-
Jun 14th, 2008, 10:55 AM
#1
Thread Starter
Member
Reading memory from PID not working
I don't know why this doesn't work. I think it worked fine on my Windows SP1 PC, but not SP2! It's even VB source code from online, modified just slightly.
Code:
Private Sub Command1_Click()
    Dim pid As Long, hProcess As Long, hWin As Long
    Dim lpMem As Long, ret As Long, lLenMBI As Long
    Dim lWritten As Long, CalcAddress As Long, lPos As Long
    Dim sBuffer As String
    Dim sSearchString As String, sReplaceString As String
    Dim si As SYSTEM_INFO
    Dim mbi As MEMORY_BASIC_INFORMATION

    sSearchString = Text2
    sReplaceString = Text3 & Chr(0)
    If IsWindowsNT Then 'NT stores strings in RAM as UNICODE (UTF-16, 2 bytes per character)
        sSearchString = StrConv(sSearchString, vbUnicode)
        sReplaceString = StrConv(sReplaceString, vbUnicode)
    End If

    ' modification
    'pid = Shell(Text1) 'launch application (calc.exe in this sample)
    pid = Text4.Text
    hWin = InstanceToWnd(pid) 'get handle of launched window - only to repaint it after changes

    'Open process with required access
    hProcess = OpenProcess(PROCESS_READ_WRITE_QUERY, False, pid)
    lLenMBI = Len(mbi)

    'Determine the application's memory address range
    Call GetSystemInfo(si)
    lpMem = si.lpMinimumApplicationAddress

    'Scan memory
    Do While lpMem < si.lpMaximumApplicationAddress
        mbi.RegionSize = 0
        ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI)
        If ret = lLenMBI Then
            'Only committed private regions (memory in use by this process) are scanned;
            'MEM_IMAGE (the loaded EXE/DLLs) and MEM_MAPPED regions are skipped by this filter
            If mbi.State = MEM_COMMIT And mbi.lType = MEM_PRIVATE Then
                If mbi.RegionSize > 0 Then
                    sBuffer = String(mbi.RegionSize, 0)
                    'Read region into string
                    ReadProcessMemory hProcess, ByVal mbi.BaseAddress, ByVal sBuffer, mbi.RegionSize, lWritten
                    Open App.Path & "\log.txt" For Append As #1
                    Print #1, hProcess & " : " & mbi.BaseAddress & " : " & mbi.RegionSize & " : " & Len(sBuffer)
                    Close #1
                    'Check if region contains search string
                    lPos = InStr(1, sBuffer, sSearchString, vbTextCompare)
                    If lPos Then
                        'InStr is 1-based, so subtract 1 to get the absolute address of the match
                        CalcAddress = mbi.BaseAddress + lPos - 1
                        Me.Show
                        ret = MsgBox("Search string was found at address " & CalcAddress & "." & vbCrLf & "Do you want to replace it?", vbInformation + vbYesNo, "VB-O-Matic")
                        If ret = vbYes Then
                            'Replace string in virtual memory
                            Call WriteProcessMemory(hProcess, ByVal CalcAddress, ByVal sReplaceString, Len(sReplaceString), lWritten)
                            'Redraw window
                            InvalidateRect hWin, 0, 1
                        End If
                        Exit Do
                    End If
                End If
            End If
            'Increase base address for the next search cycle. The last address may overflow the max Long value
            '(Windows uses a 2GB user address space, which is near the max Long), so add error checking
            On Error GoTo Finished
            lpMem = mbi.BaseAddress + mbi.RegionSize
            On Error GoTo 0
        Else
            Exit Do
        End If
    Loop
Finished:
    CloseHandle hProcess
End Sub
and here's log.txt
Code:
284 : 65536 : 4096 : 4096
284 : 131072 : 4096 : 4096
284 : 1220608 : 4096 : 4096
284 : 1224704 : 20480 : 20480
284 : 1310720 : 241664 : 241664
284 : 2359296 : 24576 : 24576
284 : 3276800 : 32768 : 32768
284 : 3407872 : 57344 : 57344
284 : 3473408 : 4096 : 4096
284 : 3538944 : 4096 : 4096
284 : 3604480 : 4096 : 4096
284 : 3608576 : 8192 : 8192
284 : 3670016 : 16384 : 16384
284 : 3866624 : 12288 : 12288
284 : 3997696 : 65536 : 65536
284 : 4063232 : 16384 : 16384
284 : 11321344 : 4096 : 4096
284 : 11325440 : 12288 : 12288
284 : 13238272 : 4096 : 4096
284 : 15847424 : 4096 : 4096
284 : 15851520 : 8192 : 8192
284 : 15859712 : 4096 : 4096
284 : 15925248 : 167936 : 167936
284 : 16973824 : 4096 : 4096
284 : 17170432 : 16384 : 16384
284 : 17235968 : 32768 : 32768
284 : 18284544 : 4096 : 4096
284 : 18350080 : 4096 : 4096
284 : 18415616 : 12288 : 12288
284 : 18481152 : 4096 : 4096
284 : 2147307520 : 4096 : 4096
284 : 2147340288 : 4096 : 4096
284 : 2147344384 : 4096 : 4096
284 : 2147348480 : 4096 : 4096
284 : 2147352576 : 4096 : 4096
PID : mbi.BaseAddress : mbi.RegionSize : Len(sBuffer) (same as regionsize)
When I output the sBuffer to a text file, here are a few handpicked pieces of text from what I get.
Code:
: : = : : \ A L L U S E R S P R O F I L E = C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s A P P D A T A = C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ A p p l i c a t i o n D a t a C o m m o n P r o g r a m F i l e s = C : \ P r o g r a m F i l e s \ C o m m o n F i l e s C O M P U T E R N A M E =
C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a ; C : \ W I N D O W S \ s y s t e m 3 2 ; C : \ W I N D O W S \ s y s t e m ; C : \ W I N D O W S ; . ; C : \ G T K \ b i n ; C : \ W I N D O W S \ s y s t e m 3 2 ; C : \ W I N D O W S ; C : \ W I N D O W S \ S y s t e m 3 2 \ W b e m C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a \ W P E P R O . e x e " C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a \ W P E P R O . e x e " C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a \ W P E P R O . e x e W i n S t a 0 \ D e f a u l t
C : \ P r o g r a m F i l e s \ T e c h \ W h e e l M o u s e \ 5 . 3 \ M O U D L 3 2 A . D L L
I find strings like the above many, many times in the 800 KB text file. Nothing to do with the program I'm trying to detect, which is wpe-pro alpha. Process Explorer is able to read the strings from the program just fine.
-
Jun 14th, 2008, 01:09 PM
#2
Re: Reading memory from PID not working
Perhaps it's a problem with the packet sniffer since it's an alpha version? Have you tried searching their site/forums for others with this issue?
-
Jun 14th, 2008, 01:25 PM
#3
Re: Reading memory from PID not working
When you come across text like that, it's usually Unicode...2 bytes per character...the 2nd usually being a Chr$(0) a.k.a. vbNullChar.
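To illustrate reply #3's point, here is an added example (Python written for this edit, not code from the thread): SAMPLE_REGION is a constructed stand-in for one committed region and BASE_ADDRESS an assumed mbi.BaseAddress; find_string searches the region for both the ANSI and UTF-16LE encodings of a needle (the second being what StrConv(..., vbUnicode) produces in the VB code above), and extract_strings lists printable runs the way a strings tool or Process Explorer's Strings view does.

```python
import re

# Constructed stand-in for one committed region read back from a process.
# It mixes an ANSI string, two UTF-16LE strings (the "C : \ D o c u m e n t s"
# pattern from the thread: one 0x00 after every character) and binary noise.
# Not a real process dump.
BASE_ADDRESS = 0x10000          # assumed mbi.BaseAddress for the sample region
SAMPLE_REGION = (
    b"\x00\x00\x90\x90"
    + b"virtualallocex\x00"                                   # ANSI, 1 byte/char
    + b"\x01\x02"
    + "ALLUSERSPROFILE=C:\\Documents and Settings\\All Users".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + "C:\\WINDOWS\\system32".encode("utf-16-le")
    + b"\x7f"
)

# Printable runs of at least 4 characters, ANSI and UTF-16LE respectively.
ANSI_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def find_string(region, needle, base_address, encodings=("latin-1", "utf-16-le")):
    """Return absolute addresses at which `needle` occurs in `region`.

    Each encoding in `encodings` is tried; searching only "latin-1" reproduces
    the failure in the thread (an ANSI needle never matches UTF-16LE data),
    while "utf-16-le" is what StrConv(..., vbUnicode) produces in the VB code.
    Matching is case-insensitive, like InStr(..., vbTextCompare).
    """
    hits = set()
    for enc in encodings:
        pattern = re.compile(re.escape(needle.encode(enc)), re.IGNORECASE)
        hits.update(base_address + m.start() for m in pattern.finditer(region))
    return sorted(hits)


def extract_strings(region):
    """List (encoding, text) pairs for every printable run, the way a strings
    tool (or Process Explorer's Strings tab) shows both ANSI and Unicode text."""
    found = [("ansi", m.group().decode("latin-1")) for m in ANSI_RUN.finditer(region)]
    found += [("utf16", m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(region)]
    return found


if __name__ == "__main__":
    for enc, text in extract_strings(SAMPLE_REGION):
        print(f"{enc:5} {text}")
    print("ANSI-only search:", find_string(SAMPLE_REGION, "system32", BASE_ADDRESS, ("latin-1",)))
    print("ANSI+UTF-16 search:", find_string(SAMPLE_REGION, "system32", BASE_ADDRESS))
```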
-
Jun 14th, 2008, 07:52 PM
#4
Thread Starter
Member
Re: Reading memory from PID not working
I don't know why it's not working.
I guess I'll try and read for strings in the exe of the app running.
There were some strings in there from wpe-pro alpha. However, strings such as "virtualallocex" weren't there, when Process Explorer shows that they are in memory.
And I'll try opening the text output file with a hex editor and look for strings whose letters are separated by null values.