PatternScanner

Internal CSharp Pattern Scanner Library

A high-performance, developer-friendly pattern scanning library for .NET, designed for internal process memory analysis, debugging, reverse engineering, and security research.

Features

• Fast Pattern Scanning: Optimized scanning for efficient memory analysis
• Multiple Pattern Formats: Support for IDA Pro style byte patterns (48 8B 05 ?? ?? ?? ??) and string patterns
• Encoding Support: ASCII, UTF-8, UTF-16 (LE/BE), UTF-32 (LE/BE), and custom codepage support
• Memory Region Filtering: Target specific memory regions (readable, writable, executable)
• Module-Specific Scanning: Scan within specific loaded modules or the main process
• Offset Support: Apply offsets to scan results for easy memory navigation
• Performance Optimizations: Parallel scanning and chunked processing
• Developer-Friendly API: Fluent interface for easy configuration and use
• Multi-Target Support: Compatible with .NET Standard 2.0/2.1, .NET 6, 7, 8, and 9
• Unity Compatible: Works with Unity projects and game engines using .NET Standard 2.0 or newer

Installation

NuGet Package

dotnet add package PatternScanner

Package Manager Console

Install-Package PatternScanner

Manual Installation

Download the latest release from GitHub and add the DLL reference to your project.

Quick Start

using PatternScanner;
using PatternScanner.Core;

// Create a scanner instance
var scanner = PatternScannerFactory.Create();

// Scan for byte patterns (IDA Pro format)
var results = scanner.ScanForPattern("48 8B 05 ?? ?? ?? ??");

// Scan for strings with different encodings
var stringResults = scanner.ScanForString("Hello World", StringEncoding.Ascii);
var utf16Results = scanner.ScanForString("Unicode Text", StringEncoding.Utf16);

// Work with results
var firstResult = results.FirstOrDefault();
if (firstResult.Address != IntPtr.Zero)
{
    // Read values at the found address
    var value = firstResult.ReadValue<int>();
    var bytes = firstResult.ReadBytes(8);
    var pointer = firstResult.ReadPointer();
    
    // Apply offset and read
    var offsetResult = firstResult.WithOffset(4);
    var offsetValue = offsetResult.ReadValue<int>();
}

Advanced Usage

Module-Specific Scanning

// Scan only in the main module
var mainScanner = PatternScannerFactory.CreateForMainModule();
var mainResults = mainScanner.ScanForPattern("55 8B EC");

// Scan in a specific module
var moduleScanner = PatternScannerFactory.CreateForModule("kernel32.dll");
var moduleResults = moduleScanner.ScanForString("LoadLibrary");

Memory Region Filtering

// Scan only executable memory regions
var execResults = scanner.ScanForPattern("CC CC CC", MemoryRegionType.Executable);

// Scan only writable regions
var dataResults = scanner.ScanForString("Config", regionType: MemoryRegionType.Writable);

// Combine filters
var rwxResults = scanner.ScanForPattern("90 90", MemoryRegionType.ReadableWritableExecutable);

Performance Optimization

var optimizedScanner = PatternScannerFactory.Create()
    .UseParallelScanning(true)          // Enable parallel processing
    .SetChunkSize(2 * 1024 * 1024)      // 2MB chunks
    .SetMaxResults(100)                 // Limit results for speed
    .SetScanDirection(ScanDirection.Forward);

var results = optimizedScanner.ScanForPattern("E8 ?? ?? ?? ??");

Custom Address Ranges

// Scan within a specific address range
var rangeScanner = PatternScannerFactory.CreateForRange(
    new IntPtr(0x10000000), 
    new IntPtr(0x20000000));

var rangeResults = rangeScanner.ScanForPattern("48 89 5C 24");

Working with Offsets

var results = scanner.ScanForPattern("48 8B 05 ?? ?? ?? ??");

// Apply multiple offsets to each result
var offsetResults = results.WithOffsets(0, 4, 8, 12);

// Filter results by address range
var filteredResults = offsetResults
    .FilterByAddressRange(new IntPtr(0x1000000), new IntPtr(0x2000000))
    .FilterByModule("main.exe");

Security Analysis Examples

Detecting Code Modifications

var securityScanner = PatternScannerFactory.Create()
    .UseParallelScanning(true)
    .SetMaxResults(1);                   // Stop at first detection

// Common code modification signatures
var suspiciousPatterns = new[]
{
    "48 89 5C 24 08 57 48 83 EC 20",     // Hook pattern
    "E9 ?? ?? ?? ?? CC CC CC CC CC",      // Jump redirection
    "C7 05 ?? ?? ?? ?? ?? ?? ?? ?? C3"    // Memory patch pattern
};

foreach (var pattern in suspiciousPatterns)
{
    var detections = securityScanner.ScanForPattern(pattern, MemoryRegionType.Executable);
    if (detections.Any())
    {
        // Handle detection
        Console.WriteLine($"Suspicious pattern detected: {pattern}");
    }
}

Analyzing API Usage

// Scan for specific API calls
var targetAPIs = new[] { "LoadLibraryA", "LoadLibraryW", "CreateThread" };

foreach (var api in targetAPIs)
{
    var results = scanner.ScanForString(api, StringEncoding.Ascii, false);
    // Analyze results for research purposes
}

API Reference

Core Classes

• PatternScannerFactory: Factory class for creating scanner instances
• IPatternScanner: Main interface for pattern scanning operations
• ScanResult: Represents a pattern match result with address and metadata
• MemoryRegion: Information about a memory region
• ModuleInfo: Information about a loaded module

Enums

• MemoryRegionType: Filter for memory region types (Readable, Writable, Executable, etc.)
• StringEncoding: Supported string encodings (Ascii, Utf8, Utf16, etc.)
• ScanDirection: Scanning direction (Forward, Backward)

Extension Methods

• ReadValue<T>(): Read a value of type T from the result address
• ReadBytes(int count): Read a byte array from the result address
• ReadString(): Read a null-terminated string from the result address
• ReadPointer(): Read a pointer value from the result address
• WithOffset(int offset): Apply an offset to the result address
• WithOffsets(params int[] offsets): Apply multiple offsets to results
• FilterByModule(string moduleName): Filter results by module name
• FilterByAddressRange(IntPtr start, IntPtr end): Filter results by address range

Performance Considerations

• Use Parallel Scanning: Enable parallel processing for large memory scans
• Optimize Chunk Size: Larger chunks (1-4MB) are generally faster but use more memory
• Limit Results: Use SetMaxResults() when you only need a few matches
• Filter Memory Regions: Scan only relevant memory regions to reduce search space
• Use Module-Specific Scanning: Limit scans to specific modules when possible

Multi-Platform Support

This library supports multiple .NET implementations:

• .NET Standard 2.0: Compatible with .NET Framework 4.6.1+, .NET Core 2.0+, Unity 2018.1+
• .NET Standard 2.1: Compatible with .NET Core 3.0+, Unity 2021.2+
• .NET 6: Native support with latest performance improvements
• .NET 7: Full compatibility with .NET 7 runtime
• .NET 8: Optimized for .NET 8 LTS release
• .NET 9: Latest .NET version support

Contributing

Contributions are welcome! Please feel free to submit a Pull Request on GitHub.

Issues and Support

If you encounter any issues or have questions, please file them on the GitHub Issues page.

License

This project is licensed under the MIT License - see the LICENSE file for details.

This library is designed for legitimate security research, debugging, and memory analysis purposes. Use responsibly and in accordance with applicable laws and regulations.