After spending hours searching the board for help on this I can't find a straight answer. :?
I don't need to execute my own code or anything flash like that, I just need to read/write some bytes of memory inside an already running process that does not belong to my process.
If anybody can point me in the right direction I would be very grateful.
For NT/2K/XP...
; Get the ID of the process
invoke GetWindowThreadProcessId,[hwnd],OFFSET PID
; Open the process with virtual memory access rights
invoke OpenProcess,PROCESS_VM_OPERATION \
+ PROCESS_VM_READ + PROCESS_VM_WRITE,0,[PID]
mov [hProcess],eax
; Create a buffer inside the process space (eax still holds hProcess)
invoke VirtualAllocEx,eax,0,[cbData],MEM_COMMIT,PAGE_READWRITE
mov [pMem],eax
; Write to the remote process buffer
invoke WriteProcessMemory,[hProcess],[pMem],\
[pData],[cbData],OFFSET cbWritten
; Copy from the remote buffer
invoke ReadProcessMemory,[hProcess],[pMem],[pData],\
[cbData],OFFSET cbWritten
; Free the memory and close the remote process
invoke VirtualFreeEx,[hProcess],[pMem],0,MEM_RELEASE
invoke CloseHandle,[hProcess]
For 9x/ME you need to use ordinal values. In GoAsm you can define them as follows; in MASM it is more complicated. Since I use GoAsm, you have to figure out the MASM way yourself...
Alloc = COMCTL32.DLL:71
ReAlloc = COMCTL32.DLL:72
Free = COMCTL32.DLL:73
GetSize = COMCTL32.DLL:74
; Allocate memory on the shared heap
invoke Alloc,[cbData]
mov [pMem],eax
; Write to the shared buffer
invoke MemCopy,[pData],[pMem],[cbData]
; Copy the shared buffer to our local buffer
invoke MemCopy,[pMem],[pData],[cbData]
invoke Free,[pMem]
The MemCopy function for the 9x version:
MemCopy FRAME lpSource,lpDest,nBytes
uses edi,esi,ecx
cld
mov edi,[lpDest]
mov esi,[lpSource]
mov ecx,[nBytes]
; do the evenly divisible ones
shr ecx,2
rep movsd
; do the remainder
mov ecx,[nBytes]
and ecx,3
rep movsb
RET
ENDF
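The MASM side that the post above leaves to the reader, as an added example that is not code from the thread: without an import library for the ordinals, resolve them at run time through GetProcAddress, which treats lpProcName as an ordinal when its high word is zero, and refuse to proceed if any of the four is missing. The shared-heap behaviour of these exports is 9x-only, as the post says; the comctl32.dll file name, the MASM32 include paths and the use of RtlMoveMemory in place of the hand-rolled MemCopy are assumptions of this example.

```masm
; Added example: reaching the COMCTL32 shared-heap exports by ordinal from MASM32.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data
szComctl32  db "comctl32.dll",0      ; assumed file name
.data?
pAlloc      dd ?                     ; COMCTL32 ordinal 71
pReAlloc    dd ?                     ; ordinal 72
pFree       dd ?                     ; ordinal 73
pGetSize    dd ?                     ; ordinal 74

.code
; ResolveSharedHeap: fill the four pointers from comctl32.dll.
; Returns eax = 1 on success, 0 if the DLL or any ordinal is missing,
; so nothing below ever calls through a NULL pointer.
ResolveSharedHeap proc uses ebx
    invoke LoadLibrary, ADDR szComctl32
    test eax, eax
    jz fail
    mov ebx, eax
    ; an integer in the low word of lpProcName is taken as an ordinal
    invoke GetProcAddress, ebx, 71
    mov pAlloc, eax
    invoke GetProcAddress, ebx, 72
    mov pReAlloc, eax
    invoke GetProcAddress, ebx, 73
    mov pFree, eax
    invoke GetProcAddress, ebx, 74
    mov pGetSize, eax
    cmp pAlloc, 0
    je fail
    cmp pReAlloc, 0
    je fail
    cmp pFree, 0
    je fail
    cmp pGetSize, 0
    je fail
    mov eax, 1
    ret
fail:
    xor eax, eax
    ret
ResolveSharedHeap endp

; SharedRoundTrip: the same Alloc / copy in / copy out / Free sequence as the
; GoAsm post, calling the resolved pointers with plain push/call (the exports
; are stdcall, so the callee cleans the stack). Returns eax = 1 on success,
; 0 if the ordinals could not be resolved or the allocation failed.
SharedRoundTrip proc pData:DWORD, cbData:DWORD
    LOCAL pMem:DWORD
    invoke ResolveSharedHeap
    .if eax == 0
        ret
    .endif
    push cbData
    call dword ptr pAlloc
    .if eax == NULL
        ret                          ; eax is already 0
    .endif
    mov pMem, eax
    ; RtlMoveMemory(dest, src, len) does the job of the MemCopy routine above
    invoke RtlMoveMemory, pMem, pData, cbData
    invoke RtlMoveMemory, pData, pMem, cbData
    push pMem
    call dword ptr pFree
    mov eax, 1
    ret
SharedRoundTrip endp
end
```

On 9x the block returned by Alloc lives in the shared arena, so the same address is valid in the other process; that is the property the post relies on, and it is also why this method can only ever touch memory it allocated itself.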
niceeee!!!
Secret ordinals, huh? Never knew about them, always used the 8000000h trick and the file mapping trick. Are you absolutely sure that those ordinals are, like, generally available on all of 9x?
Yes, my Desktop listview demo uses them to extract information from the desktop process in all versions of 9x. I have tested them on all OSR releases of 95 and 98.
wow, thank you for the perfect reply Donkey :)
I'm a bit confused about the need to create a buffer inside the process space; do I need to do this if I want to read/write existing memory inside the process?
I just tried the following code and it works perfectly
LOCAL lpdwProcessId:DWORD
LOCAL hProcess:DWORD
LOCAL Buffer:BYTE
; Find the target window and get the ID of the process that owns it
INVOKE FindWindow,OFFSET szClassName,NULL
mov ecx,eax
INVOKE GetWindowThreadProcessId,ecx,ADDR lpdwProcessId
; Open the process for reading only; keep the handle separate from the PID
INVOKE OpenProcess,PROCESS_VM_READ,NULL,lpdwProcessId
mov hProcess,eax
; Read one byte at a fixed address inside the target process
INVOKE ReadProcessMemory,hProcess,0aa69aah,ADDR Buffer,1,NULL
INVOKE CloseHandle,hProcess
I wasn't sure if you needed to read existing memory or not, so I assumed that you did not; after all, the rest is not too difficult to figure out. I should note that the 9x method I posted will not allow you to read/write existing memory; it uses the shared heap and can only allocate memory there.
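Putting the NT/2K/XP answer and the question just above together in MASM32 syntax, as an added example that is not code from either poster: FindWindow to the PID, OpenProcess with only the rights each call needs, and a check of both the return value and the byte count, which the posted snippets skip. The window class "Notepad", the image base 400000h and the MASM32 include paths are assumptions of this example.

```masm
; Added example: read and write existing memory in another process (NT/2K/XP).
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
szClassName db "Notepad",0          ; assumed target window class
.data?
hWndTarget  dd ?
Buffer      db 16 dup(?)

.code
; RemoteRead: copy nBytes at lpRemote in the process owning hTarget into lpLocal.
; Returns eax = bytes actually read, or 0 on any failure.
RemoteRead proc hTarget:DWORD, lpRemote:DWORD, lpLocal:DWORD, nBytes:DWORD
    LOCAL pid:DWORD
    LOCAL hProc:DWORD
    LOCAL cbRead:DWORD

    mov cbRead, 0
    invoke GetWindowThreadProcessId, hTarget, ADDR pid
    .if eax == 0
        ret                         ; not a valid window; eax is already 0
    .endif
    ; Ask only for the right this call needs. PROCESS_ALL_ACCESS is refused
    ; on processes a least-privilege caller may still be allowed to read.
    invoke OpenProcess, PROCESS_VM_READ, FALSE, pid
    .if eax == NULL
        ret                         ; access denied or process gone
    .endif
    mov hProc, eax
    invoke ReadProcessMemory, hProc, lpRemote, lpLocal, nBytes, ADDR cbRead
    ; Check both the BOOL and the count: a range that touches an unmapped
    ; page fails and reports fewer bytes than requested.
    .if eax == 0
        mov cbRead, 0
    .endif
    invoke CloseHandle, hProc
    mov eax, cbRead
    ret
RemoteRead endp

; RemoteWrite: copy nBytes from lpLocal into lpRemote in the target process.
; Returns eax = bytes actually written, or 0 on any failure.
RemoteWrite proc hTarget:DWORD, lpRemote:DWORD, lpLocal:DWORD, nBytes:DWORD
    LOCAL pid:DWORD
    LOCAL hProc:DWORD
    LOCAL cbWritten:DWORD

    mov cbWritten, 0
    invoke GetWindowThreadProcessId, hTarget, ADDR pid
    .if eax == 0
        ret
    .endif
    ; WriteProcessMemory requires PROCESS_VM_WRITE and PROCESS_VM_OPERATION;
    ; VM_OPERATION is also what VirtualProtectEx needs if the page is read-only.
    invoke OpenProcess, PROCESS_VM_WRITE or PROCESS_VM_OPERATION, FALSE, pid
    .if eax == NULL
        ret
    .endif
    mov hProc, eax
    invoke WriteProcessMemory, hProc, lpRemote, lpLocal, nBytes, ADDR cbWritten
    .if eax == 0
        mov cbWritten, 0
    .endif
    invoke CloseHandle, hProc
    mov eax, cbWritten
    ret
RemoteWrite endp

start:
    invoke FindWindow, ADDR szClassName, NULL
    .if eax == NULL
        invoke ExitProcess, 1       ; no such window
    .endif
    mov hWndTarget, eax
    ; 400000h is the default image base of an XP-era EXE (assumed here; ASLR
    ; on later Windows moves it), so the first two bytes should read "MZ".
    invoke RemoteRead, hWndTarget, 400000h, ADDR Buffer, 2
    .if eax != 2
        invoke ExitProcess, 2       ; open or read failed
    .endif
    .if word ptr Buffer != 5A4Dh    ; "MZ" in little-endian order
        invoke ExitProcess, 3
    .endif
    invoke ExitProcess, 0
end start
```

RemoteWrite is the symmetric call; use it only on an address you already own in the target (for instance one returned by VirtualAllocEx, as in the GoAsm post), since writing into the image header read here would corrupt the target. Neither routine needs SeDebugPrivilege for a process running as the same user; for another user's or a protected process, OpenProcess is where the access-denied failure shows up.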
Ah ok, I was expecting it to be a very involved process, not a few lines of code! I was looking too deep...
I'm also surprised it's the 9x versions that are going to be complicated; would the above method not work on Windows 9x for reading existing memory?