Oldschool Posted March 9, 2008 Share Posted March 9, 2008 (edited) I need to search memory, and been digging around for some code that will get me closer to it.This is basically what I need to do:unsigned long pid=dwPID; HANDLE process; SYSTEM_INFO lpSysInfo; MEMORY_BASIC_INFORMATION mbi; char cMemContents[512]; CString csMemContents; int lowAddress, highAddress, stepAddress; LPVOID currentAddress; DWORD status; GetSystemInfo(&lpSysInfo); process=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); lowAddress=(int)lpSysInfo.lpMinimumApplicationAddress; stepAddress=sizeof(MEMORY_BASIC_INFORMATION); currentAddress=lpSysInfo.lpMinimumApplicationAddress; while (currentAddress < lpSysInfo.lpMaximumApplicationAddress) { VirtualQueryEx(process,(LPCVOID)currentAddress,&mbi,sizeof(MEMORY_BASIC_INFO RMATION)); if(ReadProcessMemory(process,mbi.BaseAddress,cMemContents,sizeof(MEMORY_BASIC_IN FORMATION),NULL)) { printf("%s\n",cMemContents); } } ...I'm still pretty fuzzy how to use the "GetSystemInfo" to determine the minimum address to start searching @.Here are some more links I dug up on available solutions in other languages:http://www.codeproject.com/KB/threads/MDumpAll.aspxhttp://search.cpan.org/~qjzhou/Win32-Proce...-0.20/Memory.pmLink to Nomads VirtualQueryExhttp://www.autoitscript.com/forum/index.ph...ost&id=9764Link to MSDN VirtualQueryExhttp://msdn2.microsoft.com/en-us/library/bb202715.aspxFrom what I gather so far it should go something like this:#include <NomadMemory.au3> ;get the process ID $ProcessID = WinGetProcess("Some Window") Func _ProcessMemorySearch($ProcessID) ;open the process and get the handle $Handle = _MemoryOpen($ProcessID) ;determine minimum address $MinAddress = _GetMinAddress($ProcessID) ;<=== need help here $MaxAddress = _GetMaxAddress($ProcessID) ;<=== need help here $SearchValue = 'some value' ;Set search value $dType = 'ptr' ;Set search value datatype here Local $Output For $i = $MinAddress To $MaxAddress $Read =_MemoryRead($i, $Handle, $dType) If StringInStr($Read, $SearchValue) Then $Output &= $i & @CRLF & $Read EndIf Next _MemoryClose($Handle) $var = StringSplit($Output, @CRLF) Return $var EndFunc Edited March 9, 2008 by Oldschool Link to comment Share on other sites More sharing options...
BorisTheBlade Posted March 10, 2008 Share Posted March 10, 2008 Try this, it should get you started...$systemInfo = DllStructCreate ("short;short;dword;ptr;ptr;dword;dword;dword;dword;short;short") DllCall ("kernel32.dll", "int", "GetSystemInfo", "ptr", DllStructGetPtr($systemInfo)) $wProcessorArchitecture = DllStructGetData ($systemInfo, 1) $wReserved = DllStructGetData ($systemInfo, 2) $dwPageSize = DllStructGetData ($systemInfo, 3) $lpMinimumApplicationAddress = DllStructGetData ($systemInfo, 4) $lpMaximumApplicationAddress = DllStructGetData ($systemInfo, 5) $dwActiveProcessorMask = DllStructGetData ($systemInfo, 6) $dwNumberOfProcessors = DllStructGetData ($systemInfo, 7) $dwProcessorType = DllStructGetData ($systemInfo, 8) $dwAllocationGranularity = DllStructGetData ($systemInfo, 9) $wProcessorLevel = DllStructGetData ($systemInfo, 10) $wProcessorRevision = DllStructGetData ($systemInfo, 11) $baseInfo = "Processor Architecture: " & $wProcessorArchitecture & @CRLF & _ "Reserved: " & $wReserved & @CRLF & @CRLF & _ "PageSize: " & $dwPageSize & @CRLF & _ "MinimumApplicationAddress: " & $lpMinimumApplicationAddress & @CRLF & _ "MaximumApplicationAddress: " & $lpMaximumApplicationAddress & @CRLF & @CRLF & _ "ActiveProcessorMask: " & $dwActiveProcessorMask & @CRLF & _ "Number of Processors: " & $dwNumberOfProcessors & @CRLF & _ "Processor Type: " & $dwProcessorType & @CRLF & _ "Allocation Granularity: " & $dwAllocationGranularity & @CRLF & _ "Processor Level: " & $wProcessorLevel & @CRLF & _ "Processor Revision: " & $wProcessorRevision & @CRLF & @CRLF MsgBox (0, "Whazzup?", $baseInfo)Fixed this old example by SmokeN, he could not get it right...http://www.autoitscript.com/forum/index.ph...st&p=427175 Link to comment Share on other sites More sharing options...
Oldschool Posted March 10, 2008 Author Share Posted March 10, 2008 (edited) Nice...Look at this example: #include <NomadMemory.au3> ;GetSystemInfo $systemInfo = DllStructCreate ("short;short;dword;ptr;ptr;dword;dword;dword;dword;short;short") DllCall ("kernel32.dll", "int", "GetSystemInfo", "ptr", DllStructGetPtr($systemInfo)) $lpMinimumApplicationAddress = DllStructGetData ($systemInfo, 4) $lpMaximumApplicationAddress = DllStructGetData ($systemInfo, 5) $systemInfo="" ;get the process ID $ProcessID = WinGetProcess("Some Window") Func _ProcessMemorySearch($ProcessID, $MinAddress, $MaxAddress) $Handle = _MemoryOpen($ProcessID) $SearchValue = 'some value' ;Set search value $dType = 'ptr' ;Set search value datatype here Local $Output $memInfo = VirtualQueryEx($MinAddress, $Handle) For $i = $memInfo[1] To $MaxAddress $memNfo = VirtualQueryEx($i, $Handle) If $memNfo[5] = "MEM_COMMIT" Then $Read =_MemoryRead($i, $Handle, $dType) If StringInStr($Read, $SearchValue) Then $Output &= $i & @CRLF & $Read EndIf EndIf Next _MemoryClose($Handle) $var = StringSplit($Output, @CRLF) Return $var EndFunc Hey Gary Frost, I even freed the struct like in the docs. I know you could make this work in like 5 minutes... Edited March 10, 2008 by Oldschool Link to comment Share on other sites More sharing options...
Oldschool Posted March 11, 2008 Author Share Posted March 11, 2008 Shipped....http://www.autoitscript.com/forum/index.php?showtopic=66210 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now