loki1982 Posted July 16, 2007

I decided to play around with memory. I got NomadMemory.au3 and started playing around with the functions in it. I opened a notepad file, then used AutoIt to find the $pid, and print the pid into a logfile. I started going a bit further, and tried to read memory. I've run into a problem. How can I find a memory location to read, when I don't know what the address is called? I am not looking to do anything specific, just playing around right now. The problem I run into is, let's say I take this code from someone else's script:

    $readmemory = _MemoryRead(0x00cbaa88, $pid, 'char[11]')
    FileWrite("log.log", $readmemory)

I get a 0 in my log, which I assume is because "0x00cbaa88" is just a random memory location, maybe not even a valid one for my process. Is there a way to display the first memory address that is associated with my process, or am I going about this all wrong? I guess a better way to explain it would be: once I have the pid, and have the process memory open, how can I read say the 1st byte, or the 16th, when I don't know the addresses?
evilertoaster Posted July 16, 2007

> I got NomadMemory.au3 and started playing around with the functions in it...

Looking into this a bit: you may be better off using a more current library. That one was written for 3.1 beta and the DLL calls have been changed since then. It's probable this UDF is no longer in production...

> How can I find a memory location to read...

Hmm, well, any memory reader can find that out... I hear a lot of people using TSearch (google it) and liking it, so you could try that.
DW1 Posted July 16, 2007

TSearch is sweet, so is ArtMoney.
loki1982 (author) Posted July 16, 2007

> Tsearch is sweet, so is artmoney

Ok, thanks both of you. So you don't know of a way with AutoIt to say read the first memory address of your process without knowing the address beforehand? Or say a way to return the first address name?

Thanks again for the quick response.
piccaso Posted July 16, 2007

It ain't that simple. The Windows API (psapi, imagehlp, ...) or a debugger can help you with this. For example, this is how a memory map can look:

Memory map
Address  Size     Owner    Section  Contains                  Type Access Initial Mapped as
00010000 00002000 Priv RW RW
00020000 00001000 Priv RW RW
0012C000 00001000 Priv RW Guarded RW
0012D000 00003000 stack of main thread Priv RW Guarded RW
00130000 00003000 Map R R
00140000 00002000 Map R R
00150000 00006000 Priv RW RW
00250000 00006000 Priv RW RW
00260000 00003000 Map RW RW
00270000 00016000 Map R R \Device\HarddiskVolume2\WINDOWS\System32\UNICODE.NLS
00290000 0003D000 Map R R \Device\HarddiskVolume2\WINDOWS\System32\LOCALE.NLS
002D0000 00041000 Map R R \Device\HarddiskVolume2\WINDOWS\System32\SORTKEY.NLS
00320000 00006000 Map R R \Device\HarddiskVolume2\WINDOWS\System32\SORTTBLS.NLS
00330000 00005000 Priv RW RW
00340000 00003000 Map R R \Device\HarddiskVolume2\WINDOWS\System32\CTYPE.NLS
00350000 00008000 Priv RW RW
00360000 00001000 Priv RW RW
00370000 00001000 Priv RW RW
00380000 00002000 Map R R
00390000 00002000 Map R R
00400000 00001000 me PE header Imag R RWE
00401000 0005D000 me UPX0 Imag R RWE
0045E000 00031000 me UPX1 code Imag R RWE
0048F000 00008000 me .rsrc data,imports,resources Imag R RWE
004A0000 00009000 Map R E R E
00560000 00002000 Map R E R E
00570000 00103000 Map R R
00680000 00165000 Map R E R E
00980000 00001000 Priv RW RW
62E10000 00001000 LPK PE header Imag R RWE
62E11000 00005000 LPK .text code,imports,exports Imag R RWE
62E16000 00001000 LPK .data data Imag R RWE
62E17000 00001000 LPK .rsrc resources Imag R RWE
62E18000 00001000 LPK .reloc relocations Imag R RWE
71A00000 00001000 WS2HELP PE header Imag R RWE
71A01000 00004000 WS2HELP .text code,imports,exports Imag R RWE
71A05000 00001000 WS2HELP .data data Imag R RWE
71A06000 00001000 WS2HELP .rsrc resources Imag R RWE
71A07000 00001000 WS2HELP .reloc relocations Imag R RWE
71A10000 00001000 WS2_32 PE header Imag R RWE
71A11000 00013000 WS2_32 .text code,imports,exports Imag R RWE
71A24000 00001000 WS2_32 .data data Imag R RWE
71A25000 00001000 WS2_32 .rsrc resources Imag R RWE
71A26000 00001000 WS2_32 .reloc relocations Imag R RWE
71A30000 00001000 WSOCK32 PE header Imag R RWE
71A31000 00003000 WSOCK32 .text code,imports,exports Imag R RWE
71A34000 00001000 WSOCK32 .data data Imag R RWE
71A35000 00004000 WSOCK32 .rsrc resources Imag R RWE
71A39000 00001000 WSOCK32 .reloc relocations Imag R RWE
71A80000 00001000 MPR PE header Imag R RWE
71A81000 0000E000 MPR .text code,imports,exports Imag R RWE
71A8F000 00001000 MPR .data data Imag R RWE
71A90000 00001000 MPR .rsrc resources Imag R RWE
71A91000 00001000 MPR .reloc relocations Imag R RWE
75790000 00001000 USP10 PE header Imag R RWE
75791000 00044000 USP10 .text code,imports,exports Imag R RWE
757D5000 00010000 USP10 .data data Imag R RWE
757E5000 00002000 USP10 Shared Imag R RWE
757E7000 00012000 USP10 .rsrc resources Imag R RWE
757F9000 00002000 USP10 .reloc relocations Imag R RWE
76350000 00001000 comdlg32 PE header Imag R RWE
76351000 00030000 comdlg32 .text code,imports,exports Imag R RWE
76381000 00004000 comdlg32 .data data Imag R RWE
76385000 00012000 comdlg32 .rsrc resources Imag R RWE
76397000 00003000 comdlg32 .reloc relocations Imag R RWE
76AF0000 00001000 WINMM PE header Imag R RWE
76AF1000 0001F000 WINMM .text code,imports,exports Imag R RWE
76B10000 00002000 WINMM .data data Imag R RWE
76B12000 0000A000 WINMM .rsrc resources Imag R RWE
76B1C000 00002000 WINMM .reloc relocations Imag R RWE
770F0000 00001000 OLEAUT32 PE header Imag R RWE
770F1000 0007F000 OLEAUT32 .text code,imports,exports Imag R RWE
77170000 00002000 OLEAUT32 .orpc code Imag R RWE
77172000 00003000 OLEAUT32 .data data Imag R RWE
77175000 00001000 OLEAUT32 .rsrc resources Imag R RWE
77176000 00006000 OLEAUT32 .reloc relocations Imag R RWE
773A0000 00001000 COMCTL32 PE header Imag R RWE
773A1000 00090000 COMCTL32 .text code,imports,exports Imag R RWE
77431000 00001000 COMCTL32 .data data Imag R RWE
77432000 0006A000 COMCTL32 .rsrc resources Imag R RWE
7749C000 00006000 COMCTL32 .reloc relocations Imag R RWE
774B0000 00001000 ole32 PE header Imag R RWE
774B1000 0011E000 ole32 .text code,imports,exports Imag R RWE
775CF000 00006000 ole32 .orpc code Imag R RWE
775D5000 00007000 ole32 .data data Imag R RWE
775DC000 00002000 ole32 .rsrc resources Imag R RWE
775DE000 0000E000 ole32 .reloc relocations Imag R RWE
77BD0000 00001000 VERSION PE header Imag R RWE
77BD1000 00004000 VERSION .text code,imports,exports Imag R RWE
77BD5000 00001000 VERSION .data data Imag R RWE
77BD6000 00001000 VERSION .rsrc resources Imag R RWE
77BD7000 00001000 VERSION .reloc relocations Imag R RWE
77BE0000 00001000 msvcrt PE header Imag R RWE
77BE1000 0004C000 msvcrt .text code,imports,exports Imag R RWE
77C2D000 00007000 msvcrt .data data Imag R RWE
77C34000 00001000 msvcrt .rsrc resources Imag R RWE
77C35000 00003000 msvcrt .reloc relocations Imag R RWE
77D10000 00001000 USER32 PE header Imag R RWE
77D11000 0005F000 USER32 .text code,imports,exports Imag R RWE
77D70000 00002000 USER32 .data data Imag R RWE
77D72000 0002B000 USER32 .rsrc resources Imag R RWE
77D9D000 00003000 USER32 .reloc relocations Imag R RWE
77DA0000 00001000 ADVAPI32 PE header Imag R RWE
77DA1000 00075000 ADVAPI32 .text code,imports,exports Imag R RWE
77E16000 00005000 ADVAPI32 .data data Imag R RWE
77E1B000 0002A000 ADVAPI32 .rsrc resources Imag R RWE
77E45000 00005000 ADVAPI32 .reloc relocations Imag R RWE
77E50000 00001000 RPCRT4 PE header Imag R RWE
77E51000 00082000 RPCRT4 .text code,imports,exports Imag R RWE
77ED3000 00007000 RPCRT4 .orpc code Imag R RWE
77EDA000 00001000 RPCRT4 .data data Imag R RWE
77EDB000 00001000 RPCRT4 .rsrc resources Imag R RWE
77EDC000 00005000 RPCRT4 .reloc relocations Imag R RWE
77EF0000 00001000 GDI32 PE header Imag R RWE
77EF1000 00041000 GDI32 .text code,imports,exports Imag R RWE
77F32000 00001000 GDI32 .data data Imag R RWE
77F33000 00001000 GDI32 .rsrc resources Imag R RWE
77F34000 00002000 GDI32 .reloc relocations Imag R RWE
77F40000 00001000 SHLWAPI PE header Imag R RWE
77F41000 0006C000 SHLWAPI .text code,imports,exports Imag R RWE
77FAD000 00001000 SHLWAPI .data data Imag R RWE
77FAE000 00002000 SHLWAPI .rsrc resources Imag R RWE
77FB0000 00006000 SHLWAPI .reloc relocations Imag R RWE
7C800000 00001000 kernel32 PE header Imag R RWE
7C801000 00082000 kernel32 .text code,imports,exports Imag R RWE
7C883000 00005000 kernel32 .data data Imag R RWE
7C888000 00078000 kernel32 .rsrc resources Imag R RWE
7C900000 00006000 kernel32 .reloc relocations Imag R RWE
7C910000 00001000 ntdll PE header Imag R RWE
7C911000 0007B000 ntdll .text code,exports Imag R RWE
7C98C000 00005000 ntdll .data data Imag R RWE
7C991000 00033000 ntdll .rsrc resources Imag R RWE
7C9C4000 00003000 ntdll .reloc relocations Imag R RWE
7C9D0000 00001000 SHELL32 PE header Imag R RWE
7C9D1000 001FB000 SHELL32 .text code,imports,exports Imag R RWE
7CBCC000 0001D000 SHELL32 .data data Imag R RWE
7CBE9000 005EA000 SHELL32 .rsrc resources Imag R RWE
7D1D3000 0001B000 SHELL32 .reloc relocations Imag R RWE
7F6F0000 00007000 Map R E R E
7FFB0000 00024000 Map R R
7FFD6000 00001000 Priv RW RW
7FFDF000 00001000 data block of main thread Priv RW RW
7FFE0000 00001000 Priv R R
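The regions in piccaso's map can be enumerated from a script directly, which answers the "what is the first address that belongs to my process" question without a debugger. The following AutoIt is an added example, not code from this thread or from NomadMemory.au3: it walks the target's address space with kernel32's VirtualQueryEx (the same data a debugger's memory map displays), logs every region, and reads the first committed, readable region with ReadProcessMemory. Assumed: Notepad is running (window class `Notepad`), a 32-bit AutoIt reading a 32-bit target as in the thread, and the helper names `_OpenForRead`, `_ListRegions`, `_IsReadable` and `_ReadBytes` are mine.

```autoit
; Added example (not from the thread or NomadMemory.au3): list the memory
; regions of a process and read the first one that is safe to read.
; Assumes a 32-bit AutoIt inspecting a 32-bit Notepad, as in the thread.

Global Const $PROCESS_QUERY_INFORMATION = 0x0400
Global Const $PROCESS_VM_READ = 0x0010
Global Const $MEM_COMMIT = 0x1000
Global Const $PAGE_NOACCESS = 0x01
Global Const $PAGE_GUARD = 0x100

; Open the target with only the rights needed to query and read it.
Func _OpenForRead($iPid)
    Local $aRet = DllCall("kernel32.dll", "handle", "OpenProcess", _
            "dword", BitOR($PROCESS_QUERY_INFORMATION, $PROCESS_VM_READ), _
            "bool", False, "dword", $iPid)
    If @error Or Not $aRet[0] Then Return SetError(1, 0, 0)
    Return $aRet[0]
EndFunc

; Walk every region from address 0 upward until VirtualQueryEx returns 0
; (past the last user-mode region). Result is a 2D array:
; [n][0]=base, [n][1]=size, [n][2]=state, [n][3]=protect, [n][4]=type
Func _ListRegions($hProc)
    Local $tMBI = DllStructCreate("ptr BaseAddress;ptr AllocationBase;dword AllocationProtect;" & _
            "ulong_ptr RegionSize;dword State;dword Protect;dword Type")
    Local $aRegions[0][5], $iAddr = 0
    While True
        Local $aRet = DllCall("kernel32.dll", "ulong_ptr", "VirtualQueryEx", "handle", $hProc, _
                "ptr", Ptr($iAddr), "struct*", $tMBI, "ulong_ptr", DllStructGetSize($tMBI))
        If @error Or $aRet[0] = 0 Then ExitLoop
        Local $n = UBound($aRegions)
        ReDim $aRegions[$n + 1][5]
        $aRegions[$n][0] = Number(DllStructGetData($tMBI, "BaseAddress"))
        $aRegions[$n][1] = DllStructGetData($tMBI, "RegionSize")
        $aRegions[$n][2] = DllStructGetData($tMBI, "State")
        $aRegions[$n][3] = DllStructGetData($tMBI, "Protect")
        $aRegions[$n][4] = DllStructGetData($tMBI, "Type")
        $iAddr = $aRegions[$n][0] + $aRegions[$n][1]   ; next region starts after this one
    WEnd
    Return $aRegions
EndFunc

; Only committed pages hold data. PAGE_NOACCESS pages fail to read and
; PAGE_GUARD pages (the "Guarded" stack rows in the map) fault on access.
Func _IsReadable($iState, $iProtect)
    If $iState <> $MEM_COMMIT Then Return False
    Return BitAND($iProtect, BitOR($PAGE_NOACCESS, $PAGE_GUARD)) = 0
EndFunc

Func _ReadBytes($hProc, $iAddr, $iLen)
    Local $tBuf = DllStructCreate("byte[" & $iLen & "]")
    Local $aRet = DllCall("kernel32.dll", "bool", "ReadProcessMemory", "handle", $hProc, _
            "ptr", Ptr($iAddr), "struct*", $tBuf, "ulong_ptr", $iLen, "ulong_ptr*", 0)
    If @error Or Not $aRet[0] Then Return SetError(1, 0, Binary(""))
    Return DllStructGetData($tBuf, 1)
EndFunc

Func _Main()
    Local $iPid = WinGetProcess("[CLASS:Notepad]")
    If $iPid = -1 Then
        MsgBox(0, "error", "Notepad is not running")
        Return
    EndIf
    Local $hProc = _OpenForRead($iPid)
    If @error Then
        MsgBox(0, "error", "OpenProcess failed (other user or higher integrity?)")
        Return
    EndIf

    Local $aRegions = _ListRegions($hProc), $sLog = "", $bFirst = Binary("")
    For $i = 0 To UBound($aRegions) - 1
        $sLog &= Hex($aRegions[$i][0], 8) & " " & Hex($aRegions[$i][1], 8) & _
                " state=" & Hex($aRegions[$i][2], 8) & " protect=" & Hex($aRegions[$i][3], 8) & _
                " type=" & Hex($aRegions[$i][4], 8) & @CRLF
        ; the first committed, readable region is "the first address of my process"
        If BinaryLen($bFirst) = 0 And _IsReadable($aRegions[$i][2], $aRegions[$i][3]) Then
            $bFirst = _ReadBytes($hProc, $aRegions[$i][0], 16)
            If Not @error Then $sLog &= "first 16 readable bytes at 0x" & _
                    Hex($aRegions[$i][0], 8) & ": " & $bFirst & @CRLF
        EndIf
    Next
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProc)
    FileWrite("regions.log", $sLog)
EndFunc

_Main()
```

Two caveats worth keeping in mind when comparing the output with the thread. First, NomadMemory's `_MemoryRead` expects the array returned by `_MemoryOpen`, not the PID; passing `$pid` fails its `IsArray` check and returns 0, which is the result the first post saw. Second, the map above is from XP, where the executable sits at 00400000 and system DLLs at fixed bases; with ASLR (Vista and later) image bases move per boot, so an address copied from someone else's script is unlikely to be valid. The `OpenProcess` rights used here are the minimum for reading, and a cross-process read of this kind is exactly what Sysmon Event ID 10 (ProcessAccess) records, so expect it to show up in logs on a monitored host.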
evilertoaster Posted July 16, 2007

I think it depends on the memory library you're using. I think one of them (maybe w0uter's?) used to start at a proc handle's start, and the memory read functions' addresses were provided as offsets rather than absolute positions.
loki1982 (author) Posted July 16, 2007

> I think it depends on the memory library you're using. I think one of them (maybe w0uters?) used to start at a proc handles start and the memory read functions address were provided in offsets rather than absolute positions.

Thanks everyone. I got TSearch, and after many attempts at changing values in Notepad and searching, it never could find the address. I then did ArtMoney and it worked first time. I then put the following code in and was able to write the value of the address to my log file. I know that is very sloppy code, I was just fooling around to see if I could get it working ;/ I really appreciate the help.

    #include <NomadMemory.au3>

    ; Notepad window whose open file is called "mem"
    $pid = WinGetProcess("mem - Notepad")
    $opened = _MemoryOpen($pid)   ; handle array that _MemoryRead expects
    If @error Then
        MsgBox(0, "error", "Could not open process memory, error " & @error)
        Exit
    EndIf
    MsgBox(0, "", "Memory Opened")
    $readmemory = _MemoryRead(0x000A08D4, $opened)   ; address found with ArtMoney
    If @error Then
        MsgBox(0, "error", "Could not read memory, error " & @error)
    Else
        MsgBox(0, "", "Memory Read")
        FileWrite("log.log", $readmemory)
    EndIf
    _MemoryClose($opened)