Signature Scanning(中文暂时译为"特征码扫描")是在C++(起码我是用C++^^)开发中很好的一种方式

 1 DWORD MH_GetModuleBase(HMODULE hModule) //获取二进制文件的基地址
 2 { 
 3     MEMORY_BASIC_INFORMATION mem;
 4 
 5     if (!VirtualQuery(hModule, &mem, sizeof(MEMORY_BASIC_INFORMATION))) 
 6         return 0;
 7 
 8     return (DWORD)mem.AllocationBase; 
 9 }
10 
11 DWORD MH_GetModuleSize(HMODULE hModule) //获取二进制文件的大小
12 { 
13     return ((IMAGE_NT_HEADERS *)((DWORD)hModule + ((IMAGE_DOS_HEADER *)hModule)->e_lfanew))->OptionalHeader.SizeOfImage; 
14 }

 1 void *MH_SearchPattern(void *pStartSearch, DWORD dwSearchLen, char *pPattern, DWORD dwPatternLen) 
 2 { 
 3     DWORD dwStartAddr = (DWORD)pStartSearch; 
 4     DWORD dwEndAddr = dwStartAddr + dwSearchLen - dwPatternLen;
 5 
 6     while (dwStartAddr < dwEndAddr) //这里从文件的开始位置扫描,如果没有找到指定特征码的位置的话,就会跳出循环并结束扫描工作;否则会返回所查到的址
 7     { 
 8         bool found = true;
 9 
10         for (DWORD i = 0; i < dwPatternLen; i++) 
11         { 
12             char code = *(char *)(dwStartAddr + i);
13             //0x2A为跳转码的转换,比如当某一部分为 E8 AB CD 2E 76     call sub_xxxxxxxx时,
14             //那么此时除了E8之外,其它的应该更换为2A
15             if (pPattern[i] != 0x2A && pPattern[i] != code) 
16             { 
17                 found = false; 
18                 break; 
19             } 
20         }
21 
22         if (found) 
23             return (void *)dwStartAddr;
24 
25         dwStartAddr++; 
26     }
27 
28     return 0; 
29 }

 1 #define SIG_FUNC "\x55\x8B\xEC\x53\x56\x8B\xF1\x57\x8B\x4E\x2A\xE8\x2A\x2A\x2A\x2A\x56\xB9\x2A\x2A\x2A\x2A\xE8\x2A\x2A\x2A\x2A\x6A"
 2 
 3 
 4 void *g_pOrigin = NULL;
 5 HMODULE g_hModule = NULL;
 6 DWORD g_dwBase, g_dwSize;
 7 
 8 g_hModule = LoadLibrary("my.dll");
 9 g_dwBase = MH_GetModuleBase(g_hModule);
10 g_dwSize = MH_GetModuleSize(g_hModule);
11 g_pOrigin = MH_SearchPattern(g_dwBase, g_dwSize, SIG_FUNC, sizeof(SIG_FUNC) - 1);
12 
13 正常情况下,g_pOrigin返回就是特征所指向的函数地址了^^