How to know the address range when searching for a function by its signature?

狂风中的少年, submitted on 2019-12-26 09:24:31

Question


I'm trying to search for a function by its "signature".

However I can't figure out what address range I'm supposed to be searching?

I've had a look at VirtualQuery() and GetNativeSystemInfo() but I'm not sure if I'm on the right path or not.

Edit: Question re-attempt.

Using Win32 API I'm trying to find out how to get the start and end address of the executable pages of the process my code is executing in.

This is what I've tried:

    SYSTEM_INFO info;
    ZeroMemory( &info, sizeof( SYSTEM_INFO ) );
    GetNativeSystemInfo( &info ); // GetSystemInfo() might be wrong on WOW64.

    // Bounds of the user-mode address space to walk. Pointer-sized integers
    // are used so addresses are not truncated on 64-bit builds.
    ULONG_PTR addr = (ULONG_PTR)info.lpMinimumApplicationAddress;
    const ULONG_PTR maxAddr = (ULONG_PTR)info.lpMaximumApplicationAddress;

    HANDLE thisProcess = GetCurrentProcess();

    MEMORY_BASIC_INFORMATION memInfo;
    ZeroMemory( &memInfo, sizeof( memInfo ) );
    do
    {
        if ( VirtualQueryEx( thisProcess, (LPCVOID)addr, &memInfo, sizeof( memInfo ) ) == 0 )
        {
            DWORD gle = GetLastError();
            if ( gle != ERROR_INVALID_PARAMETER )
            {
                std::stringstream str;
                str << "VirtualQueryEx failed with: " << gle;
                MessageBoxA( NULL, str.str().c_str(), "Error", MB_OK );
            }
            break;
        }

        if ( memInfo.Type == MEM_IMAGE )
        {
            // TODO: Scan this memory block for the signature
        }

        // VirtualQueryEx describes a whole run of pages with identical
        // attributes, so step to the end of that region, not one page.
        addr = (ULONG_PTR)memInfo.BaseAddress + memInfo.RegionSize;
    }
    while ( addr < maxAddr );

The reason for doing this is that I'm looking for an un-exported function by its signature as asked here:

Find a function by it signature in Windows DLL

See the answer about "code signature scanning".

While this is enumerating an address range I don't know if this is correct or not since I don't know what the expected range should be. It's just the best I could come up with from looking around MSDN.


Answer 1:


The address range when signature scanning a module is from the start of the code section to the start + the section size. The start of the code section and its size are in the PE. Most tools take the lazy route and scan the entire module (again using the PE to get the size, but with the module handle as the start address).
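
The range described in the answer, as an added example that is not part of the original answer: it reads the PE headers of a module already mapped in memory to get the first executable section's start and size, then scans only that range. The function names, the `'?'` wildcard mask convention and the constructed sample image are assumptions for illustration; on Windows, `base` would be the module handle.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Read a little-endian field (PE is little-endian; a little-endian host is assumed).
template <typename T> T rd(const uint8_t* p) { T v; std::memcpy(&v, p, sizeof v); return v; }
struct Range { const uint8_t* begin; const uint8_t* end; };

// First executable section of a module mapped at `base`; null range if headers are invalid.
Range code_range(const uint8_t* base) {
    if (rd<uint16_t>(base) != 0x5A4D) return {nullptr, nullptr};   // "MZ"
    const uint8_t* nt = base + rd<uint32_t>(base + 0x3C);           // e_lfanew
    if (rd<uint32_t>(nt) != 0x00004550) return {nullptr, nullptr};  // "PE\0\0"
    uint16_t count = rd<uint16_t>(nt + 6);                          // NumberOfSections
    const uint8_t* sec = nt + 24 + rd<uint16_t>(nt + 20);           // past optional header
    for (uint16_t i = 0; i < count; ++i, sec += 40) {               // 40-byte section headers
        if (rd<uint32_t>(sec + 36) & 0x20000000u) {                 // IMAGE_SCN_MEM_EXECUTE
            const uint8_t* start = base + rd<uint32_t>(sec + 12);   // VirtualAddress (RVA)
            return {start, start + rd<uint32_t>(sec + 8)};          // start + VirtualSize
        }
    }
    return {nullptr, nullptr};
}

// Scan only that range; mask[i] == '?' matches any byte. Returns the RVA or -1.
long find_signature(const uint8_t* base, const uint8_t* pat, const char* mask) {
    Range r = code_range(base);
    size_t n = std::strlen(mask);
    if (!r.begin) return -1;
    for (const uint8_t* p = r.begin; (size_t)(r.end - p) >= n; ++p) {
        size_t i = 0;
        while (i < n && (mask[i] == '?' || p[i] == pat[i])) ++i;
        if (i == n) return (long)(p - base);
    }
    return -1;
}

// Constructed sample: minimal in-memory image, one executable section at RVA 0x1000.
std::vector<uint8_t> make_sample_image() {
    std::vector<uint8_t> img(0x2000, 0);
    auto put = [&](size_t off, uint32_t v, size_t n) { std::memcpy(&img[off], &v, n); };
    put(0, 0x5A4D, 2); put(0x3C, 0x80, 4); put(0x80, 0x4550, 4);
    put(0x86, 1, 2); put(0x94, 0xE0, 2);        // 1 section, 0xE0-byte optional header
    size_t s = 0x80 + 24 + 0xE0;                // section table offset
    std::memcpy(&img[s], ".text", 5);
    put(s + 8, 0x40, 4); put(s + 12, 0x1000, 4); put(s + 36, 0x60000020, 4);
    const uint8_t fn[] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xC3};  // constructed bytes
    std::memcpy(&img[0x1010], fn, sizeof fn);
    return img;
}
```

The headers are trusted here because the loader has already mapped the module; parsing a PE file from disk would need bounds checks on every offset.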



Source: https://stackoverflow.com/questions/10771444/how-to-know-the-address-range-when-searching-for-a-function-by-its-signature
