Jump to content
  • Advertisement
Sign in to follow this  
Anddos

int memory scanner

This topic is 2537 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

I am trying to make a small program that will find all the int varibles loaded in the memory of my process, source code as follows




int _tmain(int argc, _TCHAR* argv[])
{

GetSystemInfo(&si);
while(dwStart < (DWORD)si.lpMaximumApplicationAddress)
{
LookForInts(dwStart);

if(dwStart + mbi.RegionSize < dwStart)
{
printf("%s\n","breaking");
break;
}

if(mbi.RegionSize != lpRead)
{
printf("Not enough bytes read %d != %d\n",mbi.RegionSize,lpRead);
}

dwStart += mbi.RegionSize;



Sleep(500);

}

return 0;
}

void LookForInts(DWORD dStart)
{
DWORD Pid;
GetWindowThreadProcessId(FindWindow(NULL,"Our Program"),&Pid);
HANDLE Process = OpenProcess(PROCESS_ALL_ACCESS ,true,Pid);
printf("%d %d\n",Pid,dStart);

v = VirtualQueryEx(Process,
(void *)dStart,
&mbi,
sizeof(MEMORY_BASIC_INFORMATION));

if(v == 0)
{
printf("%s\n","breaking");
}
else
{
if(mbi.State == MEM_COMMIT)
{
printf("%s\n","MEM_COMMIT");


if(!ReadProcessMemory(Process, //process handle
(LPVOID)&dStart, //address
(LPVOID)&mbi.RegionSize,
mbi.RegionSize,
&lpRead))
{
printf("%s\n","rpm failed");
}
else
{
printf("%s\n","rpm success");
}



}
}
}

can you tell me if i am on the right track, i want to search 4 bytes in the region and then check if the value is greater than 0, so that will say its a int beng used etc

Share this post


Link to post
Share on other sites
Advertisement
Being able to read four bytes of memory has nothing to do with whether or not that memory is being used as an int. You could get four consecutive bytes being used as chars. You could get half of an eight byte variable. You could get a pointer or a float or pretty much any data type you can imagine.

Share this post


Link to post
Share on other sites
ive just found a reply on a thread i posted ages ago , here is the code


#pragma comment(lib, "advapi32.lib")
#include <windows.h>
#include <stdio.h>

VOID DumpBuffer(const unsigned char* pBuffer, size_t sz)
{
for (size_t i = 0; i < sz; ++i)
printf("0x%x ", pBuffer);
}

BOOL DumpProcessMemory(DWORD dwPid)
{
HANDLE pHandle;
SYSTEM_INFO si;
MEMORY_BASIC_INFORMATION mbi;
LPVOID lpMem;
DWORD dwReturn, dwTotalRead;

pHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
if (pHandle == NULL)
{
printf("OpenProcess failed for PID: %d\n",dwPid);
return FALSE;
}
GetSystemInfo(&si);
lpMem = si.lpMinimumApplicationAddress;
while (lpMem < si.lpMaximumApplicationAddress)
{
mbi.RegionSize = 0;
dwReturn = VirtualQueryEx(pHandle, lpMem, &mbi, sizeof(mbi));
if (dwReturn == sizeof(mbi)) {
if ((mbi.Type == MEM_PRIVATE) && (mbi.State == MEM_COMMIT))
{
if (mbi.RegionSize > 0)
{
const BYTE* cbBuffer =
(BYTE*)HeapAlloc(GetProcessHeap(), NULL, mbi.RegionSize);
if (cbBuffer == NULL)
{
printf ("HeapAlloc failed\n");
return FALSE;
}
ReadProcessMemory(pHandle, mbi.BaseAddress,
(LPVOID)cbBuffer, mbi.RegionSize, &dwTotalRead);
DumpBuffer(cbBuffer, mbi.RegionSize);
HeapFree(GetProcessHeap(), NULL, (LPVOID)cbBuffer);
}
}
lpMem = (LPVOID)((DWORD)mbi.BaseAddress + mbi.RegionSize);
}
else break;
}
CloseHandle(pHandle);
return TRUE;
}

INT main(INT argc, CHAR **argv)
{
DumpProcessMemory(atoi(argv[1]));
return 0;
}



but the problem is its crashing , does anyone know why?

Share this post


Link to post
Share on other sites

so its not possible?

It is not possible, in general, to scan a processes memory space and pick out things that were declared as integers in the source files that created the process (assuming that is what you want). For one, there is no reliable way to recognise integers (originating in a source file or not). As SiCrane said, an integer looks exactly the same as any group of 4 bytes (assuming you are searching for 32 bit integers). Integers can also have negative values, and are frequently zero, so excluding such values seems... a little arbitrary. Secondly, things that were integers in the source files could be in registers.

Now, if you know something particular about the process, you might have better luck. If you know there is a 400 megabyte array of integers in the range 0-4000 somewhere in the processes memory space, you might be able to find that with a certain level of confidence. If you know the layout and type of data structures, again you might be able to deduce the location of certain integers of interest. Maybe in this case you know the integers are always bigger than 0, which is a start but it will have a high false positive rate. If the source file specified unsigned integers, you are more or less back to having no additional knowledge.

So the real question is not how to scan memory for integers, but what are these integers and why are you scanning for them. This knowledge can allow you to build a program that might be able to carry out deductions like the above.

Share this post


Link to post
Share on other sites
The (very disorganized) source for MHS (Memory Hacking Software) can be found here: http://www.memoryhacking.com/forums/viewtopic.php?f=1&t=8385
This has the complete code for what you want to do.
First you should build an array of the chunks you want to scan from the target process. Don’t just run over the chunks and scan them. Put them into an array so that you can break large chunks into multiple smaller chunks.

Then you will ReadProcessMemory() over each chunk to a local buffer.

Then scan over that buffer treating each 4 bytes as an int type.


L. Spiro

Share this post


Link to post
Share on other sites
If you are trying to find the value of all variables of type "integer" in your code, what you are trying to do doesn't make sense. As far as memory goes it's just a string of bits, used to store, literally, "stuff". What it stores and how to interpret it is entirely up to how the program is coded. If you have no information on what the program does with the memory, you can't infer anything about the data.

If it's your process, what you would do is register a list of pointers pointing to each integer variable in your program, and then read the list as usual. It might be possible to automate it depending how the compiler works but "memory" is a typeless buffer.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement
×

Important Information

By using GameDev.net, you agree to our community Guidelines, Terms of Use, and Privacy Policy.

GameDev.net is your game development community. Create an account for your GameDev Portfolio and participate in the largest developer community in the games industry.

Sign me up!