Hacker News

landr0id 01/21/2025

Signature scanning is just scanning for unique bytes from a compiled function that will remain consistent across builds. You search memory for those bytes and when you find them, you find the function you're interested in.

Here's an example from some shellcode loader I wrote: https://github.com/exploits-forsale/solstice/blob/c3fc9a55c6...
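Signature scanning as described in this comment, as an added worked example that is not code from the comment or from the linked solstice project. It uses the common IDA/x64dbg-style pattern notation in which `??` marks a byte that is allowed to differ (the usual way to skip call displacements, relocated addresses and frame sizes that change between builds) and checks that the pattern hits exactly once, since a non-unique signature finds the wrong function as happily as the right one. The "memory image" below is a constructed byte array with hand-assembled x86-64 instructions; the function names, offsets and the `0xDEADBEEF` immediate are illustrative assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A parsed signature: bytes to compare plus a mask (1 = must match, 0 = wildcard). */
typedef struct {
    uint8_t bytes[64];
    uint8_t mask[64];
    size_t  len;
} signature_t;

/* Parse a pattern such as "48 8B ?? ?? 74 12": two hex digits give a fixed byte,
 * "?" or "??" gives a wildcard. Returns 0 on success, -1 on malformed/too-long input. */
int parse_signature(const char *text, signature_t *sig) {
    const char *p = text;
    sig->len = 0;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (sig->len >= sizeof sig->bytes) return -1;
        if (p[0] == '?') {
            sig->bytes[sig->len] = 0;
            sig->mask[sig->len]  = 0;
            p += (p[1] == '?') ? 2 : 1;
        } else {
            char hex[3] = { p[0], p[1], 0 };
            if (!isxdigit((unsigned char)hex[0]) || !isxdigit((unsigned char)hex[1])) return -1;
            sig->bytes[sig->len] = (uint8_t)strtoul(hex, NULL, 16);
            sig->mask[sig->len]  = 1;
            p += 2;
        }
        sig->len++;
        if (*p && *p != ' ') return -1;   /* tokens must be space separated */
    }
    return sig->len ? 0 : -1;
}

/* Scan [base, base+size) for the signature. Writes up to max_hits match offsets
 * into hits and returns the total number of matches (uncapped), so the caller can
 * tell whether the signature is unique in this image. */
size_t scan_signature(const uint8_t *base, size_t size, const signature_t *sig,
                      size_t *hits, size_t max_hits) {
    size_t found = 0;
    if (sig->len == 0 || size < sig->len) return 0;
    for (size_t off = 0; off + sig->len <= size; off++) {
        size_t i;
        for (i = 0; i < sig->len; i++)
            if (sig->mask[i] && base[off + i] != sig->bytes[i]) break;
        if (i == sig->len) {
            if (found < max_hits) hits[found] = off;
            found++;
        }
    }
    return found;
}

/* Returns the offset of the single match, or -1 if the pattern is malformed,
 * absent, or ambiguous (matches more than once). */
long find_unique(const uint8_t *base, size_t size, const char *pattern) {
    signature_t sig;
    size_t hit;
    if (parse_signature(pattern, &sig) != 0) return -1;
    return scan_signature(base, size, &sig, &hit, 1) == 1 ? (long)hit : -1;
}

/* Constructed sample image (not from any real binary): three functions, each
 * starting with the same generic prologue. Only func_b carries a distinctive
 * immediate; its frame size and call displacement are the kind of bytes that
 * move between builds and are therefore wildcarded in the signature below. */
static const uint8_t g_image[] = {
    /* func_a @0x00: push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret */
    0x55, 0x48, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    /* func_b @0x10: push rbp; mov rbp,rsp; sub rsp,0x20; mov edx,0xDEADBEEF;
     *               call rel32; add rsp,0x20; pop rbp; ret */
    0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x20,
    0xBA, 0xEF, 0xBE, 0xAD, 0xDE,
    0xE8, 0x12, 0x34, 0x56, 0x78,
    0x48, 0x83, 0xC4, 0x20, 0x5D, 0xC3,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    /* func_c @0x30: push rbp; mov rbp,rsp; mov eax,1; pop rbp; ret */
    0x55, 0x48, 0x89, 0xE5, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x5D, 0xC3,
};

int main(void) {
    size_t hits[8];
    signature_t sig;

    /* A bare prologue is not a signature: it hits every function in the image. */
    parse_signature("55 48 89 E5", &sig);
    printf("prologue matches: %zu\n", scan_signature(g_image, sizeof g_image, &sig, hits, 8));

    /* Prologue + fixed immediate, with frame size and call target wildcarded:
     * unique here, and still matches when the linker moves the call target. */
    long off = find_unique(g_image, sizeof g_image,
                           "55 48 89 E5 48 83 EC ?? BA EF BE AD DE E8 ?? ?? ?? ??");
    printf("func_b found at offset 0x%lx\n", off);
    return 0;
}
```

When scanning a live process rather than a flat array, the same loop runs over each readable, executable region in turn; a pattern whose match count is not exactly one should be treated as a failed lookup rather than silently taking the first hit.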


Replies

Cyph0n 01/21/2025

Thanks for explaining. How do you identify such byte patterns that are likely stable across builds? Is it experimental - i.e., look at a few versions of the binary and check if it has changed?
