About This File

MemoryUDF - AutoIt Memory Management & Assembly Library

A comprehensive AutoIt User Defined Function (UDF) library for advanced memory manipulation and inline assembly execution. This library provides powerful tools for reading/writing process memory, pointer chain traversal, pattern scanning, and assembly code injection.

Features

Memory Operations

  • Process Memory Access: Read/write memory from external processes
  • Pointer Chain Support: Navigate complex pointer structures with x86/x64 compatibility
  • Module Management: Get base addresses and sizes of loaded modules
  • Memory Protection: Change memory protection flags
  • Memory Utilities: Copy, fill, compare, and dump memory regions

Assembly & Code Injection

  • Inline Assembly: Compile and execute machine code directly
  • Code Injection: Inject assembly code into remote processes
  • Function Hooking: Hook and unhook functions with jump patches
  • Code Cave Creation: Create NOP sleds for code modification
  • Assembly Helpers: Generate common x86 instructions programmatically

Pattern Scanning & Search

  • Pattern Scanning: Search for byte patterns with wildcard support
  • String Search: Find ASCII/Unicode strings in memory (case-sensitive/insensitive)
  • Value Search: Search for integers, floats, and hex sequences
  • AOB Scanning: Array of Bytes scanning with wildcard support
  • Region Scanning: Scan entire module memory regions

Advanced Features

  • Memory Snapshots: Compare memory states to detect changes
  • Array Operations: Read/write arrays of values efficiently
  • String Operations: Handle null-terminated strings (ASCII/Unicode)
  • Memory Freezing: Continuously write values to addresses
  • Page Information: Query memory page properties

Requirements

  • AutoIt Version: 3.3.14+
  • Operating System: Windows (x86/x64)
  • Required DLLs: Kernel32.dll, Psapi.dll, User32.dll
  • Privileges: SeDebugPrivilege recommended for external process access

Installation

  1. Download MemoryUDF.au3
  2. Include in your AutoIt script:
#include "MemoryUDF.au3"

Quick Start

Basic Memory Reading

; Enable debug privilege for external process access
_Memory_SetPrivilege("SeDebugPrivilege", True)

; Open process handle
Local $ahHandle = _Memory_Open("notepad.exe")
If Not @error Then
    ; Read a 4-byte integer from memory
    Local $iValue = _Memory_Read($ahHandle, 0x12345678, "int")
    ConsoleWrite("Value: " & $iValue & @CRLF)
    
    ; Close handle when done
    _Memory_Close($ahHandle)
EndIf

Pointer Chain Navigation

Local $ahHandle = _Memory_Open("game.exe")
If Not @error Then
    ; Get module base address
    Local $iModuleBase = _Memory_GetModuleBaseAddress($ahHandle, "game.dll")
    
    ; Define pointer chain offsets
    Local $aOffsets[3] = [0x28, 0x1D8, 0x6C0]
    
    ; Read value through pointer chain
    Local $iValue = _Memory_ReadPointer($ahHandle, $iModuleBase + 0x123456, $aOffsets, "int")
    If Not @error Then ConsoleWrite("Player Health: " & $iValue & @CRLF)
    
    _Memory_Close($ahHandle)
EndIf

Assembly Code Execution

; Execute inline assembly (MOV EAX, 42; RET)
Local $iResult = _ASM_QuickExecute("B82A000000C3")
ConsoleWrite("Assembly result: " & $iResult & @CRLF) ; Output: 42

Pattern Scanning

Local $ahHandle = _Memory_Open("game.exe")
If Not @error Then
    Local $iModuleBase = _Memory_GetModuleBaseAddress($ahHandle, "game.exe")
    
    ; Search for byte pattern with wildcards
    Local $iAddress = _Memory_PatternScan($ahHandle, $iModuleBase, 0x100000, "8B 0D ?? ?? ?? ?? 85 C9")
    
    If Not @error Then
        ConsoleWrite("Pattern found at: 0x" & Hex($iAddress) & @CRLF)
    EndIf
    
    _Memory_Close($ahHandle)
EndIf
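
The wildcard matching behind a pattern string such as the one above, modelled in Python over a constructed byte buffer, including the malformed-pattern case that Best Practice 6 warns about. This is an added example, not MemoryUDF's own code; `parse_pattern`, `scan_all`, `SAMPLE` and the strict token rule (space-separated tokens of two hex digits or `??`) are assumptions of the example.

```python
import re

_TOKEN = re.compile(r"[0-9A-Fa-f]{2}|\?\?")
PATTERN = "8B 0D ?? ?? ?? ?? 85 C9"   # pattern string from the Quick Start
# Constructed sample buffer (not real process memory): two matches, one near miss.
SAMPLE = bytes.fromhex(
    "90 90"
    "8B 0D 78 56 34 12 85 C9"   # offset 2: match
    "74 05"
    "8B 0D 00 10 40 00 85 C0"   # offset 12: near miss, ends in 85 C0
    "8B 0D EF BE AD DE 85 C9"   # offset 20: match
    "C3"
)

def parse_pattern(pattern: str) -> list:
    """Return one entry per token: an int for a fixed byte, None for '??'."""
    tokens = pattern.split()
    for pos, tok in enumerate(tokens):
        if not _TOKEN.fullmatch(tok):
            raise ValueError(f"bad token {tok!r} at position {pos}")
    parsed = [None if t == "??" else int(t, 16) for t in tokens]
    if all(b is None for b in parsed):
        raise ValueError("pattern needs at least one fixed byte")
    return parsed

def scan_all(buf: bytes, pattern: str, max_results: int = 0) -> list:
    """Return every offset where the pattern matches (0 = no result limit)."""
    pat = parse_pattern(pattern)
    # Search for the first fixed byte, then verify the whole pattern around it.
    anchor = next(i for i, b in enumerate(pat) if b is not None)
    needle = bytes([pat[anchor]])
    hits = []
    pos = buf.find(needle, anchor)
    while pos != -1:
        start = pos - anchor
        if start + len(pat) > len(buf):
            break                      # pattern would run past the buffer end
        if all(p is None or buf[start + i] == p for i, p in enumerate(pat)):
            hits.append(start)
            if max_results and len(hits) >= max_results:
                break
        pos = buf.find(needle, pos + 1)
    return hits

if __name__ == "__main__":
    print([hex(off) for off in scan_all(SAMPLE, PATTERN)])
```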

Core Functions

Memory Management

  • _Memory_Open($vProcess, $iAccess, $bInherit) - Open process handle
  • _Memory_Close($ahHandle) - Close process handle
  • _Memory_Read($ahHandle, $iAddress, $sType) - Read memory value
  • _Memory_Write($ahHandle, $iAddress, $vData, $sType) - Write memory value
  • _Memory_ReadPointer($ahHandle, $iBaseAddress, $aOffsets, $sType) - Read through pointer chain
  • _Memory_WritePointer($ahHandle, $iBaseAddress, $aOffsets, $vData, $sType) - Write through pointer chain

Module Operations

  • _Memory_GetModuleBaseAddress($ahHandle, $sModule) - Get module base address
  • _Memory_GetProcessBaseAddress($ahHandle) - Get main executable base address
  • _Memory_GetProcessModules($ahHandle) - List all process modules
  • _Memory_GetModuleSize($ahHandle, $sModule) - Get module size

Assembly Functions

  • _ASM_Compile($sHexCode) - Compile hex machine code to executable memory
  • _ASM_Execute($pCode, $iParam1, $iParam2, $iParam3, $iParam4) - Execute compiled code
  • _ASM_Free($pCode) - Free compiled code memory
  • _ASM_QuickExecute($sHexCode) - Compile and execute in one call
  • _ASM_Inject($ahHandle, $sHexCode, $bAutoFree) - Inject code into remote process

Pattern Scanning

  • _Memory_PatternScan($ahHandle, $iStartAddress, $iSize, $sPattern) - Find first pattern match
  • _Memory_PatternScanAll($ahHandle, $iStartAddress, $iSize, $sPattern, $iMaxResults) - Find all matches
  • _Memory_StringSearch($ahHandle, $iStartAddress, $iSize, $sString, $bUnicode, $bCaseSensitive) - Search for strings
  • _Memory_IntegerSearch($ahHandle, $iStartAddress, $iSize, $iValue, $sType) - Search for integer values
  • _Memory_FloatSearch($ahHandle, $iStartAddress, $iSize, $fValue, $bDouble) - Search for float values

Assembly Helpers

  • _ASM_CreateJump($iFrom, $iTo, $bShort) - Generate JMP instruction
  • _ASM_CreateCall($iFrom, $iTo) - Generate CALL instruction
  • _ASM_CreatePush($iValue) - Generate PUSH instruction
  • _ASM_CreateMov($iRegister, $iValue) - Generate MOV instruction
  • _ASM_CreateNOP($iCount) - Generate NOP sled
  • _ASM_CreateRet($iPopBytes) - Generate RET instruction

Function Hooking

  • _ASM_HookFunction($ahHandle, $iTargetAddress, $iHookAddress, $iNOPCount) - Hook function
  • _ASM_UnhookFunction($ahHandle, $iTargetAddress, $sOriginalBytes) - Restore original function
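
Seen from the monitoring side, a jump patch of the kind listed above shows up as a function prologue that no longer matches its trusted bytes and now begins with a JMP leaving the module. The check below is an added example, not part of MemoryUDF; the function names, addresses and byte strings are constructed for illustration.

```python
import struct

def jump_target(code: bytes, address: int, bits: int = 32):
    """Destination of a leading relative JMP, or None if there is none."""
    mask = (1 << bits) - 1
    if len(code) >= 5 and code[0] == 0xE9:            # JMP rel32
        return (address + 5 + struct.unpack_from("<i", code, 1)[0]) & mask
    if len(code) >= 2 and code[0] == 0xEB:            # JMP rel8
        return (address + 2 + struct.unpack_from("<b", code, 1)[0]) & mask
    return None

def classify(address, live, reference, module_range, bits=32):
    """Compare live prologue bytes with a trusted copy of the same bytes."""
    if live == reference:
        return ("clean", None)
    target = jump_target(live, address, bits)
    lo, hi = module_range
    if target is not None and not lo <= target < hi:
        return ("hooked", target)       # patched to jump outside its own module
    return ("modified", target)         # changed, but not an out-of-module JMP

# Constructed sample data: module mapped at 0x10000000, size 0x20000.
MODULE = (0x10000000, 0x10020000)
REFERENCE = bytes.fromhex("55 8B EC 83 EC 10 53 56")   # push ebp; mov ebp, esp; ...
SAMPLES = {
    0x10001000: bytes.fromhex("E9 FB EF 33 F2 10 53 56"),  # JMP 0x02340000
    0x10002000: REFERENCE,                                  # untouched
    0x10003000: bytes.fromhex("CC 8B EC 83 EC 10 53 56"),  # first byte replaced
}

def scan(samples=SAMPLES):
    """Classify every sampled prologue; returns {address: (verdict, target)}."""
    return {a: classify(a, live, REFERENCE, MODULE) for a, live in samples.items()}

if __name__ == "__main__":
    for addr, (verdict, target) in scan().items():
        dest = "" if target is None else f" -> 0x{target:08X}"
        print(f"0x{addr:08X} {verdict}{dest}")
```

The reference bytes must come from a known-good snapshot or from the on-disk image with relocations applied, otherwise relocated operands are reported as modifications.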

Utility Functions

  • _Memory_Protect($ahHandle, $iAddress, $iSize, $iProtection) - Change memory protection
  • _Memory_ReadString($ahHandle, $iAddress, $iMaxLength, $bUnicode) - Read null-terminated string
  • _Memory_WriteString($ahHandle, $iAddress, $sString, $bUnicode, $bNullTerminate) - Write string
  • _Memory_ReadArray($ahHandle, $iAddress, $iCount, $sType) - Read array of values
  • _Memory_WriteArray($ahHandle, $iAddress, $aArray, $sType) - Write array of values
  • _Memory_Copy($ahHandle, $iSourceAddress, $iDestAddress, $iSize) - Copy memory region
  • _Memory_Fill($ahHandle, $iAddress, $iSize, $iByte) - Fill memory with byte value
  • _Memory_Compare($ahHandle, $iAddress1, $iAddress2, $iSize) - Compare memory regions
  • _Memory_DumpRegion($ahHandle, $iAddress, $iSize) - Dump memory to hex string

Data Types

Supported data types for memory operations:

  • "byte" - 1 byte (0-255)
  • "word", "short" - 2 bytes
  • "int", "dword" - 4 bytes (default)
  • "int64", "uint64" - 8 bytes
  • "float" - 4-byte floating point
  • "double" - 8-byte floating point
  • "ptr" - Pointer size (4 bytes on x86, 8 bytes on x64)

Constants

Process Access Rights

  • $PROCESS_ALL_ACCESS - Full access rights
  • $PROCESS_VM_READ - Read memory access
  • $PROCESS_VM_WRITE - Write memory access
  • $PROCESS_VM_OPERATION - Memory operation access

Memory Protection

  • $PAGE_EXECUTE_READWRITE - Execute, read, and write access
  • $MEM_COMMIT - Commit memory pages
  • $MEM_RESERVE - Reserve memory pages
  • $MEM_RELEASE - Release memory pages

Assembly Registers

  • 8-bit: $AL, $CL, $DL, $BL, $AH, $CH, $DH, $BH
  • 16-bit: $AX, $CX, $DX, $BX, $SP, $BP, $SI, $DI
  • 32-bit: $EAX, $ECX, $EDX, $EBX, $ESP, $EBP, $ESI, $EDI
  • 64-bit: $RAX, $RCX, $RDX, $RBX, $RSP, $RBP, $RSI, $RDI, $R8-$R15

Error Handling

All functions use AutoIt's @error system for error reporting:

  • @error = 0 - Success
  • @error > 0 - Error occurred (check function documentation for specific error codes)

Always check @error after function calls:

Local $iValue = _Memory_Read($ahHandle, $iAddress, "int")
If @error Then
    ConsoleWrite("Error reading memory: " & @error & @CRLF)
Else
    ConsoleWrite("Value: " & $iValue & @CRLF)
EndIf

Best Practices

  1. Enable Debug Privilege: Call _Memory_SetPrivilege("SeDebugPrivilege", True) before accessing external processes
  2. Handle Cleanup: Always call _Memory_Close() to free resources
  3. Check Errors: Verify @error after each function call
  4. Use Appropriate Types: Choose the correct data type for your memory operations
  5. Validate Addresses: Ensure memory addresses are valid before access
  6. Test Patterns: Verify pattern strings are correctly formatted with spaces

Security Considerations

  • This library requires elevated privileges for external process access
  • Memory manipulation can cause application crashes or system instability
  • Always validate input parameters and memory addresses
  • Use appropriate error handling to prevent unexpected behavior
  • Be cautious when injecting code into critical system processes

Compatibility

  • Architecture: Supports both x86 and x64 processes
  • AutoIt: Compatible with AutoIt 3.3.14 and later versions
  • Windows: Works on Windows Vista and later versions
  • Processes: Can access both 32-bit and 64-bit processes (with appropriate AutoIt version)

Author

Dao Van Trong - TRONG.PRO

License

This UDF is provided as-is for educational and development purposes. Use responsibly and in accordance with applicable laws and regulations.

User Feedback


tubaba


First of all, thank you for providing a great user experience. However, I do have an issue to bring up. It seems that your DLL automatically corrects parts that exceed the screen, confining them within the frame of 0,0,@DesktopWidth,@DesktopHeight. But there are many application scenarios with multiple screens, which means that screen coordinates should not be limited to the range of the first screen. In earlier versions, I found that the coordinate correction was done in the UDF.

Steven2025

  

Thank you for sharing the updated version. I noticed the reference to wrapper functions like _ImageSearch_Wait and _ImageInImageSearch in your post. Could you please clarify:

  1. Are these functions meant to be implemented in AutoIt (AU3) or are they part of a C++ extension?

  2. If they're AutoIt functions, would you be able to share:

    • The required function prototypes

    • Key parameters they should accept

  3. If they're C++ based:

    • Is there a header file or DLL interface we should reference?

Response from the author:

All the functionality is done by the C++ DLL; AutoIt is just the user and handler of the results.

 
