ronmage

Multi-level Pointers


ronmage

Hi, I am hoping to get some help with multi-level pointers. I was looking online and I did find NomadMemory.au3, which is supposed to do it. When you open it up it states it is for "AutoIt Version: 3.1.127 (beta)", so I am not sure if it works, but looking around I did not find an update anywhere or anything to replace it. I did get it to work for just looking at one piece of memory, but when I try to use it to look at a multi-level pointer I keep getting 0 as the output.

This is the pointer data

http://img16.imageshack.us/i/capturetv.png

This is my code:

#include <NomadMemory.au3>
Global $WindowTitle = "Test.exe"
Global $PID = WinGetProcess($WindowTitle)
Global $Ptr = 0x012f25f0
Global $Off1 = DEC("474")
Global $Off2 = DEC("20")

$Handle = _MemoryOpen($PID)
$baseADDR = _MemoryRead($Ptr, $Handle)

$LVL1 = '0x' & Hex($baseADDR + $Off1)
$baseADDR = _MemoryRead($LVL1, $Handle)

$LVL2 = '0x' & Hex($baseADDR + $Off2)
$baseADDR = _MemoryRead($LVL2, $Handle)

MsgBox("Info", "data", $baseADDR)

_MemoryClose($Handle)

ronmage

Looking at this, it looks like I need to take an address and add the offset, doing that till all the offsets are added to get my address. But I am not sure.

darkjohn20

Use the Pointer functions in NomadMemory.au3

;=================================================================================================
; Function:   _MemoryPointerRead ($iv_Address, $ah_Handle, $av_Offset[, $sv_Type])
; Description:  Reads a chain of pointers and returns an array containing the destination
;               address and the data at the address.
; Parameter(s):  $iv_Address - The static memory address you want to start at. It must be in
;                       hex format (0x00000000).
;               $ah_Handle - An array containing the Dll handle and the handle of the open
;                       process as returned by _MemoryOpen().
;               $av_Offset - An array of offsets for the pointers.  Each pointer must have an
;                       offset.  If there is no offset for a pointer, enter 0 for that
;                       array dimension.
;               $sv_Type - (optional) The "Type" of data you intend to read at the destination
;                       address.  This is set to 'dword'(32bit(4byte) signed integer) by
;                       default.  See the help file for DllStructCreate for all types.
; Requirement(s):   The $ah_Handle returned from _MemoryOpen.
; Return Value(s):  On Success - Returns an array containing the destination address and the value
;                       located at the address.
;               On Failure - Returns 0
;               @Error - 0 = No error.
;                   1 = $av_Offset is not an array.
;                   2 = Invalid $ah_Handle.
;                   3 = $sv_Type is not a string.
;                   4 = $sv_Type is an unknown data type.
;                   5 = Failed to allocate the memory needed for the DllStructure.
;                   6 = Error allocating memory for $sv_Type.
;                   7 = Failed to read from the specified process.
; Author(s):        Nomad
; Note(s):      Values returned are in Decimal format, unless a 'char' type is selected.
;               Set $av_Offset like this:
;               $av_Offset[0] = NULL (not used)
;               $av_Offset[1] = Offset for pointer 1 (all offsets must be in Decimal)
;               $av_Offset[2] = Offset for pointer 2
;               etc...
;               (The number of array dimensions determines the number of pointers)
;=================================================================================================
Func _MemoryPointerRead($iv_Address, $ah_Handle, $av_Offset, $sv_Type = 'dword')

    If IsArray($av_Offset) Then
        If IsArray($ah_Handle) Then
            Local $iv_PointerCount = UBound($av_Offset) - 1
        Else
            SetError(2)
            Return 0
        EndIf
    Else
        SetError(1)
        Return 0
    EndIf

    Local $iv_Data[2], $i
    Local $v_Buffer = DllStructCreate('dword')

    For $i = 0 To $iv_PointerCount

        If $i = $iv_PointerCount Then
            $v_Buffer = DllStructCreate($sv_Type)
            If @error Then
                SetError(@error + 2)
                Return 0
            EndIf

            $iv_Address = '0x' & Hex($iv_Data[1] + $av_Offset[$i])
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @error Then
                SetError(7)
                Return 0
            EndIf

            $iv_Data[1] = DllStructGetData($v_Buffer, 1)

        ElseIf $i = 0 Then
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @error Then
                SetError(7)
                Return 0
            EndIf

            $iv_Data[1] = DllStructGetData($v_Buffer, 1)

        Else
            $iv_Address = '0x' & Hex($iv_Data[1] + $av_Offset[$i])
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @error Then
                SetError(7)
                Return 0
            EndIf

            $iv_Data[1] = DllStructGetData($v_Buffer, 1)

        EndIf

    Next

    $iv_Data[0] = $iv_Address

    Return $iv_Data

EndFunc   ;==>_MemoryPointerRead



;=================================================================================================
; Function:         _MemoryPointerWrite ($iv_Address, $ah_Handle, $av_Offset, $v_Data[, $sv_Type])
; Description:      Reads a chain of pointers and writes the data to the destination address.
; Parameter(s):     $iv_Address - The static memory address you want to start at. It must be in
;                               hex format (0x00000000).
;                   $ah_Handle - An array containing the Dll handle and the handle of the open
;                               process as returned by _MemoryOpen().
;                   $av_Offset - An array of offsets for the pointers.  Each pointer must have an
;                               offset.  If there is no offset for a pointer, enter 0 for that
;                               array dimension.
;                   $v_Data - The data to be written.
;                   $sv_Type - (optional) The "Type" of data you intend to write at the destination
;                               address.  This is set to 'dword'(32bit(4byte) signed integer) by
;                               default.  See the help file for DllStructCreate for all types.
; Requirement(s):   The $ah_Handle returned from _MemoryOpen.
; Return Value(s):  On Success - Returns the destination address.
;                   On Failure - Returns 0.
;                   @Error - 0 = No error.
;                           1 = $av_Offset is not an array.
;                           2 = Invalid $ah_Handle.
;                           3 = Failed to read from the specified process.
;                           4 = $sv_Type is not a string.
;                           5 = $sv_Type is an unknown data type.
;                           6 = Failed to allocate the memory needed for the DllStructure.
;                           7 = Error allocating memory for $sv_Type.
;                           8 = $v_Data is not in the proper format to be used with the
;                               "Type" selected for $sv_Type, or it is out of range.
;                           9 = Failed to write to the specified process.
; Author(s):        Nomad
; Note(s):          Data written is in Decimal format, unless a 'char' type is selected.
;                   Set $av_Offset like this:
;                   $av_Offset[0] = NULL (not used, doesn't matter what's entered)
;                   $av_Offset[1] = Offset for pointer 1 (all offsets must be in Decimal)
;                   $av_Offset[2] = Offset for pointer 2
;                   etc...
;                   (The number of array dimensions determines the number of pointers)
;=================================================================================================

Func _MemoryPointerWrite ($iv_Address, $ah_Handle, $av_Offset, $v_Data, $sv_Type = 'dword')

    If IsArray($av_Offset) Then
        If IsArray($ah_Handle) Then
            Local $iv_PointerCount = UBound($av_Offset) - 1
        Else
            SetError(2)
            Return 0
        EndIf
    Else
        SetError(1)
        Return 0
    EndIf

    Local $iv_StructData, $i
    Local $v_Buffer = DllStructCreate('dword')

    For $i = 0 to $iv_PointerCount
        If $i = $iv_PointerCount Then
            $v_Buffer = DllStructCreate($sv_Type)
            If @Error Then
                SetError(@Error + 3)
                Return 0
            EndIf

            DllStructSetData($v_Buffer, 1, $v_Data)
            If @Error Then
                SetError(8)
                Return 0
            EndIf

            $iv_Address = '0x' & hex($iv_StructData + $av_Offset[$i])
            DllCall($ah_Handle[0], 'int', 'WriteProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @Error Then
                SetError(9)
                Return 0
            Else
                Return $iv_Address
            EndIf
        ElseIf $i = 0 Then
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @Error Then
                SetError(3)
                Return 0
            EndIf

            $iv_StructData = DllStructGetData($v_Buffer, 1)

        Else
            $iv_Address = '0x' & hex($iv_StructData + $av_Offset[$i])
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @Error Then
                SetError(3)
                Return 0
            EndIf

            $iv_StructData = DllStructGetData($v_Buffer, 1)

        EndIf
    Next

EndFunc

Something like:

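#include <NomadMemory.au3>

$hMemoryOpen = _MemoryOpen(ProcessExists("process.exe"))
; Index 0 is unused by _MemoryPointerRead; the array has to be declared before it is initialised.
Local $aOffsets[3] = [0, Dec("20"), Dec("474")]
$aRead = _MemoryPointerRead(0x00A5BFCC, $hMemoryOpen, $aOffsets)
MsgBox(0, "Test", $aRead[1])
_MemoryClose($hMemoryOpen)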

should work, but hasn't been tested.

Edited by darkjohn20
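The offset-array convention from the header comment above (index 0 unused, one entry per pointer level) can be checked without a live process. The following is an added Python model, not part of NomadMemory.au3 or of any post in this thread; `MEMORY`, `read_dword` and `pointer_read` are hypothetical names, the memory contents are constructed, and only the base address and the offsets 0x474 and 0x20 come from the first post.

```python
# Constructed 32-bit memory image: address -> dword stored there (sample values).
MEMORY = {
    0x012F25F0: 0x00400000,          # static base pointer from the first post
    0x00400000 + 0x474: 0x00500000,  # pointer stored at level 1
    0x00500000 + 0x20: 1337,         # value at the destination
    0x00400000 + 0x20: 0x00600000,   # what a walk starting with 0x20 reads first
}


def read_dword(address):
    """Stand-in for ReadProcessMemory; None means the address is unreadable."""
    return MEMORY.get(address)


def pointer_read(base, offsets):
    """Walk a pointer chain using the $av_Offset layout (offsets[0] is ignored).

    Returns (last_address, value, failed_level); failed_level is None on
    success, otherwise the level whose read failed, so a broken chain is
    reported instead of being mistaken for a real value.
    """
    address = base
    data = read_dword(address)          # level 0: dereference the static address
    if data is None:
        return (address, None, 0)
    for level in range(1, len(offsets)):
        # Each level adds its offset to the pointer read at the previous level.
        address = (data + offsets[level]) & 0xFFFFFFFF
        data = read_dword(address)
        if data is None:
            return (address, None, level)
    return (address, data, None)


def demo():
    base = 0x012F25F0
    return {
        # Same order as the manual steps in the first post: 0x474, then 0x20.
        "manual_order": pointer_read(base, [None, 0x474, 0x20]),
        # Same offsets in the opposite order: the chain breaks at level 2.
        "reversed": pointer_read(base, [None, 0x20, 0x474]),
        # No placeholder at index 0: 0x474 is dropped and the walk is one level short.
        "no_placeholder": pointer_read(base, [0x474, 0x20]),
    }
```

The order of the offsets and the placeholder at index 0 both change which address is finally read, so each level's address is worth comparing against the pointer view in the memory scanner.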

periander

Strange... it's not working for me.

I'm using:

$hMemoryOpen = _MemoryOpen(ProcessExists("name.exe"))
dim $aOffsets[5] = [Dec("48"),Dec("3C0"),Dec("3C0"),Dec("C0"),Dec("4C0")]
$aRead = _MemoryPointerRead(0x013791E8, $hMemoryOpen, $aOffsets)
MsgBox(0, "Test", $aRead[1])
_MemoryClose($hMemoryOpen)

with data from CE: Posted Image

I always get "0" back.

Edited by periander
