crackdonalds

64-bit memory reading

15 posts in this topic

Hello people,

 

I've been looking around the forum to find out whether it is possible to read the memory of 64-bit applications. I couldn't find a clear answer. I do see people having trouble with it though because the public UDF's seem to be 32-bit only.

 

1. Is it possible to read the memory of a 64-bit application in AutoIt
2. If so, does anyone have a working example?

 

Thanks for clearing things up.

Share this post


Link to post
Share on other sites



@crackdonalds we tend, for obvious reasons, to tread very lightly when it comes to pulling information from memory, as you will see if you have done a search of the forum. With that in mind, can you please explain what, exactly, are you trying to pull from memory, and from what app?


When you're dead, you don't know you're dead - it's only difficult for those that know you. It's the same way when you're stupid...

My Scripts: SCCM UDFInclude Source with Compiled Script, Windows Firewall UDF

Share this post


Link to post
Share on other sites

I would like to pull audio values in numbers instead of a graph from a tool called dirac.

Share this post


Link to post
Share on other sites
7 hours ago, crackdonalds said:

I would like to pull audio values in numbers instead of a graph from a tool called dirac.

I'm looking at the website that puts the software out - I haven't downloaded it but I can see what you want to do. I'm wondering a few things:

  1. The website for the software - http://www.dirac.com - you would think they have a support link or something. I see a "contact us" link that may be of help. ...wait...ok, this is what I was looking for: http://helpdesk.dirac.se/index.php?pg=request
     That should allow for you to ask them if the software has some method of extracting the values without having to resort to memory reading.
  2. Is the desire to get a number because the software only will give you a graph reading and you want to have it report to you differently? Such as to give your customer a readout of what the room settings are?
  3. Are you building a custom interface to see what you need?

Share this post


Link to post
Share on other sites

Thank you for your reply.

1. There is no method otherwise i wouldn't bother.

2. Almost. Not really for the reporting but more for the ease of optimizing the settings for different situations. Actually knowing the resulting number rather than just seeing a graph and having to guess the value that comes with it.

3. That's what i would like to do. I'm not getting started until my 2 questions are answered though.

I honestly don't see how these returning questions contribute to answering my question. I guess nobody really knows?

Share this post


Link to post
Share on other sites
2 hours ago, crackdonalds said:

.....

I honestly don't see how these returning questions contribute to answering my question. I guess nobody really knows?

It actually helps a lot for we now know what you want to do. Think of it as high level requirements.

OK, I'm with you in that memory reading is the way to go seeing you can't get the data any other way. We could go the pixel reading route but that is horribly unreliable at best.

In looking around I found this but I may be incorrect on saying this is what you need or not.

I will be honest and say this is beyond my skillset for what you are asking for. I've never messed with memory reading for I never had the need. Saying that - I can tell you trancexx is quite skilled and she most likely could direct you. I'm not sure if she is still around or not. I apologize that I'm not more helpful.

Share this post


Link to post
Share on other sites
4 hours ago, crackdonalds said:

I honestly don't see how these returning questions contribute to answering my question. I guess nobody really knows?

Not exactly the tack you want to take when someone is trying to get more information from you so they can assist you. You obviously don't know how to accomplish what you want to do, or you wouldn't be posting here. Then questioning those who volunteer their time to help doesn't really instill in them a desire to continue to assist.


When you're dead, you don't know you're dead - it's only difficult for those that know you. It's the same way when you're stupid...

My Scripts: SCCM UDFInclude Source with Compiled Script, Windows Firewall UDF

Share this post


Link to post
Share on other sites

Bert's effort is appreciated. unfortunately not what i was hoping/looking for.

Logan, you know my question couldn't be more clear. i feel that i am being asked questions for commiting a crime called "reading memory" and i have to explain myself for that. i feel a bit impatient because of that.

Share this post


Link to post
Share on other sites

And your impatience is going to keep people from helping you. Your thread is obviously not (yet) deemed inappropriate, because it is still open. But the attitude isn't helping you any; everyone answering questions on this forum is a volunteer. If someone is willing to assist you on your issue, I would think you would want to go out of your way to provide them any additional info you can. Just some friendly advice.


When you're dead, you don't know you're dead - it's only difficult for those that know you. It's the same way when you're stupid...

My Scripts: SCCM UDFInclude Source with Compiled Script, Windows Firewall UDF

Share this post


Link to post
Share on other sites

#10 ·  Posted

I'll answer it myself:

1. Yes
2.

64-bit program:

Global $count = 76567589
while 1
   MsgBox(0,"", $count)
   $count = $count + 1
   WEnd

Read memory:

#include <KryMemory.au3>

$lovehandle = _Process_Open("test.exe")
$val = _Process_ReadMemory($lovehandle, 0x1F9B21FE110, "dword")
MsgBox(0,"", $val)

Since the above is useless: Read memory through pointer

#include <KryMemory.au3>

$lovehandle = _Process_Open("test.exe")
$val = (_Process_ReadMemory($lovehandle, "0x" & Hex(_Process_ReadMemory($lovehandle, "0x" & Hex(_Process_ReadMemory($lovehandle, 0x7FF6ABE142E0, "uint64") + 0x28), "uint64")), "dword"))
MsgBox(0,"", $val)

First I changed Nomadmemory UDF to work with 64-bit but then i figured that KryMemory actually works with 64-bit.

You just have to do things a bit differently...
The pointer calculation doesn't work. not sure why. you'll have to do it manually like i did or fix the function.

 

Maybe someone has a working ReadPointer function? Let me know if u do or if u know an easy way to change the code above into a easy to use function.

Share this post


Link to post
Share on other sites

#11 ·  Posted (edited)

I dont know what you mean with "working ReadPointer function"...

Everything works as it should:

compile and run 64Bit-Program "Test.exe"

#AutoIt3Wrapper_UseX64=y

$struct=dllstructcreate("dword")
dllstructsetdata($struct,1,0xDEADBEEF)
$ptr=dllstructgetptr($struct,1)
MsgBox(262144, 'Debug line ~' & @ScriptLineNumber, 'Selection:' & @CRLF & '$ptr' & @CRLF & @CRLF & 'Return:' & @CRLF & $ptr & @crlf & int($ptr)) ;### Debug MSGBOX

then run 

#include <KryMemory.au3>
#AutoIt3Wrapper_UseX64=y

Local $oProc = _Process_Open("test.exe")

$ptr = 7471840  ;here the ptr from the MsgBox (Test.exe)

$memread = _Process_ReadMemory($oProc, $ptr, "dword")
ConsoleWrite($ptr & "   " & $memread & "   " & Hex($memread,8) & @CRLF)

_Process_Close($oProc)

shows:

7471840   3735928559   DEADBEEF

//EDIT there is no "pointer to a pointer"

Edited by AndyG

Share this post


Link to post
Share on other sites

#12 ·  Posted

Thank you for your reply.

i was talking about the _Process_ReadMemoryPointer function in KryMemory. It doesn't work. Is that also what you meant with "there is no pointer to a pointer?

the pointer part works fine like this:

$val = (_Process_ReadMemory($lovehandle, "0x" & Hex(_Process_ReadMemory($lovehandle, "0x" & Hex(_Process_ReadMemory($lovehandle, 0x7FF6ABE142E0, "uint64") + 0x28), "uint64")), "dword"))

would be nice if we could use the _Process_ReadMemoryPointer function though (just to make things easier). Did you try that?

I was expecting it to work like this:

#include <KryMemory.au3>
#include <Array.au3>

$lovehandle = _Process_Open("test.exe")

Local $Offset[2]
$Offset[0] = 0
$Offset[1] = 0x28

$pointerrr = _Process_ReadMemoryPointer($lovehandle, 0x7FF6ABE142E0, $Offset, "uint64")
;MsgBox(0,"pointer", $pointerrr)
_ArrayDisplay($pointerrr)

 

No big deal if the function won't work anyway.

Share this post


Link to post
Share on other sites

#13 ·  Posted

On 14.10.2016 at 3:30 PM, crackdonalds said:

i feel that i am being asked questions for commiting a crime called "reading memory" and i have to explain myself for that.

And your questions/postings are giving reasons for that. 

_Process_ReadMemoryPointer works as expected! It gives back the "last" pointer/result of the "pointer of a pointer"-chain.

I think that you don´t know what´s going on with "ReadMemory" in general nor what these function(s) do.

If i would want to "ReadMemory" of a commercial software, i would ask other questions....

Share this post


Link to post
Share on other sites

#14 ·  Posted

I think you have no idea what you are talking about. If you think it works, come up with some evidence instead of assumptions.

Share this post


Link to post
Share on other sites

#15 ·  Posted

As this thread seems to be deteriorating rapidly, I suggest you continue the discussion by PM - and so....

<click> (c) Jos

M23


Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind._______My UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.