Ok. I'm working a program that reads the memory of another process. I've gotten it to read & write to the other process and have the correct results. Now I'm looking to be able to search the address space of the other process. Here's my questions:

= 1 =
The data are at a different locations everytime it starts. Using TASM or MASM, does anyone have a routine to search the memory of another process?

At the start of the program I have to re-search my name and enter that address in my source code then recompile it. It only taks a few seconds to complete, but it's a pain in the @$$.

= 2 =
I don't know how to phrase this question, so here's an example:
I need to store 4 memory addresses (ex. c00000, c00008, c00010, c00018). Their locations change after every run, but always 8 bytes apart. After searching (Problem #1) for the address, I'd like to add 8 bytes to the 1st address, to get the 2nd address, then add 8 bytes to the 2nd addres to get the 3rd address, etc. Would anyone have a routine for that also?

Any help/hints/tips/comments/compliments would be greatly appreciated!

Posted on 2001-10-14 20:51:15 by XECRVTBY

I think a basic search routine like this should work. This scans for a 2 dword match.


cld ; clear direction flag, process string left to right
mov ecx, dwSize ; size of region (divided by 4 bytes) to search as a counter in ecx
lea edi, lpAddress ; start address of region to search, load source in edi

mov eax, 52434558h ; load dword to scan for in accumulator, reverse order


repne scasd ; scan for 'XECR'
; decrements ecx by 1, increments edi by 4
jnz finish ; jump if not found

cmp dword ptr , 59425456h ; test if next dword is 'VTBY'
jnz again



If a successful match is found, edi points to your 2nd dword (c00004), so points to c00008 and so on. Hope that's right anyway ;)

Posted on 2001-10-15 00:42:15 by Kayaker
Since this is a different process, the easiest would be to use ReadProcessMemory() and WriteProcessMemory() on an OpenProcess() handle. First of all, if you are making a game-trainer and some of them have DMA (Dynamic Memory Allocation) addresses. What you need to do is find a double-pointer. That is where the application stores the pointers to allocated memory. This address should be fixed. Either you find that manually or you do the actual searching. You probably just need to search the data sections, so you can do this similar with some PE knowledge.
1. ReadProcessMemory() the process at 400000h to an IMAGE_DOS_HEADER structure.
2. ReadProcessMemory() the process at 400000h+IMAGE_DOS_HEADER.e_lfanew into a IMAGE_NT_HEADERS structure.
3. Allocate IMAGE_NT_HEADERS.FileHeader.NumberOfSections amount of IMAGE_SECTION_HEADER structure (or just have one, loop and read into one).
4. Read the section(s) right after IMAGE_NT_HEADERS into your allocated buffer.
5. If the section is a data section, proceed with searching.
6. Search the process from the IMAGE_SECTION_HEADER.VirtualAddress for IMAGE_SECTION_HEADER.SizeOfRawData (or VirtualSize) bytes.
7. After you have found your data, read the first dword.
8. Add 8 to the pointer you have just written to.
9. Repeat steps 7 and 8 for the rest of the dwords you need to write.

The process handle in question could be obtained by OpenProcess() which needs the process' identifier. It can be obtained by GetWindowThreadProcessId() which needs a handle to a window that belongs to the process in question. The handle to the window could be obtained by FindWindow(). If you have any more questions, e-mail me or reply to this post.
Posted on 2001-10-15 19:45:50 by comrade

Sorry for not saying this earlier, but I currently use the ReadProcessMemory(), WriteProcessMemory(). I have no problem with those, it's just the searching part I'm unable to do.

I've heard other people talking about DMA, but I haven't had experience with that. I've read you can use SoftIce (which I use) to determine the DMA address, but no instructions were available. Would you know how to do that?

Thanks again.
Posted on 2001-10-15 20:15:12 by XECRVTBY

Great! Thanks, I'll give it try. Will let you know how it turns out.
Posted on 2001-10-15 20:16:28 by XECRVTBY
400000h will *usually* work, but not always. There *are* PE exes
around that don't have a default base addy of 400000h. Not very
often, though :). Oh yeah, and PE exes *can* be relocated (under
NT/2k at least, haven't checked win9x yet). But I doubt you'll ever
see a normal PE exe relocated :).
Posted on 2001-10-15 20:21:34 by f0dder
f0dder: Yes, true. But my point is exactly same as yours - chances of it not being 400000h are very slim. You can do a search for the MZ header on the process. I wish there was an API for getting the base address, but I hear searching needs to be done about this.
XECRVTBY: The DMA address can by looking at the referencing code. First you breakpoint on your current memory address and then SoftICE will drop you where it is referenced. Look a few lines up, it should be getting the address from a DMA pointer storage. Go from there.
Posted on 2001-10-15 21:49:21 by comrade
Btw commie, you might wanna not use the term "DMA" for Dynamic
Memory Allocation, since DMA is usually that... What was it...
Direct Memory Access? (off-cpu memory moves)
Posted on 2001-10-15 21:52:55 by f0dder
yeah Direct Memory Access in the context of CPUs and interrupts and devices and all that...
but its Dynamic Memory Allocation for all train0r dudes out there
Posted on 2006-04-19 23:30:32 by comrade
Heh whoa, welcome back from the dead (both commie and this thread).
Posted on 2006-04-20 04:35:00 by f0dder