自己写的特征码搜索，怎么加快速度

李靖武

目前搜索出来差不多5分钟

阿白不爱吃菜

论坛搜特征 模糊 搜 这几个关键词就行了

dnxl

这样写不得搜到猴年马月

李靖武

dnxl 发表于 2025-11-7 17:25
这样写不得搜到猴年马月

我想x86和x64通用诶

dnxl

李靖武 发表于 2025-11-7 17:29
我想x86和x64通用诶

跟X86和X64也没什么关系啊，你这写法跟效率一点都粘不上边
内存能一次读完就一次读完再对比，不是一个个字节递增去读，这有一亿个字节你还不得读一亿次，还有那个字节集替换，你用的每一条指令都是重度封装效率低下的，再加上你逻辑又有问题.....能快就见鬼了。
还有，那个?号不是这样处理的

yab8012

模块里面不是有吗

补充内容 (2025-11-7 22:17):
编辑框1是特征码，编辑框2是偏移量，编辑框2是什么内存地址，call地址什么的

帅气与大侠

读内存思路

1.设置每次读字节集的长度，一般设置在1024*1024*2左右，2-4MB，如果内存不紧张可以适当再大

2.再这2mb内存里搜索关键字，找到返回，没找到再读下一块查找

缓冲区长度=1024*1024*2
如果真（缓冲区长度<特征码长度）
    ·则 缓冲区长度+=特征码长度

读字节集（句柄，开始位置，缓冲区长度，缓冲区）
替换工作
寻找字节集（缓冲区，特征码）
如果没找到
开始位置=开始位置+缓冲区长度-特征码长度 ‘防止特征码部分在该块内存末尾

一直循环，效率会高很多，也不会漏数据

LLXXLL

直接基于pe结构代码段节区搜索秒出

萧楚楠

  

bin ＝ 读入文件 (“C:\Windows\System32\kernel32.dll”)
sign ＝ “8B FF 55 8B EC ?? ?? ?? 51”  ' 有无空格和大小写 都不影响！
' 77B95DB0 > $  8BFF          mov edi,edi
' 77B95DB2   .  55            push ebp
' 77B95DB3   .  8BEC          mov ebp,esp
' 77B95DB5   .  83E4 F8       and esp,-0x8
' 77B95DB8   .  51            push ecx
签名寻找_字节集 (bin, sign, offset)
调试输出 (offset)
返回 (0)  ' 可以根据您的需要返回任意数值

子程序名	返回值类型	公开	备 注
签名寻找_指针版	整数型		返回 找到的数量。Code By:2962946246
参数名	类 型	参考	可空	数组	备 注
pdata	整数型
len	整数型
签名	文本型				无视空格和大小写！例如：8B FF 55 8B EC ?? ?? ?? 51
返回偏移数组	整数型				需自己加上jz！

变量名	类 型	静态	数组	备 注
i	整数型

置入代码 ({ 139, 125, 16, 139, 55, 49, 219, 137, 241, 133, 246, 15, 132, 3, 1, 0, 0, 138, 1, 65, 60, 32, 116, 249, 67, 132, 192, 117, 244, 131, 251, 1, 15, 134, 238, 0, 0, 0, 247, 195, 1, 0, 0, 0, 15, 132, 226, 0, 0, 0, 41, 241, 131, 193, 7, 131, 225, 252, 41, 204, 137, 231, 138, 6, 70, 60, 32, 116, 249, 136, 7, 71, 132, 192, 117, 242, 198, 7, 0, 137, 230, 139, 77, 8, 131, 235, 1, 133, 201, 15, 132, 181, 0, 0, 0, 209, 235, 139, 69, 12, 133, 192, 15, 132, 168, 0, 0, 0, 49, 210, 247, 243, 141, 80, 1, 137, 216, 131, 195, 7, 137, 85, 252, 131, 227, 252, 41, 220, 137, 231, 80, 131, 192, 3, 255, 12, 36, 193, 232, 2, 80, 87, 86, 82, 81, 232, 55, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 90, 49, 201, 131, 234, 48, 102, 139, 4, 14, 65, 102, 133, 192, 116, 43, 102, 61, 63, 63, 116, 27, 136, 199, 193, 232, 8, 138, 28, 16, 136, 248, 138, 60, 16, 198, 6, 255, 192, 231, 4, 70, 8, 223, 136, 63, 71, 235, 213, 198, 6, 0, 198, 7, 0, 70, 71, 235, 203, 199, 6, 0, 0, 0, 0, 199, 7, 0, 0, 0, 0 })
重定义数组 (返回偏移数组, 假, i)
置入代码 ({ 199, 64, 4, 0, 0, 0, 0, 85, 137, 68, 36, 8, 131, 125, 252, 0, 116, 114, 139, 117, 8, 139, 109, 12, 1, 245, 139, 92, 36, 12, 139, 124, 36, 16, 139, 27, 139, 63, 139, 6, 70, 33, 216, 49, 248, 116, 6, 57, 238, 114, 243, 235, 79, 139, 76, 36, 20, 73, 116, 43, 139, 92, 36, 12, 139, 124, 36, 16, 141, 86, 3, 131, 195, 4, 131, 199, 4, 139, 2, 131, 194, 4, 35, 3, 131, 195, 4, 51, 7, 117, 191, 141, 127, 4, 73, 116, 6, 57, 234, 114, 232, 235, 29, 141, 94, 255, 139, 68, 36, 8, 3, 116, 36, 24, 139, 72, 4, 43, 92, 36, 4, 255, 64, 4, 137, 92, 136, 8, 57, 238, 114, 150, 139, 68, 36, 8, 139, 64, 4, 93, 201, 194, 16, 0 })
返回 (0)

子程序名	返回值类型	公开	备 注
签名寻找_字节集	整数型		返回 找到的数量。Code By:2962946246
参数名	类 型	参考	可空	数组	备 注
数据	字节集
签名	文本型				无视空格和大小写！例如：8B FF 55 8B EC ?? ?? ?? 51
返回偏移数组	整数型				需自己加上jz！

变量名	类 型	静态	数组	备 注
i	整数型

置入代码 ({ 139, 125, 12, 139, 55, 49, 219, 137, 241, 133, 246, 15, 132, 8, 1, 0, 0, 138, 1, 65, 60, 32, 116, 249, 67, 132, 192, 117, 244, 131, 251, 1, 15, 134, 243, 0, 0, 0, 247, 195, 1, 0, 0, 0, 15, 132, 231, 0, 0, 0, 41, 241, 131, 193, 7, 131, 225, 252, 41, 204, 137, 231, 138, 6, 70, 60, 32, 116, 249, 136, 7, 71, 132, 192, 117, 242, 198, 7, 0, 137, 230, 139, 77, 8, 131, 235, 1, 139, 9, 209, 235, 133, 201, 15, 132, 182, 0, 0, 0, 139, 65, 4, 131, 193, 8, 133, 192, 15, 132, 168, 0, 0, 0, 49, 210, 247, 243, 141, 80, 1, 137, 216, 131, 195, 7, 131, 227, 252, 41, 220, 137, 231, 80, 131, 192, 3, 255, 12, 36, 193, 232, 2, 80, 87, 86, 82, 81, 137, 85, 252, 232, 55, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 90, 49, 201, 131, 234, 48, 102, 139, 4, 14, 65, 102, 133, 192, 116, 43, 102, 61, 63, 63, 116, 27, 136, 199, 193, 232, 8, 138, 28, 16, 136, 248, 138, 60, 16, 198, 6, 255, 192, 231, 4, 70, 8, 223, 136, 63, 71, 235, 213, 198, 6, 0, 198, 7, 0, 70, 71, 235, 203, 199, 6, 0, 0, 0, 0, 199, 7, 0, 0, 0, 0 })
重定义数组 (返回偏移数组, 假, i)
置入代码 ({ 199, 64, 4, 0, 0, 0, 0, 85, 137, 68, 36, 8, 131, 125, 252, 0, 116, 115, 139, 116, 36, 4, 139, 110, 252, 1, 245, 139, 92, 36, 12, 139, 124, 36, 16, 139, 27, 139, 63, 139, 6, 70, 33, 216, 49, 248, 116, 6, 57, 238, 114, 243, 235, 79, 139, 76, 36, 20, 73, 116, 43, 139, 92, 36, 12, 139, 124, 36, 16, 141, 86, 3, 131, 195, 4, 131, 199, 4, 139, 2, 131, 194, 4, 35, 3, 131, 195, 4, 51, 7, 117, 191, 141, 127, 4, 73, 116, 6, 57, 234, 114, 232, 235, 29, 141, 94, 255, 139, 68, 36, 8, 3, 116, 36, 24, 139, 72, 4, 43, 92, 36, 4, 255, 64, 4, 137, 92, 136, 8, 57, 238, 114, 150, 139, 68, 36, 8, 139, 64, 4, 93, 201, 194, 12, 0 })
返回 (0)

i支持库列表	支持库注释
spec	特殊功能支持库

.版本 2<br /> .支持库 spec<br /> <br /> bin ＝ 读入文件 (“C:\Windows\System32\kernel32.dll”)<br /> <br /> sign ＝ “8B FF 55 8B EC ?? ?? ?? 51”  ' 有无空格和大小写 都不影响！<br /> ' 77B95DB0 > $  8BFF          mov edi,edi<br /> ' 77B95DB2   .  55            push ebp<br /> ' 77B95DB3   .  8BEC          mov ebp,esp<br /> ' 77B95DB5   .  83E4 F8       and esp,-0x8<br /> ' 77B95DB8   .  51            push ecx<br /> <br /> <br /> 签名寻找_字节集 (bin, sign, offset)<br /> <br /> 调试输出 (offset)<br /> 返回 (0)  ' 可以根据您的需要返回任意数值<br /> <br /> .子程序 签名寻找_指针版, 整数型, , 返回 找到的数量。Code By:2962946246<br /> .参数 pdata, 整数型<br /> .参数 len, 整数型<br /> .参数 签名, 文本型, , 无视空格和大小写！例如：8B FF 55 8B EC ?? ?? ?? 51<br /> .参数 返回偏移数组, 整数型, 数组, 需自己加上jz！<br /> .局部变量 i, 整数型<br /> <br /> 置入代码 ({ 139, 125, 16, 139, 55, 49, 219, 137, 241, 133, 246, 15, 132, 3, 1, 0, 0, 138, 1, 65, 60, 32, 116, 249, 67, 132, 192, 117, 244, 131, 251, 1, 15, 134, 238, 0, 0, 0, 247, 195, 1, 0, 0, 0, 15, 132, 226, 0, 0, 0, 41, 241, 131, 193, 7, 131, 225, 252, 41, 204, 137, 231, 138, 6, 70, 60, 32, 116, 249, 136, 7, 71, 132, 192, 117, 242, 198, 7, 0, 137, 230, 139, 77, 8, 131, 235, 1, 133, 201, 15, 132, 181, 0, 0, 0, 209, 235, 139, 69, 12, 133, 192, 15, 132, 168, 0, 0, 0, 49, 210, 247, 243, 141, 80, 1, 137, 216, 131, 195, 7, 137, 85, 252, 131, 227, 252, 41, 220, 137, 231, 80, 131, 192, 3, 255, 12, 36, 193, 232, 2, 80, 87, 86, 82, 81, 232, 55, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 90, 49, 201, 131, 234, 48, 102, 139, 4, 14, 65, 102, 133, 192, 116, 43, 102, 61, 63, 63, 116, 27, 136, 199, 193, 232, 8, 138, 28, 16, 136, 248, 138, 60, 16, 198, 6, 255, 192, 231, 4, 70, 8, 223, 136, 63, 71, 235, 213, 198, 6, 0, 198, 7, 0, 70, 71, 235, 203, 199, 6, 0, 0, 0, 0, 199, 7, 0, 0, 0, 0 })<br /> 重定义数组 (返回偏移数组, 假, i)<br /> 置入代码 ({ 199, 64, 4, 0, 0, 0, 0, 85, 137, 68, 36, 8, 131, 125, 252, 0, 116, 114, 139, 117, 8, 139, 109, 12, 1, 245, 139, 92, 36, 12, 139, 124, 36, 16, 139, 27, 139, 63, 139, 6, 70, 33, 216, 49, 248, 116, 6, 57, 238, 114, 243, 235, 79, 139, 76, 36, 20, 73, 116, 43, 139, 92, 36, 12, 139, 124, 36, 16, 141, 86, 3, 131, 195, 4, 131, 199, 4, 139, 2, 131, 194, 4, 35, 3, 131, 195, 4, 51, 7, 117, 191, 141, 127, 4, 73, 116, 6, 57, 234, 114, 232, 235, 29, 141, 94, 255, 139, 68, 36, 8, 3, 116, 36, 24, 139, 72, 4, 43, 92, 36, 4, 255, 64, 4, 137, 92, 136, 8, 57, 238, 114, 150, 139, 68, 36, 8, 139, 64, 4, 93, 201, 194, 16, 0 })<br /> 返回 (0)<br /> <br /> .子程序 签名寻找_字节集, 整数型, , 返回 找到的数量。Code By:2962946246<br /> .参数 数据, 字节集<br /> .参数 签名, 文本型, , 无视空格和大小写！例如：8B FF 55 8B EC ?? ?? ?? 51<br /> .参数 返回偏移数组, 整数型, 数组, 需自己加上jz！<br /> .局部变量 i, 整数型<br /> <br /> 置入代码 ({ 139, 125, 12, 139, 55, 49, 219, 137, 241, 133, 246, 15, 132, 8, 1, 0, 0, 138, 1, 65, 60, 32, 116, 249, 67, 132, 192, 117, 244, 131, 251, 1, 15, 134, 243, 0, 0, 0, 247, 195, 1, 0, 0, 0, 15, 132, 231, 0, 0, 0, 41, 241, 131, 193, 7, 131, 225, 252, 41, 204, 137, 231, 138, 6, 70, 60, 32, 116, 249, 136, 7, 71, 132, 192, 117, 242, 198, 7, 0, 137, 230, 139, 77, 8, 131, 235, 1, 139, 9, 209, 235, 133, 201, 15, 132, 182, 0, 0, 0, 139, 65, 4, 131, 193, 8, 133, 192, 15, 132, 168, 0, 0, 0, 49, 210, 247, 243, 141, 80, 1, 137, 216, 131, 195, 7, 131, 227, 252, 41, 220, 137, 231, 80, 131, 192, 3, 255, 12, 36, 193, 232, 2, 80, 87, 86, 82, 81, 137, 85, 252, 232, 55, 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 11, 12, 13, 14, 15, 90, 49, 201, 131, 234, 48, 102, 139, 4, 14, 65, 102, 133, 192, 116, 43, 102, 61, 63, 63, 116, 27, 136, 199, 193, 232, 8, 138, 28, 16, 136, 248, 138, 60, 16, 198, 6, 255, 192, 231, 4, 70, 8, 223, 136, 63, 71, 235, 213, 198, 6, 0, 198, 7, 0, 70, 71, 235, 203, 199, 6, 0, 0, 0, 0, 199, 7, 0, 0, 0, 0 })<br /> 重定义数组 (返回偏移数组, 假, i)<br /> 置入代码 ({ 199, 64, 4, 0, 0, 0, 0, 85, 137, 68, 36, 8, 131, 125, 252, 0, 116, 115, 139, 116, 36, 4, 139, 110, 252, 1, 245, 139, 92, 36, 12, 139, 124, 36, 16, 139, 27, 139, 63, 139, 6, 70, 33, 216, 49, 248, 116, 6, 57, 238, 114, 243, 235, 79, 139, 76, 36, 20, 73, 116, 43, 139, 92, 36, 12, 139, 124, 36, 16, 141, 86, 3, 131, 195, 4, 131, 199, 4, 139, 2, 131, 194, 4, 35, 3, 131, 195, 4, 51, 7, 117, 191, 141, 127, 4, 73, 116, 6, 57, 234, 114, 232, 235, 29, 141, 94, 255, 139, 68, 36, 8, 3, 116, 36, 24, 139, 72, 4, 43, 92, 36, 4, 255, 64, 4, 137, 92, 136, 8, 57, 238, 114, 150, 139, 68, 36, 8, 139, 64, 4, 93, 201, 194, 12, 0 })<br /> 返回 (0)