Posted
#RequireAdmin
#include <NomadMemory.au3>
#include <Array.au3>
;

Local $s_pname = 'Memory_String_Search'
Local $s_start = 0x0473A528
Local $s_end = 0x0473B548


$n_pid = ProcessExists(InputBox('Give process name, 32-bit exes only!', 'Example : calc.exe', "", "", 200, 120))
If $n_pid < 1 Then Exit MsgBox(16, $s_pname, 'Process not found !')


$f_mopen = _MemoryOpen($n_pid)
If @error > 0 Then Exit MsgBox(16, $s_pname, 'Process could not be opened !')

$s_search = InputBox('Give search string', 'Example : Something', "", "", 200, 120)
ConsoleWrite('>Searching...' & @CRLF)

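For $i_search = $s_start To $s_end
    ConsoleWrite(Hex($i_search) & @CRLF) ;I've commented out the consolewrite because it keeps writing after exit
    ; Reads single-byte chars, so text stored as UTF-16 (41 00 63 00 ...) never compares equal
    If _MemoryRead('0x' & Hex($i_search), $f_mopen, 'char[' & StringLen($s_search) + 1 & ']') = $s_search Then
        _MemoryClose($f_mopen)
        Exit MsgBox(4096, $s_pname, 'String found') ; stop here so 'String not found' is not shown as well
    EndIf
Next

_MemoryClose($f_mopen)
MsgBox(16, $s_pname, 'String not found !')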

Trying to just do a simple search in memory for a string. It seems to work, but the problem is there are null characters in the memory. For example, here (41 00 63 00 74 00 69 00 76 00 65) is an array in which I would try to search for "Active", but I am guessing I am unable to find it due to there being 00 in between each character.

 

Thanks for any and all help!

Posted

Reinventing the wheel?

Why not use the 1000 times faster StringInStr(), which can handle the search regardless of the UTF encoding...

19 hours ago, jchilds said:

but I am guessing I am unable to find due to there being 00 in between each character.

Search the helpfile for "StringToBinary"

$a = "Active"
For $i = 1 To 4
    $bin = StringToBinary($a, $i)
    ConsoleWrite('@@ Debug(' & @ScriptLineNumber & ') : $bin = ' & $bin & @CRLF & '>Error code: ' & @error & @CRLF) ;### Debug Console
Next

 

Posted (edited)
16 hours ago, j0kky said:

He's trying to read a memory address from another process, how could StringToBinary help?

No, he does NOT want to read a memory address, he is trying to search for a string in memory... and he is looking for the "right" binary corresponding to the word "Active", which is 0x416374697665 in ANSI, but he needs to "transform" this into 0x410063007400690076006500 (via StringToBinary) to find this string in memory.

And furthermore, StringInStr() is much faster than this piece of **** code:

For $i_search = $s_start To $s_end
    ConsoleWrite(Hex($i_search) & @CRLF) ;I've commented out the consolewrite because it keeps writing after exit
    If _MemoryRead('0x' & Hex($i_search), $f_mopen, 'char[' & StringLen($s_search) +1 & ']') = $s_search Then
        MsgBox (4096, $s_pname, 'String found')
    EndIf
Next

I don't think that slower code exists... convince me! And believe me, even the included UDFs are not needed...

Why not copy the memory into a string and search FAST and EASY? He has the pointer to the memory, could create a bytestruct with the length = end-start, and can easily search with stringinstr(data_from_bytestruct,stringtobinary("Active",the_right_flag_from_my_code_in_the_post_above))....

And yes, a little bit of knowledge about the VAD (the process's virtual address descriptor) tree would be helpful too! But I think this is far beyond his skills....

Edited by AndyG
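
Added example, not part of any post above and written in Python rather than AutoIt so it runs offline: the approach described in the last reply (copy the region, then search it for each StringToBinary encoding of the string), applied to a constructed buffer that is read in 8-byte chunks. The names `patterns` and `scan`, the sample bytes, and the use of cp1252 for "ANSI" are assumptions of this example.

```python
# StringToBinary flag -> Python codec: 1 ANSI, 2 UTF-16LE, 3 UTF-16BE, 4 UTF-8.
# cp1252 stands in for "ANSI" here (assumption; the real code page is system-dependent).
FLAG_CODECS = {1: "cp1252", 2: "utf-16-le", 3: "utf-16-be", 4: "utf-8"}


def patterns(needle):
    """Map each distinct byte pattern of `needle` to the flags that produce it."""
    if not needle:
        raise ValueError("empty search string")
    out = {}
    for flag, codec in FLAG_CODECS.items():
        try:
            out.setdefault(needle.encode(codec), []).append(flag)
        except UnicodeEncodeError:
            pass  # needle cannot be represented in this encoding
    return out


def scan(chunks, needle, base=0):
    """Search consecutive reads of one memory region; return sorted (address, flags).

    The last max_pattern_len - 1 bytes of each window are carried into the next
    one, so a match that straddles a read boundary is still found.
    """
    pats = patterns(needle)
    keep = max(len(p) for p in pats) - 1
    hits, tail, offset = set(), b"", 0  # offset = region offset of tail[0]
    for chunk in chunks:
        window = tail + chunk
        for pat, flags in pats.items():
            pos = window.find(pat)
            while pos != -1:
                hits.add((base + offset + pos, tuple(flags)))
                pos = window.find(pat, pos + 1)
        cut = max(len(window) - keep, 0)
        tail, offset = window[cut:], offset + cut
    return sorted(hits)


# Constructed sample standing in for bytes already read from the target process.
BASE = 0x0473A528  # start address from the question
REGION = (b"\xcc" * 5 + "Active".encode("utf-16-le") + b"\xff" * 5
          + b"Active" + b"\x00" * 4)
CHUNKS = [REGION[i:i + 8] for i in range(0, len(REGION), 8)]  # 8-byte reads

if __name__ == "__main__":
    for address, flags in scan(CHUNKS, "Active", BASE):
        print(f"0x{address:08X} matches StringToBinary flag(s) {flags}")
```

For plain ASCII text the ANSI and UTF-8 patterns are the same bytes, so one hit reports both flags; a UTF-16LE string preceded by a 00 byte would also match the UTF-16BE pattern one byte earlier.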
