Read memory - Reading string from address

[alacn]

Below i am using this common readmemory function. Im calling the function like so

Code:

msgbox ReadMemory(hWnd, &H883221, 10)

However it just msg's a long number rather than a string, and i know theres a string at that address. Ive got to edit something in the functon and possible the way i call it, any ideas how?
thanks

Code:

Public Function ReadMemory(hWnd As Long, Address As Long, Bytes As Long, Optional strReplaceWith As String) As String
    'Runs For Not Unicode Strings (VB-Strings)
    On Error Resume Next
    Dim pId As Long        ' Used to hold the Process Id
    Dim pHandle As Long    ' Holds the Process Handle
    Dim bytValue As Long   'Stores the value of a byte in the memory
    Dim i As Long
    Dim Text As String
    Dim BytePass As Integer
   
    ' Get the ProcId of the Window
    GetWindowThreadProcessId hWnd, pId

    ' use the pId to get a handle
    pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pId)

    If (pHandle = 0) Then
         shpCon.FillColor = vbRed
         Timer1.Enabled = False
 
         Exit Function
    End If

    If Address = 0 Then Exit Function

    shpCon.FillColor = vbGreen
    Timer1.Enabled = True
    BytePass = Bytes
    If Bytes = 2 Then BytePass = 4
    For i = 1 To Bytes Step 2
       ' Read Byte to Byte
       
       ReadProcessMemory pHandle, Address + i - 1, bytValue, BytePass, 0&
       'value now contains the long value of the byte located in [Address + i - 1] pos.
       'ReadMemory is a string...
       '
   

       ReadMemory = bytValue

    Next
    'to write numeric values you can ..(Must) use WriteValue API
    If LenB(strReplaceWith) <> 0 Then
        'No Unicode!!
        WriteString pHandle, Address, StrPtr(strReplaceWith), LenB(strReplaceWith), 0&
    End If
    'Close the Handle
    CloseHandle pHandle
End Function

[vb5prgrmr]

Well from what I remember is that you need CopyMemory and the appropriate variable type to recieve the string. I believe, but don't take my word for it, that you will need a byte array and then use StrConv to convert the byte array into the final string you are looking for.



Good Luck

[IanS]

As far as I know you can't actually read a specific memory location - well you can but it's all virtualized. What I mean by that is that Windows is a 'Protected Operating System' so hardware is virtualized. When you think your app is speaking to physical hardware it's just windows "pretending" to allow you to speak to physical memory. It's not the actual computer's actual hardware memory address. So just because one application thinks it can see some data at a specific address doesn't mean that another application will see the same data at that same address.

If you're just looking for some way for applications to share some common data then you might look at a technology called 'Memory Mapped Files'. This is not actually a file - it's just memory but by using the MMF standards you are able to have more than one app reading and writing to the same 'physical' memory.

[alacn]

IanS, the address i am reading contain the data i am after, i know this because all the other address the program reads contain the correct values however those values are long variables so i can read them, however this address is a string and i cant seem to read it due to an error in my coding.

i tried a string convert in the function (ie convert the function return before it was returned) but that didnt work, maybe the code i used was wrong, any code anyone can suggest would be welcomed

[Milk]

I've never used these particular API before but I've had a quick go a a couple of untested functions based on your code and the MSDN reference.

Code:

Public Function ReadProcessBytes(ByVal hWnd As Long, ByVal Address As Long, ByVal Size As Long) As Byte()
    Dim pId As Long
    Dim pHandle As Long
    Dim readsz As Long
    Dim buf() As Byte
    
    If Address <> 0 And Size > 0 Then
        GetWindowThreadProcessId hWnd, pId
        pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pId)
        If pHandle Then
            ReDim buf(Size - 1)
            ReadProcessMemory pHandle, Address, buf(0), Size, readsz
            CloseHandle pHandle
        End If
    End If
    
    If readsz Then
        If readsz <> Size Then ReDim Preserve buf(readsz - 1)
    Else
        buf = vbNullString
    End If
    
    ReadProcessBytes = buf
End Function

Public Function WriteProcessBytes(ByVal hWnd As Long, ByVal Address As Long, Bytes() As Byte) As Long
    Dim pId As Long
    Dim pHandle As Long
    Dim writesz As Long
    
    If Address <> 0 Then
        GetWindowThreadProcessId hWnd, pId
        pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pId)
        If pHandle Then
            WriteProcessMemory pHandle, Address, Bytes(LBound(Bytes)), UBound(Bytes) - LBound(Bytes) + 1, writesz
            CloseHandle pHandle
        End If
    End If
    
    WriteProcessBytes = writesz
End Function

reading a non unicode string would work like this...

Code:

    Dim sTest As String
    sTest = StrConv(ReadProcessBytes(hWnd, Address, Size), vbUnicode)

have you considered that you might be reading a pointer value?

[alacn]

I've never used these particular API before but I've had a quick go a a couple of untested functions based on your code and the MSDN reference.

Code:

Public Function ReadProcessBytes(ByVal hWnd As Long, ByVal Address As Long, ByVal Size As Long) As Byte()
    Dim pId As Long
    Dim pHandle As Long
    Dim readsz As Long
    Dim buf() As Byte
    
    If Address <> 0 And Size > 0 Then
        GetWindowThreadProcessId hWnd, pId
        pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pId)
        If pHandle Then
            ReDim buf(Size - 1)
            ReadProcessMemory pHandle, Address, buf(0), Size, readsz
            CloseHandle pHandle
        End If
    End If
    
    If readsz Then
        If readsz <> Size Then ReDim Preserve buf(readsz - 1)
    Else
        buf = vbNullString
    End If
    
    ReadProcessBytes = buf
End Function

Public Function WriteProcessBytes(ByVal hWnd As Long, ByVal Address As Long, Bytes() As Byte) As Long
    Dim pId As Long
    Dim pHandle As Long
    Dim writesz As Long
    
    If Address <> 0 Then
        GetWindowThreadProcessId hWnd, pId
        pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pId)
        If pHandle Then
            WriteProcessMemory pHandle, Address, Bytes(LBound(Bytes)), UBound(Bytes) - LBound(Bytes) + 1, writesz
            CloseHandle pHandle
        End If
    End If
    
    WriteProcessBytes = writesz
End Function

reading a non unicode string would work like this...

Code:

    Dim sTest As String
    sTest = StrConv(ReadProcessBytes(hWnd, Address, Size), vbUnicode)

have you considered that you might be reading a pointer value?

oh it could be, ill find out. Plus thanks for code, ill give it a bash

[alacn]

ok i used ur function milk however i got a runtime error "out of memory" any ideas?

[Milk]

I never tested them sorry if I messed them up.

I used buf() = vbnullstring to show a fail state by returning an array with a Ubound of -1 and an Lbound of 0. It appears that StrConv can't handle that although it can handle a null string (which is what the fail state buf() converts to). To avoid the error you could use...

Code:

sTest = StrConv(CStr(ReadProcessBytes(hWnd, Address, Size)), vbUnicode)

Unfortunately if buf() is in it's fail state then the function has failed somehow, either because one or more of the parameters is incorrect or more likely because readsz has returned 0 where it should return the number of bytes read, which all going well should be the same as Size.

Can you show me the declares you have used for Read/WriteProcessMemory and can you confirm that you are not using On Error Resume Next.

Edit: No need, I see the code you posted is just a cut and paste from Allapi, I assume you are using the declares from there as well. I'll test them at some point later today to see If I notice anything.

[alacn]

thanks for helping, ill get working on this when i get home. look forward to ur outcome

[Milk]

Sorry not had a chance to test, and possibly won't have for a few days. Big job just landed, never rains but it pours eh.

[alacn]

Milk, sorry to bother your code below worked however, it only returned the first letter of the string. Is there a way to make the function find all the letter in the string?
i did some searching and as i expected the other letters in the string are stored in the next address' along ,so im assuming the function has to loop through the address somehow? but im not sure how to do that.
Also not all the address have a letter in it, sometimes u get a blank address in the sequence, so i guess u would have to take that into consideration too.

please could you help ?

vb Code:

sTest = StrConv(CStr(ReadProcessBytes(hWnd, Address, Size)), vbUnicode)

[alacn]

vb Code:

Public Function ReadProcessBytes(ByVal hWnd As Long, ByVal Address As Long, ByVal Size As Long) As Byte()
    Dim pId As Long
    Dim pHandle As Long
    Dim readsz As Long
    Dim buf() As Byte
    
    If Address <> 0 And Size > 0 Then
        GetWindowThreadProcessId hWnd, pId
        pHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pId)
        If pHandle Then
            ReDim buf(Size - 1)
            ReadProcessMemory pHandle, Address, buf(0), Size, readsz
            CloseHandle pHandle
        End If
    End If
    
    If readsz Then
        If readsz <> Size Then ReDim Preserve buf(readsz - 1)
    Else
        buf = vbNullString
    End If
    
    ReadProcessBytes = buf
End Function

being called

vb Code:

sTest = StrConv(CStr(ReadProcessBytes(hWnd, Address, Size)), vbUnicode)

bump. This almost resolved just need someone to show me how to edit the code in the above function so i can loop through addresses so that it returns whole strings and not just the first letter of each of the string.

[alacn]

bump

[akhileshbc]

bump

I think if you do it again, the moderators will do some actions against you...!

[alacn]

I think if you do it again, the moderators will do some actions against you...!

i dont see why, its a valid question which hasnt been answered yet

[AsmIscool]

The question is valid of course but bumping threads is considered poor netiquette. I have yet to find a forum where it is not frowned upon.