Oldschool

_ProcessMemorySearch()

4 posts in this topic

#1 ·  Posted (edited)

I need to search memory, and I've been digging around for some code that will get me closer to it.

This is basically what I need to do:

#include <windows.h>
#include <stdio.h>

unsigned long pid = dwPID;            /* dwPID: the target's process ID, set elsewhere */
HANDLE process;
SYSTEM_INFO sysInfo;
MEMORY_BASIC_INFORMATION mbi;
char cMemContents[512];
LPBYTE currentAddress;
SIZE_T want, got;

GetSystemInfo(&sysInfo);              /* gives the lowest and highest user-mode addresses to walk */
/* PROCESS_QUERY_INFORMATION | PROCESS_VM_READ would be enough for a read-only scan */
process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
currentAddress = (LPBYTE)sysInfo.lpMinimumApplicationAddress;

while (currentAddress < (LPBYTE)sysInfo.lpMaximumApplicationAddress) {
    if (VirtualQueryEx(process, currentAddress, &mbi, sizeof(mbi)) == 0)
        break;                        /* nothing left to query */

    /* only committed, non-guard, readable pages can be read without failing or faulting the target */
    if (mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))) {
        want = mbi.RegionSize < sizeof(cMemContents) - 1 ? mbi.RegionSize : sizeof(cMemContents) - 1;
        if (ReadProcessMemory(process, mbi.BaseAddress, cMemContents, want, &got)) {
            cMemContents[got] = '\0'; /* %s needs a terminator; raw memory has none */
            printf("%p: %s\n", mbi.BaseAddress, cMemContents);
        }
    }
    /* step to the next region instead of re-querying the same address forever */
    currentAddress = (LPBYTE)mbi.BaseAddress + mbi.RegionSize;
}
...

I'm still pretty fuzzy on how to use "GetSystemInfo" to determine the minimum address to start searching at.

Here are some more links I dug up on available solutions in other languages:

http://www.codeproject.com/KB/threads/MDumpAll.aspx

http://search.cpan.org/~qjzhou/Win32-Proce...-0.20/Memory.pm

Link to Nomad's VirtualQueryEx

http://www.autoitscript.com/forum/index.ph...ost&id=9764

Link to MSDN VirtualQueryEx

http://msdn2.microsoft.com/en-us/library/bb202715.aspx

From what I gather so far it should go something like this:

#include <NomadMemory.au3>
;get the process ID
$ProcessID = WinGetProcess("Some Window")

Func _ProcessMemorySearch($ProcessID)
    ;open the process and get the handle
    $Handle = _MemoryOpen($ProcessID)
    ;determine minimum address
    $MinAddress = _GetMinAddress($ProcessID)         ;<=== need help here
    $MaxAddress = _GetMaxAddress($ProcessID)         ;<=== need help here
    $SearchValue = 'some value'                      ;Set search value
    $dType = 'ptr'                                   ;Set search value datatype here
    Local $Output = ""
    For $i = $MinAddress To $MaxAddress
        $Read = _MemoryRead($i, $Handle, $dType)
        If StringInStr($Read, $SearchValue) Then
            $Output &= $i & @CRLF & $Read & @CRLF    ;address, value, one entry per pair of lines
        EndIf
    Next
    _MemoryClose($Handle)
    $var = StringSplit($Output, @CRLF, 1)            ;flag 1: split on the whole @CRLF, not on each character
    Return $var
EndFunc
Edited by Oldschool


Try this, it should get you started...

$systemInfo = DllStructCreate ("short;short;dword;ptr;ptr;dword;dword;dword;dword;short;short")

DllCall ("kernel32.dll", "int", "GetSystemInfo", "ptr", DllStructGetPtr($systemInfo))

$wProcessorArchitecture = DllStructGetData ($systemInfo, 1)
$wReserved = DllStructGetData ($systemInfo, 2)
$dwPageSize = DllStructGetData ($systemInfo, 3)
$lpMinimumApplicationAddress = DllStructGetData ($systemInfo, 4)
$lpMaximumApplicationAddress = DllStructGetData ($systemInfo, 5)
$dwActiveProcessorMask = DllStructGetData ($systemInfo, 6)
$dwNumberOfProcessors = DllStructGetData ($systemInfo, 7)
$dwProcessorType = DllStructGetData ($systemInfo, 8)
$dwAllocationGranularity = DllStructGetData ($systemInfo, 9)
$wProcessorLevel = DllStructGetData ($systemInfo, 10)
$wProcessorRevision = DllStructGetData ($systemInfo, 11)

$baseInfo = "Processor Architecture: "    & $wProcessorArchitecture & @CRLF & _
            "Reserved: "                  & $wReserved & @CRLF & @CRLF & _
            "PageSize: "                  & $dwPageSize & @CRLF & _
            "MinimumApplicationAddress: " & $lpMinimumApplicationAddress & @CRLF & _
            "MaximumApplicationAddress: " & $lpMaximumApplicationAddress & @CRLF & @CRLF & _
            "ActiveProcessorMask: "       & $dwActiveProcessorMask & @CRLF & _
            "Number of Processors:   "    & $dwNumberOfProcessors & @CRLF & _
            "Processor Type:         "    & $dwProcessorType & @CRLF & _
            "Allocation Granularity: "    & $dwAllocationGranularity & @CRLF & _
            "Processor Level:        "    & $wProcessorLevel & @CRLF & _
            "Processor Revision:     "    & $wProcessorRevision & @CRLF & @CRLF
            
MsgBox (0, "Whazzup?", $baseInfo)

Fixed this old example by SmokeN, he could not get it right...

http://www.autoitscript.com/forum/index.ph...st&p=427175


#3 ·  Posted (edited)

Nice... Look at this example:

#include <NomadMemory.au3>
;VirtualQueryEx() is Nomad's UDF linked in the first post; it is not part of NomadMemory.au3
;GetSystemInfo
$systemInfo = DllStructCreate ("short;short;dword;ptr;ptr;dword;dword;dword;dword;short;short")
DllCall ("kernel32.dll", "int", "GetSystemInfo", "ptr", DllStructGetPtr($systemInfo))
$lpMinimumApplicationAddress = DllStructGetData ($systemInfo, 4)
$lpMaximumApplicationAddress = DllStructGetData ($systemInfo, 5)
$systemInfo=""
;get the process ID
$ProcessID = WinGetProcess("Some Window")
$Result = _ProcessMemorySearch($ProcessID, $lpMinimumApplicationAddress, $lpMaximumApplicationAddress)

Func _ProcessMemorySearch($ProcessID, $MinAddress, $MaxAddress)
    $Handle = _MemoryOpen($ProcessID)
    $SearchValue = 'some value'                      ;Set search value
    $dType = 'ptr'                                   ;Set search value datatype here
    Local $Output = ""

    $memInfo = VirtualQueryEx($MinAddress, $Handle)  ;see Nomad's UDF for the array layout
    For $i = $memInfo[1] To $MaxAddress
        $memNfo = VirtualQueryEx($i, $Handle)
        If $memNfo[5] = "MEM_COMMIT" Then            ;only committed pages can be read
            $Read = _MemoryRead($i, $Handle, $dType)
            If StringInStr($Read, $SearchValue) Then
                $Output &= $i & @CRLF & $Read & @CRLF
            EndIf
        EndIf
    Next
    _MemoryClose($Handle)
    $var = StringSplit($Output, @CRLF, 1)            ;flag 1: split on the whole @CRLF
    Return $var
EndFunc

Hey Gary Frost, I even freed the struct like in the docs. I know you could make this work in like 5 minutes...

Edited by Oldschool
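An added example, not code from this thread or from NomadMemory: the region walk that the C and AutoIt snippets above are both reaching for, written in Python against a constructed model of VirtualQueryEx and ReadProcessMemory so it runs without Windows. It advances by BaseAddress + RegionSize instead of one address at a time, skips reserved and guard pages, and still finds a value that straddles two adjacent committed regions; the two callbacks, the Region class and the sample address space are all assumptions (on Windows the callbacks would wrap the real kernel32 calls through ctypes).

```python
from dataclasses import dataclass
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000                                      # winnt.h values
PAGE_NOACCESS, PAGE_READWRITE, PAGE_GUARD, PAGE_SIZE = 0x01, 0x04, 0x100, 0x1000
@dataclass
class Region:            # the MEMORY_BASIC_INFORMATION fields the walk needs
    base: int            # BaseAddress
    size: int            # RegionSize
    state: int           # State: MEM_COMMIT / MEM_RESERVE / MEM_FREE
    protect: int         # Protect: PAGE_* flags
    data: bytes = b""    # constructed page contents, only meaningful when committed
def _page(b): return b.ljust(PAGE_SIZE, b"\0")   # pad constructed contents to one page
# Constructed address space, not a real process: committed, reserved and guard pages.
FAKE_SPACE = [
    Region(0x10000, PAGE_SIZE, MEM_COMMIT, PAGE_READWRITE, _page(b"A" * 0xFF0 + b"SECRET=hunter2")),
    Region(0x11000, PAGE_SIZE, MEM_RESERVE, PAGE_NOACCESS),                          # reserved: unreadable
    Region(0x12000, PAGE_SIZE, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD, _page(b"")),  # a read would trip the guard
    Region(0x13000, PAGE_SIZE, MEM_COMMIT, PAGE_READWRITE, _page(b"x" * 100 + b"hunter2 again")),
]
def fake_query(addr):    # model of VirtualQueryEx: BaseAddress = page holding addr, RegionSize to region end
    for r in FAKE_SPACE:
        if r.base <= addr < r.base + r.size:
            page = addr & ~(PAGE_SIZE - 1)
            return Region(page, r.base + r.size - page, r.state, r.protect, r.data[page - r.base:])
    return None          # unmapped in the model; the real call returns 0 there

def fake_read(base, size):   # model of ReadProcessMemory: fails unless committed and readable
    r = fake_query(base)
    if r is None or r.state != MEM_COMMIT or r.protect & (PAGE_NOACCESS | PAGE_GUARD):
        raise PermissionError(f"cannot read {base:#x}")
    return r.data[:size]

def scan(query, read, lo, hi, needle):
    """Walk [lo, hi) region by region (advance by BaseAddress + RegionSize), read only committed
    non-guard pages, and return every address at which needle starts."""
    hits, addr, tail, tail_end = [], lo, b"", None
    while addr < hi:
        mbi = query(addr)
        if mbi is None:                  # nothing to report here: step one page and continue
            addr += PAGE_SIZE
            continue
        if mbi.state == MEM_COMMIT and not mbi.protect & (PAGE_NOACCESS | PAGE_GUARD):
            buf = read(mbi.base, mbi.size)
            prefix = tail if tail_end == mbi.base else b""   # so a match straddling two regions is found
            off = (prefix + buf).find(needle)
            while off != -1:
                hits.append(mbi.base - len(prefix) + off)
                off = (prefix + buf).find(needle, off + 1)
            tail, tail_end = buf[len(buf) - (len(needle) - 1):], mbi.base + mbi.size
        addr = mbi.base + mbi.size
    return hits
```

Replacing the per-address `For` loop in the AutoIt version with this region stepping turns millions of VirtualQueryEx calls into one per region, which is also what makes a scan of a large process finish.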
