Zorro1267

ReadProcessMemory Question


I am trying to program my own memory editor and I am unsure about how games use memory. I seem to remember reading somewhere that a game won't always be run in the same memory block, but the offsets to the memory where a particular value is stored will be the same. I also don't really understand how one knows where to start searching memory for a particular process that is running. For instance, I want to use the ReadProcessMemory function to look at the memory locations that Diablo II is using, but I don't know how to find out where the memory block for Diablo II starts. Does anyone know?

Quote:
Original post by Zorro1267
I am trying to program my own memory editor and I am unsure about how games use memory. I seem to remember reading somewhere that a game won't always be run in the same memory block, but the offsets to the memory where a particular value is stored will be the same.
Actually, the opposite is closer to the truth. Under Windows XP, the base-address of an executable is guaranteed to be the same every time it runs. This defaults to 0x400000. While it can be changed (in the linker's settings), I've never seen an exe with a different base address, other than some fairly heavy and hacky pathological code that I've been involved with. The same isn't true for DLLs, however. While a DLL will have a 'preferred base address' (to which it will load if the space isn't already occupied), the dynamic nature of DLLs demands that they may be loaded at a different base if necessary. This isn't a huge deal though, as the infrastructure of the DLL will always be the same: provided you know the offset of a particular piece of static data and the address to which the DLL was loaded, you can calculate its linear address with ease. So executable code and static data are reliable and predictable.

On the other hand, dynamically-allocated memory is almost impossible to predict. Stack memory can appear anywhere in its thread's stack, depending on the state of the SEH chain and call-stack at the time. Heap memory is far worse, in that it could be just about anywhere within its rather large valid range. Calls to ntdll!RtlAllocateHeap (which includes new and malloc) are 'nondeterministic'. ntdll!NtAllocateVirtualMemory (and hence kernel32!VirtualAlloc) is similarly unpredictable unless the caller specifies a base-address, which is very rarely done. So dynamic data is not such a safe bet, and generally requires a memory-search to pinpoint.

Quote:
I also don't really understand how one knows where to start searching memory for a particular process that is running. For instance, I want to use the ReadProcessMemory function to look at the memory locations that Diablo II is using, but I don't know how to find out where the memory block for Diablo II starts. Does anyone know?
Every process has its own address-space. Fortunately for you, in protected mode (and hence user-mode, where you'll be working) this address-space is the same for every process. Here's a crude list of ranges (all addresses are in hex):

00000000-00010000: Reserved for the system
00010000-00400000: Base of exe file. The PE header can be found here.
00401000-........: Base of exe file's first PE section
004.....-........: The remaining PE sections (they don't necessarily have to be in the 004..... range, but almost always are)
........-7FFFFFFF: DLLs and heaps may be loaded just about anywhere in this range.
7FFFFFFF-FFFFFFFF: This is reserved for the system and isn't accessible from user-mode.

I've made a few assumptions here, but these values fit for 99% of programs you'll encounter.

For your memory-poking purposes, you'll find GetProcessHeaps invaluable. Also to look out for are:

VirtualProtectEx to change the access-level of committed pages
VirtualAllocEx to allocate memory in another process's address-space
CreateRemoteThread to run code in the process's address-space (possibly after injecting it via WriteProcessMemory)
Just about everything in PSAPI

I'm sure there are more I've forgotten about. Good luck on your new adventure.

Admiral
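To make the base-plus-offset arithmetic in the reply concrete, here is an added example (not from this thread and not Windows code): a parser for the PE32 headers that ReadProcessMemory would hand back when reading from an exe or DLL base, plus the actual-base + RVA calculation for a relocated module. The header bytes are a constructed sample, and the helper names (parse_pe32, rva_to_va, parse_sample) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field readers/writers (memcpy avoids unaligned access); assumes a little-endian host, as PE and x86 are. */
static uint32_t rd32(const uint8_t *p, size_t off) { uint32_t v; memcpy(&v, p + off, 4); return v; }
static uint16_t rd16(const uint8_t *p, size_t off) { uint16_t v; memcpy(&v, p + off, 2); return v; }
static void wr32(uint8_t *p, size_t off, uint32_t v) { memcpy(p + off, &v, 4); }
static void wr16(uint8_t *p, size_t off, uint16_t v) { memcpy(p + off, &v, 2); }
typedef struct { int ok; uint32_t image_base; uint16_t nsections; uint32_t first_section_rva; } pe_info;
/* Parse the PE32 headers found at a module's base: DOS header ("MZ", e_lfanew at 0x3C) -> "PE\0\0"
   -> IMAGE_FILE_HEADER (20 bytes) -> IMAGE_OPTIONAL_HEADER32 -> IMAGE_SECTION_HEADERs (40 bytes each). */
pe_info parse_pe32(const uint8_t *img, size_t len) {
    pe_info r = {0, 0, 0, 0};
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return r;
    uint32_t nt = rd32(img, 0x3C);
    if (nt > len || len - nt < 24 || memcmp(img + nt, "PE\0\0", 4) != 0) return r;
    uint16_t nsec  = rd16(img, nt + 6);   /* IMAGE_FILE_HEADER.NumberOfSections */
    uint16_t optsz = rd16(img, nt + 20);  /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    size_t opt = nt + 24;
    if (optsz < 32 || len - opt < optsz || rd16(img, opt) != 0x10B) return r; /* 0x10B = PE32 magic */
    r.image_base = rd32(img, opt + 28); r.nsections = nsec;  /* ImageBase: the preferred load address */
    size_t sec = opt + optsz;             /* first IMAGE_SECTION_HEADER follows the optional header */
    if (nsec > 0 && len - sec >= 40) r.first_section_rva = rd32(img, sec + 12); /* VirtualAddress (an RVA) */
    r.ok = 1; return r;
}

/* A static item's linear address is the base the module actually got plus its RVA; relocating a DLL changes the base, not the RVA. */
uint32_t rva_to_va(uint32_t actual_base, uint32_t rva) { return actual_base + rva; }
/* Constructed sample, not a real file: a minimal PE32 header with one ".text" section at RVA 0x1000. */
#define SAMPLE_LEN 0x200
static uint8_t sample[SAMPLE_LEN];
pe_info parse_sample(uint32_t image_base) {
    size_t nt = 0x80, opt = nt + 24, sec = opt + 224;  /* 224 = sizeof(IMAGE_OPTIONAL_HEADER32) */
    memset(sample, 0, SAMPLE_LEN);
    sample[0] = 'M'; sample[1] = 'Z'; wr32(sample, 0x3C, (uint32_t)nt);
    memcpy(sample + nt, "PE\0\0", 4);
    wr16(sample, nt + 6, 1); wr16(sample, nt + 20, 224);          /* one section, PE32-sized optional header */
    wr16(sample, opt, 0x10B); wr32(sample, opt + 28, image_base); /* magic, ImageBase */
    memcpy(sample + sec, ".text", 5); wr32(sample, sec + 12, 0x1000);
    return parse_pe32(sample, SAMPLE_LEN);
}

int main(void) {
    pe_info p = parse_sample(0x400000);  /* the default exe ImageBase named in the thread */
    printf("ImageBase %#x, first section at %#x\n", (unsigned)p.image_base, (unsigned)rva_to_va(p.image_base, p.first_section_rva));
    return 0;
}
```

Against a live process the buffer would be filled by ReadProcessMemory starting at the module base reported by PSAPI (EnumProcessModules and GetModuleInformation) rather than by the constructed sample.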
