ronmage

Multi-level Pointers

5 posts in this topic

Hi, I am hoping to get some help with Multi-level Pointers. I was looking online and I did find NomadMemory.au3, which is supposed to do it. When you open it up it states it is for "AutoIt Version: 3.1.127 (beta)", so I am not sure if it works, but looking around I did not find an update anywhere or anything to replace it. I did get it to work for just looking at one piece of memory, but when I try to use it to look at a Multi-level Pointer I keep getting 0 as the output.

This is the pointer data

http://img16.imageshack.us/i/capturetv.png

This is my code:

#include <NomadMemory.au3>
Global $WindowTitle = "Test.exe"
Global $PID = WinGetProcess($WindowTitle)
Global $Ptr = 0x012f25f0
Global $Off1 = DEC("474")
Global $Off2 = DEC("20")

$Handle = _MemoryOpen($PID)
$baseADDR = _MemoryRead($Ptr, $Handle)

$LVL1 = '0x' & Hex($baseADDR + $Off1)
$baseADDR = _MemoryRead($LVL1, $Handle)

$LVL2 = '0x' & Hex($baseADDR + $Off2)
$baseADDR = _MemoryRead($LVL2, $Handle)

MsgBox("Info", "data", $baseADDR)

_MemoryClose($Handle)




Looking at this, it looks like I need to take an address and add the offset, doing that until all the offsets are added to get my address. But I am not sure.


#3 ·  Posted (edited)

Use the Pointer functions in NomadMemory.au3

;=================================================================================================
; Function:         _MemoryPointerRead ($iv_Address, $ah_Handle, $av_Offset[, $sv_Type])
; Description:      Reads a chain of pointers and returns an array containing the destination
;                   address and the data at the address.
; Parameter(s):     $iv_Address - The static memory address you want to start at. It must be in
;                               hex format (0x00000000).
;                   $ah_Handle - An array containing the Dll handle and the handle of the open
;                               process as returned by _MemoryOpen().
;                   $av_Offset - An array of offsets for the pointers.  Each pointer must have an
;                               offset.  If there is no offset for a pointer, enter 0 for that
;                               array dimension.
;                   $sv_Type - (optional) The "Type" of data you intend to read at the destination
;                               address.  This is set to 'dword'(32bit(4byte) signed integer) by
;                               default.  See the help file for DllStructCreate for all types.
; Requirement(s):   The $ah_Handle returned from _MemoryOpen.
; Return Value(s):  On Success - Returns an array containing the destination address and the value
;                               located at the address.
;                   On Failure - Returns 0
;                   @Error - 0 = No error.
;                           1 = $av_Offset is not an array.
;                           2 = Invalid $ah_Handle.
;                           3 = $sv_Type is not a string.
;                           4 = $sv_Type is an unknown data type.
;                           5 = Failed to allocate the memory needed for the DllStructure.
;                           6 = Error allocating memory for $sv_Type.
;                           7 = Failed to read from the specified process.
; Author(s):        Nomad
; Note(s):          Values returned are in Decimal format, unless a 'char' type is selected.
;                   Set $av_Offset like this:
;                   $av_Offset[0] = NULL (not used)
;                   $av_Offset[1] = Offset for pointer 1 (all offsets must be in Decimal)
;                   $av_Offset[2] = Offset for pointer 2
;                   etc...
;                   (The number of array dimensions determines the number of pointers)
;=================================================================================================
Func _MemoryPointerRead($iv_Address, $ah_Handle, $av_Offset, $sv_Type = 'dword')

    If IsArray($av_Offset) Then
        If IsArray($ah_Handle) Then
            Local $iv_PointerCount = UBound($av_Offset) - 1
        Else
            SetError(2)
            Return 0
        EndIf
    Else
        SetError(1)
        Return 0
    EndIf

    Local $iv_Data[2], $i
    Local $v_Buffer = DllStructCreate('dword')

    For $i = 0 To $iv_PointerCount

        If $i = $iv_PointerCount Then
            $v_Buffer = DllStructCreate($sv_Type)
            If @error Then
                SetError(@error + 2)
                Return 0
            EndIf

            $iv_Address = '0x' & Hex($iv_Data[1] + $av_Offset[$i])
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @error Then
                SetError(7)
                Return 0
            EndIf

            $iv_Data[1] = DllStructGetData($v_Buffer, 1)

        ElseIf $i = 0 Then
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @error Then
                SetError(7)
                Return 0
            EndIf

            $iv_Data[1] = DllStructGetData($v_Buffer, 1)

        Else
            $iv_Address = '0x' & Hex($iv_Data[1] + $av_Offset[$i])
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @error Then
                SetError(7)
                Return 0
            EndIf

            $iv_Data[1] = DllStructGetData($v_Buffer, 1)

        EndIf

    Next

    $iv_Data[0] = $iv_Address

    Return $iv_Data

EndFunc   ;==>_MemoryPointerRead



;=================================================================================================
; Function:         _MemoryPointerWrite ($iv_Address, $ah_Handle, $av_Offset, $v_Data[, $sv_Type])
; Description:      Reads a chain of pointers and writes the data to the destination address.
; Parameter(s):     $iv_Address - The static memory address you want to start at. It must be in
;                               hex format (0x00000000).
;                   $ah_Handle - An array containing the Dll handle and the handle of the open
;                               process as returned by _MemoryOpen().
;                   $av_Offset - An array of offsets for the pointers.  Each pointer must have an
;                               offset.  If there is no offset for a pointer, enter 0 for that
;                               array dimension.
;                   $v_Data - The data to be written.
;                   $sv_Type - (optional) The "Type" of data you intend to write at the destination
;                               address.  This is set to 'dword'(32bit(4byte) signed integer) by
;                               default.  See the help file for DllStructCreate for all types.
; Requirement(s):   The $ah_Handle returned from _MemoryOpen.
; Return Value(s):  On Success - Returns the destination address.
;                   On Failure - Returns 0.
;                   @Error - 0 = No error.
;                           1 = $av_Offset is not an array.
;                           2 = Invalid $ah_Handle.
;                           3 = Failed to read from the specified process.
;                           4 = $sv_Type is not a string.
;                           5 = $sv_Type is an unknown data type.
;                           6 = Failed to allocate the memory needed for the DllStructure.
;                           7 = Error allocating memory for $sv_Type.
;                           8 = $v_Data is not in the proper format to be used with the
;                               "Type" selected for $sv_Type, or it is out of range.
;                           9 = Failed to write to the specified process.
; Author(s):        Nomad
; Note(s):          Data written is in Decimal format, unless a 'char' type is selected.
;                   Set $av_Offset like this:
;                   $av_Offset[0] = NULL (not used, doesn't matter what's entered)
;                   $av_Offset[1] = Offset for pointer 1 (all offsets must be in Decimal)
;                   $av_Offset[2] = Offset for pointer 2
;                   etc...
;                   (The number of array dimensions determines the number of pointers)
;=================================================================================================

Func _MemoryPointerWrite ($iv_Address, $ah_Handle, $av_Offset, $v_Data, $sv_Type = 'dword')

    If IsArray($av_Offset) Then
        If IsArray($ah_Handle) Then
            Local $iv_PointerCount = UBound($av_Offset) - 1
        Else
            SetError(2)
            Return 0
        EndIf
    Else
        SetError(1)
        Return 0
    EndIf

    Local $iv_StructData, $i
    Local $v_Buffer = DllStructCreate('dword')

    For $i = 0 to $iv_PointerCount
        If $i = $iv_PointerCount Then
            $v_Buffer = DllStructCreate($sv_Type)
            If @Error Then
                SetError(@Error + 3)
                Return 0
            EndIf

            DllStructSetData($v_Buffer, 1, $v_Data)
            If @Error Then
                SetError(8)
                Return 0
            EndIf

            $iv_Address = '0x' & hex($iv_StructData + $av_Offset[$i])
            DllCall($ah_Handle[0], 'int', 'WriteProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @Error Then
                SetError(9)
                Return 0
            Else
                Return $iv_Address
            EndIf
        ElseIf $i = 0 Then
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @Error Then
                SetError(3)
                Return 0
            EndIf

            $iv_StructData = DllStructGetData($v_Buffer, 1)

        Else
            $iv_Address = '0x' & hex($iv_StructData + $av_Offset[$i])
            DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')
            If @Error Then
                SetError(3)
                Return 0
            EndIf

            $iv_StructData = DllStructGetData($v_Buffer, 1)

        EndIf
    Next

EndFunc

Something like:

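#include <NomadMemory.au3>

$hMemoryOpen = _MemoryOpen(ProcessExists("process.exe"))
; An array declared with initial values needs Dim/Local/Global.
; Index 0 is the unused placeholder; Dec() converts the hex offset strings to decimal.
Dim $aOffsets[3] = [0, Dec("20"), Dec("474")]
$aRead = _MemoryPointerRead(0x00A5BFCC, $hMemoryOpen, $aOffsets)
MsgBox(0, "Test", $aRead[1])
_MemoryClose($hMemoryOpen)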

should work, but hasn't been tested.

Edited by darkjohn20


Thank you .....


#5 ·  Posted (edited)

Strange... it's not working for me.

I'm using:

$hMemoryOpen = _MemoryOpen(ProcessExists("name.exe"))
dim $aOffsets[5] = [Dec("48"),Dec("3C0"),Dec("3C0"),Dec("C0"),Dec("4C0")]
$aRead = _MemoryPointerRead(0x013791E8, $hMemoryOpen, $aOffsets)
MsgBox(0, "Test", $aRead[1])
_MemoryClose($hMemoryOpen)

With data from CE: [posted image]

I always get "0" back.

Edited by periander
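
The walk performed by the `_MemoryPointerRead` function quoted in post #3, modelled in Python over a constructed address space; this is an added example, not NomadMemory code and not something posted by anyone in the thread. The quoted function tests only `@error` after `DllCall`, which reports that the call could not be made rather than that `ReadProcessMemory` returned 0, so the model shows what the caller gets back when a read fails unnoticed. It assumes a newly created DllStruct buffer is zero-filled and that a failed read leaves the buffer unchanged; `MEMORY`, `read_into`, `pointer_read`, `ReadFailed` and the `strict` flag are hypothetical names.

```python
# Added example: a model of the pointer walk in _MemoryPointerRead, not NomadMemory code.
# MEMORY is a constructed 32-bit address space (address -> dword stored there).
MEMORY = {
    0x012F25F0: 0x02000000,  # static pointer; address taken from the first post
    0x02000474: 0x03000000,  # level 1 = 0x02000000 + 0x474 (constructed)
    0x03000020: 1337,        # level 2 = 0x03000000 + 0x20, holds the value (constructed)
}


class ReadFailed(Exception):
    """Raised in strict mode when an address cannot be read."""


def read_into(address, buffer):
    """Stand-in for ReadProcessMemory: returns (ok, buffer_after_call).

    A failed read leaves the buffer as it was (assumption stated in the lead-in).
    """
    if address in MEMORY:
        return True, MEMORY[address]
    return False, buffer


def pointer_read(base, offsets, strict=False):
    """Walk the chain and return (final_address, value).

    offsets[0] is a placeholder and is never added; offsets[1:] are applied in
    order, one per dereference. strict=False mirrors checking only that the
    call was made; strict=True raises ReadFailed on the first failed read.
    """
    if len(offsets) < 2:
        raise ValueError("need the placeholder plus at least one offset")
    address = base
    ok, value = read_into(address, 0)           # first read uses a new, zeroed buffer
    if strict and not ok:
        raise ReadFailed(hex(address))
    last = len(offsets) - 1
    for i in range(1, last + 1):
        address = (value + offsets[i]) & 0xFFFFFFFF
        buffer = 0 if i == last else value      # the final read gets a new buffer
        ok, value = read_into(address, buffer)
        if strict and not ok:
            raise ReadFailed(hex(address))
    return address, value


if __name__ == "__main__":
    print(pointer_read(0x012F25F0, [0, 0x474, 0x20]))  # placeholder, then chain order
    print(pointer_read(0x012F25F0, [0x474, 0x20]))     # no placeholder: 0x474 is skipped
```

In this model, leaving out the index-0 placeholder makes the walk one level short and the unreadable final address is returned with the value 0, while `strict=True` reports the failing address instead.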
