DW1 Posted July 15, 2008 Hi all, Is there any way to find the beginning and end address of a process in memory via AutoIt (EDIT: via AutoIt and native Windows DLLs)? I am looking to write a script to use as a memory viewer or a memory editor. I have written plenty of successful code caves in my trainers via AutoIt/NomadMemory UDF, but I always get these values from TSearch or ArtMoney or another editor. Would like an all-AutoIt solution. Thanks, Edited July 17, 2008 by danwilli
Pain Posted July 15, 2008 http://www.autoitscript.com/forum/index.php?showtopic=37998 Memory scanner for WoW, so yes, it's possible. I know my answer doesn't help you much, but at least it confirms that it's possible.
DW1 Posted July 15, 2008 (Author) That doesn't use a dynamic memory range. If you look at that code, you see that he already has the start and end values declared in the script; they are not derived from AutoIt. Still need to be able to select a process and see its memory range via AutoIt.
evilertoaster Posted July 15, 2008 Hmm, if you look at the Wikipedia page for Cheat Engine (the open-source alternative to TSearch) http://en.wikipedia.org/wiki/Cheat_Engine it touches on some of its functionality (see the coding section). The kernel driver 'dbk32.dll' seems to have the core functionality you're looking for. If you download the source ( http://www.heijnen1.demon.nl/CheatEngine54src.rar ) you see it has the DBK32functions.pas file in the dbk32 directory. You might be able to extrapolate some functionality from there...
DW1 Posted July 15, 2008 (Author) Thanks, I will look into it. I was thinking there would be a way to do this without needing a DLL, but I may be wrong. I don't need to read or write memory, as the NomadMemory UDF will handle that using kernel32.dll; I just need to find the starting and ending addresses. Thanks again for your time evilertoaster, I will do what I can with that DLL in the interim, but am still looking for a Windows + AutoIt exclusive method.
DW1 Posted July 17, 2008 (Author) Wishing Nomad was still here..../bump
felanor Posted July 18, 2008 I'd also like to know how to do this. Is there anyone who might be able to provide an answer?
Oldschool Posted July 19, 2008
> I'd also like to know how to do this. Is there anyone who might be able to provide an answer?
http://www.autoitscript.com/forum/index.php?showtopic=66210 By yours truly
DW1 Posted July 20, 2008 (Author) OldSchool, I am having a hard time seeing in the script where the start address and end address of the process specified can be found. Can you turn this into a function that will just deliver the start and end addresses for a specified process? I would really appreciate it. If you do not have time, can you just point me in the right direction? Thanks, Danny
Oldschool Posted July 20, 2008 You need to study the script to understand it... VirtualQueryEx is tied to 'procHwnd'. So... you figure out where your '$lpMinimumApplicationAddress & $lpMaximumApplicationAddress' are, and then analyze the output of VirtualQueryEx via the MEMORY_BASIC_INFORMATION structure. When you find the desired application memory sector, you read it to memory, and use StringInStr to search through it... I don't know any other way to do it. Refer to MSDN for more info: http://msdn.microsoft.com/en-us/library/aa366907(VS.85).aspx http://msdn.microsoft.com/en-us/library/aa366775(VS.85).aspx Edited July 20, 2008 by Oldschool
DW1 Posted July 20, 2008 (Author) $lpMinimumApplicationAddress always seems to be 00010000. $lpMaximumApplicationAddress always seems to be 7FFEFFFF. Is there a way that we can modify the script to return a range of memory that the executable is using?
Oldschool Posted July 20, 2008 Posted July 20, 2008 $lpMinimumApplicationAddress always seems to be 00010000 $lpMaximumApplicationAddress always seems to be 7FFEFFFF Is there a way that we can modify the script to return a range of memory that the executable is using? Right, that's because it a system wide range for applications... Like I said, the only information you have about memory sector base addresses is from the output of VirtualQueryEX, which contains a BaseAddress of each sector in $mbi[0] if I'm not mistaking, so to get the address range of a particular process, you use $mbi[0] of the first sector it finds for starting address, and $mbi[0]+$mbi[3] of the last region it finds for ending address. I don't have time to get you a working sample, but it would look something like this: http://msdn.microsoft.com/en-us/library/aa366775(VS.85).aspx expandcollapse popup#Include <WinAPI.au3> #Include <Constants.au3> #Include <Array.au3> HotKeySet("{ESC}", "_Exit") ;If Not ProcessExists("calc.exe") Then Exit ; exit if calculator is not running; ;$procHwnd = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, False, ProcessExists("calc.exe")) ;If Not $procHwnd Then _Exit("Error while getting process handle!") ; if we didn't get a valid 'access' handle then exit $iv_Pid = ProcessExists("calc.exe") $iv_DesiredAccess = 0x1F0FFF $av_OpenProcess = DllCall('Kernel32.dll', 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', 1, 'int', $iv_Pid) $procHwnd = $av_OpenProcess[0] If Not $procHwnd Then MsgBox(0, "","Error while getting process handle!") $dType = 1 Local $FirstAddress Local $LastAddress $range = _GetMemoryRange($procHwnd, $SearchValue, $dType) MsgBox(0, 'MemRange', $FirstAddress&' - '$LastAddress) Func _GetMemoryRange($procHwnd, $SearchValue, $dType) ;GetSystemInfo $systemInfo = DllStructCreate ("short;short;dword;int;int;dword;dword;dword;dword;short;short") DllCall ("Kernel32.dll", "int", "GetSystemInfo", "ptr", DllStructGetPtr($systemInfo)) $lpMinimumApplicationAddress = 
DllStructGetData ($systemInfo, 4) $lpMaximumApplicationAddress = DllStructGetData ($systemInfo, 5) $systemInfo="" $i = $lpMinimumApplicationAddress While $i < $lpMaximumApplicationAddress Local $mbi[7] ; MEMORY_BASIC_INFORMATION Structure Local $v_Buffer = DllStructCreate('dword;dword;dword;dword;dword;dword;dword') If @Error Then SetError(@Error + 1) DllCall('Kernel32.dll', 'int', 'VirtualQueryEx', 'int', $procHwnd, 'int', $i, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer)) If Not @Error Then For $j = 0 to 6 $mbi[$j] = StringStripWS(DllStructGetData($v_Buffer, ($j + 1)),3) Next Else SetError(6) EndIf ;_ArrayDisplay($mbi) If Not $FirstAddress Then $FirstAddress = $mbi[0] $LastAddress = $mbi[0]+$mbi[3] $i += $mbi[3] WEnd EndFunc Func _Exit($s_Msg="") MsgBox(0, "Error", $s_Msg) Exit EndFunc
Siao Posted July 20, 2008 In that While loop, check the State (and possibly Type) member of each MEMORY_BASIC_INFORMATION structure to filter out unallocated pages. At the very least, State should read MEM_COMMIT. Also, if you're only looking for code caves and not interested in memory allocated after the PE is loaded, you could loop through the PE section headers and get the start address, raw/virtual size and flags of each section. Edited July 20, 2008 by Siao
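As an added example, not code from any poster in this thread, here is the same walk in Python with ctypes instead of AutoIt: start at lpMinimumApplicationAddress from GetSystemInfo, call VirtualQueryEx, advance by RegionSize, and keep only regions whose State is MEM_COMMIT as Siao suggests, which is what turns the system-wide 00010000-7FFEFFFF range into the range the target actually uses. The region-walking logic takes a query callable, so it runs offline against a constructed region map (not a real process); the real Windows binding is only built on win32. Two things the thread's sketch does not handle are covered: a failed VirtualQueryEx ends the walk instead of spinning on an empty RegionSize, and the handle is opened with PROCESS_QUERY_INFORMATION rather than PROCESS_ALL_ACCESS (0x1F0FFF), since that is all VirtualQueryEx requires. Note that GetSystemInfo reports the calling process's own application address range, so run this from a Python of the same bitness as the target.

```python
"""Enumerate a process's committed memory regions via VirtualQueryEx (added example)."""
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# MEMORY_BASIC_INFORMATION.State / .Type values from winnt.h
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000


@dataclass(frozen=True)
class Region:
    base: int       # BaseAddress ($mbi[0] in the thread)
    size: int       # RegionSize  ($mbi[3])
    state: int      # State       ($mbi[4])
    protect: int    # Protect
    mem_type: int   # Type

    @property
    def end(self) -> int:
        return self.base + self.size


# Mimics VirtualQueryEx: a Region for a queryable address, None when the call fails.
QueryFn = Callable[[int], Optional[Region]]


def walk_regions(query: QueryFn, min_addr: int, max_addr: int,
                 want_state: int = MEM_COMMIT) -> List[Region]:
    """Walk [min_addr, max_addr) one region at a time, keeping regions whose State matches."""
    found: List[Region] = []
    addr = min_addr
    while addr < max_addr:
        region = query(addr)
        # Near the top of user space VirtualQueryEx fails; the thread's sketch would add an
        # empty RegionSize and loop forever, so stop instead.
        if region is None or region.size == 0:
            break
        if region.state & want_state:
            found.append(region)
        addr = region.base + region.size     # the next region starts right after this one
    return found


def process_extent(regions: List[Region]) -> Optional[Tuple[int, int]]:
    """Lowest BaseAddress and highest BaseAddress+RegionSize: the 'start and end' asked for."""
    if not regions:
        return None
    return min(r.base for r in regions), max(r.end for r in regions)


def merge_adjacent(regions: List[Region]) -> List[Tuple[int, int]]:
    """Coalesce back-to-back regions into (base, size) blocks a scanner can read in one call."""
    blocks: List[Tuple[int, int]] = []
    for r in sorted(regions, key=lambda r: r.base):
        if blocks and blocks[-1][0] + blocks[-1][1] == r.base:
            blocks[-1] = (blocks[-1][0], blocks[-1][1] + r.size)
        else:
            blocks.append((r.base, r.size))
    return blocks


# CONSTRUCTED region map for offline use (not captured from a real process):
# a private heap, a small PE image (headers + .text), a reserved tail, free gaps.
CONSTRUCTED_MAP = [
    Region(0x00010000, 0x00010000, MEM_COMMIT,  0x04, MEM_PRIVATE),   # PAGE_READWRITE heap
    Region(0x00020000, 0x003E0000, MEM_FREE,    0x00, 0),
    Region(0x00400000, 0x00001000, MEM_COMMIT,  0x02, MEM_IMAGE),     # PE headers, PAGE_READONLY
    Region(0x00401000, 0x0000F000, MEM_COMMIT,  0x20, MEM_IMAGE),     # .text, PAGE_EXECUTE_READ
    Region(0x00410000, 0x00010000, MEM_RESERVE, 0x00, MEM_IMAGE),
    Region(0x00420000, 0x7FBC0000, MEM_FREE,    0x00, 0),
]   # queries at 0x7FFE0000 and above fail, as the real API does near the top of user space


def constructed_query(addr: int) -> Optional[Region]:
    for r in CONSTRUCTED_MAP:
        if r.base <= addr < r.end:
            return r
    return None


if sys.platform == "win32":
    import ctypes
    import ctypes.wintypes as wt

    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]

    class SYSTEM_INFO(ctypes.Structure):
        _fields_ = [("wProcessorArchitecture", wt.WORD), ("wReserved", wt.WORD),
                    ("dwPageSize", wt.DWORD), ("lpMinimumApplicationAddress", ctypes.c_void_p),
                    ("lpMaximumApplicationAddress", ctypes.c_void_p),
                    ("dwActiveProcessorMask", ctypes.c_size_t), ("dwNumberOfProcessors", wt.DWORD),
                    ("dwProcessorType", wt.DWORD), ("dwAllocationGranularity", wt.DWORD),
                    ("wProcessorLevel", wt.WORD), ("wProcessorRevision", wt.WORD)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes, k32.OpenProcess.restype = [wt.DWORD, wt.BOOL, wt.DWORD], wt.HANDLE
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    PROCESS_QUERY_INFORMATION = 0x0400   # sufficient for VirtualQueryEx; no need for PROCESS_ALL_ACCESS

    def windows_query(handle: int) -> QueryFn:
        def query(addr: int) -> Optional[Region]:
            mbi = MEMORY_BASIC_INFORMATION()
            if k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)) == 0:
                return None
            return Region(mbi.BaseAddress or 0, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type)
        return query

    def main(pid: int) -> None:
        handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
        if not handle:
            raise ctypes.WinError(ctypes.get_last_error())
        si = SYSTEM_INFO()
        k32.GetSystemInfo(ctypes.byref(si))   # this Python's own range: match the target's bitness
        committed = walk_regions(windows_query(handle), si.lpMinimumApplicationAddress,
                                 si.lpMaximumApplicationAddress)
        print("extent:", tuple(hex(a) for a in process_extent(committed)))
        for base, size in merge_adjacent(committed):
            print(f"  {base:#010x} +{size:#x}")

    if __name__ == "__main__":
        main(int(sys.argv[1]))
```

On Windows, `python thisfile.py <pid>` prints the committed extent and the coalesced readable blocks; on the constructed map the three committed regions give an extent of 0x00010000-0x00410000, and passing `MEM_COMMIT | MEM_RESERVE` as `want_state` extends it to the reserved image tail. Filtering on `mem_type == MEM_IMAGE` narrows the result to the loaded PE, the case Siao mentions for code caves.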