How to search for all memory addresses whose values are "0"


tom13

Hi,

I now know how to open a process and read a memory address in it, thanks to Larry's UDFs:

Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $iv_InheritHandle = 1)
    ; 0x1F0FFF is the pre-Vista PROCESS_ALL_ACCESS mask. Reading only needs
    ; PROCESS_VM_READ (0x0010), plus PROCESS_QUERY_INFORMATION (0x0400) for VirtualQueryEx.

    If Not ProcessExists($iv_Pid) Then
        SetError(1)
        Return 0
    EndIf

    ; Element 0 holds the kernel32.dll handle, element 1 the process handle
    Local $ah_Handle[2] = [DllOpen('kernel32.dll')]

    ; DllOpen returns -1 on failure and does not set @error
    If $ah_Handle[0] = -1 Then
        SetError(2)
        Return 0
    EndIf

    Local $av_OpenProcess = DllCall($ah_Handle[0], 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', $iv_InheritHandle, 'int', $iv_Pid)

    If @Error Then
        DllClose($ah_Handle[0])
        SetError(3)
        Return 0
    EndIf

    $ah_Handle[1] = $av_OpenProcess[0]

    Return $ah_Handle

EndFunc

But after I have attached to a process I do not want to search for the value of an address; I want to search for the address of a value. So I want to search for all addresses that have the value "0" and return them in an array.

Can anyone help me with this?

Link to comment
Share on other sites

Yeah, I've been wondering how to do that for a while. I tried searching through DLL functions (use DLL Export Viewer if you want to try) and couldn't find anything to search. I've also tried doing something where the read value increases by 1 each time, but that's either very slow or doesn't work.
Link to comment
Share on other sites

I've been messing around with DLL Export Viewer. It lets you see all the functions a process is able to use from the DLLs it's attached to. So I loaded TSearch and did that, then searched for functions containing "search". I haven't found much yet, but try it yourself and see what you can find.

DLL Export Viewer - http://www.nirsoft.net/utils/dll_export_viewer.html

Link to comment
Share on other sites

hmm could you accept me on xfire? :)

Anyone else aware of a solution by the way?

Link to comment
Share on other sites

What you're looking to do is called a "HexDump". Basically, what this does is give a hex view of the computer's memory for a specific process.

So the format for a HexDump is like this:

Address | 1st byte | 2nd byte | etc... | 8th byte

00105e0 e6b0 0804 e79e 0804 e7bc 0804 e7d5 0804
00105f0 e7e4 0804 e6b0 0804 e7f0 0804 e7ff 0804
0010600 e80b 0804 e81a 0804 e6b0 0804 e6b0 0804

You can have it organised in rows of 8 or 16 bytes. Then you test each row to see if it equals zero. Then you store the address of each row.

Is that what you want?

Edited by galpha
Link to comment
Share on other sites

If that's what you want, here's the process for how to do it, step by step. Feel free to ask questions if unsure, or I can help you code it if you're unsure:

- Get the window handle

- Get the process handle

- Adjust privileges to debug

- Do a ReadProcessMemory on the base address

- Test at the address to see if it equals zero

- Increment until you reach the top of the process's memory space

OR

VirtualQueryEx - Not sure how to work with that, still a noob :)

Pretty sure it would be the logical steps =/

Edited by galpha
Link to comment
Share on other sites
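The VirtualQueryEx route mentioned in the last post, as an added example (not code from the thread or from the UDFs): rather than one read per address, walk the region list, skip anything that is not committed and readable, and search each region's bytes in one pass. The region dictionaries and `scan_regions` are hypothetical stand-ins for what a VirtualQueryEx walk plus one ReadProcessMemory call per region would return, and the sample memory map is constructed so the code runs without a target process.

```python
import struct

# Real winnt.h values for MEMORY_BASIC_INFORMATION.State / .Protect.
MEM_COMMIT = 0x1000
PAGE_NOACCESS = 0x01
PAGE_GUARD = 0x100

def readable(region):
    """True if the region is committed and can be read without faulting."""
    return (region["state"] == MEM_COMMIT
            and not region["protect"] & (PAGE_NOACCESS | PAGE_GUARD))

def scan_regions(regions, value=0, fmt="<I"):
    """Return every naturally aligned address whose contents equal `value`."""
    needle = struct.pack(fmt, value)   # 4-byte little-endian DWORD by default
    width = len(needle)
    hits = []
    for region in regions:
        if not readable(region):
            continue                   # free, reserved, guard or no-access pages
        data, base = region["data"], region["base"]
        pos = data.find(needle)
        while pos != -1:
            # A zero DWORD also "matches" at unaligned offsets inside
            # neighbouring values; keep aligned addresses only.
            if (base + pos) % width == 0:
                hits.append(base + pos)
            pos = data.find(needle, pos + 1)
    return hits

# Constructed sample memory map (hypothetical, not from a real process).
SAMPLE_REGIONS = [
    {"base": 0x00010000, "state": 0x2000, "protect": 0x00,       # MEM_RESERVE
     "data": b""},
    {"base": 0x00400000, "state": MEM_COMMIT, "protect": 0x04,   # PAGE_READWRITE
     "data": struct.pack("<4I", 7, 0, 0x0804E6B0, 0)},
    {"base": 0x00500000, "state": MEM_COMMIT, "protect": 0x104,  # READWRITE | GUARD
     "data": bytes(16)},
    {"base": 0x00600000, "state": MEM_COMMIT, "protect": 0x02,   # PAGE_READONLY
     "data": b"\x01\x00\x00\x00\x00\x01\x00\x00"},
]

if __name__ == "__main__":
    print([hex(addr) for addr in scan_regions(SAMPLE_REGIONS)])
```

The guard-page region is skipped even though it is all zeros, and the read-only region produces no hit because its only run of four zero bytes starts at an unaligned offset.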
