jchilds

Search for byte array in memory


#RequireAdmin
#include <NomadMemory.au3>
#include <Array.au3>
;

Local $s_pname = 'Memory_String_Search'
; Address range to scan inside the target process
Local $s_start = 0x0473A528
Local $s_end = 0x0473B548


$n_pid = ProcessExists(InputBox('Give process name, 32-bit exes only!', 'Example : calc.exe', "", "", 200, 120))
If $n_pid < 1 Then Exit MsgBox(16, $s_pname, 'Process not found !')


$f_mopen = _MemoryOpen($n_pid)
If @error > 0 Then Exit MsgBox(16, $s_pname, 'Process could not be opened !')

$s_search = InputBox('Give search string', 'Example : Something', "", "", 200, 120)
ConsoleWrite('>Searching...' & @CRLF)

; Read a single-byte char[] buffer at every address in the range and compare it with the search string
For $i_search = $s_start To $s_end
    ConsoleWrite(Hex($i_search) & @CRLF) ;I've commented out the consolewrite because it keeps writing after exit
    If _MemoryRead('0x' & Hex($i_search), $f_mopen, 'char[' & StringLen($s_search) + 1 & ']') = $s_search Then
        ; Stop at the first match so the "not found" message below is not shown as well
        _MemoryClose($f_mopen)
        Exit MsgBox(4096, $s_pname, 'String found')
    EndIf
Next

_MemoryClose($f_mopen)
MsgBox(16, $s_pname, 'String not found !')

Trying to just do a simple search in memory for a string. It seems to work, but the problem is there are null characters in the memory. For example, here (41 00 63 00 74 00 69 00 76 00 65) is an array in which I would try to search for "Active", but I am guessing I am unable to find it due to there being 00 in between each character.

 

Thanks for any and all help!




Reinventing the wheel?

Why not use the 1000 times faster StringInStr(), which can handle the search regardless of the UTF encoding...

19 hours ago, jchilds said:

but I am guessing I am unable to find due to there being 00 in between each character.

Search the helpfile for "StringToBinary"

$a = "Active"
; StringToBinary flags 1 to 4: ANSI, UTF-16 LE, UTF-16 BE, UTF-8
For $i = 1 To 4
    $bin = StringToBinary($a, $i)
    ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $bin = ' & $bin & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console
Next

 


@AndyG: He's trying to read a memory address from another process, how could StringToBinary help? :blink:

@jchilds: why is $s_start exactly equal to 0x0473A528? How do you know that value?


Here is a better question - what process is he trying to read the memory from? The exe name please. And no, not an example but the real exe you want to read from.

I'm asking this, for in just about every case you do not need to do memory reading and instead hook into the control.

So - what's the name of the exe?


16 hours ago, j0kky said:

He's trying to read a memory address from another process, how could StringToBinary help?

No, he does NOT want to read a memory address, he is trying to search for a string in memory... and he is looking for the "right" binary similar to the word "Active", which is 0x416374697665 in ANSI, but he needs to "transform" this into 0x410063007400690076006500 (via StringToBinary) to find this string in the memory.

And furthermore, StringInStr() is much faster than this piece of **** code:

For $i_search = $s_start To $s_end
    ConsoleWrite(Hex($i_search) & @CRLF) ;I've commented out the consolewrite because it keeps writing after exit
    If _MemoryRead('0x' & Hex($i_search), $f_mopen, 'char[' & StringLen($s_search) +1 & ']') = $s_search Then
        MsgBox (4096, $s_pname, 'String found')
    EndIf
Next

I don't think that slower code exists... convince me! And believe me, even the included UDFs are not needed...

Why not copy the memory into a string and search FAST and EASY? He has the pointer to the memory, could create a bytestruct with the length = end-start, and can easily search with stringinstr(data_from_bytestruct,stringtobinary("Active",the_right_flag_from_my_code_in_the_post_above))....

And yes, a little knowledge of the VAD (process's virtual address descriptor) tree would be helpful too! But I think this is far beyond his skills....

Edited by AndyG
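
The approach described in the last post (read the region once, then search it for the needle encoded the way it sits in memory), as an added example that is not code from the thread. It is written in Python over a constructed buffer rather than a live process; `ENCODINGS`, `encode_needle`, `find_all` and `scan` are hypothetical names, and treating flag 1 (ANSI) as cp1252 is an assumption.

```python
# Flags follow StringToBinary() in the thread: 1 ANSI, 2 UTF-16 LE, 3 UTF-16 BE, 4 UTF-8.
# Assumption: "ANSI" is taken to be cp1252; on a real system it is the active code page.
ENCODINGS = {1: "cp1252", 2: "utf-16-le", 3: "utf-16-be", 4: "utf-8"}


def encode_needle(text, flag):
    """Byte pattern for `text` as it would sit in memory under the given flag."""
    return text.encode(ENCODINGS[flag])


def find_all(buffer, pattern, base=0):
    """Yield the absolute address of every occurrence of `pattern` in `buffer`."""
    pos = buffer.find(pattern)
    while pos != -1:
        yield base + pos
        pos = buffer.find(pattern, pos + 1)


def scan(buffer, text, base=0):
    """Return {flag: [addresses]} for each encoding of `text` present in `buffer`."""
    hits = {}
    for flag in ENCODINGS:
        found = list(find_all(buffer, encode_needle(text, flag), base))
        if found:
            hits[flag] = found
    return hits


# Constructed sample region (not real process memory), based at the thread's $s_start:
# "Active" as UTF-16 LE at offset 16, and single-byte "ActiveX" at offset 36.
BASE = 0x0473A528
SAMPLE = (b"\xcc" * 16 + "Active".encode("utf-16-le") + b"\x00\x00"
          + b"\xcc" * 6 + b"ActiveX\x00" + b"\xcc" * 8)

if __name__ == "__main__":
    for flag, addrs in scan(SAMPLE, "Active", BASE).items():
        print(flag, ENCODINGS[flag], [hex(a) for a in addrs])
```

On the sample, the single-byte pattern only matches the second string; the UTF-16 LE pattern is the one that finds the 41 00 63 00 ... bytes from the question.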
