Hi all,
Can someone please give me a clue how to do this. I want to search my own process's memory (or another process's, but in this instance it is my own process) for certain byte values. I am guessing I need to use the kernel "ReadMemory".
I don't really need the search routine as such; what I would be eternally grateful for is: how do I know where to start searching from and where to stop? Do I get the base address of the exe and start from there? How do I know if the block of memory I am about to read is my memory, am I allowed to read it, what is the next block to read, etc.?
Thanks to anyone who can help and I apologise if this question is not appropriate here.
cheers
John
Read / Search process memory
If you want to read memory of your own process, you don't need madKernel at all. Just do a loop with VirtualQuery. This will tell you all pages in your process' memory space which are readable. Read all those pages (with simple pointer access) and search in them. It's not too difficult, once you know how.
VirtualQuery
Hi,
I'm trying to be able to do this for like months, and every time I end up giving up. The only thing I found that was useful was this topic.
I tried a lot using VirtualQuery. I started at page 0x0000000000 and then checked every page until 0x7FFFFFFFFF. But it takes hours to search. And all the MEMORY_BASIC_INFORMATION.AllocationProtect were PAGE_EXECUTE. So I didn't search at any address really.
Am I doing something wrong here?
Any help is much appreciated, thanks a lot!
CoePSX
Ok, look here on how to enumerate the modules of your own process by using a VirtualQuery loop:
// Needs the Windows unit (VirtualQuery, TMemoryBasicInformation, GetModuleFileName)
// and SysUtils (ExtractFileName). Pointer arithmetic goes through dword, so this
// is 32-bit code; on Win64 use NativeUInt for the casts instead.
type
  TModule = record
    handle   : dword;
    fileName : string;
  end;
  TDAModule = array of TModule;

// returns all modules of the current process
function GetModuleList : TDAModule;
var p1, p2 : pointer;
    mbi    : TMemoryBasicInformation;
    arrCh  : array [0..MAX_PATH] of char;
    i1     : integer;
begin
  SetLength(result, 10);
  i1 := 0;
  p1 := nil;   // address to query next, starting at the bottom of the address space
  p2 := nil;   // AllocationBase of the previous region, so each module is reported once
  while VirtualQuery(p1, mbi, sizeOf(mbi)) = sizeOf(mbi) do begin
    // a module begins where a committed region starts its own allocation and
    // the allocation base is accepted as a module handle by GetModuleFileName
    if (mbi.State = MEM_COMMIT) and
       (mbi.AllocationBase <> p2) and (mbi.AllocationBase = mbi.BaseAddress) and
       (GetModuleFileName(dword(mbi.AllocationBase), arrCh, MAX_PATH) > 0) then begin
      if i1 = Length(result) then
        SetLength(result, i1 * 2);
      with result[i1] do begin
        handle   := dword(mbi.AllocationBase);
        fileName := ExtractFileName(arrCh);
      end;
      inc(i1);
    end;
    p2 := mbi.AllocationBase;
    // skip the whole region at once instead of stepping page by page
    dword(p1) := dword(p1) + mbi.RegionSize;
  end;
  SetLength(result, i1);
end;
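As an added example (not code from this thread or from madKernel), here is the VirtualQuery loop described above applied to the original question: walk the current process's address space region by region, keep only committed regions whose current protection (Protect, not AllocationProtect) allows reading, and scan each one for a byte pattern with plain pointer access. It assumes a Delphi that has NativeUInt (2009 or later) so the same code works on Win32 and Win64; FindBytesInProcess and IsReadable are hypothetical names.

```pascal
uses Windows, SysUtils;

type
  TAddressList = array of Pointer;

// True when the region is committed and its current protection (Protect, not
// AllocationProtect, which only records the protection at allocation time)
// allows reads; guard pages are skipped because touching them raises an exception.
function IsReadable(const mbi: TMemoryBasicInformation): Boolean;
const
  ReadableMask = PAGE_READONLY or PAGE_READWRITE or PAGE_WRITECOPY or
    PAGE_EXECUTE_READ or PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY;
begin
  Result := (mbi.State = MEM_COMMIT) and ((mbi.Protect and ReadableMask) <> 0)
    and ((mbi.Protect and PAGE_GUARD) = 0);
end;

// Hypothetical helper: walks the user address space of the current process
// region by region (advancing by RegionSize, not page by page) and returns
// every address at which Pattern occurs, read with plain pointer access.
function FindBytesInProcess(const Pattern: array of Byte): TAddressList;
var
  addr, i, last: NativeUInt;
  mbi: TMemoryBasicInformation;
  cur: Pointer;
  found: Integer;
begin
  Result := nil;
  if Length(Pattern) = 0 then Exit;   // an empty pattern would match everywhere
  SetLength(Result, 16);
  found := 0; addr := 0;
  while VirtualQuery(Pointer(addr), mbi, SizeOf(mbi)) = SizeOf(mbi) do begin
    if IsReadable(mbi) and (mbi.RegionSize >= NativeUInt(Length(Pattern))) then begin
      last := mbi.RegionSize - NativeUInt(Length(Pattern));
      for i := 0 to last do begin
        cur := Pointer(NativeUInt(mbi.BaseAddress) + i);
        // Skip the caller's own Pattern buffer, which is readable memory too.
        if (cur <> @Pattern[0]) and CompareMem(cur, @Pattern[0], Length(Pattern)) then begin
          if found = Length(Result) then SetLength(Result, found * 2);
          Result[found] := cur;
          Inc(found);
        end;
      end;
    end;
    if addr + mbi.RegionSize < addr then Break;   // wrapped past the top
    Inc(addr, mbi.RegionSize);
  end;
  SetLength(Result, found);
end;
```

Other threads can free or re-protect a region between the VirtualQuery call and the read, so in a multithreaded program wrap the scan in try..except (SysUtils maps access violations to EAccessViolation) or suspend the other threads first.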