A pointer scanner for Windows written in Rust
APACHE-2.0 License
A memory scanner for Windows, written in Rust.
ptscan is a CLI tool which allows you to scan and dissect memory using filters.
These filters are used in commands such as `scan` and `watch`.
All expressions support the following types:
- `none` - The special `none` type. Any value of this type is undefined. See the section below for more details.
- `pointer` - A pointer value, whose size depends on the process being attached to.
- `u8` - An unsigned 8-bit number.
- `i8` - A signed 8-bit number.
- `u16` - An unsigned 16-bit number.
- `i16` - A signed 16-bit number.
- `u32` - An unsigned 32-bit number.
- `i32` - A signed 32-bit number.
- `u64` - An unsigned 64-bit number.
- `i64` - A signed 64-bit number.
- `u128` - An unsigned 128-bit number.
- `i128` - A signed 128-bit number.
- `f32` - A 32-bit floating point number.
- `f64` - A 64-bit floating point number.
- `string` - A null-terminated string with the default encoding (`utf-8`).
- `string/<encoding>` - A null-terminated string with the specified `<encoding>`, as per the WHATWG Encoding Standard.
- `bytes` - An unsized byte array.
- `bytes/<len>` - A byte array of length `<len>`.

`none` type

The `none` type is a special type which any value can assume.
Any comparison (`==`, `!=`, `<`, `>`, ..) except `value is none` or `value is not none` is `false`.
Any expression (`+`, `-`, `*`, `/`) involving a value of the `none` type results in another `none` type.
For example, `*value + 1` would be `none` if `*value` is not a valid pointer.
A value of type `none` still retains the old type information to make sure it can be successfully refreshed if needed.
Therefore you'll see things like:

`none(u128)`

Which means that an expression which was expected to evaluate to a `u128` value, evaluated to `none`.
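
The `none` rules above, modelled in Rust as an added example (this is not ptscan's own code). The `Val` and `Ty` types, the `deref` helper, the sample memory map and the use of wrapping addition are all assumptions made for illustration.

```rust
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq)]
enum Ty { U32, U128 }

#[derive(Debug, Clone, Copy, PartialEq)]
enum Val {
    U32(u32),
    None(Ty), // undefined, but remembers the type it should have had
}

impl Val {
    fn ty(self) -> Ty {
        match self { Val::U32(_) => Ty::U32, Val::None(t) => t }
    }
    // `a + b`: a none operand makes the result none (wrapping add is an assumption).
    fn add(self, rhs: Val) -> Val {
        match (self, rhs) {
            (Val::U32(a), Val::U32(b)) => Val::U32(a.wrapping_add(b)),
            _ => Val::None(self.ty()),
        }
    }
    // `==` and `!=` are both false as soon as either side is none.
    fn cmp_eq(self, rhs: Val) -> bool {
        matches!((self, rhs), (Val::U32(a), Val::U32(b)) if a == b)
    }
    fn cmp_ne(self, rhs: Val) -> bool {
        matches!((self, rhs), (Val::U32(a), Val::U32(b)) if a != b)
    }
    // `value is none` is the only test that succeeds on a none value.
    fn is_none(self) -> bool { matches!(self, Val::None(_)) }
    fn show(self) -> String {
        match self {
            Val::U32(v) => v.to_string(),
            Val::None(Ty::U32) => "none(u32)".to_string(),
            Val::None(Ty::U128) => "none(u128)".to_string(),
        }
    }
}

// `*addr` over a constructed address -> u32 map; an unmapped address is none.
fn deref(mem: &HashMap<u64, u32>, addr: u64) -> Val {
    mem.get(&addr).map_or(Val::None(Ty::U32), |v| Val::U32(*v))
}

fn main() {
    let mem = HashMap::from([(0x1000u64, 41u32)]); // constructed sample memory
    for addr in [0x1000u64, 0x2000] {
        let v = deref(&mem, addr).add(Val::U32(1)); // *value + 1
        println!("{:#x}: {} ==42:{} !=42:{} is none:{}", addr, v.show(),
                 v.cmp_eq(Val::U32(42)), v.cmp_ne(Val::U32(42)), v.is_none());
    }
    println!("{}", Val::None(Ty::U128).show());
}
```

Note that a `none` result fails both `== 42` and `!= 42`, so a filter written with `!=` does not keep addresses whose pointer chain has become invalid.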
Value expressions resolve to a specific value in memory. They take the following forms (the earlier it is listed, the higher its precedence):

- `value` - The current as-we-are-scanning value of the memory location.
- `initial` - The initial value of the memory location, from the initial scan.
- `last` - The last value of the memory location, from the previous scan.
- `<number>` - A whole number literal. Default type is `u32`.

  `42`

- `<decimal>` - A decimal number literal. Default type is `f32`.

  `42.42`

- `<string>` - A string literal. Default type is `string/utf-8`.

  `"ui_boot"`

- `(<value>)` - Override default precedence.
- `*<value>` - Dereference the given value. This treats it as an address and follows the pointer.

  `*value`

- `&<value>` - Take the address of the given value. Not every value has an address; for example, `&(value + 42)` is not valid.

  `&value`

  `*(&value + 0x40)`

- `<value> as <ty>` - Explicitly treat the value of `<value>` as the type `<ty>`.

  `value as u64`

  `value as u128 == 1`

- `<value> * <value>` - Multiply two values together.

  `value * 42`

- `<value> / <value>` - Divide two values.

  `value / 42`

- `<value> + <value>` - Add two values together.

  `value + 42`

- `<value> - <value>` - Subtract two values from each other.

  `value - 42`

`<a> ~ <b>`

Test if `<a>` matches the regular expression specified in `<b>`.

`<a> == <b>`

Checks that `<a>` is equal to value `<b>`.

For the initial scan, this allows for the following optimization:

- `value == 42` - scan in batches for the exact memory pattern of `42`

`<a> != <b>`

Checks that `<a>` is not equal to value `<b>`.

For the initial scan, this allows for the following optimization:

- `value != 0` - scans for non-zero memory addresses.

`<a> < <b>`

Checks that `<a>` is less than value `<b>`.

For the initial scan, this allows for the following optimization:

- `value < 0` - scans for non-zero memory addresses.

`<a> <= <b>`

Checks that `<a>` is less or equal to the value `<b>`.

For the initial scan, this allows for the following optimization:

- `value <= 1` - scans for non-zero memory addresses.

`<a> > <b>`

Checks that `<a>` is greater than the value `<b>`.

For the initial scan, this allows for the following optimization:

- `value > 0` - scans for non-zero memory addresses.

`<a> >= <b>`

Checks that `<a>` is greater than or equal to the value `<b>`.

For the initial scan, this allows for the following optimization:

- `value >= 1` - scans for non-zero memory addresses.

This project bundles Adwaita icons, part of the GNOME Project, under the Creative Commons Attribution-Share Alike 3.0 license (see [licenses]).
You can find them at http://www.gnome.org