tom13 Posted September 30, 2007

Hi, I now know how to open a process and read a memory address for it thanks to Larry's UDFs:

```autoit
; Opens the process and returns a two-element array:
; [0] = handle to kernel32.dll, [1] = process handle from OpenProcess.
; The default access mask 0x1F0FFF is PROCESS_ALL_ACCESS.
Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $iv_InheritHandle = 1)
    If Not ProcessExists($iv_Pid) Then
        SetError(1)
        Return 0
    EndIf

    Local $ah_Handle[2] = [DllOpen('kernel32.dll')]
    If @Error Then
        SetError(2)
        Return 0
    EndIf

    Local $av_OpenProcess = DllCall($ah_Handle[0], 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', $iv_InheritHandle, 'int', $iv_Pid)
    If @Error Then
        DllClose($ah_Handle[0])
        SetError(3)
        Return 0
    EndIf

    $ah_Handle[1] = $av_OpenProcess[0]
    Return $ah_Handle
EndFunc
```

But after I attached to a process I do not want to search for the value of an address, but I want to search for the address of a value. So I want to search for all addresses that have the value "0" and return this in an array. Can anyone help me with this?

frostfel Posted October 1, 2007

Yeah, I've been wondering how to do that for a while. I tried searching through DLL functions (use DLL Export Viewer if you want to try) and couldn't find anything to search. I've also tried doing something where the read value increases by 1 each time, but that's either very slow or doesn't work.

qazwsx Posted October 1, 2007

You could get all the values of all addresses and then search those.

tom13 Posted October 1, 2007 (Author)

How do I know what addresses exist?

frostfel Posted October 1, 2007

I've been messing around with DLL Export Viewer. It lets you see all the functions a process is able to use from the DLLs it has attached. So I loaded TSearch and did that, then searched for functions containing "search". I haven't found much yet, but try it yourself and see what you can find.

DLL Export Viewer - http://www.nirsoft.net/utils/dll_export_viewer.html

tom13 Posted October 2, 2007 (Author)

Hmm, could you accept me on xfire? Anyone else aware of a solution by the way?

tom13 Posted October 3, 2007 (Author)

I have no idea how to work with these values. I think the easiest way is to read all addresses and then check their values. But can anyone tell me how to know what addresses of the process exist?

galpha Posted October 4, 2007

What you're looking to do is called a "HexDump". Basically, what this does is give a hex view of the computer's memory for a specific process. So the format for a HexDump is like this:

```
Address |1st byte|2nd byte| etc... | 8th byte
00105e0 e6b0 0804 e79e 0804 e7bc 0804 e7d5 0804
00105f0 e7e4 0804 e6b0 0804 e7f0 0804 e7ff 0804
0010600 e80b 0804 e81a 0804 e6b0 0804 e6b0 0804
```

You can have it organised in rows of 8 or 16 bytes. Then you test each row to see if it equals zero. Then you store the address of each row. Is that what you want?

Edited October 4, 2007 by galpha

galpha Posted October 4, 2007

If that's what you want, here's the process on how to do it step by step. Feel free to ask questions if unsure, or I can help you code it if you're unsure:

- Get the window handle
- Get the process handle
- Adjust privileges to debug
- Do a ReadProcessMemory on the base address
- Test at the address to see if it equals zero
- Increment until you reach the top of the process's memory space

OR VirtualQueryEx - Not sure how to work with that, still a noob

Pretty sure it would be the logical steps =/

Edited October 4, 2007 by galpha

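The question of which addresses exist, and the VirtualQueryEx route mentioned in the last post, can be shown in one added example (not code from any poster in the thread): VirtualQueryEx reports each region of the target's address space, and only committed, readable regions are passed to ReadProcessMemory and compared against the wanted DWORD. Assumptions: 32-bit AutoIt v3.3.8 or later, a 32-bit target process, `$hProc` being `$ah_Handle[1]` from `_MemoryOpen`, and the hypothetical function name `_ScanForDword`; the two calls need only PROCESS_QUERY_INFORMATION and PROCESS_VM_READ (0x0410), not the full 0x1F0FFF mask.

```autoit
; Added example, not from the thread. _ScanForDword is a hypothetical name.
Global Const $MEM_COMMIT = 0x1000, $PAGE_NOACCESS = 0x01, $PAGE_GUARD = 0x100

Func _ScanForDword($hProc, $iValue, $iMaxHits = 1000)
    ; 32-bit MEMORY_BASIC_INFORMATION, filled in by VirtualQueryEx
    Local $tMBI = DllStructCreate('ptr BaseAddress;ptr AllocationBase;dword AllocationProtect;' & _
            'ulong_ptr RegionSize;dword State;dword Protect;dword Type')
    Local $tPage = DllStructCreate('dword[1024]') ; one 4 KB page viewed as DWORDs
    Local $aHits[$iMaxHits + 1], $iHits = 0, $pAddr = 0
    Local $aRet, $aRead, $pBase, $iSize, $iProt

    While 1
        ; Which region contains $pAddr? A return of 0 means we are past user space.
        $aRet = DllCall('kernel32.dll', 'ulong_ptr', 'VirtualQueryEx', 'handle', $hProc, _
                'ptr', $pAddr, 'struct*', $tMBI, 'ulong_ptr', DllStructGetSize($tMBI))
        If @error Or $aRet[0] = 0 Then ExitLoop
        $pBase = DllStructGetData($tMBI, 'BaseAddress')
        $iSize = DllStructGetData($tMBI, 'RegionSize')
        $iProt = DllStructGetData($tMBI, 'Protect')

        ; Only committed pages that are neither guard pages nor PAGE_NOACCESS can be read.
        If DllStructGetData($tMBI, 'State') = $MEM_COMMIT And _
                BitAND($iProt, BitOR($PAGE_GUARD, $PAGE_NOACCESS)) = 0 Then
            For $iOff = 0 To $iSize - 1 Step 4096
                $aRead = DllCall('kernel32.dll', 'bool', 'ReadProcessMemory', 'handle', $hProc, _
                        'ptr', $pBase + $iOff, 'struct*', $tPage, 'ulong_ptr', 4096, 'ulong_ptr*', 0)
                If @error Or Not $aRead[0] Then ContinueLoop ; page freed or reprotected meanwhile
                For $i = 1 To 1024 ; 4-byte aligned values only
                    If DllStructGetData($tPage, 1, $i) <> $iValue Then ContinueLoop
                    $iHits += 1
                    $aHits[$iHits] = $pBase + $iOff + ($i - 1) * 4
                    If $iHits = $iMaxHits Then ExitLoop 3 ; leave all three loops
                Next
            Next
        EndIf
        $pAddr = $pBase + $iSize ; jump to the start of the next region
    WEnd

    $aHits[0] = $iHits ; element 0 holds the number of addresses found
    ReDim $aHits[$iHits + 1]
    Return $aHits
EndFunc
```

A value as common as 0 matches a large share of memory, which is why the result is capped at `$iMaxHits`; the per-DWORD loop is slow in AutoIt, so expect a full scan to take a while.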