Search a string in memory


FireFox

Hi,

I have already searched but found nothing which was working to search a STRING in a process memory...

If it doesn't exist, maybe someone has an idea how to read all memory addresses until the right string is found, because the address always changes :D

Thanks for any help :D

Cheers, FireFox.


Have you tried dumping all the memory you want to search to a file and then searching there ? I know it's not the optimal way to do it, but it may be good enough.

Otherwise you could do a search loop with ReadProcessMemory using NomadMemory.au3. Of course you'll have to search for the first 4 ascii codes of the string and if found, then compare the rest etc, because you'll be working with dwords.

Maybe you could explain to me how to dump all the memory or redirect me to an AutoIt tutorial post :D

Cheers, FireFox.


#include <NomadMemory.au3>
#include <MemoryGetBaseAddressUDF.au3>

$progname = "Memory Reader"

; Look up the PID of the target process (0 means it is not running)
$target_pid = ProcessExists ("example.exe")
If $target_pid=0 Then 
    MsgBox (16, $progname, "Process not found !")
    Exit
EndIf

; Open the process for memory access
$Nomad_struct = _MemoryOpen($target_pid)
If @error <> 0 Then
    MsgBox (16, $progname, "Process could not be opened !")
    Exit
EndIf

; Get the base address of the executable and show the value read from it
$target_base = _MemoryGetBaseAddress($Nomad_struct)
MsgBox(0,"",$target_base)
MsgBox(4096, $progname, Hex(_MemoryRead( Dec($target_base),$Nomad_struct)))

That's a good example of how to get the base address of an executable and read memory from it. I'm sure you can adapt it, you're skilled in AutoIt ! Let me know how it goes, maybe I'll make a mem dumper, come to think of it :-D

Note : If you're on 64-bit it doesn't work on 64-bit executables.

Note2 : It also doesn't work if I compile it as 64-bit or if I execute the au3, obviously because it uses the 64bit autoit exe.

Edited by Inverted

@Inverted

I already have a script like that, what do you mean by dumping ?

Maybe I have to search from 0x000000 to 0xFFFFFF ? But I don't know how to build a function like this.. :D

Cheers, FireFox.

Edited by FireFox

Dumping means to save the memory to a file. Anyway, you don't need to do that. Why don't you just make a searching loop to search the memory and compare the 4 bytes you get with the first 4 ascii values of your string ?

If it's not the same, then increment the address you're looking at by one (or by 4 if the string you're looking for is always dword-aligned).

:D I understand anything, sorry...

The string that I need to search can have a different length, can you write me a little example (maybe then I will understand what to do :D)

Cheers, FireFox.


#include <NomadMemory.au3>
#include <Array.au3>

$progname = "Memory_String_Search"
$search_start = 0x400000
$search_end = 0x7fffffff

$target_pid = ProcessExists ( InputBox ("Give process name, 32-bit exes only!", "example : example.exe","example.exe") )

If $target_pid=0 Then 
    MsgBox (16, $progname, "Process not found !")
    Exit
EndIf

$Nomad_struct = _MemoryOpen($target_pid)
If @error <> 0 Then
    MsgBox (16, $progname, "Process could not be opened !")
    Exit
EndIf

$search_string = InputBox ("Give search string", "","somestring")
$byte_pattern_array = StringToASCIIArray ($search_string)
; The pattern is built from the first 4 characters, so shorter strings cannot be searched
If UBound($byte_pattern_array) < 4 Then
    MsgBox (16, $progname, "Search string must be at least 4 characters long !")
    Exit
EndIf
; Pack the first 4 ASCII codes into one little-endian dword, shown as a hex string
$byte_pattern = Hex($byte_pattern_array[0]+256*$byte_pattern_array[1]+65536*$byte_pattern_array[2]+16777216*$byte_pattern_array[3])
MsgBox (4096, $progname, $byte_pattern)

; Read one dword per address and compare it with the pattern
For $search_address = $search_start To $search_end Step 4
    ;ToolTip (Hex($search_address))   ; I've commented out the tooltip because it is too slow
    If Hex(_MemoryRead( $search_address,$Nomad_struct)) = $byte_pattern Then
        MsgBox (4096, $progname, "String found at address : " & Hex($search_address))
        Exit
    EndIf
Next

That's where I am so far, it's not finished, I will continue tomorrow. I've tested and it works fine, BUT it only searches for the first 4 bytes (and only with ASCII strings, not Unicode).

It's not that hard to do a comparison for the other bytes as needed. Anyway, the code is very cryptic.

Does anyone have a better idea to create an inverse dword out of the first 4 bytes of a string ? Not that it matters too much, since it's a one-time calculation ... it just looks funky

This code is only for 32-bit stuff.

P.S.: Array.au3 isn't needed for this code, I just use it for testing (_ArrayDisplay etc)

Edited by Inverted
It works fine ! (a little long but I'm sure we can improve it :D)

Maybe that's what you've said, I can't search for a string whose length is smaller than 4...

Anyway, thank you for your help :D

Edit1: Why are there two more numbers for the $search_end than for the $search_start ?

$search_start = 0x400000
$search_end =   0x7fffffff

Cheers, FireFox.

Edited by FireFox

  • Moderators

Edit1: Why are there two more numbers for the $search_end than for the $search_start ?

$search_start = 0x400000
$search_end =   0x7fffffff

$search_start = 0x00400000
$search_end =   0x7fffffff

Better? ... :D

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


I think I have found a way to search a string in a process memory ! :D

Fixed script is at the #14 reply

Tell me if that works fine and I will post it in example scripts forum :D

Cheers, FireFox.

Edited by FireFox

Have you tested it ? It didn't work here, whereas my script works. Also, it is uber-slow !!!

By the way, I got rid of the "step 4" in my script, turns out dword-aligned strings aren't as common as I thought.

Oh, almost forgot, you should change the end address to a lot more, like 6fffffff, your 7fffff is ridiculously low, you're missing out on a lot of good memory :D

Edited by Inverted
I have fixed what was wrong, but it's very, very, very long...

#include <NomadMemory.au3>
#include <Array.au3>
;

Local $s_pname = 'Memory_String_Search'
Local $s_start = 0x40000000
Local $s_end = 0x7fffffff


$n_pid = ProcessExists(InputBox('Give process name, 32-bit exes only!', 'Example : calc.exe', "", "", 200, 120))
If $n_pid < 1 Then Exit MsgBox(16, $s_pname, 'Process not found !')


$f_mopen = _MemoryOpen($n_pid)
If @error > 0 Then Exit MsgBox(16, $s_pname, 'Process could not be opened !')

$s_search = InputBox('Give search string', 'Example : Something', "", "", 200, 120)
ConsoleWrite('>Searching...' & @CRLF)

For $i_search = $s_start To $s_end
;~  ConsoleWrite(Hex($i_search) & @CRLF) ;I've commented out the consolewrite because it keeps writing after exit
    If _MemoryRead('0x' & Hex($i_search), $f_mopen, 'char[' & StringLen($s_search) +1 & ']') = $s_search Then
        $f_msg = MsgBox(33, $s_pname, 'String found at address : ' & Hex($i_search) & @CRLF & 'Continue searching ?')
        If $f_msg = 2 Then Exit
    EndIf
Next

MsgBox(16, $s_pname, 'String not found !')

Maybe someone has an idea to improve it :D

Your script is a 4-byte search, mine is a text search.

Cheers, FireFox.


  • 1 year later...

There are a lot of good ideas for searching in the memory, but one solution is too slow and the other too short. I need something to search for a large hex number: FFFFFF7F00000000000000000000000000000000FFFFFFFF01000000000000000000000001 as an example. The value is always at another address. With Cheat Engine I find this address, but I would like to have a script to do that for me. Is there a solution to search fast in the memory from 00000000 to 7FFFFFFF?

thanks and best regards
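
Added example, not part of any post in this thread: the scripts above issue one ReadProcessMemory call per address, which is why they are slow. This Python version reads each region in large chunks and carries the last `len(needle) - 1` bytes into the next chunk so a match straddling a chunk edge is not missed; it handles ASCII, UTF-16LE and raw hex patterns alike. The process is simulated by a constructed `{base: bytes}` map, and `scan`, `make_reader` and `build_sample` are hypothetical names; in a real tool the region list would come from VirtualQueryEx and `read` would wrap ReadProcessMemory.

```python
# Constructed stand-in for a target process: {region base: bytes}.
# Assumption: a real tool gets regions from VirtualQueryEx and reads them
# with ReadProcessMemory; both are replaced here so the example runs offline.
HEX_PATTERN = bytes.fromhex("FFFFFF7F00000000FFFFFFFF")  # constructed pattern

def build_sample():
    a, b = bytearray(0x30000), bytearray(0x20000)
    a[0xFFFB:0xFFFB + 10] = b"somestring"        # straddles the 0x10000 chunk edge
    wide = "somestring".encode("utf-16-le")
    b[0x123:0x123 + len(wide)] = wide            # odd address, not dword-aligned
    b[0x1FFF0:0x1FFF0 + len(HEX_PATTERN)] = HEX_PATTERN
    return {0x00400000: bytes(a), 0x10000000: bytes(b)}

def make_reader(mem, stats):
    def read(addr, size):
        stats["reads"] += 1                      # count calls to show the saving
        for base, data in mem.items():
            if base <= addr < base + len(data):
                return data[addr - base:addr - base + size]
        return None                              # unreadable address
    return read

def scan(regions, read, needle, chunk=0x10000):
    """Return every absolute address where needle occurs in the regions."""
    hits, keep = [], len(needle) - 1
    for base, size in regions:
        tail, offset = b"", 0
        while offset < size:
            n = min(chunk, size - offset)
            data = read(base + offset, n)
            if data is None:                     # skip the hole, drop carry-over
                tail, offset = b"", offset + n
                continue
            buf = tail + data                    # carry-over catches edge matches
            start = base + offset - len(tail)
            pos = buf.find(needle)
            while pos != -1:
                hits.append(start + pos)
                pos = buf.find(needle, pos + 1)
            tail = buf[-keep:] if keep else b""
            offset += n
    return hits

def demo():
    mem, stats = build_sample(), {"reads": 0}
    regions = [(base, len(data)) for base, data in mem.items()]
    read = make_reader(mem, stats)
    return {"ascii": scan(regions, read, b"somestring"),
            "utf16": scan(regions, read, "somestring".encode("utf-16-le")),
            "hex": scan(regions, read, HEX_PATTERN),
            "reads": stats["reads"]}
```

The three scans cover 0x50000 bytes each with five reads apiece, where a byte-by-byte loop would need 327,680 reads per scan.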
