Jump to content
Sign in to follow this  
jc28735250

Finding base address fails for certain programs

Recommended Posts

jc28735250

Hello, I have been working with Nomad's Nomadmemory.au3 to learn how memory read/write works.
What I'm trying to accomplish is relatively simple: get the contents of notepad and replace it with something (saw this in a tutorial).
One complication, though, is that I'm using Win 8 64bit, which means that Nomad's SetPrivilege() and _MemoryGetBaseAddress() won't work; OK, no biggie, a quick search on Google revealed an alternative that I've confirmed to be working ... well, at least partially.
I found out that for certain programs, the alternative function I found (see end of post) will fail; i.e. they will return a base address of 0.
Programs that fail include notepad and calculator, but chrome, excel, and firefox work just fine.
What am i missing here?

Note: AutoIt is installed as a 32 bit process and the SciTE editor is started with elevated privileges
 
The code i use to find the base address:

#include <NomadMemory.au3>

Opt("WinTitleMatchMode", 2)

; set debug privileges to read memory
SeDebugPrivilege()

; find the window handle
$myWin = WinGetHandle("Notepad")
If @error Then
    MsgBox(0,"ERROR","Failed to find instance")
    Exit
EndIf

; find the pid
$myPID = WinGetProcess($myWin)
If @error Then
    MsgBox(0,"ERROR","Failed to find PID: " & @error)
    Exit
EndIf

; get the base address
$hProcess = OpenProcess($myPID)
$addrBase = ProcessModuleGetBaseAddress($hProcess, "notepad.exe")
CloseHandle($hProcess)
If $addrBase = 0 Then
    MsgBox(0,"ERROR","Failed to find base addrress")
    Exit
Else
    MsgBox(0,"SUCCESS",$addrBase)
EndIf

The code that finds the base address (author: D4RKON3):

Func SeDebugPrivilege()
Local $iTokenIndex = 1
Local $Struct = DllStructCreate('DWORD;int')
Local $TOKEN_PRIVILEGES = DllStructCreate('DWORD;DWORD[' & (3 * 1) & ']')
DllStructSetData($TOKEN_PRIVILEGES, 1, 1)
While $iTokenIndex <= 1
  Local $bPrivilegeValue = DllCall('advapi32.dll', _
    'BOOL', 'LookupPrivilegeValue', _
    'str', '', _
    'str', 'SeDebugPrivilege', _ ;SE_DEBUG_NAME
    'ptr', DllStructGetPtr($Struct))
  If $bPrivilegeValue[0] Then
   DllStructSetData($TOKEN_PRIVILEGES, 2, 0x00000002, (3 * $iTokenIndex)) ;SE_PRIVILEGE_ENABLED
   DllStructSetData($TOKEN_PRIVILEGES, 2, DllStructGetData($Struct, 1), (3 * ($iTokenIndex - 1)) + 1)
   DllStructSetData($TOKEN_PRIVILEGES, 2, DllStructGetData($Struct, 2), (3 * ($iTokenIndex - 1)) + 2)
   DllStructSetData($Struct, 1, 0)
   DllStructSetData($Struct, 2, 0)
  EndIf
  $iTokenIndex += 1
WEnd
Local $hCurrentProcess = DllCall('kernel32.dll', _
   'HANDLE', 'GetCurrentProcess')
Local $hProcessToken = DllCall('advapi32.dll', _
   'BOOL', 'OpenProcessToken', _
   'HANDLE', $hCurrentProcess[0], _
   'DWORD', 0x00000020 + 0x00000008, _ ;TOKEN_ADJUST_PRIVILEGES + TOKEN_QUERY
   'HANDLE*', '')
Local $NEWTOKEN_PRIVILEGES = DllStructCreate('DWORD;DWORD[' & (3 * 1) & ']')
DllCall('advapi32.dll', _
   'BOOL', 'AdjustTokenPrivileges', _
   'HANDLE', $hProcessToken[3], _
   'BOOL', False, _
   'ptr', DllStructGetPtr($TOKEN_PRIVILEGES), _
   'DWORD', DllStructGetSize($NEWTOKEN_PRIVILEGES), _
   'ptr', '', _
   'DWORD*', '')
DllCall('kernel32.dll', _
   'BOOL', 'CloseHandle', _
   'HANDLE', $hProcessToken[3])
EndFunc

Func OpenProcess($iProcessID)
Local $hProcess = DllCall('kernel32.dll', _
   'HANDLE', 'OpenProcess', _
   'DWORD', 0x1F0FFF, _ ;DesiredAccess = PROCESS_ALL_ACCESS
   'BOOL', True, _ ;InheritHandle = True
   'DWORD', $iProcessID)
Return $hProcess[0]
EndFunc

Func ProcessModuleGetBaseAddress($hProcess, $sModuleName)
Local $ModulesMax = DllStructCreate('ptr[1024]')
Local $iProcessModules = DllCall('psapi.dll', _
   'BOOL', 'EnumProcessModules', _
   'HANDLE', $hProcess, _
   'ptr', DllStructGetPtr($ModulesMax), _
   'DWORD', DllStructGetSize($ModulesMax), _
   'DWORD*', '')
Local $sModuleBaseName
For $i = 1 To $iProcessModules[4] / 4
  $sModuleBaseName = DllCall('psapi.dll', _
    'DWORD', 'GetModuleBaseNameW', _
    'HANDLE', $hProcess, _
    'ptr', DllStructGetData($ModulesMax, 1, $i), _
    'wstr', '', _
    'DWORD', 256)
  If $sModuleBaseName[3] = $sModuleName Then Return DllStructGetData($ModulesMax, 1, $i)
Next
EndFunc

Func CloseHandle($hProcess)
Local $bResult = DllCall('kernel32.dll', _
   'BOOL', 'CloseHandle', _
   'HANDLE', $hProcess)
Return $bResult[0]
EndFunc

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×