Thread: search for ints from the memory

  1. #1
    Registered User
    Join Date
    Nov 2002
    Posts
    319

    search for ints from the memory

    I am trying to make a small program that will find all the int variables loaded in the memory of my process; source code as follows:

    Code:
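    #include <windows.h>
    #include <tchar.h>
    #include <stdio.h>
    #include <stdlib.h>

    // Globals shared by _tmain and LookForInts
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION mbi;
    SIZE_T lpRead;      // bytes actually copied by ReadProcessMemory
    SIZE_T v;           // return value of VirtualQueryEx (0 on failure)
    ULONG_PTR dwStart;  // pointer-sized, so the address is not truncated on 64-bit

    void LookForInts(ULONG_PTR dStart);

    int _tmain(int argc, _TCHAR* argv[])
    {
        GetSystemInfo(&si);
        dwStart = (ULONG_PTR)si.lpMinimumApplicationAddress;

        while (dwStart < (ULONG_PTR)si.lpMaximumApplicationAddress)
        {
            mbi.RegionSize = 0;
            lpRead = 0;
            LookForInts(dwStart);

            // Stop if the query failed or the next address would wrap around
            if (v == 0 || dwStart + mbi.RegionSize < dwStart)
            {
                printf("%s\n", "breaking");
                break;
            }

            // Only committed regions are read, so only those can come up short
            if (mbi.State == MEM_COMMIT && mbi.RegionSize != lpRead)
            {
                printf("Not enough bytes read %llu != %llu\n",
                       (unsigned long long)mbi.RegionSize,
                       (unsigned long long)lpRead);
            }

            dwStart += mbi.RegionSize;

            Sleep(500);
        }

        return 0;
    }

    void LookForInts(ULONG_PTR dStart)
    {
        DWORD Pid = 0;
        GetWindowThreadProcessId(FindWindow(NULL, _T("Our  Program")), &Pid);

        // Querying and reading need only these two rights, not PROCESS_ALL_ACCESS
        HANDLE Process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, Pid);
        if (Process == NULL)
        {
            printf("%s\n", "OpenProcess failed");
            v = 0;
            return;
        }
        printf("%lu %p\n", Pid, (void *)dStart);

        v = VirtualQueryEx(Process,
                           (void *)dStart,
                           &mbi,
                           sizeof(MEMORY_BASIC_INFORMATION));

        if (v == 0)
        {
            printf("%s\n", "VirtualQueryEx failed");
        }
        else if (mbi.State == MEM_COMMIT)
        {
            printf("%s\n", "MEM_COMMIT");

            // Read the region into its own buffer: the address argument is the
            // remote base address and the buffer is local memory of RegionSize bytes
            BYTE *buffer = (BYTE *)malloc(mbi.RegionSize);

            if (buffer == NULL ||
                !ReadProcessMemory(Process,          // process handle
                                   mbi.BaseAddress,  // address in the target
                                   buffer,           // local destination
                                   mbi.RegionSize,
                                   &lpRead))
            {
                printf("%s\n", "rpm failed");
            }
            else
            {
                printf("%s\n", "rpm success");
            }

            free(buffer);
        }

        // The handle is opened on every call, so release it on every call
        CloseHandle(Process);
    }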
    Can you tell me if I am on the right track? I want to search 4 bytes in the region and then check if the value is greater than 0, so that will say it's an int being used, etc.

  2. #2
    C++ Witch laserlight's Avatar
    Join Date
    Oct 2003
    Location
    Singapore
    Posts
    28,413
    Why do you want to do this in the first place?

    I may be wrong, but I don't think that just "searching" memory will work, e.g., a four byte int would appear indistinguishable from four consecutive chars.
    Quote Originally Posted by Bjarne Stroustrup (2000-10-14)
    I get maybe two dozen requests for help with some sort of programming or design problem every day. Most have more sense than to send me hundreds of lines of code. If they do, I ask them to find the smallest example that exhibits the problem and send me that. Mostly, they then find the error themselves. "Finding the smallest program that demonstrates the error" is a powerful debugging tool.
    Look up a C++ Reference and learn How To Ask Questions The Smart Way
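
The point in the reply above, shown as an added example that is not part of the original thread: applying the "4 bytes greater than 0" test from the first post to a constructed buffer. The buffer contents and the function names `count_positive_words` and `build_sample` are made up for this illustration, and a 4-byte IEEE-754 `float` is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Count aligned 4-byte words whose value, read as int32_t, is > 0:
   the test proposed in the first post. */
size_t count_positive_words(const unsigned char *buf, size_t len)
{
    size_t hits = 0;
    for (size_t off = 0; off + sizeof(int32_t) <= len; off += sizeof(int32_t)) {
        int32_t v;
        memcpy(&v, buf + off, sizeof v);  /* no alignment or aliasing problems */
        if (v > 0)
            hits++;
    }
    return hits;
}

/* Constructed sample region, laid out as:
   int 319 | float 1.5f | "Our " | "Prog" | int -1 | int 0
   Only the first and the last two words are really ints. */
size_t build_sample(unsigned char *out, size_t cap)
{
    const int32_t ints[3] = { 319, -1, 0 };
    const float   f = 1.5f;  /* bit pattern 0x3FC00000 */
    const char    text[8] = { 'O', 'u', 'r', ' ', 'P', 'r', 'o', 'g' };
    size_t n = 0;

    if (cap < sizeof ints + sizeof f + sizeof text)
        return 0;
    memcpy(out + n, &ints[0], sizeof ints[0]);     n += sizeof ints[0];
    memcpy(out + n, &f, sizeof f);                 n += sizeof f;
    memcpy(out + n, text, sizeof text);            n += sizeof text;
    memcpy(out + n, &ints[1], 2 * sizeof ints[0]); n += 2 * sizeof ints[0];
    return n;
}

int main(void)
{
    unsigned char region[24];
    size_t n = build_sample(region, sizeof region);

    /* Four words pass the test, but only one of them (319) is an int;
       the float and the two text words are false positives, and the
       real ints -1 and 0 are missed. */
    printf("%zu of %zu words pass the > 0 test\n",
           count_positive_words(region, n), n / sizeof(int32_t));
    return 0;
}
```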

  3. #3
    'Allo, 'Allo, Allo
    Join Date
    Apr 2008
    Posts
    639
    Man, you've been at this and its various permutations (strings, ints, etc) for 6 years now (if the link expires it's Anddos' threads containing ReadProcessMemory). We all admire your perseverance, but it's probably time to give it up as a bad job.

  4. #4
    Registered User
    Join Date
    Nov 2002
    Posts
    319
    I've just found a reply on a thread I posted ages ago; here is the code:

    Code:
    #pragma comment(lib, "advapi32.lib")
    #include <windows.h>
    #include <stdio.h>
    
    VOID DumpBuffer(const unsigned char* pBuffer, size_t sz)
    {
        for (size_t i = 0; i < sz; ++i)
            printf("0x%x ", pBuffer[i]);
    }
    
    BOOL DumpProcessMemory(DWORD dwPid)
    {
        HANDLE pHandle;
        SYSTEM_INFO si;
        MEMORY_BASIC_INFORMATION mbi;
        LPVOID lpMem;
        DWORD dwReturn, dwTotalRead;
    
        pHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPid);
        if (pHandle == NULL)
        {
            printf("OpenProcess failed for PID: %d\n",dwPid);
            return FALSE;
        }
        GetSystemInfo(&si);
        lpMem = si.lpMinimumApplicationAddress;
        while (lpMem < si.lpMaximumApplicationAddress)
        {
            mbi.RegionSize = 0;
            dwReturn = VirtualQueryEx(pHandle, lpMem, &mbi, sizeof(mbi));
            if (dwReturn == sizeof(mbi)) {
                if ((mbi.Type == MEM_PRIVATE) && (mbi.State == MEM_COMMIT))
                {
                    if (mbi.RegionSize > 0)
                    {
                        const BYTE* cbBuffer =
                            (BYTE*)HeapAlloc(GetProcessHeap(), NULL, mbi.RegionSize);
                        if (cbBuffer == NULL)
                        {
                            printf ("HeapAlloc failed\n");
                            return FALSE;
                        }
                        ReadProcessMemory(pHandle, mbi.BaseAddress,
                            (LPVOID)cbBuffer, mbi.RegionSize, &dwTotalRead);
                        DumpBuffer(cbBuffer, mbi.RegionSize);
                        HeapFree(GetProcessHeap(), NULL, (LPVOID)cbBuffer);
                    }
                }
                lpMem = (LPVOID)((DWORD)mbi.BaseAddress + mbi.RegionSize);
            }
            else break;
        }
        CloseHandle(pHandle);
        return TRUE;
    }
    
    INT main(INT argc, CHAR **argv)
    {
        DumpProcessMemory(atoi(argv[1]));
        return 0;
    }
    But the problem is it's crashing. Does anyone know why?

  5. #5
    Algorithm Dissector iMalc's Avatar
    Join Date
    Dec 2005
    Location
    New Zealand
    Posts
    6,318
    I'll try and help even though I feel like I'll be trying to help you find the pot at the end of the rainbow. Perhaps your description of what you're trying to do is just extremely poor to the point of being not at all what you are trying to do.

    With the debugger attached, what line of code does it show when it breaks into the debugger after it crashes and you click 'Retry'?
    My homepage
    Advice: Take only as directed - If symptoms persist, please see your debugger

    Linus Torvalds: "But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong"

  6. #6
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    We might want to ask "Why?" the OP wants to do this.

    Security wise, trying to read memory belonging to a different process is some serious bad juju.

  7. #7
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    @Anddos, Your email request for assistance has been acknowledged. Respond appropriately.
