Oldschool Posted March 9, 2008 (edited)

I need to search memory, and I've been digging around for some code that will get me closer to it. This is basically what I need to do:

    unsigned long pid=dwPID;
    HANDLE process;
    SYSTEM_INFO lpSysInfo;
    MEMORY_BASIC_INFORMATION mbi;
    char cMemContents[512];
    CString csMemContents;
    int lowAddress, highAddress, stepAddress;
    LPVOID currentAddress;
    DWORD status;

    GetSystemInfo(&lpSysInfo);
    process=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    lowAddress=(int)lpSysInfo.lpMinimumApplicationAddress;
    stepAddress=sizeof(MEMORY_BASIC_INFORMATION);
    currentAddress=lpSysInfo.lpMinimumApplicationAddress;
    while (currentAddress < lpSysInfo.lpMaximumApplicationAddress)
    {
        VirtualQueryEx(process,(LPCVOID)currentAddress,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
        if(ReadProcessMemory(process,mbi.BaseAddress,cMemContents,sizeof(MEMORY_BASIC_INFORMATION),NULL))
        {
            printf("%s\n",cMemContents);
        }
    }

...I'm still pretty fuzzy on how to use "GetSystemInfo" to determine the minimum address to start searching at.

Here are some more links I dug up on available solutions in other languages:
http://www.codeproject.com/KB/threads/MDumpAll.aspx
http://search.cpan.org/~qjzhou/Win32-Proce...-0.20/Memory.pm

Link to Nomad's VirtualQueryEx:
http://www.autoitscript.com/forum/index.ph...ost&id=9764

Link to MSDN VirtualQueryEx:
http://msdn2.microsoft.com/en-us/library/bb202715.aspx

From what I gather so far, it should go something like this:

    #include <NomadMemory.au3>

    ;get the process ID
    $ProcessID = WinGetProcess("Some Window")

    Func _ProcessMemorySearch($ProcessID)
        ;open the process and get the handle
        $Handle = _MemoryOpen($ProcessID)
        ;determine minimum address
        $MinAddress = _GetMinAddress($ProcessID) ;<=== need help here
        $MaxAddress = _GetMaxAddress($ProcessID) ;<=== need help here
        $SearchValue = 'some value' ;Set search value
        $dType = 'ptr' ;Set search value datatype here
        Local $Output
        For $i = $MinAddress To $MaxAddress
            $Read =_MemoryRead($i, $Handle, $dType)
            If StringInStr($Read, $SearchValue) Then
                $Output &= $i & @CRLF & $Read
            EndIf
        Next
        _MemoryClose($Handle)
        $var = StringSplit($Output, @CRLF)
        Return $var
    EndFunc

Edited March 9, 2008 by Oldschool
BorisTheBlade Posted March 10, 2008

Try this, it should get you started...

    $systemInfo = DllStructCreate ("short;short;dword;ptr;ptr;dword;dword;dword;dword;short;short")
    DllCall ("kernel32.dll", "int", "GetSystemInfo", "ptr", DllStructGetPtr($systemInfo))
    $wProcessorArchitecture = DllStructGetData ($systemInfo, 1)
    $wReserved = DllStructGetData ($systemInfo, 2)
    $dwPageSize = DllStructGetData ($systemInfo, 3)
    $lpMinimumApplicationAddress = DllStructGetData ($systemInfo, 4)
    $lpMaximumApplicationAddress = DllStructGetData ($systemInfo, 5)
    $dwActiveProcessorMask = DllStructGetData ($systemInfo, 6)
    $dwNumberOfProcessors = DllStructGetData ($systemInfo, 7)
    $dwProcessorType = DllStructGetData ($systemInfo, 8)
    $dwAllocationGranularity = DllStructGetData ($systemInfo, 9)
    $wProcessorLevel = DllStructGetData ($systemInfo, 10)
    $wProcessorRevision = DllStructGetData ($systemInfo, 11)
    $baseInfo = "Processor Architecture: " & $wProcessorArchitecture & @CRLF & _
            "Reserved: " & $wReserved & @CRLF & @CRLF & _
            "PageSize: " & $dwPageSize & @CRLF & _
            "MinimumApplicationAddress: " & $lpMinimumApplicationAddress & @CRLF & _
            "MaximumApplicationAddress: " & $lpMaximumApplicationAddress & @CRLF & @CRLF & _
            "ActiveProcessorMask: " & $dwActiveProcessorMask & @CRLF & _
            "Number of Processors: " & $dwNumberOfProcessors & @CRLF & _
            "Processor Type: " & $dwProcessorType & @CRLF & _
            "Allocation Granularity: " & $dwAllocationGranularity & @CRLF & _
            "Processor Level: " & $wProcessorLevel & @CRLF & _
            "Processor Revision: " & $wProcessorRevision & @CRLF & @CRLF
    MsgBox (0, "Whazzup?", $baseInfo)

I fixed this old example by SmokeN; he could not get it right...
http://www.autoitscript.com/forum/index.ph...st&p=427175
Oldschool Posted March 10, 2008 Author (edited)

Nice... Look at this example:

    #include <NomadMemory.au3>

    ;GetSystemInfo
    $systemInfo = DllStructCreate ("short;short;dword;ptr;ptr;dword;dword;dword;dword;short;short")
    DllCall ("kernel32.dll", "int", "GetSystemInfo", "ptr", DllStructGetPtr($systemInfo))
    $lpMinimumApplicationAddress = DllStructGetData ($systemInfo, 4)
    $lpMaximumApplicationAddress = DllStructGetData ($systemInfo, 5)
    $systemInfo=""

    ;get the process ID
    $ProcessID = WinGetProcess("Some Window")

    Func _ProcessMemorySearch($ProcessID, $MinAddress, $MaxAddress)
        $Handle = _MemoryOpen($ProcessID)
        $SearchValue = 'some value' ;Set search value
        $dType = 'ptr' ;Set search value datatype here
        Local $Output
        $memInfo = VirtualQueryEx($MinAddress, $Handle)
        For $i = $memInfo[1] To $MaxAddress
            $memNfo = VirtualQueryEx($i, $Handle)
            If $memNfo[5] = "MEM_COMMIT" Then
                $Read =_MemoryRead($i, $Handle, $dType)
                If StringInStr($Read, $SearchValue) Then
                    $Output &= $i & @CRLF & $Read
                EndIf
            EndIf
        Next
        _MemoryClose($Handle)
        $var = StringSplit($Output, @CRLF)
        Return $var
    EndFunc

Hey Gary Frost, I even freed the struct like in the docs. I know you could make this work in like 5 minutes...

Edited March 10, 2008 by Oldschool
Oldschool Posted March 11, 2008 Author

Shipped....
http://www.autoitscript.com/forum/index.php?showtopic=66210