I don't know why this doesn't work. I think it worked fine on my Windows SP1 PC, but not on SP2! It's even VB source code from online, modified just slightly.
Code:
'Requires the API Declares, the SYSTEM_INFO / MEMORY_BASIC_INFORMATION Types and the
'IsWindowsNT / InstanceToWnd helpers from the original online sample (not shown here)
Private Sub Command1_Click()
    Dim pid As Long, hProcess As Long, hWin As Long
    Dim lpMem As Long, ret As Long, lLenMBI As Long
    Dim lWritten As Long, CalcAddress As Long, lPos As Long
    Dim sBuffer As String
    Dim sSearchString As String, sReplaceString As String
    Dim si As SYSTEM_INFO
    Dim mbi As MEMORY_BASIC_INFORMATION

    sSearchString = Text2
    sReplaceString = Text3 & Chr(0)
    If IsWindowsNT Then
        'NT stores strings in RAM in UNICODE
        sSearchString = StrConv(sSearchString, vbUnicode)
        sReplaceString = StrConv(sReplaceString, vbUnicode)
    End If

    ' modification
    'pid = Shell(Text1)        'launch application (calc.exe in this sample)
    pid = Text4.Text
    hWin = InstanceToWnd(pid)  'get handle of launched window - only to repaint it after changes

    'Open process with required access
    hProcess = OpenProcess(PROCESS_READ_WRITE_QUERY, False, pid)
    lLenMBI = Len(mbi)

    'Determine the application's memory address range
    Call GetSystemInfo(si)
    lpMem = si.lpMinimumApplicationAddress

    'Scan memory
    Do While lpMem < si.lpMaximumApplicationAddress
        mbi.RegionSize = 0
        ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI)
        If ret = lLenMBI Then
            'Only committed MEM_PRIVATE regions are searched (heap, stack, private allocations);
            'MEM_IMAGE and MEM_MAPPED regions (the EXE's own sections, loaded DLLs, mapped files) are skipped
            If mbi.State = MEM_COMMIT And mbi.lType = MEM_PRIVATE Then   ' And this block is in use by this process
                If mbi.RegionSize > 0 Then
                    sBuffer = String(mbi.RegionSize, 0)
                    'Read region into string (return value is not checked, so a failed read leaves sBuffer all zeros)
                    ReadProcessMemory hProcess, ByVal mbi.BaseAddress, ByVal sBuffer, mbi.RegionSize, lWritten
                    Open App.Path & "/log.txt" For Append As #1
                    Print #1, hProcess & " : " & mbi.BaseAddress & " : " & mbi.RegionSize & " : " & Len(sBuffer)
                    Close #1
                    'Check if region contains search string
                    lPos = InStr(1, sBuffer, sSearchString, vbTextCompare)
                    If lPos Then
                        CalcAddress = mbi.BaseAddress + lPos
                        Me.Show
                        ret = MsgBox("Search string was found at address " & CalcAddress & "." _
                            & vbCrLf & "Do you want to replace it?", vbInformation + vbYesNo, "VB-O-Matic")
                        If ret = vbYes Then
                            'Replace string in virtual memory (lPos is 1-based, hence the -1)
                            Call WriteProcessMemory(hProcess, ByVal CalcAddress - 1, ByVal sReplaceString, Len(sReplaceString), lWritten)
                            'Redraw window
                            InvalidateRect hWin, 0, 1
                        End If
                        Exit Do
                    End If
                End If
            End If
            'Increase base address for the next search cycle. The last address may exceed the max Long value
            '(Windows uses 2GB of user memory, which is near the max Long value), so add error checking
            On Error GoTo Finished
            lpMem = mbi.BaseAddress + mbi.RegionSize
            On Error GoTo 0
        Else
            Exit Do
        End If
    Loop

Finished:
    CloseHandle hProcess
End Sub
and here's log.txt
PID : mbi.BaseAddress : mbi.RegionSize : Len(sBuffer) (same as regionsize)
Code:
284 : 65536 : 4096 : 4096
284 : 131072 : 4096 : 4096
284 : 1220608 : 4096 : 4096
284 : 1224704 : 20480 : 20480
284 : 1310720 : 241664 : 241664
284 : 2359296 : 24576 : 24576
284 : 3276800 : 32768 : 32768
284 : 3407872 : 57344 : 57344
284 : 3473408 : 4096 : 4096
284 : 3538944 : 4096 : 4096
284 : 3604480 : 4096 : 4096
284 : 3608576 : 8192 : 8192
284 : 3670016 : 16384 : 16384
284 : 3866624 : 12288 : 12288
284 : 3997696 : 65536 : 65536
284 : 4063232 : 16384 : 16384
284 : 11321344 : 4096 : 4096
284 : 11325440 : 12288 : 12288
284 : 13238272 : 4096 : 4096
284 : 15847424 : 4096 : 4096
284 : 15851520 : 8192 : 8192
284 : 15859712 : 4096 : 4096
284 : 15925248 : 167936 : 167936
284 : 16973824 : 4096 : 4096
284 : 17170432 : 16384 : 16384
284 : 17235968 : 32768 : 32768
284 : 18284544 : 4096 : 4096
284 : 18350080 : 4096 : 4096
284 : 18415616 : 12288 : 12288
284 : 18481152 : 4096 : 4096
284 : 2147307520 : 4096 : 4096
284 : 2147340288 : 4096 : 4096
284 : 2147344384 : 4096 : 4096
284 : 2147348480 : 4096 : 4096
284 : 2147352576 : 4096 : 4096
When I output sBuffer to a text file, here are a few handpicked pieces of text from what I get.
Code:
: : = : : \ A L L U S E R S P R O F I L E = C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s
A P P D A T A = C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ A p p l i c a t i o n D a t a
C o m m o n P r o g r a m F i l e s = C : \ P r o g r a m F i l e s \ C o m m o n F i l e s
C O M P U T E R N A M E = C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a ; C : \ W I N D O W S \ s y s t e m 3 2 ; C : \ W I N D O W S \ s y s t e m ; C : \ W I N D O W S ; . ; C : \ G T K \ b i n ; C : \ W I N D O W S \ s y s t e m 3 2 ; C : \ W I N D O W S ; C : \ W I N D O W S \ S y s t e m 3 2 \ W b e m
C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a \ W P E P R O . e x e
" C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a \ W P E P R O . e x e "
C : \ D o c u m e n t s a n d S e t t i n g s \ A D M I N \ D e s k t o p \ w p e p r o a l p h a 0 _ 9 a \ W P E P R O . e x e
W i n S t a 0 \ D e f a u l t
C : \ P r o g r a m F i l e s \ T e c h \ W h e e l M o u s e \ 5 . 3 \ M O U D L 3 2 A . D L L
I find strings like the above many, many times in the 800 KB text file. They have nothing to do with the program I'm trying to detect, which is wpe-pro alpha. Process Explorer is able to read the strings from the program just fine.
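An added example, not code from the post: a small Python script that parses the log.txt format the VB code above writes and reports which virtual addresses its MEM_PRIVATE-only scan actually read, plus a buffer search that tries both ANSI and UTF-16LE instead of fixing the encoding once up front. The log excerpt is copied from the posted log, and DEFAULT_IMAGE_BASE is an assumption (the usual Win32 default), not a value from the post.

```python
# Added example (not from the post): parse the log.txt format that the posted
# VB code writes ("hProcess : BaseAddress : RegionSize : Len(sBuffer)") and
# report what the MEM_PRIVATE-only scan actually covered.
from dataclasses import dataclass

# Constructed input: five lines copied from the posted log (full log has 35).
LOG_EXCERPT = """\
284 : 65536 : 4096 : 4096
284 : 1310720 : 241664 : 241664
284 : 4063232 : 16384 : 16384
284 : 11321344 : 4096 : 4096
284 : 2147352576 : 4096 : 4096
"""
# Assumption: the target EXE is mapped at the common Win32 default image base.
DEFAULT_IMAGE_BASE = 0x400000

@dataclass(frozen=True)
class Region:
    base: int   # mbi.BaseAddress
    size: int   # mbi.RegionSize

def parse_log(text: str) -> list:
    """One Region per well-formed log line; anything else is skipped."""
    regions = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 4 or not all(p.isdigit() for p in parts):
            continue
        _handle, base, size, _read = (int(p) for p in parts)
        regions.append(Region(base, size))
    return regions

def scanned_bytes(regions) -> int:
    """Total bytes the loop handed to ReadProcessMemory."""
    return sum(r.size for r in regions)

def is_covered(regions, addr: int) -> bool:
    """True if addr lies inside a region the scan read (region end exclusive)."""
    return any(r.base <= addr < r.base + r.size for r in regions)

def find_string(buf: bytes, needle: str):
    """First hit as (offset, encoding), trying ANSI then UTF-16LE in turn."""
    for enc in ("latin-1", "utf-16-le"):
        pos = buf.find(needle.encode(enc))
        if pos >= 0:
            return pos, enc
    return None
```

On the full posted log no BaseAddress range includes 4194304 (0x400000), so under the image-base assumption is_covered returns False there, which is consistent with the code's MEM_PRIVATE filter never reading MEM_IMAGE regions.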