_HPP
+#define ALMA_HPP
+#include <vector>
+typedef unsigned long long memAddr;
+
+enum memoryPermission_ {
+    memoryPermission_NONE = 0,
+    memoryPermission_READ = 1 << 0,
+    memoryPermission_WRITE = 1 << 1,
+    memoryPermission_EXECUTE = 1 << 2,
+    memoryPermission_PRIVATE = 1 << 3,
+    memoryPermission_SHARED = 1 << 4,
+};
+
+struct memoryPage {
+    int permissions = memoryPermission_NONE;
+    memAddr begin = 0;
+    memAddr end = 0;
+};
+
+namespace alma {
+    // Read bytes at a specific address.
+    // Returns values residing at the specified address.
+    extern std::vector<unsigned char> memRead(const memAddr address, const unsigned int count);
+
+    // Write bytes to a specific address.
+    extern void memWrite(const memAddr address, const std::vector<unsigned char> values);
+
+    // Get memory pages
+    // Can return an empty vector.
+    extern std::vector<memoryPage> getMemoryPages(const int targetPerms, const int excludedPerms);
+
+    // Sets up "memPath" and "mapsPath"
+    // Returns true if pid's mem file is accessible.
+    extern bool openProcess(const unsigned int pid);
+
+    // Scan between a given range for a specific byte pattern.
+    // Use 0x420 for wildcards.
+    // If no matches were found, {0xBAD} will be returned.
+    template <typename val>
+    std::vector<memAddr> patternScan(const memAddr minLimit, const memAddr maxLimit, std::vector<val> pattern, const unsigned int alignment = 4, const unsigned int maxOcurrences = 0) {
+        std::vector<memAddr> retVec{0xBAD};
+        int chunkSize = 0x100000; // Optimal chunk size. Not much difference when increased / decreased away from this.
+
+        const int patternSize = pattern.size(); // Use a variable instead of calling the function.
+        for (memAddr currentAddress = minLimit; currentAddress < maxLimit; currentAddress += chunkSize) {
+
+            // Prevent going out of maxLimit bounds.
+            if (currentAddress + chunkSize >= maxLimit)
+                chunkSize = maxLimit - currentAddress;
+
+            const std::vector<unsigned char> chars = memRead(currentAddress, chunkSize);
+
+            for (int x = 0; x < chunkSize - patternSize; x += alignment) // Chunk reading loop
+                for (int y = 0; y < patternSize; y++) { // Pattern matching loop
+                    // Skip wildcards
+                    if (pattern[y] == 0x420)
+                        continue;
+
+                    if (chars[x + y] != pattern[y])
+                        break;
+
+                    // Successful match
+                    if (y == patternSize - 1) {
+                        if (retVec[0] == 0xBAD) // Replace error element
+                            retVec[0] = currentAddress + x;
+
+                        else
+                            retVec.push_back(currentAddress + x);
+
+                        if (retVec.size() == maxOcurrences)
+                            return retVec;
+                    }
+                }
+        }
+        return retVec;
+    }
+    // Scan all pages that have a permission included in targetPerms.
+    // Ignores all pages that have a permission included in excludedPerms.
+    // Use 0x420 for wildcards.
+    // If no matches were found, {0xBAD} will be returned.
+    template <typename val>
+    std::vector<memAddr> patternScanPerms(const int targetPerms, const int excludedPerms, std::vector<val> pattern, const unsigned int alignment = 4, const unsigned int maxOcurrences = 0) {
+        std::vector<memAddr> retVec{0xBAD};
+        for (const memoryPage page : getMemoryPages(targetPerms, excludedPerms)) {
+            const auto result = patternScan(page.begin, page.end, pattern, alignment, maxOcurrences);
+
+            if (result[0] == 0xBAD)
+                continue;
+
+            if (retVec[0] == 0xBAD)
+                retVec = result; // Replace error element.
+            else
+                retVec.insert(retVec.end(), result.begin(), result.end());
+        }
+        return retVec;
+    }
+
+    // Get PID of currently open process.
+    // Returns 0 if none is open.
+    extern unsigned int getCurrentlyOpenPID();
+
+    // Use this only if you know what you're doing.
+    template <typename varType>
+    varType hexToVar(std::vector<unsigned char> bytes) {
+        varType rvalue;
+
+        for (int i = 0; i < bytes.size(); i++)
+            ((char*)&rvalue)[i] = bytes[i];
+
+        return rvalue;
+    };
+
+    // Use this only if you know what you're doing.
+    template <typename varType>
+    std::vector<unsigned char> varToHex(varType &var, unsigned int varMemSize) {
+        std::vector<unsigned char> rvalue(varMemSize);
+
+        for (int i = 0; i < varMemSize; i++)
+            rvalue[i] = ((char*)&var)[i];
+
+        return rvalue;
+    };
+}
+#endif