Read / Search process memory

delphi package - easy access to kernel objects etc.
jh092
Posts: 3
Joined: Fri Oct 07, 2005 1:31 am

Read / Search process memory

Post by jh092 »

Hi all,

Can someone please give me a clue how to do this. I want to search my own process's memory (or another process, but in this instance it is my own process) for certain byte values. I am guessing I need to use the kernel "ReadMemory".

I don't really need the search routine as such, what I would be eternally grateful for is, how do I know where to start searching from and where to stop. Do I get the base address of the exe and start from there? How do I know if the block of memory I am about to read is my memory, am I allowed to read it, what is the next block to read etc.

Thanks to anyone who can help and I apologise if this question is not appropriate here.

cheers

John
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

If you want to read memory of your own process, you don't need madKernel at all. Just do a loop with VirtualQuery. This will tell you all pages in your process' memory space which are readable. Read all those pages (with simple pointer access) and search in them. It's not too difficult, once you know how.
CoePSX
Posts: 2
Joined: Fri Oct 20, 2006 5:28 am
Location: Brazil

VirtualQuery

Post by CoePSX »

Hi,

I've been trying to be able to do this for like months, and every time I end up giving up. The only thing I found that was useful was this topic.

I tried a lot using VirtualQuery. I started at page 0x0000000000 and then checked every page until 0x7FFFFFFFFF. But it takes hours to search. And all the MEMORY_BASIC_INFORMATION.AllocationProtect values were PAGE_EXECUTE. So I didn't really search at any address.

Am I doing something wrong here?
Any help is much appreciated, thanks a lot!

CoePSX
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Ok, look here on how to enumerate the modules of your own process by using a VirtualQuery loop:

Code:

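// needs: uses Windows, SysUtils;
// note: the dword casts assume a 32-bit process
type
  TModule = record
    handle   : dword;   // module handle, i.e. the base address of the mapped image
    fileName : string;  // file name without the path
  end;
  TDAModule = array of TModule;

// returns all modules of the current process
function GetModuleList : TDAModule;
var p1, p2 : pointer;   // p1 = address to query next, p2 = allocation base of the previous region
    mbi    : TMemoryBasicInformation;
    arrCh  : array [0..MAX_PATH] of char;
    i1     : integer;   // number of modules found so far
begin
  SetLength(result, 10);
  i1 := 0;
  p1 := nil;
  p2 := nil;
  // walk the address space region by region; VirtualQuery fails past the end of user space
  while VirtualQuery(p1, mbi, sizeOf(mbi)) = sizeOf(mbi) do begin
    // a module starts at the first committed region of a new allocation,
    // and GetModuleFileName succeeds only if that allocation base is a module handle
    if (mbi.State = MEM_COMMIT) and
       (mbi.AllocationBase <> p2) and (mbi.AllocationBase = mbi.BaseAddress) and
       (GetModuleFileName(dword(mbi.AllocationBase), arrCh, MAX_PATH) > 0) then begin
      // grow the result array when it is full
      if i1 = Length(result) then
        SetLength(result, i1 * 2);
      with result[i1] do begin
        handle   := dword(mbi.AllocationBase);
        fileName := ExtractFileName(arrCh);
      end;
      inc(i1);
    end;
    p2 := mbi.AllocationBase;
    // skip the whole region in one step instead of going page by page
    dword(p1) := dword(p1) + mbi.RegionSize;
  end;
  // trim the array to the number of modules found
  SetLength(result, i1);
end;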
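
Added example, not part of any post in this thread: the VirtualQuery loop described above applied to the original question, counting occurrences of a byte pattern in the readable memory of the current process. It assumes a Delphi version that has NativeUInt and TBytes; CanRead, CountPattern and the marker bytes are names and values made up for this example.

```delphi
program ScanOwnMemory;
{$APPTYPE CONSOLE}
uses Windows, SysUtils;
const
  // Protect values that allow a plain pointer read
  READABLE = PAGE_READONLY or PAGE_READWRITE or PAGE_WRITECOPY or
             PAGE_EXECUTE_READ or PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY;

// Test mbi.Protect (the region's current protection), not
// mbi.AllocationProtect (the protection requested when it was allocated).
function CanRead(const mbi: TMemoryBasicInformation): Boolean;
begin
  Result := (mbi.State = MEM_COMMIT) and
            ((mbi.Protect and READABLE) <> 0) and
            ((mbi.Protect and (PAGE_GUARD or PAGE_NOACCESS)) = 0);
end;

// Counts matches of pat in every readable region of this process.
// A match that straddles two adjacent regions is not detected.
function CountPattern(const pat: TBytes): Integer;
var addr, last : NativeUInt;
    mbi        : TMemoryBasicInformation;
    p          : PByte;
begin
  Result := 0;
  addr := 0;
  if Length(pat) = 0 then Exit;
  while VirtualQuery(Pointer(addr), mbi, SizeOf(mbi)) = SizeOf(mbi) do begin
    if CanRead(mbi) and (mbi.RegionSize >= NativeUInt(Length(pat))) then
      try
        p := mbi.BaseAddress;
        last := NativeUInt(p) + mbi.RegionSize - NativeUInt(Length(pat));
        while NativeUInt(p) <= last do begin
          if (p^ = pat[0]) and CompareMem(p, @pat[0], Length(pat)) then Inc(Result);
          Inc(p);
        end;
      except
        on EAccessViolation do ; // another thread freed or reprotected the region
      end;
    addr := NativeUInt(mbi.BaseAddress) + mbi.RegionSize; // jump a whole region, not one page
    if addr = 0 then Break; // address wrapped around
  end;
end;

var marker : TBytes; i : Integer;
begin
  SetLength(marker, 8);                       // constructed sample pattern, built at run time
  for i := 0 to 7 do marker[i] := $A0 + i;
  Writeln('matches: ', CountPattern(marker)); // at least 1: the marker buffer itself
end.
```
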
CoePSX
Posts: 2
Joined: Fri Oct 20, 2006 5:28 am
Location: Brazil

Post by CoePSX »

Thank you a lot for the help! I'll try that when I return home today! :D