v2.0.0

• Add support for external scanning by @8dcc in #1
• Add sigscan_pidof function.
• Read the process' memory with process_vm_readv.
• Scan memory using a buffered search method.
• Add GPLv3+ comments.
• Separate header and source.

---

Full Changelog: v1.2.0...v2.0.0

v1.2.0

• Generally improve whitespace handling when parsing /proc/PID/maps.
• Finish external signature scanning version in the external-scanning branch.

---

Full Changelog: v1.1.0...v1.2.0

v1.1.0

Added libsigscan_ida2code(), called once from libsigscan_do_scan(). Extracting the bytes from the IDA pattern once should greately increase performance.

---

Full Changelog: v1.0.0...v1.1.0

v1.0.0

sigscan_module()

This function scans all the memory blocks whose name matches the regex parameter. It uses the Extended Regular Expression (ERE) syntax, so keep that in mind before escaping certain characters like +, ?, etc. See also BRE vs. ERE.

#include "libsigscan.h"

#define MODULE_REGEX ".+/libc.so.6"
#define SIGNATURE    "DE AD BE EF ? ? CA FE"

/* Search only in this module. */
void* match = sigscan_module(MODULE_REGEX, SIGNATURE);

sigscan()

This function scans the whole memory being used by the process (except the regions that start with [ in /proc/self/maps, like heap, stack, etc.). Keep in mind that depending on the memory being used by the process, it might take a few seconds, so it's better to filter the module name whenever possible.

This function is just a wrapper, and calling it is the same as passing NULL as the first parameter to sigscan_module.

#include "libsigscan.h"

#define SIGNATURE "DE AD BE EF ? ? CA FE"

/* Look for those bytes in all loaded modules. */
void* match = sigscan(SIGNATURE);