Squalr：功能强大的高性能内存编辑工具

FB客服

发布于 2021-07-27 14:58:07

1.1K0

发布于 2021-07-27 14:58:07

文章被收录于专栏：FreeBuf

关于Squalr

Squalr是一款功能强大的高性能内存编辑工具，同时它也是一款采用C＃编写的黑客工具。它允许用户在windows桌面游戏中创建和分享作弊方案，其中的功能包括内存扫描、指针、x86/x64程序集注入等等。

Squalr通过多线程结合SIMD指令的方式实现快速扫描。为了利用这些优势，您的CPU需要支持SSE、AVX或AVX-512。

我们有以下三种方式来使用SqualrL：

前端GUI 脚本API 后端NuGet包

接下来，我们将详细介绍NuGet包提供的API接口。

NuGet包提供的API接口

接收引擎输出

如果使用的是NuGet包，最重要的是通过钩子挂接引擎的输出，并接收事件日志，这些数据对于诊断问题是非常重要的。

using Squalr.Engine.Logging;
...
// Receive logs from the engine
Logger.Subscribe(new EngineLogEvents());
...
class EngineLogEvents : ILoggerObserver
{
public void OnLogEvent(LogLevel logLevel, string message, string innerMessage)
{
Console.WriteLine(message);
Console.WriteLine(innerMessage);
}
}

绑定引擎

using Squalr.Engine.OS;
...
IEnumerable<Process> processes = Processes.Default.GetProcesses();
// Pick a process. For this example, we are just grabbing the first one.
Process process = processes.FirstOrDefault();
Processes.Default.OpenedProcess = process;

修改内存

using Squalr.Engine.Memory;
...
Reader.Default.Read<Int32>(address);
Writer.Default.Write<Int32>(address);
Allocator.Alloc(address, 256);
IEnumerable<NormalizedRegion> regions = Query.GetVirtualPages(requiredProtection, excludedProtection, allowedTypes, startAddress, endAddress);
IEnumerable<NormalizedModule> modules = Query.GetModules();

汇编/反汇编

Squalr可以对x86/x64程序集进行汇编和反汇编，此功能利用NASM实现：

using Squalr.Engine.Architecture;
using Squalr.Engine.Architecture.Assemblers;
...
// Perform assembly
AssemblerResult result = Assembler.Default.Assemble(assembly: "mov eax, 5", isProcess32Bit: true, baseAddress: 0x10000);
Console.WriteLine(BitConverter.ToString(result.Bytes).Replace("-", " "));
// Disassemble the result (we will get the same instructions back)
Instruction[] instructions = Disassembler.Default.Disassemble(bytes: result.Bytes, isProcess32Bit: true, baseAddress: 0x10000);
Console.WriteLine(instructions[0].Mnemonic);

扫描功能

Squalr提供了一个API来执行高性能的内存扫描：

using Squalr.Engine.Scanning;
using Squalr.Engine.Scanning.Scanners;
using Squalr.Engine.Scanning.Scanners.Constraints;
using Squalr.Engine.Scanning.Snapshots;
...
DataType dataType = DataType.Int32;
// Collect values
TrackableTask<Snapshot> valueCollectorTask = ValueCollector.CollectValues(
SnapshotManager.GetSnapshot(Snapshot.SnapshotRetrievalMode.FromActiveSnapshotOrPrefilter, dataType));
// Perform manual scan on value collection complete
valueCollectorTask.CompletedCallback += ((completedValueCollection) =>
{
Snapshot snapshot = completedValueCollection.Result;
// Constraints
ScanConstraintCollection scanConstraints = new ScanConstraintCollection();
scanConstraints.AddConstraint(new ScanConstraint(ScanConstraint.ConstraintType.Equal, 25));
TrackableTask<Snapshot> scanTask = ManualScanner.Scan(
snapshot,
allScanConstraints);
SnapshotManager.SaveSnapshot(scanTask.Result);
});
for (UInt64 index = 0; index < snapshot.ElementCount; index++)
{
SnapshotElementIndexer element = snapshot[index];
Object currentValue = element.HasCurrentValue() ? element.LoadCurrentValue() : null;
Object previousValue = element.HasPreviousValue() ? element.LoadPreviousValue() : null;
}

调试

// Example: Tracing write events on a float
BreakpointSize size = Debugger.Default.SizeToBreakpointSize(sizeof(float));
CancellationTokenSource cancellationTokenSource = Debugger.Default.FindWhatWrites(0x10000, size, this.CodeTraceEvent);
...
// When finished, cancel the instruction collection
cancellationTokenSource.cancel();
...
private void CodeTraceEvent(CodeTraceInfo codeTraceInfo)
{
Console.WriteLine(codeTraceInfo.Instruction.Address.ToString("X"));
Console.WriteLine(codeTraceInfo.Instruction.Mnemonic);
}