Reading memory from PID not working
I don't know why this doesn't work. I think it worked fine on my Windows SP1 PC, but not on SP2! It's even VB source code from online, modified only slightly.
Code:
' Click handler for Command1: scans the committed private memory of the process
' whose PID is typed into Text4 for the text in Text2 and, after a Yes/No prompt,
' overwrites the first hit with the text in Text3 (with a NUL appended).
' Names used here but not declared in this listing (IsWindowsNT, InstanceToWnd,
' OpenProcess, PROCESS_READ_WRITE_QUERY, GetSystemInfo, VirtualQueryEx,
' ReadProcessMemory, WriteProcessMemory, InvalidateRect, CloseHandle,
' SYSTEM_INFO, MEMORY_BASIC_INFORMATION, MEM_COMMIT, MEM_PRIVATE) presumably
' come from a separate .bas module -- confirm they are declared there.
Private Sub Command1_Click()
Dim pid As Long, hProcess As Long, hWin As Long
Dim lpMem As Long, ret As Long, lLenMBI As Long
Dim lWritten As Long, CalcAddress As Long, lPos As Long
Dim sBuffer As String
Dim sSearchString As String, sReplaceString As String
Dim si As SYSTEM_INFO
Dim mbi As MEMORY_BASIC_INFORMATION
'Search text comes from Text2; the replacement comes from Text3 with a terminating NUL
sSearchString = Text2
sReplaceString = Text3 & Chr(0)
'On NT-based Windows the strings in RAM are UNICODE (2 bytes per character), so
'both strings are widened here to match that layout before comparing and writing
If IsWindowsNT Then 'NT store strings in RAM in UNICODE
sSearchString = StrConv(sSearchString, vbUnicode)
sReplaceString = StrConv(sReplaceString, vbUnicode)
End If
' modification: the original sample launched the target itself; this version
' takes the PID of an already-running process from Text4 instead.
' The String-to-Long assignment raises a runtime error if Text4 is not numeric.
'pid = Shell(Text1) 'launch application (calc.exe in this sample)
pid = Text4.Text
hWin = InstanceToWnd(pid) 'get handle of launched window - only to repaint it after changes
'Open process with required access. The handle is never checked: OpenProcess
'returns 0 on failure (e.g. insufficient rights), in which case VirtualQueryEx
'below fails on the first call, the loop exits through the Else branch and the
'search silently reports nothing -- worth logging before blaming the scan itself.
hProcess = OpenProcess(PROCESS_READ_WRITE_QUERY, False, pid)
'Size of the structure VirtualQueryEx is expected to fill completely
lLenMBI = Len(mbi)
'Determine applications memory addresses range
Call GetSystemInfo(si)
lpMem = si.lpMinimumApplicationAddress
'Scan memory one region at a time, from the lowest to the highest user address
Do While lpMem < si.lpMaximumApplicationAddress
mbi.RegionSize = 0
ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI)
'Anything other than a completely filled structure ends the scan
If ret = lLenMBI Then
'Only committed MEM_PRIVATE regions are examined; regions backed by the
'mapped executable/DLL images or by shared sections are skipped entirely,
'so text that lives only in those images is never seen by this scan.
If mbi.State = MEM_COMMIT And mbi.lType = MEM_PRIVATE Then ' And this block is In use by this process
If mbi.RegionSize > 0 Then
'Buffer is pre-filled with NULs so an unread region looks empty
sBuffer = String(mbi.RegionSize, 0)
'Read region into string. The return value is discarded and lWritten (bytes
'actually read) is never compared with RegionSize, so a failed or partial
'read leaves sBuffer full of NULs and is indistinguishable from "no match".
ReadProcessMemory hProcess, ByVal mbi.BaseAddress, ByVal sBuffer, mbi.RegionSize, lWritten
'Debug trace. Note the first column is the process HANDLE, not the PID, and
'the last column is Len(sBuffer) (always equal to RegionSize), not lWritten.
Open App.Path & "/log.txt" For Append As #1
Print #1, hProcess & " : " & mbi.BaseAddress & " : " & mbi.RegionSize & " : " & Len(sBuffer)
Close #1
'Check if region contains search string (case-insensitive; lPos is 1-based, 0 = not found)
lPos = InStr(1, sBuffer, sSearchString, vbTextCompare)
If lPos Then
CalcAddress = mbi.BaseAddress + lPos
Me.Show
ret = MsgBox("Search string was found at address " & CalcAddress & "." & vbCrLf & "Do you want to replace it?", vbInformation + vbYesNo, "VB-O-Matic")
If ret = vbYes Then
'Replace string in virtual memory. "- 1" turns the 1-based InStr position
'back into an offset from BaseAddress. The return value is not checked.
Call WriteProcessMemory(hProcess, ByVal CalcAddress - 1, ByVal sReplaceString, Len(sReplaceString), lWritten)
'Redraw window
InvalidateRect hWin, 0, 1
End If
'Only the first region containing the text is handled
Exit Do
End If
End If
End If
'Increase base address for the next search cycle. The last address may overflow the
'max Long value (Windows uses 2GB of user address space, which is near the max Long
'value), so add error checking.
On Error GoTo Finished
lpMem = mbi.BaseAddress + mbi.RegionSize
On Error GoTo 0
Else
'VirtualQueryEx failed (invalid handle, end of the address space, ...) - stop scanning
Exit Do
End If
Loop
Finished:
'Reached both after a normal scan and from the overflow error handler above
CloseHandle hProcess
End Sub
and here's log.txt
Code:
284 : 65536 : 4096 : 4096
284 : 131072 : 4096 : 4096
284 : 1220608 : 4096 : 4096
284 : 1224704 : 20480 : 20480
284 : 1310720 : 241664 : 241664
284 : 2359296 : 24576 : 24576
284 : 3276800 : 32768 : 32768
284 : 3407872 : 57344 : 57344
284 : 3473408 : 4096 : 4096
284 : 3538944 : 4096 : 4096
284 : 3604480 : 4096 : 4096
284 : 3608576 : 8192 : 8192
284 : 3670016 : 16384 : 16384
284 : 3866624 : 12288 : 12288
284 : 3997696 : 65536 : 65536
284 : 4063232 : 16384 : 16384
284 : 11321344 : 4096 : 4096
284 : 11325440 : 12288 : 12288
284 : 13238272 : 4096 : 4096
284 : 15847424 : 4096 : 4096
284 : 15851520 : 8192 : 8192
284 : 15859712 : 4096 : 4096
284 : 15925248 : 167936 : 167936
284 : 16973824 : 4096 : 4096
284 : 17170432 : 16384 : 16384
284 : 17235968 : 32768 : 32768
284 : 18284544 : 4096 : 4096
284 : 18350080 : 4096 : 4096
284 : 18415616 : 12288 : 12288
284 : 18481152 : 4096 : 4096
284 : 2147307520 : 4096 : 4096
284 : 2147340288 : 4096 : 4096
284 : 2147344384 : 4096 : 4096
284 : 2147348480 : 4096 : 4096
284 : 2147352576 : 4096 : 4096
PID : mbi.BaseAddress : mbi.RegionSize : Len(sBuffer) (same as regionsize)
When I output sBuffer to a text file, here are a few handpicked pieces of text from what I get.
Code:
: : = : : \ A L L U S E R S P R O F I L E = C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s A P P D A T A = C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ A p p l i c a t i o n D a t a C o m m o n P r o g r a m F i l e s = C : \ P r o g r a m F i l e s \ C o m m o n F i l e s C O M P U T E R N A M E =
C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a ; C : \ W I N D O W S \ s y s t e m 3 2 ; C : \ W I N D O W S \ s y s t e m ; C : \ W I N D O W S ; . ; C : \ G T K \ b i n ; C : \ W I N D O W S \ s y s t e m 3 2 ; C : \ W I N D O W S ; C : \ W I N D O W S \ S y s t e m 3 2 \ W b e m C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a \ W P E P R O . e x e " C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a \ W P E P R O . e x e " C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a \ W P E P R O . e x e W i n S t a 0 \ D e f a u l t
C : \ P r o g r a m F i l e s \ T e c h \ W h e e l M o u s e \ 5 . 3 \ M O U D L 3 2 A . D L L
I find strings like the above many, many times in the 800 KB text file. They have nothing to do with the program I'm trying to detect, which is wpe-pro alpha. Process Explorer is able to read the strings from the program just fine.
Re: Reading memory from PID not working
Perhaps it's a problem with the packet sniffer, since it's an alpha version? Have you tried searching their site/forums for others with this issue?
Re: Reading memory from PID not working
When you come across text like that, it's usually Unicode: 2 bytes per character, the 2nd usually being a Chr$(0), a.k.a. vbNullChar.
Re: Reading memory from PID not working
I don't know why it's not working.
I guess I'll try searching for strings in the EXE of the running app.
There were some strings in there from wpe-pro alpha. However, strings such as "virtualallocex" weren't there, even though Process Explorer shows that they are in memory.
And I'll try opening the text output file with a hex editor and looking for strings whose letters are separated by null values.