Locked memory?

10 comments, last by klems 21 years, 3 months ago
Can anyone here with good knowledge of how Windows handles memory give me a clue on how I get which areas of another process's RAM is available to alter with ReadProcessMemory and WriteProcessMemory under Windows XP? I'm writing a simple app which searches another program's RAM, and lets you change interesting memory locations (like the cheat function of ZSNES). I've only managed to read the first 500 or so kilobytes after 0x00400000, then there's some locked memory, and then there's another readable chunk, and then... [repeat until insanity sets in]

Three shall be the number thou shall count, and the number of the counting shall be three...

I'm no expert on Windows, but it would seem to me you would need a process running on a lower rung than the application you want to read. It's been a while since I have dealt with rungs and memory protection crap though. Can you run code in rung 0 on Windows?
--------------------------
I present for tribute this haiku:
Inane Ravings Of
The Haunting Jubilation
A Mad Engineer
©Copyright 2005 Extrarius All Rights Reserved
Semi-random guess:
If you can get the path to the executable, you can get the size of it. If you can get the size of the executable, you can determine how much data is allocated after 0x00400000. Maybe. You can get the address of the exe (if you don't already have it) from the ToolHelp functions ISTR [CreateToolhelp32Snapshot(), Process32First(), ...]

Edit: Actually, I'm talking crap :s That won't tell you anything about memory allocated with new(), malloc(), etc...



[edited by - Evil Bill on December 23, 2002 8:17:25 PM]
Member of the Unban Mindwipe Society (UMWS)
IsBadReadPtr(), IsBadWritePtr(), IsBadCodePtr(), IsBadStringPtr() let you find out what you want to know.
char a[99999],*p=a;int main(int c,char**V){char*v=c>0?1[V]:(char*)V;if(c>=0)for(;*v&&93!=*v;){62==*v&&++p||60==*v&&--p||43==*v&&++*p||45==*v&&--*p||44==*v&&(*p=getchar())||46==*v&&putchar(*p)||91==*v&&(*p&&main(0,(char**)(--v+2))||(v=(char*)main(-1,(char**)++v)-1));++v;}else for(c=1;c;c+=(91==*v)-(93==*v),++v);return(int)v;}  /*** drpizza@battleaxe.net ***/
Do they work with another process? I think they only work with your own memory...



Three shall be the number thou shall count, and the number of the counting shall be three...

I don't see what difference it makes, really -- if you have an NT OS you can allocate memory in the other process, copy a function to that memory, and CreateRemoteThread() to begin execution within the other process.

But if that's no good, perhaps you can use VirtualQueryEx() to obtain this information.
char a[99999],*p=a;int main(int c,char**V){char*v=c>0?1[V]:(char*)V;if(c>=0)for(;*v&&93!=*v;){62==*v&&++p||60==*v&&--p||43==*v&&++*p||45==*v&&--*p||44==*v&&(*p=getchar())||46==*v&&putchar(*p)||91==*v&&(*p&&main(0,(char**)(--v+2))||(v=(char*)main(-1,(char**)++v)-1));++v;}else for(c=1;c;c+=(91==*v)-(93==*v),++v);return(int)v;}  /*** drpizza@battleaxe.net ***/
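The VirtualQueryEx() walk suggested above, written out as an added example (not code from the thread): it enumerates the target's regions and reads only those that are committed and readable, which is the same walk a debugger or memory-forensics tool performs. The "locked" gaps the original post ran into are reserved, free, PAGE_NOACCESS or guard regions, which ReadProcessMemory() cannot read, so they are skipped. It assumes a handle from OpenProcess() with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, which normally requires administrator rights or debug privilege on the target.

```c
/* Added example (not from the thread): walk a target process's address space with
 * VirtualQueryEx() and read the committed, readable regions with ReadProcessMemory(). */
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows builds get only the flag-classification helper; values match winnt.h. */
#define MEM_COMMIT    0x1000
#define PAGE_NOACCESS 0x01
#define PAGE_GUARD    0x100
#endif
/* 1 if a region with these State/Protect flags can be read without faulting: committed
 * (not free or merely reserved), base protection (low byte) not NOACCESS, no guard bit. */
int region_is_readable(unsigned long state, unsigned long protect)
{
    if (state != MEM_COMMIT) return 0;
    if ((protect & 0xFF) == PAGE_NOACCESS) return 0;
    if (protect & PAGE_GUARD) return 0;
    return 1;
}
#ifdef _WIN32
/* Walk every region from address 0 upward; copy out each readable one and return the byte count. */
size_t dump_readable_regions(HANDLE h)
{
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL; size_t total = 0;
    while (VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (region_is_readable(mbi.State, mbi.Protect)) {
            unsigned char *buf = malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (buf && ReadProcessMemory(h, mbi.BaseAddress, buf, mbi.RegionSize, &got)) {
                printf("%p %10lu bytes protect=0x%lx\n", mbi.BaseAddress, (unsigned long)got, mbi.Protect);
                total += got;   /* search buf for the value of interest here */
            }
            free(buf);
        }
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;   /* next region */
    }
    return total;
}
int main(int argc, char **argv)   /* usage: prog <pid>; needs rights to open the target */
{
    HANDLE h = argc == 2 ? OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE,
                                       (DWORD)strtoul(argv[1], NULL, 10)) : NULL;
    if (!h) { fprintf(stderr, "usage: %s <pid> (OpenProcess error %lu)\n", argv[0], GetLastError()); return 1; }
    printf("read %lu bytes\n", (unsigned long)dump_readable_regions(h));
    CloseHandle(h); return 0;
}
#endif
```

On a non-Windows compiler only region_is_readable() is built, so the classification rule can be checked anywhere; the walk itself needs the Win32 headers.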
OK, thanks!



You have just read a controversial statement by Valderman. Thank you for your tolerance.

You can absolutely access other processes' memory with ReadProcessMemory/WriteProcessMemory (that's how a debugger does it), but the problem is to find what addresses to read from. What memory are you trying to read? It's as you understand almost impossible to read the value of a stack variable for a thread that calls a function unless you write a debugger and single-step the program. In order to read memory, your chance is if that memory is long-lived and allocated from the heap.

The IsBad*Ptr() family of functions works for the current process, so that will work only if you create a remote thread in the process you want to search in.

In order to search, you might want to suspend all threads in the process while searching.
quote:Original post by Witchcraven
I'm no expert on Windows, but it would seem to me you would need a process running on a lower rung than the application you want to read. It's been a while since I have dealt with rungs and memory protection crap though. Can you run code in rung 0 on Windows?


It's RING.
quote:Original post by Witchcraven
I'm no expert on Windows, but it would seem to me you would need a process running on a lower rung than the application you want to read. It's been a while since I have dealt with rungs and memory protection crap though. Can you run code in rung 0 on Windows?
You can run code in ring 0 ("kernel mode" in Windows terms) if you write a device driver, but you don't need this to read another process' memory. Either you can attach as a debugger, create a remote thread, or register a DLL that gets loaded for each program started and in that way access the memory of a certain process.

In order to debug or attach remote threads, you need to run as administrator (or in some other way adjust security so you get sufficient rights). Normal low-privileged users would not be able to do this as it would clearly be a security issue.
