Introduction
If you want to find text, you can use the "do find..." command in the console. You can
also use the VS.NET IDE to find it; in the IDE you can use regexps to find what
you are interested in, which is very handy. But if you want to find binary bytes,
you will have to write a little app like this one.
Background
Some time ago I was looking for an interface before I got its IID; I searched
the web and used the methods mentioned above, but I failed. So I guessed that maybe
it existed in binary form in some application on my local disk, and I
decided to write this app.
Using the code
For example, if you want to search disk D, do the following, and
assign the byte array as you like.
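TCHAR szDir[] = L"d:\\";              // directory to start in; FindFile expects a trailing backslash
BYTE bt[16];
ZeroMemory(bt, sizeof(bt));           // the pattern to search for: put your own bytes here, all zeros is only a placeholder
int nRet = FindFile(szDir, bt, sizeof(bt) / sizeof(bt[0]));   // 0 on completion, 1 if szDir could not be enumerated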
The FindFile
function searches all files recursively for the bytes you specified.
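// TraceOutPut is defined later in this file (it reports through OutputDebugStringW).
void TraceOutPut(const WCHAR *pszFormat, ...);

namespace {

// Bytes requested per ReadFile call (the same 256 KiB chunk the original used).
constexpr DWORD kChunkSize = 0x40000;

// Minimal RAII wrapper so a file HANDLE is closed on every exit path.
struct FileHandle
{
    HANDLE h;
    explicit FileHandle(HANDLE handle) : h(handle) {}
    ~FileHandle() { if (h != INVALID_HANDLE_VALUE) ::CloseHandle(h); }
    FileHandle(const FileHandle&) = delete;
    FileHandle& operator=(const FileHandle&) = delete;
};

// Scans one file for the cch-byte pattern bt and reports every match offset
// through TraceOutPut. cch must be >= 1 (FindFile checks this). A file that
// cannot be opened is skipped silently, as in the original.
void ScanFileForBytes(const std::wstring& path, const BYTE* bt, UINT cch)
{
    // Share read/write/delete so files another process holds open can still be read;
    // FILE_FLAG_SEQUENTIAL_SCAN is only a cache hint for the front-to-back read.
    FileHandle file(::CreateFileW(path.c_str(), GENERIC_READ,
                                  FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                                  nullptr, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, nullptr));
    if (file.h == INVALID_HANDLE_VALUE)
        return;

    // One buffer for the whole file (the original allocated and freed one per chunk).
    // The last cch-1 bytes of each chunk are carried over to the front so a match
    // that straddles two chunks is still found.
    std::vector<BYTE> buf(static_cast<size_t>(kChunkSize) + cch - 1);
    size_t carry = 0;          // bytes at the front of buf kept from the previous chunk
    ULONGLONG bufOffset = 0;   // file offset of buf[0]
    for (;;)
    {
        DWORD read = 0;
        if (!::ReadFile(file.h, buf.data() + carry, kChunkSize, &read, nullptr) || read == 0)
            break;             // read error or end of file

        const size_t avail = carry + read;
        // Candidate start positions are 0 .. avail-cch inclusive; the original
        // stopped one position short and skipped a chunk of exactly cch bytes.
        for (size_t i = 0; i + cch <= avail; ++i)
        {
            if (std::memcmp(buf.data() + i, bt, cch) == 0)
            {
                // %llx: the offset is 64-bit; the original's %x expected a 32-bit value.
                TraceOutPut(L"Found one %s Position 0x%016llx\n", path.c_str(), bufOffset + i);
            }
        }

        const size_t keep = std::min<size_t>(avail, static_cast<size_t>(cch) - 1);
        std::memmove(buf.data(), buf.data() + (avail - keep), keep);
        bufOffset += avail - keep;
        carry = keep;
    }
}

} // namespace

/// Recursively searches every file below szDir for the byte sequence bt[0..cch)
/// and reports each hit through TraceOutPut as "<path> Position <offset>".
///
/// @param szDir  Directory to start in. This code assumes a UNICODE build (LPTSTR
///               is wchar_t*), as the original's L"" literals already did. A
///               trailing backslash is appended if missing.
/// @param bt     Pattern bytes; must not be null.
/// @param cch    Pattern length in bytes; must be at least 1.
/// @return 0 on completion, 1 if the arguments are unusable or szDir cannot be enumerated.
///
/// Differences from the original worth knowing: every non-directory entry is
/// scanned, not only those with FILE_ATTRIBUTE_ARCHIVE set; directories that are
/// reparse points (junctions, symbolic links) are not descended into, so a link
/// cycle cannot recurse forever; and paths are built in std::wstring, so an entry
/// longer than MAX_PATH no longer overflows a stack buffer.
int FindFile(LPTSTR szDir, BYTE* bt, UINT cch)
{
    if (szDir == nullptr || bt == nullptr || cch == 0)
        return 1;

    std::wstring dir(szDir);
    if (dir.empty())
        return 1;
    if (dir.back() != L'\\' && dir.back() != L'/')
        dir += L'\\';

    WIN32_FIND_DATAW ds;
    HANDLE hDir = ::FindFirstFileW((dir + L"*").c_str(), &ds);
    if (hDir == INVALID_HANDLE_VALUE)
        return 1;

    do
    {
        const std::wstring name(ds.cFileName);
        if (ds.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            if (name == L"." || name == L"..")
                continue;
            if (ds.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT)
                continue;  // junction / symlink: do not follow, avoids cycles
            std::wstring subDir = dir + name + L"\\";
            FindFile(&subDir[0], bt, cch);
        }
        else
        {
            ScanFileForBytes(dir + name, bt, cch);
        }
    } while (::FindNextFileW(hDir, &ds));

    ::FindClose(hDir);
    return 0;
}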
If you want to monitor the search progress, you can uncomment the
TraceOutPut
function; it just sends output to the console.
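/// printf-style trace helper used by FindFile to report hits.
/// Formats into a fixed 4096-wchar buffer and passes the text to
/// OutputDebugStringW, i.e. it goes to the debugger output stream, not to
/// the console. Output longer than the buffer is truncated.
///
/// @param pszFormat Wide printf format; the variadic arguments must match it.
///                  A null format is ignored.
void TraceOutPut(const WCHAR *pszFormat, ...)
{
    if (pszFormat == nullptr)
        return;

    const int nCount = 4096;
    WCHAR szBuf[nCount] = {L'\0'};

    va_list arglist;
    va_start(arglist, pszFormat);
    // _vsnwprintf writes no terminator when the output fills the buffer, so
    // leave the last slot free and terminate explicitly afterwards.
    _vsnwprintf(szBuf, nCount - 1, pszFormat, arglist);
    va_end(arglist);   // the original never released the va_list
    szBuf[nCount - 1] = L'\0';

    OutputDebugStringW(szBuf);
}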
Points of Interest
I am curious about how those virus-protection applications work, but I
really dislike them because they always decrease the performance of my box.
I can find a suspicious application in Task Manager. If I find one, I can open the Run key (or a similar key) in regedit and erase it easily.
Maybe somebody will say that the suggested search cannot detect an email
attachment; my answer is that Outlook Express will prevent those applications
from starting up. Any comments are appreciated.