Reading A Process Memory.


w0uter

These things don't help me.

I want to read a value, not change one!

So all I want to know is: if I've got the correct pointer and the correct offset, how do I get the address?

I'm talking about programming in AutoIt.

Is this what I should do:

$life = 0x6F8B6379 + 668
$pid = WinGetProcess("Minesweeper")
msgbox(0,"title",$pid)
$memh = _MemOpen (0x0010 , false , $pid)
$v_life = _MemRead($memh, $life, 1)
msgbox(0,"",$v_life)
_memclose ($memh)


Nice work, but I have a couple of quick questions...

How would you use the size parameter to specify 1 byte, 2 bytes, 4 bytes, 8 bytes, float, and double?

How do you get the number of addresses in a program?

Sorry if they sound noobish... I don't have much experience with pointers and such, but I really want to learn.

Thanks. ;)

Edited by erifash

How would you use the size parameter to specify 1 byte, 2 bytes, 4 bytes, 8 bytes, float, and double?

I wouldn't know...

How do you get the number of addresses in a program?

Try a disassembler/debugger or a memory-searching tool like TSearch.

My UDF's:;mem stuff_Mem;ftp stuff_FTP ( OLD );inet stuff_INetGetSource ( OLD )_INetGetImage _INetBrowse ( Collection )_EncodeUrl_NetStat_Google;random stuff_iPixelSearch_DiceRoll


Well erifash, most if not all pertinent memory is found at 4 bytes and below, and if you searched 4 bytes and got a 4-byte pointer then this would be correct:

$v_life = _MemRead($memh, $life, 4)

http://www.myclanhosting.com/defias Visit, join and contribute to a soon-to-be leader in customized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32]

Ok, thanks WSCPorts and w0uter. The reason I asked is I want to create a TSearch-like program in AutoIt. I am trying to hack a game and I need to know how to loop through the addresses reading each one. I can't use TSearch in the game (it's blocked) and AutoIt works sooooo... hehe.


  • 2 weeks later...

I'm currently porting out Kernel32.dll and User32.dll specific functions that are useful in terms of computer automation.

For now, here is my 'robust' version for MemRead and MemWrite, it's different from Mem.au3's. USE AT YOUR OWN RISK.

;$s_Type can be any of the struct types specified in DllStructCreate in your help file.
;$i_hProcess is a process handle (from OpenProcess), not the numeric PID; $i_nSize is the element count.
Func _ReadProcessMemory($i_hProcess, $i_lpBaseAddress, $s_Type ,$i_nSize)
   Local $hDll = DllOpen("kernel32.dll")
   If @error Then
      SetError(1)
      Return 0
   EndIf
   ; local buffer that receives the bytes copied out of the target process
   Local $v_Struct = DllStructCreate ($s_Type&'[' & $i_nSize & ']')
   Local $v_lpNumberOfBytesRead = '' ; passed as 0 (NULL): the byte count is not requested
   Local $a_Call = DllCall($hDll, 'int', 'ReadProcessMemory', 'int', $i_hProcess, 'int', $i_lpBaseAddress, 'int', DllStructGetPtr ($v_Struct, 1), 'int', $i_nSize, 'int', $v_lpNumberOfBytesRead)
   If @error Then
      DllStructDelete ($v_Struct)
      DllClose($hDll)
      SetError(1)
      Return 0
   EndIf
   If $a_Call[0] = 0 Then ; API returned FALSE: address not readable or handle lacks read access
      DllStructDelete ($v_Struct)
      DllClose($hDll)
      SetError(2)
      Return 0
   EndIf
   Local $v_Return = DllStructGetData ($v_Struct, 1)
   DllStructDelete ($v_Struct)
   DllClose($hDll)
   Return $v_Return
EndFunc

Func _WriteProcessMemory($i_hProcess, $i_lpBaseAddress, $s_Type ,$v_Inject, $i_nSize)
   Local $hDll = DllOpen("kernel32.dll")
   If @error Then
      SetError(1)
      Return 0
   EndIf
   Local $v_lpNumberOfBytesRead = '' ; passed as 0 (NULL)
   ; local buffer holding the value that is copied into the target process
   Local $v_Struct = DllStructCreate ($s_Type&'[' & $i_nSize & ']')
   DllStructSetData ($v_Struct, 1, $v_Inject)

   Local $i_Call = DllCall($hDll, 'int', 'WriteProcessMemory', 'int', $i_hProcess, 'int', $i_lpBaseAddress, 'int', DllStructGetPtr ($v_Struct, 1), 'int', $i_nSize, 'int', $v_lpNumberOfBytesRead)
   If @error Then
      DllStructDelete ($v_Struct)
      DllClose($hDll)
      SetError(1)
      Return 0
   EndIf
   DllStructDelete ($v_Struct)
   DllClose($hDll)
   Return $i_Call[0] ; non-zero on success, 0 if the API failed
EndFunc

Examples:

; $pid here is the process HANDLE returned by OpenProcess (e.g. via _ProcessOpen()), not the numeric PID
; $address is the address to read (pointer + offset)

; this reads a string of 256 bytes in length
$return = _ReadProcessMemory($pid, $address, 'char', 256)

; this reads a single char or byte
$return = _ReadProcessMemory($pid, 0xFFF, 'char', 1)
$return = _ReadProcessMemory($pid, 0xFFF, 'byte', 1)

; this reads an integer (4 bytes)
; note: the last parameter is used both as the element count of the struct (int[4]) and as the
; byte count passed to the API, so only the first element holds the 4 bytes that were read
$return = _ReadProcessMemory($pid, 0xFFF, 'int', 4)

; and so on... just change the 3rd param to what has been said before
; check for @error all the time!

Nice, could I use this to read floats that t-search finds?

  • 2 months later...

I have a few questions about this.

1. I do this as an include in my script, right?

2. In my script I need to define what $i_hProcess, $i_lpBaseAddress, $s_Type, $i_nSize are? As global variables?

3. If I need to define the items in question 2 above, then do I need to use all of them? If for example I don't need $i_lpBaseAddress, $s_Type, $i_nSize, do I still need to define them and use them for this to work?

4. For the line: Func _WriteProcessMemory($i_hProcess, $i_lpBaseAddress, $s_Type ,$v_Inject, $i_nSize)

If I'm going to write opcodes to something in memory, an .exe for example, I assume that $v_Inject would be the opcode? If it is the opcode, then does it take the format of, for example, "90" (a NOP) or just 90 (without quotes)? What format does this take?

5. I don't understand this:

Local $v_Struct = DllStructCreate ($s_Type&'[' & $i_nSize & ']')

Local $v_lpNumberOfBytesRead = ''

Is it necessary to use this? If so, do I need to define $s_Type and $i_nSize??

Edited by Spooky

Not to be mean, but I suggest you start with easier things than memory editing

(to get more familiar with AutoIt, of course).

If you still want to hear more:

The latest beta broke all of my code that used DllStructGetPtr($struct, 1)

(not to mention that DllStructDelete doesn't exist anymore),

so I assume the script from Cameri is also broken.

This version is newer and working correctly AFAIK:

http://www.autoitscript.com/forum/index.php?showtopic=19329

(My following answers will all refer to this thread, since this is the only one working AFAIK.)

1. You should only include the top of the script, not the example at the bottom

(so only the Func ... EndFunc things).

2. You need to pass the function parameters

(for more info see the AutoIt help file and the example code at the bottom).

3. -

4. _MemWrite is currently broken, but it is going to take values like 0x90 (hex for NOP) or 144 (dec for NOP).

5. You don't have to understand that :P



  • 5 months later...

Hey wouter, can you provide working examples for your scripts?

Heya,

Wouter is a god when it comes to scripting... however, he's not as good at explaining his stuff :D (no offence)

Here's a few steps that might help:

- Open winmine.exe

- Paste the following code and name the file "mem.au3"

Main functions:

mem.au3

Func _MemRead($i_hProcess, $i_lpBaseAddress, $i_nSize, $v_lpNumberOfBytesRead = '')
    Local $v_Struct = DllStructCreate ('byte[' & $i_nSize & ']') ; local buffer that receives the bytes
    Local $a_Call = DllCall('kernel32.dll', 'int', 'ReadProcessMemory', 'int', $i_hProcess, 'int', $i_lpBaseAddress, 'int', DllStructGetPtr ($v_Struct, 1), 'int', $i_nSize, 'int', $v_lpNumberOfBytesRead)
    If @error Then Return SetError(1, 0, 0) ; DllCall itself failed
    If $a_Call[0] = 0 Then Return SetError(2, 0, 0) ; API returned FALSE (unreadable address / no read access)
    Local $v_Return = DllStructGetData ($v_Struct, 1)
    $v_Struct=0 ; release the struct (replaces the removed DllStructDelete)
    Return $v_Return
EndFunc ;==> _MemRead()

Func _MemWrite($i_hProcess, $i_lpBaseAddress, $v_Inject, $i_nSize, $v_lpNumberOfBytesRead = '')
    Local $v_Struct = DllStructCreate ('byte[' & $i_nSize & ']') ; local buffer holding the value to write
    DllStructSetData ($v_Struct, 1, $v_Inject)
    Local $i_Call = DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $i_hProcess, 'int', $i_lpBaseAddress, 'int', DllStructGetPtr ($v_Struct, 1), 'int', $i_nSize, 'int', $v_lpNumberOfBytesRead)
    If @error Then Return SetError(1, 0, 0) ; DllCall itself failed
    $v_Struct=0
    Return $i_Call[0] ; non-zero on success, 0 if the API failed
EndFunc ;==> _MemWrite()

Func _MemOpen($i_dwDesiredAccess, $i_bInheritHandle, $i_dwProcessId)
    Local $ai_Handle = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', $i_dwDesiredAccess, 'int', $i_bInheritHandle, 'int', $i_dwProcessId)
    If @error Then
        SetError(1)
        Return 0
    EndIf
    Return $ai_Handle[0] ; process handle, 0 if OpenProcess failed
EndFunc ;==> _MemOpen()

Func _MemClose($i_hProcess)
    Local $av_CloseHandle = DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $i_hProcess)
    If @error Then Return SetError(1, 0, 0)
    Return $av_CloseHandle[0]
EndFunc ;==> _MemClose()
#include <mem.au3>

$Process = 'winmine.exe' ;-> Target process
$PID = ProcessExists($Process) ;-> Get Process ID
$Address = 0x1005330 ;-> Read/write address
$Value = 12 ;-> Value to write

$OpenProcess = _MemOpen(0x38, False, $PID) ;-> Enable reading/writing to the process and get the handle

$v_Read = _MemRead($OpenProcess, $Address, 1) ;-> Read a 1 byte value from the defined address
MsgBox(0, "Info", "The value of address " & Hex($Address, 8) & " is now: " & $v_Read)

$v_Read = _MemWrite($OpenProcess, $Address, $Value, 1) ;-> Write a new 1 byte value to the defined address
MsgBox(0, "Info", "Writing the value " & $Value & " to address " & Hex($Address, 8))

$v_Read = _MemRead($OpenProcess, $Address, 1) ;-> Read the new value from the defined address
MsgBox(0, "Info", "The value of address " & Hex($Address, 8) & " is now: " & $v_Read)

_MemClose($OpenProcess) ;-> Disable reading/writing to the process

Remember to use the latest beta (located here: http://www.autoitscript.com/autoit3/files/beta/autoit/) to run/compile this script.

I've tried to comment most of the steps; if you have questions I'd be happy to answer =)

Edited by faldo

  • 2 months later...

I'm a newbie and not good at English :P please help me!

I used the code above to read the value of HP in a game. It still works, but there's a problem.

When the memory address value is in the range 0-128, the script reads and shows it exactly.

But when the MAV is in the range 129-256, the value that the script shows is -128 to 0???

In the next range it shows 0-128, and the next range returns to 0............... :nuke:

Ex: the HP value is 225 but the script reads and shows -31.

How can I solve this problem? Like when the HP value is 1249 it shows 1249, not -31 like now.

Thanks


When in doubt, experiment.

It sounds like you're converting an unsigned integer to a signed integer. Looking at the MSDN documentation:

BOOL ReadProcessMemory(
  HANDLE hProcess,            ; [in] Handle to the process whose memory is being read. In Windows CE, any call to OpenProcess will return a process handle with the proper access rights.
  LPCVOID lpBaseAddress,      ; [in] Pointer to the base address in the specified process to be read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access. If this is the case, the function proceeds; otherwise, the function fails.
  LPVOID lpBuffer,            ; [out] Pointer to a buffer that receives the contents from the address space of the specified process.
  DWORD nSize,                ; [in] Specifies the requested number of bytes to read from the specified process.
  LPDWORD lpNumberOfBytesRead ; [out] Pointer to the actual number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.
)

It looks like any conversion issues will be in the third parameter. Based on the list here there isn't a separate DLLCall type for INT and UINT.

:P You might try replacing

DllCall('kernel32.dll', 'int', 'ReadProcessMemory', 'int', $i_hProcess, 'int', $i_lpBaseAddress, 'int', DllStructGetPtr ($v_Struct, 1), 'int', $i_nSize, 'int', $v_lpNumberOfBytesRead)

or just hoping someone else comes along to correct me on this...

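An added example, not code from this thread or from w0uter's Mem.au3, that serves two passages: Cameri's typed reader above and the "225 reads as -31" question that Dark diagnoses. It reads one address as 'byte', 'int' and 'uint' with the current DllCall types, so a 1-byte value no longer wraps negative and a value such as 1249 comes out of the 4-byte read; $sProcess and $pAddress reuse faldo's winmine.exe values as assumptions, and AutoIt 3.3.10 or later is assumed for the 'handle'/'struct*' type names.

```autoit
; Added example (not from the thread): typed ReadProcessMemory wrapper that shows
; why a signed 1-byte read of 225 shows -31 and why 1249 needs a 4-byte read.
#include <MsgBoxConstants.au3>

Global Const $PROCESS_VM_READ = 0x0010 ; read access is all this script needs

; Read one value of struct type $sType ('byte', 'ushort', 'int', 'uint', 'float', ...)
; at $pAddress in the process behind $hProcess. Returns 0 and sets @error on failure:
; 1 = DllCall failed, 2 = API returned FALSE, 3 = short read (@extended = bytes copied).
Func _MemReadTyped($hProcess, $pAddress, $sType)
    Local $tBuf = DllStructCreate($sType)
    Local $iSize = DllStructGetSize($tBuf)
    Local $aRet = DllCall('kernel32.dll', 'bool', 'ReadProcessMemory', _
            'handle', $hProcess, 'ptr', $pAddress, 'struct*', $tBuf, _
            'ulong_ptr', $iSize, 'ulong_ptr*', 0)
    If @error Then Return SetError(1, 0, 0)
    If Not $aRet[0] Then Return SetError(2, 0, 0)
    If $aRet[5] <> $iSize Then Return SetError(3, $aRet[5], 0)
    Return DllStructGetData($tBuf, 1)
EndFunc

; A value read through a signed 1-byte type wraps at 128 (225 -> -31 = 225 - 256).
; Masking with 0xFF recovers the unsigned 0..255 value.
Func _SignedByteToUnsigned($iSigned)
    Return BitAND($iSigned, 0xFF)
EndFunc

Local $sProcess = 'winmine.exe' ; assumption: same target as faldo's example
Local $pAddress = 0x1005330     ; assumption: same address as faldo's example
Local $iPid = ProcessExists($sProcess)
If $iPid = 0 Then Exit MsgBox($MB_ICONERROR, 'Error', $sProcess & ' is not running')

Local $aOpen = DllCall('kernel32.dll', 'handle', 'OpenProcess', _
        'dword', $PROCESS_VM_READ, 'bool', False, 'dword', $iPid)
If @error Then Exit MsgBox($MB_ICONERROR, 'Error', 'DllCall OpenProcess failed')
If $aOpen[0] = 0 Then Exit MsgBox($MB_ICONERROR, 'Error', 'OpenProcess refused (access rights?)')
Local $hProc = $aOpen[0]

; Same address read at three widths/signednesses; each read checks its own @error.
Local $aTypes[3] = ['byte', 'int', 'uint']
Local $sReport = '', $vVal
For $sType In $aTypes
    $vVal = _MemReadTyped($hProc, $pAddress, $sType)
    If @error Then
        $sReport &= $sType & ': read failed (@error=' & @error & ')' & @CRLF
    Else
        $sReport &= $sType & ': ' & $vVal & @CRLF
    EndIf
Next
$sReport &= 'signed byte -31 masked back to unsigned: ' & _SignedByteToUnsigned(-31)
MsgBox($MB_OK, 'Reads at 0x' & Hex($pAddress, 8), $sReport)
DllCall('kernel32.dll', 'bool', 'CloseHandle', 'handle', $hProc)
```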

  • 2 months later...
  • 1 month later...

Someone needs to help us =P.

Guys, I think wOuter is more likely to pay attention to things happening at http://www.autoitscript.com/forum/index.php?showtopic=19329

Look at the first post in the thread... he last updated this in Feb 2006, and last responded to a post in this thread in Dec 2005. The first post has been modified to point to his signature for a link to newer code. That thread hasn't seen any activity since mid-2006, but it's worth a try.

And no, apart from that, I personally can't help you with this :)


Hello,

First off I'd like to say awesome script. It saves the time of writing an unmanaged DLL to do this, since AutoIt doesn't support managed DLLs. With memory reading, one base pointer most of the time in large games/programs isn't enough. Base pointers tend to have yet another base pointer. In one game our company botted 3 base pointers, which means 1 pointer leads to another and yet to another.

Also, another thing you must understand with DMA is you have to use the chunk of memory in which the program loaded. Basically, in the end you find this X + an offset, where X is where the program starts in memory. Don't be fooled though: a program may look like it always loads in the same spot, but this is really false. It may do this 4 - 1000 times in a row, but a simple app asking for that same chunk of memory will force it to load in another.

Our company has never used AutoIt to attempt bots this interactive. The tutorials listed further back in this project help a lot. They may not show you exactly how to memory read, but they show you things such as code caves... with a code cave (I suggest not doing this on any MMOs as it's highly detectable) you can actually throw the info you want in a static unused chunk of memory :). Also, if you plan to do memory reading you may want to brush up on your ASM or machine code, as you will see it a lot and use it a lot :D If you have any questions feel free to contact myself. Just ask for D. Lamb in any emails or messages.

Good luck,

D. Lamb

UrzaShop Dev.

