Oct-16-2017, 07:56 PM
Hi all,
I am working on my own memory scanner. It uses the Windows API, VirtualQueryEx
and ReadProcessMemory. I am not sure I put down the following properly:
I am sure
Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID)
ran properly, because it didn't return a 0.
Then it's VirtualQueryEx:
current_address = sysinfo.lpMinimumApplicationAddress
end_address = sysinfo.lpMaximumApplicationAddress
while current_address < end_address:
    Kernel32.VirtualQueryEx(Process, \
        current_address, ctypes.byref(mbi), ctypes.sizeof(mbi))
    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
        print('This region can be scanned!')
    current_address += mbi.RegionSize
Now, I think it ran fine as well, because it didn't return 0 at all.
Just to make sure, at the end of scanning a region, I use
current_address += mbi.RegionSize
instead of
current_address += mbi.RegionSize + 1
Right?
Lastly, ReadProcessMemory:
1st Question: The setup.
buffer = ctypes.c_double()
nread = SIZE_T()
ReadProcessMemory(Process, i, ctypes.byref(buffer), ctypes.sizeof(buffer), ctypes.byref(nread))
I used ctypes.c_double() to determine the size of the buffer, so does this mean
that the value I retrieve would be doubles? As in, I know I want to scan for double
values, therefore what I do is what I did here, ask ReadProcessMemory to
read 8 bytes at a time?
Lastly, I don't understand this part about the memory:
if I used VirtualQueryEx to find out if a region of memory is ok to scan, and it
says it's ok, are the values in the region arranged like this:
short, int, double, long, char, double, short,
as in, random?
I am asking this because, if it's random, then I'd have to run ReadProcessMemory
by increasing the value of my loop by ONE (1) at a time, like this:
for i in range(start_of_region, end_of_region, 1):
    ReadProcessMemory(Process, i, ctypes.byref(buffer), ctypes.sizeof(buffer), ctypes.byref(nread))
Is that correct?
Thanks all!
This is my scanner's full code:
https://pastebin.com/bdq0afT0
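Added example (not the poster's code and not taken from the linked pastebin) showing how the three pieces in the post fit together: a region walk with VirtualQueryEx stepping by BaseAddress + RegionSize, a single ReadProcessMemory call per region, and a scan of the returned bytes at every byte offset (stride 1) or at 8-byte-aligned slots (stride 8) using struct, so ReadProcessMemory is not called once per byte. The scanning part works on any bytes object and is exercised on a constructed sample region; the Windows-only parts (OpenProcess, VirtualQueryEx, ReadProcessMemory) run only on win32. The MEMORY_BASIC_INFORMATION layout, Win32 constants and the choice to walk from address 0 until VirtualQueryEx returns 0 are the example's own assumptions.

```python
import ctypes
import struct
import sys
from typing import Iterator, List, Tuple

# Win32 constants (values as defined in the Windows SDK headers).
MEM_COMMIT = 0x1000
PAGE_NOACCESS, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x04, 0x08
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY, PAGE_GUARD = 0x40, 0x80, 0x100
WRITABLE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010


class MBI(ctypes.Structure):
    """MEMORY_BASIC_INFORMATION. ctypes inserts the padding that covers the
    64-bit-only PartitionId field, so this one definition works on both bitnesses."""
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]


def is_scannable(state: int, protect: int) -> bool:
    """Committed, writable, and safe to read from outside the process.
    Protect is a bitmask (PAGE_GUARD may be OR'd onto the base protection),
    so test with & rather than ==; a read of a guard page fails."""
    if state != MEM_COMMIT or protect & (PAGE_GUARD | PAGE_NOACCESS):
        return False
    return bool(protect & WRITABLE_MASK)


def find_doubles(region: bytes, base_address: int, target: float, stride: int = 1) -> List[int]:
    """Addresses in `region` whose 8 bytes decode (little-endian) to `target`.
    ReadProcessMemory only returns raw bytes; interpreting them as a double is
    done here. stride=1 checks every byte offset, stride=8 only aligned slots."""
    hits = []
    for offset in range(0, len(region) - 8 + 1, stride):
        (value,) = struct.unpack_from("<d", region, offset)
        if value == target:
            hits.append(base_address + offset)
    return hits


def _kernel32():
    """Windows only: bind prototypes so 64-bit handles/addresses are not truncated to int."""
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32


def walk_regions(hproc: int, lo: int, hi: int) -> Iterator[Tuple[int, int, int, int]]:
    """Windows only: yield (BaseAddress, RegionSize, State, Protect) for each region.
    The next query address is BaseAddress + RegionSize with no +1: RegionSize already
    counts every byte of the region, and the next region starts right after it."""
    k32, mbi, addr = _kernel32(), MBI(), lo
    while addr < hi:
        if k32.VirtualQueryEx(hproc, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)) == 0:
            break  # 0 = failure, e.g. the address is past the user-mode range
        base = mbi.BaseAddress or 0  # c_void_p gives None for address 0
        yield base, mbi.RegionSize, mbi.State, mbi.Protect
        addr = base + mbi.RegionSize


def read_region(hproc: int, base: int, size: int) -> bytes:
    """Windows only: read a whole region in one call; empty bytes if it cannot be read
    (a page can be freed between the query and the read, so do not abort the scan)."""
    k32, buf, nread = _kernel32(), ctypes.create_string_buffer(size), ctypes.c_size_t(0)
    if not k32.ReadProcessMemory(hproc, base, buf, size, ctypes.byref(nread)):
        return b""
    return buf.raw[:nread.value]


def scan_process(pid: int, target: float, stride: int = 1) -> List[int]:
    """Windows only: open `pid` read-only and return every address holding `target`."""
    k32 = _kernel32()
    hproc = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not hproc:
        raise OSError("OpenProcess(%d) failed, error %d" % (pid, k32.GetLastError()))
    hits: List[int] = []
    try:  # walk from 0 until VirtualQueryEx refuses the address (end of user space)
        for base, size, state, protect in walk_regions(hproc, 0, 1 << (8 * ctypes.sizeof(ctypes.c_void_p))):
            if is_scannable(state, protect):
                hits.extend(find_doubles(read_region(hproc, base, size), base, target, stride))
    finally:
        k32.CloseHandle(hproc)
    return hits


def demo_region() -> bytes:
    """Constructed sample region: mixed field types, with 3.75 stored once at an
    8-byte-aligned offset (8) and once unaligned (25), as a real heap might."""
    return b"".join([struct.pack("<h", 7), struct.pack("<i", 1234), struct.pack("<h", -1),
                     struct.pack("<d", 3.75), struct.pack("<q", 99), b"A",
                     struct.pack("<d", 3.75), struct.pack("<h", 5), b"\x00" * 5])


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.platform == "win32":
        print([hex(a) for a in scan_process(int(sys.argv[1]), float(sys.argv[2]))])
    else:
        region = demo_region()
        print("every byte offset:", [hex(a) for a in find_doubles(region, 0x10000, 3.75)])
        print("8-byte aligned only:", [hex(a) for a in find_doubles(region, 0x10000, 3.75, stride=8)])
```

Run it with no arguments on any platform to see the constructed region scanned both ways; on Windows, `python scanner.py <pid> 3.75` scans a live process. Start with stride 8 for speed and fall back to stride 1 only if the aligned pass finds nothing, since compilers normally place doubles on 8-byte boundaries.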