I'm having the following problem; I am trying to write a program that acts more or less like a debugger. I enter the PID of a process and a value, and it finds all mem addresses at which the value exists in the given process.

This works fine, except for that fact that I don't know where the process memory STARTS. If I start looping at some mem address near the value I am looking for, it comes up with the correct value. However, when I start at address 0 (using ReadProcessMemory), it immidiately returns a FALSE and quits.

I loop the ReadProcessMemory and keep increasing the address, till I get a FALSE, then I assume I am at the end of the process memory, so that works.

How do I figure out the address to BEGIN enumerating at, tho?

Anyone got an idea?

- Fahr
Posted on 2003-03-26 09:25:56 by Fahr

Psapi.dll EnumProcessModules


Kernel32.dll Module32First
Kernel32.dll Module32Next
Posted on 2003-03-26 10:53:40 by Axial
I'm not sure that's what I'm looking for... I want to enum the memory of ONE process, not all of them...

- Fahr
Posted on 2003-03-26 11:40:06 by Fahr
You could get the baseaddress of the Process in memory and the size of the file when loaded, get that from the PE Header etc.
Posted on 2003-03-26 11:46:11 by SFP
The process I'm trying to enum IS already loaded...

- Fahr
Posted on 2003-03-26 11:48:02 by Fahr
This Module32First thing seems to be what I want after all...

except for the fact that the modBaseAddr is a char*. How the heck am I supposed to use that? :S

- Fahr
Posted on 2003-03-26 11:59:13 by Fahr

try VirtualQueryEx
Posted on 2003-03-26 11:59:19 by japheth
Yeah, that really looks like the stuff I need...

But what am I gonna enter for the address param? That's the thing I'm trying to figure out, no?

- Fahr
Posted on 2003-03-26 12:06:37 by Fahr
Well, japheth, it seems to work fine if I NULL the second param :)

I don't know if it's really correct what I'm doing tho, cuz the RegionSize seems to be always 65536... now that maybe logical, but I dunno...

I did a quick thing in C before porting it to ASM, what I do is this; (pInfo is the MEMORY_BASIC_INFORMATION struct) I loop from (DWORD) &pInfo.BaseAddress to ((DWORD) &pInfo.BaseAddress + pInfo.RegionSize) and then do a ReadProcessMemory on every byte I pass...

Does this actually get me thru all the memory, or is it just working in this one case by accident?

- Fahr
Posted on 2003-03-26 12:20:44 by Fahr
One time i wrote something to enumerate process memory.
The code is based on example from Jeffrey Richter's book.
Can't remember but the cod4e is unfinished maybe, like almost all i wrote and write ;)
Posted on 2003-03-26 12:29:15 by Four-F
Well, thanks a lot, but that's a bit too much for me I think :P

What I'm trying to do is pinpoint addresses in game exes of life values etc. to build trainers

- Fahr
Posted on 2003-03-26 12:32:23 by Fahr
Well, what I tried above with the VirtualQueryEx is obviously not working :(

I tried to pinpoint the address of 'gold' in Warcraft 3, but it came up with nothing...

It works with a small test program I made, tho, but it seems like it does nothing on bigger programs, like games... I dunno where I go wrong :S

- Fahr
Posted on 2003-03-26 12:38:22 by Fahr

This Module32First thing seems to be what I want after all...

except for the fact that the modBaseAddr is a char*. How the heck am I supposed to use that? :S

- Fahr

Don't know where you get your incs but here is the correct moduleentry struct from microsoft:

typedef struct tagMODULEENTRY32 {
DWORD dwSize;
DWORD th32ModuleID;
DWORD th32ProcessID;
DWORD GlblcntUsage;
DWORD ProccntUsage;
BYTE * modBaseAddr;
DWORD modBaseSize;
HMODULE hModule;
char szModule[MAX_MODULE_NAME32 + 1];
char szExePath[MAX_PATH];

Also, dont be confused, modBaseAddr IS the base address of the module referenced by the szModule field in the context of the process taken in the snapshot (which is actually the module you are looking for ) To get the base address you need to compare the path of the process your scanning with the szExePath field. Once you get the same, you have your base address.
Posted on 2003-03-26 14:19:10 by Axial