Sign in to follow this  
Followers 0
FaridAgl

C++ Memory Pattern Scanner

16 posts in this topic

Hi folks,

I have a function in AutoIt that performs what i want, here it is:

Func _MemoryPatternSearch($ProcessHandle, $Pattern, $StartAddress = 0x00400000, $StopAddress = 0x00600000, $Step = 51200)
If Not IsArray($ProcessHandle) Then
  SetError(1)
  Return -1
EndIf
$Pattern = StringRegExpReplace($Pattern, '[^0123456789ABCDEFabcdef.]', '')
If StringLen($Pattern) = 0 Then
  SetError(2)
  Return -2
EndIf
Local $BufferPattern, $FormatedPattern
For $i = 0 To ((StringLen($Pattern) / 2) - 1)
  $BufferPattern = StringLeft($Pattern, 2)
  $Pattern = StringRight($Pattern, StringLen($Pattern) - 2)
  $FormatedPattern = $FormatedPattern & $BufferPattern
Next
$Pattern = $FormatedPattern
For $Address = $StartAddress To $StopAddress Step $Step - (StringLen($Pattern) / 2)
  StringRegExp(_MemoryRead($Address, $ProcessHandle, 'byte[' & $Step & ']'), $Pattern, 1, 2)
  If Not @error Then
   Return StringFormat('0x%.8X', $Address + ((@extended - StringLen($Pattern) - 2) / 2))
  EndIf
Next
Return -3
EndFunc   ;==>_MemoryPatternSearch

Is there a similar function in C++? Any link? Any idea?

One thing, i'm coding a Dll that will get injected to a process and patch it, all is done atm ( using memcpy ) but it's really great if i could find a MemoryPatternScanner. I found a FindPattern while googling but i can't get that to work.

Share this post


Link to post
Share on other sites



Uhm... Start from the beginning checking one character after another, find first character, then check second, then third, then...


♡♡♡

.

eMyvnE

Share this post


Link to post
Share on other sites

It's about finding a pattern of bytes in a process memory, from address n1 to n2 ( or to the end ).

For example, look at this:

It's a process memory, and the memory dump is:

00612000 00 00 00 80 00 00 00 80

00612008 00 00 00 00 00 00 00 00

00612010 00 48 5C 00 00 00 00 00

00612018 2E 3F 41 56 49 53 79 73

00612020 74 65 6D 4E 6F 74 69 66

00612028 79 40 40 00 00 48 5C 00

00612030 00 00 00 00 2E 3F 41 56

00612038 49 50 61 63 6B 65 74 40

00612040 40 00 00 00 00 48 5C 00

00612048 00 00 00 00 2E 3F 41 56

Now the Pattern Scanner should give me 00612018 if i search for pattern 2E 3F 41 56 49 53 79 73.

Note that in the AutoIt example i gave in the first post we was opening the process ( ProcessOpen ) and then checking byte by byte usign RPM ( ReadProcessMemory ) but in this case that i'm going to find a solution we do not need this coz we are injecting our Dll to the target process so we can access the whole process memory directly.

Share this post


Link to post
Share on other sites

It's about finding a pattern of bytes in a process memory, from address n1 to n2 ( or to the end ).

For example, look at this:

It's a process memory, and the memory dump is:

00612000 00 00 00 80 00 00 00 80

00612008 00 00 00 00 00 00 00 00

00612010 00 48 5C 00 00 00 00 00

00612018 2E 3F 41 56 49 53 79 73

00612020 74 65 6D 4E 6F 74 69 66

00612028 79 40 40 00 00 48 5C 00

00612030 00 00 00 00 2E 3F 41 56

00612038 49 50 61 63 6B 65 74 40

00612040 40 00 00 00 00 48 5C 00

00612048 00 00 00 00 2E 3F 41 56

Now the Pattern Scanner should give me 00612018 if i search for pattern 2E 3F 41 56 49 53 79 73.

Note that in the AutoIt example i gave in the first post we was opening the process ( ProcessOpen ) and then checking byte by byte usign RPM ( ReadProcessMemory ) but in this case that i'm going to find a solution we do not need this coz we are injecting our Dll to the target process so we can access the whole process memory directly.

Hello and regards to all, my knowledge is poor but I'm ready to learn ...I have just looking for something like this.

What I would like to do is to create script that can find a pattern of bytes using RPM and if pattern is there than Msg. "pattern found" else something else.

So in theory ....

$Process = "Program.exe" ; $pattern = "3200320032003200320032" Msg. "pattern found"

Func _MemoryPatternSearch

If some one can tray to help me would much appreciate..

Thank you

Share this post


Link to post
Share on other sites

Hi ivica1,

welcome to AutoIt and the forum!

Can you please tell us why you start with such a complex subject? What do you need it for?


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 

Share this post


Link to post
Share on other sites

#6 ·  Posted (edited)

O hello , nice to receive so quick response,

Question why, actually there is no special reason maybe the big of all is it I'm curios. And as we now curiosity is what make as to go one. So the best answer would be can this be done. What for can I use it. I would like to see for example if some data on running excel file exist.

Thank you for now

Just seen you are from Austria so close greetings from Kroatien.

Edited by ivica1

Share this post


Link to post
Share on other sites

Hi ivica,

I suspected you are from Croatia. I have heard this name quite often because my ex-girlfriend is from Croatia.

Playing with memory makes us suspicious because it's often used for game automation. I'm sure you have read the forum rules and hence know that game automation is a no go on this forum.

For Excel automation I would try the builtin Excel UDF (User Defined Functions).


My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 

Share this post


Link to post
Share on other sites

thx, I'm not sure that in Excel UDF is what I'm searching for but thanx for advice. Will look in it.

In mean time if some one can work on my request many thx.

About game automatation...last game I have played has been bobble bubble c64 ...I'm little old for that but you never now.:)

So question still stands _MemoryPatternSearch. Or maybe knowledge is hidden in time and patience.

Share this post


Link to post
Share on other sites

#9 ·  Posted (edited)

Playing with memory makes us suspicious because it's often used for game automation.

You have no idea about other usages then.

@ivica1:

Do you want the Function for AutoIt? Or C++?

For AutoIt, here you go:

#include 

Global Const $tagSYSTEM_INFO = 'WORD wProcessorArchitecture;' & _
'WORD wReserved;' & _
'DWORD dwPageSize;' & _
'ptr lpMinimumApplicationAddress;' & _
'ptr lpMaximumApplicationAddress;' & _
'DWORD_PTR dwActiveProcessorMask;' & _
'DWORD dwNumberOfProcessors;' & _
'DWORD dwProcessorType;' & _
'DWORD dwAllocationGranularity;' & _
'WORD wProcessorLevel;' & _
'WORD wProcessorRevision'

Func ProcessFindPattern(Const $hProcess, $sPattern, $dwBaseAddress = -1, $dwSize = -1)
$sPattern = StringStripWS($sPattern, 8)

Local Const $tSYSTEM_INFO = DllStructCreate($tagSYSTEM_INFO)
GetSystemInfo(DllStructGetPtr($tSYSTEM_INFO))

If ($dwBaseAddress == -1) Then $dwBaseAddress = DllStructGetData($tSYSTEM_INFO, 4)
If ($dwSize == -1) Then $dwSize = DllStructGetData($tSYSTEM_INFO, 5)

For $dwAddress = $dwBaseAddress To $dwSize Step DllStructGetData($tSYSTEM_INFO, 3)
StringRegExp(ProcessReadMemory($hProcess, $dwAddress, 'BYTE[' & DllStructGetData($tSYSTEM_INFO, 3) & ']'), $sPattern, 1, 2)
If (Not @error) Then Return SetError(0, 0, StringFormat('0x%.8X', $dwAddress + ((@extended - StringLen($sPattern) - 2) / 2)))
Next

Return SetError(1, 0, 0)
EndFunc

Func GetSystemInfo(Const $lpSystemInfo)
DllCall('Kernel32.dll', 'none', 'GetSystemInfo', _
'ptr', $lpSystemInfo)
EndFunc

Func ProcessReadMemory(Const $hProcess, Const $dwBaseAddress, Const $sType)
Local Const $tagBuffer = DllStructCreate($sType)
Local $iNumberOfBytesRead = 0

If (_WinAPI_ReadProcessMemory($hProcess, $dwBaseAddress, DllStructGetPtr($tagBuffer, 1), DllStructGetSize($tagBuffer), $iNumberOfBytesRead)) Then
Return SetError(0, $iNumberOfBytesRead, DllStructGetData($tagBuffer, 1))
Else
Return SetError(1, 0, 0)
EndIf
EndFunc

Let me know if you had any difficulties using ProcessFindPattern.

For C++, let me know if you want, I will reply here.

Edited by D4RKON3

Share this post


Link to post
Share on other sites

You have no idea about other usages then.

I asked because the OP didn't mention it in his post.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 

Share this post


Link to post
Share on other sites

I'm guessing D4RKON3 doesn't understand the concept of "often used for".


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites
:rolleyes:

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2017-04-18 - Version 1.4.8.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2017-02-27 - Version 1.3.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
PowerPoint (2015-06-06 - Version 0.0.5.0) - Download - General Help & Support

Tutorials:
ADO - Wiki

 

Share this post


Link to post
Share on other sites

Thank you D4RKON3... quick as a flash.

Yes I need func for autoit...this relay looks nice the only problem am I.

My knowledge is like on a kindergarten kid (shame on me for my years) but what can I do, I understand the concept of your function but don't now how to apply on a sample.

Can I ask you to make a sample if you have time for it.

Thank you

Share this post


Link to post
Share on other sites

Wow great , thank you so much ..I throw myself on the job. Going to study it.

Thank you again great func :bye:

Share this post


Link to post
Share on other sites

#16 ·  Posted (edited)

hi Universalist , 
i need a program that will use the above function (your function in au), let me know how can i contact you , i have alredy added your ym id , but dont know if it is stell active .
My ym id is eupedoi -at-  yahoo -dot-  com pls add me thx

Edited by Jos
changed Email to avoid spamming.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0