Find a String in Memory

Post by neji »

Hey,

I need to find a certain string in another process's memory and retrieve the address, but I have no idea where to start :(

Post by madshi »

You can do a loop by using VirtualQueryEx. And then you can read out each allocated page by using ReadProcessMemory. Quite easy to do, actually.

Post by neji »

hi :)

After a long time I had time to look at the method you mentioned.

Long story short: I tried to work with VirtualQueryEx, but I wasn't very successful.

I created a dummy.exe with a global variable '1121' in it.

In another app I tried to find that value in memory. Here is what I tried:

Code:

procedure TForm1.GetHProc;
var
  hWnd : Cardinal;
begin
  hWnd := FindWindow(nil,'Form4');

  if hWnd = INVALID_HANDLE_VALUE then
    exit;

  GetWindowThreadProcessId(hWnd,@procid);
  hProc := OpenProcess(PROCESS_ALL_ACCESS,FALSE,procid);
  GetMemMinMax;
  CloseHandle(hProc);
end;

procedure TForm1.GetMemMinMax;
var
  mbi     : TMemoryBasicInformation;
  adress  ,
  start   ,
  ende    : Cardinal;
begin
  adress := $400000;
  while adress < $80000000 do
  begin
    VirtualQueryEx(hProc,
                   ptr(adress),
                   mbi,
                   SizeOf(TMemoryBasicInformation));

    if (mbi.State = MEM_COMMIT) and
       (mbi.Protect = PAGE_READWRITE) and
       (mbi.Type_9 = MEM_PRIVATE) then
    begin
      start := DWORD(mbi.BaseAddress);
      ende  := DWORD(mbi.BaseAddress) + mbi.RegionSize;
      ScanMem(start,ende);   // as hex?
    end;
    adress := adress + mbi.RegionSize;
  end;
  showmessage(ergebnis);
end;

procedure TForm1.ScanMem(start, ende: dword);
var
  dwRead    : DWORD;
  iBuffer   ,
  adress    : Integer;

begin
  showmessage('start ' + inttostr(start) + #13#10 +
              'ende  ' + Inttostr(ende));
  dwRead  := 0;
  iBuffer := 0;

  for adress := start to ende - 1 do
  begin
    ReadProcessMemory(hProc,
                      ptr(adress),
                      @iBuffer,
                      SizeOf(Integer),
                      dwRead);
    if iBuffer = 1121 then
      ergebnis := ergebnis + inttostr(start) + #13#10
  end;
end;

procedure TForm1.btnClick(Sender: TObject);
begin
  GetHProc;
end;

At the end, 'ergebnis' is empty :(
Do you see what I am doing wrong here?

Post by madshi »

I think this "if" is much too restrictive:

Code:

    if (mbi.State = MEM_COMMIT) and
       (mbi.Protect = PAGE_READWRITE) and
       (mbi.Type_9 = MEM_PRIVATE) then 
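
Added example, not code from the thread or from madshi's packages: the VirtualQueryEx / ReadProcessMemory loop discussed above, with the region test relaxed to any committed, readable region. It assumes a 32-bit Delphi of the thread's era, where the byte count passed to ReadProcessMemory is a DWORD; FindInt32, its parameters and its local names are hypothetical.

```delphi
// Needs Windows, SysUtils and Classes in the unit's uses clause.
// hProc needs both PROCESS_QUERY_INFORMATION and PROCESS_VM_READ;
// PROCESS_ALL_ACCESS is more than this scan requires.
// FindInt32 is a hypothetical name; Hits receives hex addresses.
procedure FindInt32(hProc: THandle; Value: Integer; Hits: TStrings);
const
  Unreadable = PAGE_NOACCESS or PAGE_GUARD;
var
  mbi      : TMemoryBasicInformation;
  addr     ,
  nextAddr : Cardinal;
  buf      : array of Byte;
  got      : DWORD;
  i        : Integer;
begin
  addr := 0;
  // VirtualQueryEx returns 0 once addr is outside the user-mode range
  while VirtualQueryEx(hProc, Pointer(addr), mbi, SizeOf(mbi)) <> 0 do
  begin
    // Any committed, readable region qualifies. Requiring MEM_PRIVATE
    // and exactly PAGE_READWRITE skips MEM_IMAGE regions, which is
    // where a module's global variables live.
    if (mbi.State = MEM_COMMIT) and
       ((mbi.Protect and Unreadable) = 0) then
    begin
      // One read per region (not per byte); a very large region
      // would be better read in chunks.
      SetLength(buf, mbi.RegionSize);
      got := 0;
      if ReadProcessMemory(hProc, mbi.BaseAddress, @buf[0],
                           mbi.RegionSize, got) and
         (got >= SizeOf(Integer)) then
        for i := 0 to Integer(got) - SizeOf(Integer) do
          if PInteger(@buf[i])^ = Value then
            Hits.Add(IntToHex(Int64(Cardinal(mbi.BaseAddress)) + i, 8));
    end;
    nextAddr := Cardinal(mbi.BaseAddress) + mbi.RegionSize;
    if nextAddr <= addr then
      Break;               // wrapped past the top of the address space
    addr := nextAddr;
  end;
end;
```

Each hit is the address of the matching 4-byte value itself, not the start of the region that contains it.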