Jblz619 Posted October 4, 2023 Share Posted October 4, 2023 (edited) I spent all day putting this together and I would like to share it. Some of the Functions come from Nomad memory read but I had to add a few functions I made myself to get it to work. I could not find any helpful forum posts. Only many people failing at finding base address and pointer reading. Hope you all enjoy it and it helps people to not spend hours looking thru the forum. expandcollapse popup#RequireAdmin SetPrivilege("SeDebugPrivilege", 1) #include<array.au3> $base_address=_Get_base_address(".EXE","Core.dll",0x000000) Global $Offsets[8] = ["Null",0x28, 0x508, 0x1D8, 0x11C, 0x34, 0x6C0, 0xE70] $read=_Pointer_read(".EXE",$Offsets,$base_address) MsgBox(0,"Read Value","The Value of the pointer is :"&$read,-1) ;================================================================================== ;_Get_base_address($Process exe or bin,$Module name,$Base address offset) ;================================================================================== func _Get_base_address($Main_process,$Process_module,$Base_offset) Local $iPID = ProcessExists($Main_process) Global $ah_Handle = _MemoryOpen($iPID) Local $My_dll = _MemoryModuleGetBaseAddress($iPID, $Process_module) $sum=hex($My_dll+$Base_offset) $Read=Hex(_MemoryRead("0x"&$Sum,$ah_Handle)) Return dec($Read) EndFunc ;================================================================================== ;_Pointer_read($Process to read, $Array of offsets,$Base Address) ;================================================================================== func _Pointer_read($process,$Offsets_array,$base_address) $pid=ProcessExists($process) $memory=_MemoryOpen($pid) $value=0 $Last_offset=UBound($Offsets_array) $offset_count=0 do $offset_count+=1 $offset=$Offsets_array[$offset_count] if $offset_count = 1 then $Address=$base_address Else $Address=$value EndIf $Sum=Hex($Address+$offset) if $offset_count= $Last_offset-1 then Return _MemoryRead("0x"&$Sum,$memory) Else $value=_MemoryRead("0x"&$Sum,$memory) EndIf Until $offset_count=$Last_offset-1 _MemoryClose($memory) EndFunc Func _MemoryModuleGetBaseAddress($iPID , $sModule) If Not ProcessExists ($iPID) Then Return SetError (1 , 0 , 0) If Not IsString ($sModule) Then Return SetError (2 , 0 , 0) Local $PSAPI=DllOpen ("psapi.dll") Local $hProcess Local $PERMISSION=BitOR (0x0002, 0x0400, 0x0008, 0x0010, 0x0020) ; CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_READ, VM_WRITE If $iPID>0 Then Local $hProcess=DllCall ("kernel32.dll" , "ptr" , "OpenProcess" , "dword" , $PERMISSION , "int" , 0 , "dword" , $iPID) If $hProcess [ 0 ] Then $hProcess=$hProcess [ 0 ] EndIf EndIf Local $Modules=DllStructCreate ("ptr[1024]") Local $aCall=DllCall ($PSAPI , "int" , "EnumProcessModules" , "ptr" , $hProcess , "ptr" , DllStructGetPtr ($Modules), "dword" , DllStructGetSize ($Modules), "dword*" , 0) If $aCall [ 4 ]>0 Then Local $iModnum=$aCall [ 4 ] / 4 Local $aTemp For $i=1 To $iModnum $aTemp= DllCall ($PSAPI , "dword" , "GetModuleBaseNameW" , "ptr" , $hProcess , "ptr" , Ptr(DllStructGetData ($Modules , 1 , $i)) , "wstr" , "" , "dword" , 260) If $aTemp [ 3 ]=$sModule Then DllClose ($PSAPI) Return Ptr(DllStructGetData ($Modules , 1 , $i)) EndIf Next EndIf DllClose ($PSAPI) Return SetError (-1 , 0 , 0) EndFunc ;READ FUNCTIONS FROM NOMAD MEMORY ;================================================================================== ; AutoIt Version: 3.1.127 (beta) ; Language: English ; Platform: All Windows ; Author: Nomad ; Requirements: These functions will only work with beta. ;================================================================================== ; Credits: wOuter - These functions are based on his original _Mem() functions. ; But they are easier to comprehend and more reliable. These ; functions are in no way a direct copy of his functions. His ; functions only provided a foundation from which these evolved. ;================================================================================== ; ; Functions: ; ;================================================================================== ; Function: _MemoryOpen($iv_Pid[, $iv_DesiredAccess[, $iv_InheritHandle]]) ; Description: Opens a process and enables all possible access rights to the ; process. The Process ID of the process is used to specify which ; process to open. You must call this function before calling ; _MemoryClose(), _MemoryRead(), or _MemoryWrite(). ; Parameter(s): $iv_Pid - The Process ID of the program you want to open. ; $iv_DesiredAccess - (optional) Set to 0x1F0FFF by default, which ; enables all possible access rights to the ; process specified by the Process ID. ; $iv_InheritHandle - (optional) If this value is TRUE, all processes ; created by this process will inherit the access ; handle. Set to 1 (TRUE) by default. Set to 0 ; if you want it FALSE. ; Requirement(s): None. ; Return Value(s): On Success - Returns an array containing the Dll handle and an ; open handle to the specified process. ; On Failure - Returns 0 ; @Error - 0 = No error. ; 1 = Invalid $iv_Pid. ; 2 = Failed to open Kernel32.dll. ; 3 = Failed to open the specified process. ; Author(s): Nomad ; Note(s): ;================================================================================== Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $iv_InheritHandle = 1) If Not ProcessExists($iv_Pid) Then SetError(1) Return 0 EndIf Local $ah_Handle[2] = [DllOpen('kernel32.dll')] If @Error Then SetError(2) Return 0 EndIf Local $av_OpenProcess = DllCall($ah_Handle[0], 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', $iv_InheritHandle, 'int', $iv_Pid) If @Error Then DllClose($ah_Handle[0]) SetError(3) Return 0 EndIf $ah_Handle[1] = $av_OpenProcess[0] Return $ah_Handle EndFunc ;================================================================================== ; Function: _MemoryRead($iv_Address, $ah_Handle[, $sv_Type]) ; Description: Reads the value located in the memory address specified. ; Parameter(s): $iv_Address - The memory address you want to read from. It must ; be in hex format (0x00000000). ; $ah_Handle - An array containing the Dll handle and the handle ; of the open process as returned by _MemoryOpen(). ; $sv_Type - (optional) The "Type" of value you intend to read. ; This is set to 'dword'(32bit(4byte) signed integer) ; by default. See the help file for DllStructCreate ; for all types. An example: If you want to read a ; word that is 15 characters in length, you would use ; 'char[16]' since a 'char' is 8 bits (1 byte) in size. ; Return Value(s): On Success - Returns the value located at the specified address. ; On Failure - Returns 0 ; @Error - 0 = No error. ; 1 = Invalid $ah_Handle. ; 2 = $sv_Type was not a string. ; 3 = $sv_Type is an unknown data type. ; 4 = Failed to allocate the memory needed for the DllStructure. ; 5 = Error allocating memory for $sv_Type. ; 6 = Failed to read from the specified process. ; Author(s): Nomad ; Note(s): Values returned are in Decimal format, unless specified as a ; 'char' type, then they are returned in ASCII format. Also note ; that size ('char[size]') for all 'char' types should be 1 ; greater than the actual size. ;================================================================================== Func _MemoryRead($iv_Address, $ah_Handle, $sv_Type = 'dword') If Not IsArray($ah_Handle) Then SetError(1) Return 0 EndIf Local $v_Buffer = DllStructCreate($sv_Type) If @Error Then SetError(@Error + 1) Return 0 EndIf DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '') If Not @Error Then Local $v_Value = DllStructGetData($v_Buffer, 1) Return $v_Value Else SetError(6) Return 0 EndIf EndFunc ;================================================================================== ; Function: _MemoryWrite($iv_Address, $ah_Handle, $v_Data[, $sv_Type]) ; Description: Writes data to the specified memory address. ; Parameter(s): $iv_Address - The memory address which you want to write to. ; It must be in hex format (0x00000000). ; $ah_Handle - An array containing the Dll handle and the handle ; of the open process as returned by _MemoryOpen(). ; $v_Data - The data to be written. ; $sv_Type - (optional) The "Type" of value you intend to write. ; This is set to 'dword'(32bit(4byte) signed integer) ; by default. See the help file for DllStructCreate ; for all types. An example: If you want to write a ; word that is 15 characters in length, you would use ; 'char[16]' since a 'char' is 8 bits (1 byte) in size. ; Return Value(s): On Success - Returns 1 ; On Failure - Returns 0 ; @Error - 0 = No error. ; 1 = Invalid $ah_Handle. ; 2 = $sv_Type was not a string. ; 3 = $sv_Type is an unknown data type. ; 4 = Failed to allocate the memory needed for the DllStructure. ; 5 = Error allocating memory for $sv_Type. ; 6 = $v_Data is not in the proper format to be used with the ; "Type" selected for $sv_Type, or it is out of range. ; 7 = Failed to write to the specified process. ; Author(s): Nomad ; Note(s): Values sent must be in Decimal format, unless specified as a ; 'char' type, then they must be in ASCII format. Also note ; that size ('char[size]') for all 'char' types should be 1 ; greater than the actual size. ;================================================================================== Func _MemoryWrite($iv_Address, $ah_Handle, $v_Data, $sv_Type = 'dword') If Not IsArray($ah_Handle) Then SetError(1) Return 0 EndIf Local $v_Buffer = DllStructCreate($sv_Type) If @Error Then SetError(@Error + 1) Return 0 Else DllStructSetData($v_Buffer, 1, $v_Data) If @Error Then SetError(6) Return 0 EndIf EndIf DllCall($ah_Handle[0], 'int', 'WriteProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '') If Not @Error Then Return 1 Else SetError(7) Return 0 EndIf EndFunc ;================================================================================== ; Function: _MemoryClose($ah_Handle) ; Description: Closes the process handle opened by using _MemoryOpen(). ; Parameter(s): $ah_Handle - An array containing the Dll handle and the handle ; of the open process as returned by _MemoryOpen(). ; Return Value(s): On Success - Returns 1 ; On Failure - Returns 0 ; @Error - 0 = No error. ; 1 = Invalid $ah_Handle. ; 2 = Unable to close the process handle. ; Author(s): Nomad ; Note(s): ;================================================================================== Func _MemoryClose($ah_Handle) If Not IsArray($ah_Handle) Then SetError(1) Return 0 EndIf DllCall($ah_Handle[0], 'int', 'CloseHandle', 'int', $ah_Handle[1]) If Not @Error Then DllClose($ah_Handle[0]) Return 1 Else DllClose($ah_Handle[0]) SetError(2) Return 0 EndIf EndFunc ;================================================================================== ; Function: SetPrivilege( $privilege, $bEnable ) ; Description: Enables (or disables) the $privilege on the current process ; (Probably) requires administrator privileges to run ; ; Author(s): Larry (from autoitscript.com's Forum) ; Notes(s): ; http://www.autoitscript.com/forum/index.ph...st&p=223999 ;================================================================================== Func SetPrivilege( $privilege, $bEnable ) Const $TOKEN_ADJUST_PRIVILEGES = 0x0020 Const $TOKEN_QUERY = 0x0008 Const $SE_PRIVILEGE_ENABLED = 0x0002 Local $hToken, $SP_auxret, $SP_ret, $hCurrProcess, $nTokens, $nTokenIndex, $priv $nTokens = 1 $LUID = DLLStructCreate("dword;int") If IsArray($privilege) Then $nTokens = UBound($privilege) $TOKEN_PRIVILEGES = DLLStructCreate("dword;dword[" & (3 * $nTokens) & "]") $NEWTOKEN_PRIVILEGES = DLLStructCreate("dword;dword[" & (3 * $nTokens) & "]") $hCurrProcess = DLLCall("kernel32.dll","hwnd","GetCurrentProcess") $SP_auxret = DLLCall("advapi32.dll","int","OpenProcessToken","hwnd",$hCurrProcess[0], _ "int",BitOR($TOKEN_ADJUST_PRIVILEGES,$TOKEN_QUERY),"int*",0) If $SP_auxret[0] Then $hToken = $SP_auxret[3] DLLStructSetData($TOKEN_PRIVILEGES,1,1) $nTokenIndex = 1 While $nTokenIndex <= $nTokens If IsArray($privilege) Then $priv = $privilege[$nTokenIndex-1] Else $priv = $privilege EndIf $ret = DLLCall("advapi32.dll","int","LookupPrivilegeValue","str","","str",$priv, _ "ptr",DLLStructGetPtr($LUID)) If $ret[0] Then If $bEnable Then DLLStructSetData($TOKEN_PRIVILEGES,2,$SE_PRIVILEGE_ENABLED,(3 * $nTokenIndex)) Else DLLStructSetData($TOKEN_PRIVILEGES,2,0,(3 * $nTokenIndex)) EndIf DLLStructSetData($TOKEN_PRIVILEGES,2,DllStructGetData($LUID,1),(3 * ($nTokenIndex-1)) + 1) DLLStructSetData($TOKEN_PRIVILEGES,2,DllStructGetData($LUID,2),(3 * ($nTokenIndex-1)) + 2) DLLStructSetData($LUID,1,0) DLLStructSetData($LUID,2,0) EndIf $nTokenIndex += 1 WEnd $ret = DLLCall("advapi32.dll","int","AdjustTokenPrivileges","hwnd",$hToken,"int",0, _ "ptr",DllStructGetPtr($TOKEN_PRIVILEGES),"int",DllStructGetSize($NEWTOKEN_PRIVILEGES), _ "ptr",DllStructGetPtr($NEWTOKEN_PRIVILEGES),"int*",0) $f = DLLCall("kernel32.dll","int","GetLastError") EndIf $NEWTOKEN_PRIVILEGES=0 $TOKEN_PRIVILEGES=0 $LUID=0 If $SP_auxret[0] = 0 Then Return 0 $SP_auxret = DLLCall("kernel32.dll","int","CloseHandle","hwnd",$hToken) If Not $ret[0] And Not $SP_auxret[0] Then Return 0 return $ret[0] EndFunc ;==>SetPrivilege Edited October 4, 2023 by Jblz619 Zedna 1 Link to comment Share on other sites More sharing options...
Developers Jos Posted October 5, 2023 Developers Share Posted October 5, 2023 Just wondering what real live example of usage there is for this? SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past. Link to comment Share on other sites More sharing options...
Jblz619 Posted October 5, 2023 Author Share Posted October 5, 2023 (edited) 15 hours ago, Jos said: Just wondering what real live example of usage there is for this? It is for reading memory addresses of .exe applications and .dlls modules the there can be many applications. It's not for me to decide how people want to use it. I'm sure you can think of a few reasons it can be appllied. As I've seen your udfs and your wise enough to figure out how It's applicable for many things. I also believe in sharing knowledge and not suppressing valuable knowledge and that is why I'm sharing it. Edited October 5, 2023 by Jblz619 Link to comment Share on other sites More sharing options...
Developers Jos Posted October 6, 2023 Developers Share Posted October 6, 2023 9 hours ago, Jblz619 said: I'm sure you can think of a few reasons it can be appllied. Only game mods come to mind and those aren't discussed around here, hence the simple question! So give me one simple example use case that at qualifies. SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past. Link to comment Share on other sites More sharing options...
Jblz619 Posted October 6, 2023 Author Share Posted October 6, 2023 (edited) 10 hours ago, Jos said: Only game mods come to mind and those aren't discussed around here, hence the simple question! So give me one simple example use case that at qualifies. Reading values in a data server or excel sheet or other .exes for business software. No ones mentioned games but you. Edited October 6, 2023 by Jblz619 Link to comment Share on other sites More sharing options...
Developers Jos Posted October 6, 2023 Developers Share Posted October 6, 2023 (edited) Yea right ....reading memory to get an excel value.... whatever... Edited October 6, 2023 by Jos Andreik and jchd 2 SciTE4AutoIt3 Full installer Download page - Beta files Read before posting How to post scriptsource Forum etiquette Forum Rules Live for the present, Dream of the future, Learn from the past. Link to comment Share on other sites More sharing options...
Zedna Posted October 13, 2023 Share Posted October 13, 2023 (edited) @Jos Generally any application that use nonstandard controls and can't be automatized by AutoIt's standard functions (navigating/reading values/...). There are several options as workaround in these situations: OCR or MemoryRead/Write or UIAutomation. For example here new PowerBuilder: I heavily use my own AutoIt's tools for automatizing older version of PowerBuilder where most of standard functions work but as seen in above mentioned topic, new version of PowerBuilder is changed and can't be automatized by standard functions ... Edited October 13, 2023 by Zedna added @Jos Jos and Jblz619 2 Resources UDF ResourcesEx UDF AutoIt Forum Search Link to comment Share on other sites More sharing options...
meme18 Posted November 2, 2023 Share Posted November 2, 2023 (edited) i updated my autoit and have overwritten nomad memory. i just updated a steam manager for switching between accounts. with process hacker you can watch which modules loaded when starting steam. example. if friendsui.dll is loaded, you can be 100% sure that steam login was successful. no other great chance to check this. so...open process memory from steam.exe. get baseadresse from friendsui.dll. when true, steam logged in. i also do this with chrome, keepassxc, or discord to get states that normally not possible. but here it comes down to one big question. discord is a 64bit application and steam a 32bit application . how can i get base adresse from both? If i compile autoit in 32 bit i can get baseadress of steam but not discord. If i compile autoit in 64 bit i can get baseadress of discord but not steam. Edited November 2, 2023 by meme18 Jblz619 1 Link to comment Share on other sites More sharing options...
meme18 Posted November 2, 2023 Share Posted November 2, 2023 @Zedna@Jblz619 how do you solve this 32/64bit desaster? Link to comment Share on other sites More sharing options...
AndyG Posted November 2, 2023 Share Posted November 2, 2023 Hi, compile a program "Get_Discord_Status_loaded_64Bit.exe" as a 64bit-application. Write the status into a file or return it elsewhere.... Compile a program "Get_Steam_Status_loaded_32Bit.exe" as a 32bit-application. Write the status into a file or return it elsewhere.... Compile your program as a 32/64bit-Application and evaluate the status from the file. Jblz619 1 Link to comment Share on other sites More sharing options...
meme18 Posted November 3, 2023 Share Posted November 3, 2023 12 hours ago, AndyG said: Hi, compile a program "Get_Discord_Status_loaded_64Bit.exe" as a 64bit-application. Write the status into a file or return it elsewhere.... Compile a program "Get_Steam_Status_loaded_32Bit.exe" as a 32bit-application. Write the status into a file or return it elsewhere.... Compile your program as a 32/64bit-Application and evaluate the status from the file. I feared it, thank you Link to comment Share on other sites More sharing options...
Hadin Posted November 12, 2023 Share Posted November 12, 2023 (edited) Well done, I currently want to implement data acquisition on many simple machines, indeed many controls can not be obtained with the autoit handle, but based on this article how to use the ability, whether there is a big brother to give an example, thank you. like calc.exe?Use windbg to obtain the handle base address? Edited November 12, 2023 by Hadin Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now