Jump to content

Memory space


 Share

Recommended Posts

Hi all,

Is there any way to find the beginning and end address of a process in memory via autoit (EDIT: via autoit and native windows dll's)?

I am looking to write a script to use as a memory viewer or a memory editor. I have written plenty of successful code caves in my trainers via autoit/nomadmemory UDF, but I always get these values from tsearch or artmoney or another editor. Would like an all autoit solution.

Thanks,

Edited by danwilli
Link to comment
Share on other sites

That doesn't use a dynamic memory range. If you look at that code, you see that he already has the start and end values declared in the script, they are not derived from autoit.

Still need to be able to select a process and see it's memory range via autoit.

Link to comment
Share on other sites

Hum, if you look at the wikipedia page for Cheat Engine (the open source alternitive to tsearch) http://en.wikipedia.org/wiki/Cheat_Engine it touches on some of its functionality (see the coding section). The kernal driver 'dbk32.dll' seems to have the core functionality you're looking for. If you download the source ( http://www.heijnen1.demon.nl/CheatEngine54src.rar) you see it has the DBK32functions.pas file in the dbk32 directory. You might be able to extrapolate some functionality from there...

Link to comment
Share on other sites

Thanks, I will look into it. I was thinking there would be a way to do this without needing a dll, but I may be wrong. I don't need to read or write memory, as the NomadMemory UDF will handle that using kernel32.dll, I just need to find the starting and ending addresses.

Thanks again for your time eviltoaster, I will do what I can with that dll in the interim, but am still looking for a windows + autoit exclusive method.

Link to comment
Share on other sites

OldSchool, I am having a hard time seeing in the script where the start address and end address of the process specified can be found. Can you turn this into a function that will just deliver the start and end addresses for a specified process? I would really appreciate it. If you do not have time, can you just point me in the right direction?

Thanks,

Danny

Link to comment
Share on other sites

You need to study the script to understand it...

VirtualQueryEX is tied to 'procHwnd'

So... you figure out where your '$lpMinimumApplicationAddress & $lpMaximumApplicationAddress' are, and then analize the output of VirtualQueryEX via MemoryBasicInformation sctructure. When you find the desired application memory sector, you read it to memory, and use StringInStr to search through it...I don't know any other way to do it.

refer to MSDN for more info

http://msdn.microsoft.com/en-us/library/aa366907(VS.85).aspx

http://msdn.microsoft.com/en-us/library/aa366775(VS.85).aspx

Edited by Oldschool
Link to comment
Share on other sites

$lpMinimumApplicationAddress always seems to be 00010000

$lpMaximumApplicationAddress always seems to be 7FFEFFFF

Is there a way that we can modify the script to return a range of memory that the executable is using?

Right, that's because it a system wide range for applications...

Like I said, the only information you have about memory sector base addresses is from the output of VirtualQueryEX, which contains a BaseAddress of each sector in $mbi[0] if I'm not mistaking, so to get the address range of a particular process, you use $mbi[0] of the first sector it finds for starting address, and $mbi[0]+$mbi[3] of the last region it finds for ending address. I don't have time to get you a working sample, but it would look something like this:

http://msdn.microsoft.com/en-us/library/aa366775(VS.85).aspx

#Include <WinAPI.au3>
#Include <Constants.au3>
#Include <Array.au3>

HotKeySet("{ESC}", "_Exit")

;If Not ProcessExists("calc.exe") Then Exit ; exit if calculator is not running;
    ;$procHwnd = _WinAPI_OpenProcess($PROCESS_ALL_ACCESS, False, ProcessExists("calc.exe"))
;If Not $procHwnd Then _Exit("Error while getting process handle!") ; if we didn't get a valid 'access' handle then exit

    $iv_Pid = ProcessExists("calc.exe")
    $iv_DesiredAccess = 0x1F0FFF
    $av_OpenProcess = DllCall('Kernel32.dll', 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', 1, 'int', $iv_Pid)
    $procHwnd = $av_OpenProcess[0]
    If Not $procHwnd Then MsgBox(0, "","Error while getting process handle!")

$dType = 1


Local $FirstAddress
Local $LastAddress

$range = _GetMemoryRange($procHwnd, $SearchValue, $dType)
MsgBox(0, 'MemRange', $FirstAddress&' - '$LastAddress)


Func _GetMemoryRange($procHwnd, $SearchValue, $dType)
   
    ;GetSystemInfo
    $systemInfo = DllStructCreate ("short;short;dword;int;int;dword;dword;dword;dword;short;short")
    DllCall ("Kernel32.dll", "int", "GetSystemInfo", "ptr", DllStructGetPtr($systemInfo))
    $lpMinimumApplicationAddress = DllStructGetData ($systemInfo, 4)
    $lpMaximumApplicationAddress = DllStructGetData ($systemInfo, 5)
    $systemInfo=""

    $i = $lpMinimumApplicationAddress
    While $i < $lpMaximumApplicationAddress
       
        Local $mbi[7] ; MEMORY_BASIC_INFORMATION Structure
        Local $v_Buffer = DllStructCreate('dword;dword;dword;dword;dword;dword;dword')   
        If @Error Then SetError(@Error + 1)
       
        DllCall('Kernel32.dll', 'int', 'VirtualQueryEx', 'int', $procHwnd, 'int', $i, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer))
       
        If Not @Error Then     
            For $j = 0 to 6    
                $mbi[$j] = StringStripWS(DllStructGetData($v_Buffer, ($j + 1)),3)            
            Next           
        Else
            SetError(6)
        EndIf
        ;_ArrayDisplay($mbi)
       
        If Not $FirstAddress Then $FirstAddress = $mbi[0]
    $LastAddress  = $mbi[0]+$mbi[3]

        $i += $mbi[3]
       
    WEnd
EndFunc


Func _Exit($s_Msg="")
   
    MsgBox(0, "Error", $s_Msg)
    Exit
   
EndFunc
Link to comment
Share on other sites

In that While loop, check the State (and possibly Type) member of each MEMORY_BASIC_INFORMATION structure to filter out unallocated pages.

At the very least, state should read MEM_COMMIT.

Also, if you only looking for code caves and not interested in memory allocated after PE is loaded, you could loop though PE section header, and get start address, raw/virtual size and flags of each section.

Edited by Siao

"be smart, drink your wine"

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...