Sign in to follow this  
Followers 0
tom13

How to search for all memory address' which values are "0"

9 posts in this topic

Hi,

I now know how to open a process and read a memory address for it thanks to Larry his UDFs:

Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $iv_InheritHandle = 1)
    
    If Not ProcessExists($iv_Pid) Then
        SetError(1)
        Return 0
    EndIf
    
    Local $ah_Handle[2] = [DllOpen('kernel32.dll')]
    
    If @Error Then
        SetError(2)
        Return 0
    EndIf
    
    Local $av_OpenProcess = DllCall($ah_Handle[0], 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', $iv_InheritHandle, 'int', $iv_Pid)
    
    If @Error Then
        DllClose($ah_Handle[0])
        SetError(3)
        Return 0
    EndIf
    
    $ah_Handle[1] = $av_OpenProcess[0]
    
    Return $ah_Handle
    
EndFuncoÝ÷ Ù«­¢+ÙÕ¹}5µ½ÉåI ÀÌØí¥Ù}ÉÍÌ°ÀÌØí¡}!¹±°ÀÌØíÍÙ}QåÁôÌäíݽÉÌäì¤($(%%9½Ð%ÍÉÉä ÀÌØí¡}!¹±¤Q¡¸($%MÑÉÉ½È Ä¤(IÑÕɸÀ(%¹%($(%1½°ÀÌØíÙ}  ÕÈô±±MÑÉÕÑ
ÉÑ ÀÌØíÍÙ}QåÁ¤($(%%ÉɽÈQ¡¸($%MÑÉɽȡÉɽȬĤ($%IÑÕɸÀ(%¹%($(%±±
±° ÀÌØí¡}!¹±lÁt°Ìäí¥¹ÐÌäì°ÌäíIAɽÍÍ5µ½ÉäÌäì°Ìäí¥¹ÐÌäì°ÀÌØí¡}!¹±lÅt°Ìäí¥¹ÐÌäì°ÀÌØí¥Ù}ÉÍÌ°ÌäíÁÑÈÌäì°±±MÑÉÕÑÑAÑÈ ÀÌØíÙ} ÕȤ°Ìäí¥¹ÐÌäì°±±MÑÉÕÑÑM¥é ÀÌØíÙ}    ÕȤ°Ìäí¥¹ÐÌäì°ÌäìÌäì¤($(%%9½ÐÉɽÈQ¡¸($%1½°ÀÌØíÙ}Y±Õô±±MÑÉÕÑÑÑ ÀÌØíÙ}    ÕȰĤ($%IÑÕɸÀÌØíÙ}Y±Õ(%±Í($%MÑÉÉ½È Ø¤(IÑÕɸÀ(%¹%($)¹Õ¹

But after I attached to an process I do not want to search for the value of an address, but I want to search for the address of an value. So I want to search for all addresses that have the value "0" and return this in an array.

Can anyone help me with this?

Share this post


Link to post
Share on other sites



Hi,

I now know how to open a process and read a memory address for it thanks to Larry his UDFs:

Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $iv_InheritHandle = 1)
    
    If Not ProcessExists($iv_Pid) Then
        SetError(1)
        Return 0
    EndIf
    
    Local $ah_Handle[2] = [DllOpen('kernel32.dll')]
    
    If @Error Then
        SetError(2)
        Return 0
    EndIf
    
    Local $av_OpenProcess = DllCall($ah_Handle[0], 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', $iv_InheritHandle, 'int', $iv_Pid)
    
    If @Error Then
        DllClose($ah_Handle[0])
        SetError(3)
        Return 0
    EndIf
    
    $ah_Handle[1] = $av_OpenProcess[0]
    
    Return $ah_Handle
    
EndFuncoÝ÷ Ù«­¢+ÙÕ¹}5µ½ÉåI ÀÌØí¥Ù}ÉÍÌ°ÀÌØí¡}!¹±°ÀÌØíÍÙ}QåÁôÌäíݽÉÌäì¤($(%%9½Ð%ÍÉÉä ÀÌØí¡}!¹±¤Q¡¸($%MÑÉÉ½È Ä¤(IÑÕɸÀ(%¹%($(%1½°ÀÌØíÙ}  ÕÈô±±MÑÉÕÑ
ÉÑ ÀÌØíÍÙ}QåÁ¤($(%%ÉɽÈQ¡¸($%MÑÉɽȡÉɽȬĤ($%IÑÕɸÀ(%¹%($(%±±
±° ÀÌØí¡}!¹±lÁt°Ìäí¥¹ÐÌäì°ÌäíIAɽÍÍ5µ½ÉäÌäì°Ìäí¥¹ÐÌäì°ÀÌØí¡}!¹±lÅt°Ìäí¥¹ÐÌäì°ÀÌØí¥Ù}ÉÍÌ°ÌäíÁÑÈÌäì°±±MÑÉÕÑÑAÑÈ ÀÌØíÙ} ÕȤ°Ìäí¥¹ÐÌäì°±±MÑÉÕÑÑM¥é ÀÌØíÙ}    ÕȤ°Ìäí¥¹ÐÌäì°ÌäìÌäì¤($(%%9½ÐÉɽÈQ¡¸($%1½°ÀÌØíÙ}Y±Õô±±MÑÉÕÑÑÑ ÀÌØíÙ}    ÕȰĤ($%IÑÕɸÀÌØíÙ}Y±Õ(%±Í($%MÑÉÉ½È Ø¤(IÑÕɸÀ(%¹%($)¹Õ¹

But after I attached to an process I do not want to search for the value of an address, but I want to search for the address of an value. So I want to search for all addresses that have the value "0" and return this in an array.

Can anyone help me with this?

Yeah Ive been woundering how to do that for a while I tried searching trough DLL functions (Use DLL Export Viewer if you want to try) and couldnt find anything to search. Ive also tried doin something where the read value increases by 1 each time but thats either very slow or doesnt work

Share this post


Link to post
Share on other sites

u could get all the values of all address and then search those.

Share this post


Link to post
Share on other sites

u could get all the values of all address and then search those.

how do I know what addresses excist?

Share this post


Link to post
Share on other sites

Ive been messin around with DLL Export Viewer it lets you see all the functions a process is able to use from the dlls its attached. So I loaded TSearch and did that then searched for fuctions containing "search" I havent found much yet but try it yourself and see what you can find

DLL Export Viewer - http://www.nirsoft.net/utils/dll_export_viewer.html


Share this post


Link to post
Share on other sites

Ive been messin around with DLL Export Viewer it lets you see all the functions a process is able to use from the dlls its attached. So I loaded TSearch and did that then searched for fuctions containing "search" I havent found much yet but try it yourself and see what you can find

DLL Export Viewer - http://www.nirsoft.net/utils/dll_export_viewer.html

hmm could you accept me on xfire? :)

Anyone else aware of a solution by the way?

Share this post


Link to post
Share on other sites

I have no idea how to work with these values, I think the easiest way is to read all addresses and then check their values. But can anyone tell me how to know what addresses of the process excist?

Share this post


Link to post
Share on other sites

#8 ·  Posted (edited)

What you're looking to do is called a "HexDump". Basically, what this does is a Hex view of computer's memory for a specific process.

So the format for a HexDump is like this:

Adress |1st byte|2nd byte| etc... | 8th byte

00105e0 e6b0 0804 e79e 0804 e7bc 0804 e7d5 0804
00105f0 e7e4 0804 e6b0 0804 e7f0 0804 e7ff 0804
0010600 e80b 0804 e81a 0804 e6b0 0804 e6b0 0804

You can have it organised in rows of 8 or 16 bytes. Then you test each row to see if it equals zero. Then you store the adress of each rows.

Is that what you want?

Edited by galpha

Share this post


Link to post
Share on other sites

#9 ·  Posted (edited)

If that's what you want, here's the process on how to do it in step by step. Be free to ask questions if unsure, or I can help you code it if you're unsure:

- Get the window handle

- Get the process handle

- Adjust priviledges to debug

- Do a ReadProcessMemory on base adress

- Test at the adress to see if it equals Zero

- Increment until you reach the top of the process's memory space

OR

VirtualQueryEx - Not sure how to work with that, still a noob :)

Pretty sure it would be the logical steps =/

Edited by galpha

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0