How can I know a process's memory range, from its beginning to its ending address?

I opened the process as below,

FindWindowA
GetWindowThreadProcessId
OpenProcess
ReadProcessMemory

and I want to search for some value,
but I don't know how I can get the start and end address to search.

help me...
Posted on 2002-02-06 01:37:52 by muzidowa
Well, I've been thinking on this one 'cause I find it tricky. There certainly are some other solutions but I can't think of any right now. So, my solution is to inject some code into the process you are investigating and call GetModuleHandle, 0 - you will get what you want. As for the end address, you'll have to figure it out from the PE header, but it's easy when you already have the handle. I only wonder how the injected code will pass the obtained handle to your app - under 9x it's easy - memory mapped files - but I don't know how to do it under 2k/XP - it must also be easy, but I never had a need to do it.
Posted on 2002-02-08 01:51:02 by marcinbu
Usually you use ReadProcessMemory to scan a running EXE file, but you need to start it first with OpenProcess. A more or less routine thing to do with an application you start yourself.

If the references to "injected" code involve modifying someone else's binary, this posting will get "ejected" REAL fast, so keep this stuff out of here. :grin:

Regards,

hutch@movsd.com
Posted on 2002-02-08 08:02:25 by hutch--
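The scan hutch describes (OpenProcess, then ReadProcessMemory over a range), worked through as an added example that is not code from the thread. The portable part is the scanner itself: it reads the range in chunks and carries the last nlen-1 bytes of each chunk into the next, because a value that straddles a chunk boundary is otherwise silently missed. The reader callback, the sample memory image and its planted 0xDEADBEEF values are constructed here for the demonstration. The section under `#ifdef _WIN32` wires the same scanner to ReadProcessMemory and, going beyond the thread, answers the original question directly: rather than guessing a start and end address, VirtualQueryEx enumerates the target's regions and each committed, readable one is scanned in turn.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CHUNK_SIZE 4096
#define NEEDLE_MAX 64

/* "Read n bytes at addr into dst"; returns bytes read, 0 on failure. Abstracting the read lets
   the same scanner run over a local buffer here and over ReadProcessMemory on Windows. */
typedef size_t (*mem_reader)(void *ctx, uint64_t addr, uint8_t *dst, size_t n);

/* Scan [start, end) for needle. Reads CHUNK_SIZE at a time and keeps the last nlen-1 bytes of
   each chunk in front of the next, so a match crossing a chunk boundary is still found.
   Stores up to max_hits addresses in hits; returns the total number of matches. */
size_t scan_range(mem_reader rd, void *ctx, uint64_t start, uint64_t end,
                  const uint8_t *needle, size_t nlen, uint64_t *hits, size_t max_hits)
{
    uint8_t buf[NEEDLE_MAX + CHUNK_SIZE];
    size_t carry = 0, found = 0;
    uint64_t addr = start;

    if (nlen == 0 || nlen > NEEDLE_MAX || start >= end) return 0;
    while (addr < end) {
        size_t want = (end - addr < CHUNK_SIZE) ? (size_t)(end - addr) : CHUNK_SIZE;
        size_t got = rd(ctx, addr, buf + carry, want);
        if (got == 0) {            /* unreadable chunk: skip it, never join bytes across the gap */
            addr += want;
            carry = 0;
            continue;
        }
        size_t total = carry + got;
        for (size_t i = 0; i + nlen <= total; i++) {
            if (memcmp(buf + i, needle, nlen) == 0) {
                if (found < max_hits) hits[found] = addr - carry + i;  /* absolute address */
                found++;
            }
        }
        carry = (total >= nlen - 1) ? nlen - 1 : total;
        memmove(buf, buf + total - carry, carry);
        addr += got;
    }
    return found;
}

/* Constructed stand-in for a target's memory: 10000 bytes with 0xDEADBEEF (little-endian)
   planted at four offsets, two of which straddle a 4096-byte chunk boundary. */
#define SAMPLE_BASE 0x00400000ULL
#define SAMPLE_LEN  10000
static uint8_t sample_mem[SAMPLE_LEN];
static const uint8_t sample_needle[4] = { 0xEF, 0xBE, 0xAD, 0xDE };

static void init_sample(void)
{
    static const size_t at[] = { 100, 4094, 8190, 9990 };
    for (size_t i = 0; i < SAMPLE_LEN; i++) sample_mem[i] = (uint8_t)(i * 7); /* filler, never spells the needle */
    for (size_t k = 0; k < 4; k++) memcpy(sample_mem + at[k], sample_needle, 4);
}

static size_t sample_reader(void *ctx, uint64_t addr, uint8_t *dst, size_t n)
{
    (void)ctx;
    if (addr < SAMPLE_BASE || addr + n > SAMPLE_BASE + SAMPLE_LEN) return 0;
    memcpy(dst, sample_mem + (addr - SAMPLE_BASE), n);
    return n;
}

/* Demo entry point over the constructed image; returns the match count and fills hits[]. */
size_t scan_sample(uint64_t *hits, size_t max_hits)
{
    init_sample();
    return scan_range(sample_reader, NULL, SAMPLE_BASE, SAMPLE_BASE + SAMPLE_LEN,
                      sample_needle, 4, hits, max_hits);
}

#ifdef _WIN32
#include <windows.h>

static size_t rpm_reader(void *ctx, uint64_t addr, uint8_t *dst, size_t n)
{
    SIZE_T got = 0;
    if (!ReadProcessMemory((HANDLE)ctx, (LPCVOID)(uintptr_t)addr, dst, n, &got)) return 0;
    return (size_t)got;
}

/* Walk the target's address space with VirtualQueryEx and scan every committed region that is
   not PAGE_NOACCESS or PAGE_GUARD (touching a guard page would fire it in the target). */
size_t scan_process(DWORD pid, const uint8_t *needle, size_t nlen, uint64_t *hits, size_t max_hits)
{
    HANDLE h = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t p = 0;
    size_t found = 0;
    if (!h) return 0;
    while (VirtualQueryEx(h, (LPCVOID)p, &mbi, sizeof mbi) == sizeof mbi) {
        uintptr_t base = (uintptr_t)mbi.BaseAddress, next = base + mbi.RegionSize;
        if (mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)))
            found += scan_range(rpm_reader, h, base, next, needle, nlen,
                                hits + (found < max_hits ? found : max_hits),
                                found < max_hits ? max_hits - found : 0);
        if (next <= base) break;   /* wrapped past the top of the address space */
        p = next;
    }
    CloseHandle(h);
    return found;
}
#endif
```

The returned count is the true number of matches even when hits[] is smaller, so a caller can size a second pass. A failed read skips that chunk and drops the carry, which avoids a false match assembled from bytes on either side of an unreadable page.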
Injected code has its (legal) uses. I will soon be writing a piece of
code to keep track of HeapAlloc/HeapFree and VirtualAlloc/VirtualFree
mismatches. This will deal with code injection, IAT patching, and
several other topics that hutch doesn't like... but it will be legal,
written for debugging purposes, and show that these techniques
can be applied in very useful, very legal, and very very nice ways.

As for passing the GetModuleHandle(0) return back to the main
app, you can use VirtualProtect to unprotect the code section at
some known location, write the handle there, and have the main
app read it back. Thing is... you need a known code location ;).
You could also put it in a register and use GetThreadContext. But
you still need a known addy to do the injection (if you want to be
9x compatible anyway). And if you know the name of the EXE file,
you can get to the PE header anyway, and thus know the base
address (on 99% of the executables out there anyway.)
Posted on 2002-02-08 12:41:01 by f0dder
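marcinbu's and f0dder's point that the range can be taken from the PE header, worked through as an added example (not code from the thread). The DOS header's e_lfanew field leads to the "PE\0\0" signature, then the COFF header, then the optional header, whose ImageBase is the start and whose SizeOfImage is the mapped length; start + SizeOfImage is the end address. Offsets are those of the PE/COFF specification, and the code goes beyond the 2002 thread by also accepting PE32+ (64-bit) headers. The sample header produced by build_sample_pe_header is constructed here and is not a real executable. The caveat f0dder's "99%" hints at: ImageBase is only the preferred address, so for an image that was relocated, feed the parser a ReadProcessMemory copy of the headers at the base GetModuleHandle returns rather than the file on disk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Just enough of the PE/COFF layout to locate ImageBase and SizeOfImage. */
#define DOS_MAGIC          0x5A4D      /* "MZ" */
#define PE_SIGNATURE       0x00004550  /* "PE\0\0" */
#define OPT_MAGIC_PE32     0x10B
#define OPT_MAGIC_PE32PLUS 0x20B

typedef struct {
    uint64_t image_base;     /* preferred load address: where the image starts */
    uint32_t size_of_image;  /* bytes the loader maps, section-aligned */
    uint64_t image_end;      /* image_base + size_of_image (exclusive) */
    int      pe32plus;
} pe_image_range;

/* Little-endian readers/writers, so the parser does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Parse the headers at the front of an EXE image (the file, or a ReadProcessMemory copy of the
   first page). Every access is bounds-checked against len, so a truncated or hostile header
   fails with -1 instead of being read past. Returns 0 on success. */
int pe_image_range_from_header(const uint8_t *buf, size_t len, pe_image_range *out)
{
    if (len < 0x40 || rd16(buf) != DOS_MAGIC) return -1;
    uint32_t e_lfanew = rd32(buf + 0x3C);                 /* file offset of "PE\0\0" */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2) return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != PE_SIGNATURE) return -1;
    uint16_t opt_size = rd16(nt + 4 + 16);                /* COFF SizeOfOptionalHeader */
    const uint8_t *opt = nt + 4 + 20;                     /* optional header follows COFF */
    if (opt_size < 0x3C || (size_t)(opt - buf) + opt_size > len) return -1;
    switch (rd16(opt)) {
    case OPT_MAGIC_PE32:
        out->pe32plus = 0;
        out->image_base = rd32(opt + 0x1C);               /* 4-byte ImageBase */
        break;
    case OPT_MAGIC_PE32PLUS:
        out->pe32plus = 1;
        out->image_base = rd64(opt + 0x18);               /* 8-byte ImageBase, no BaseOfData */
        break;
    default:
        return -1;
    }
    out->size_of_image = rd32(opt + 0x38);                /* same offset in both formats */
    out->image_end = out->image_base + out->size_of_image;
    return 0;
}

/* Constructed sample header (no DOS stub, no sections): only the fields the parser consults.
   Returns bytes written, 0 if cap is too small. */
size_t build_sample_pe_header(uint8_t *buf, size_t cap, int pe32plus)
{
    uint16_t opt_size = pe32plus ? 0xF0 : 0xE0;           /* usual optional-header sizes */
    size_t total = 0x40 + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                               /* e_lfanew */
    uint8_t *nt = buf + 0x40, *opt = nt + 24;
    wr32(nt, PE_SIGNATURE);
    wr16(nt + 4 + 16, opt_size);
    wr32(opt + 0x38, 0x6000);                             /* SizeOfImage */
    if (pe32plus) { wr16(opt, OPT_MAGIC_PE32PLUS); wr64(opt + 0x18, 0x140000000ULL); }
    else          { wr16(opt, OPT_MAGIC_PE32);     wr32(opt + 0x1C, 0x00400000); }
    return total;
}
```

Read at least SizeOfHeaders bytes (a page is enough in practice) before calling the parser; the bounds checks exist precisely because a header read from an untrusted process or file can claim an e_lfanew or SizeOfOptionalHeader that points outside what you actually read.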
Good idea! If you're using 2k/XP it's quite easy to save something at a known location 'cause after VirtualAllocEx you know exactly where you have injected the code, so you can save the handle, for example, at the beginning of the allocated memory. If you also use CreateRemoteThread you can try WaitForSingleObject to make sure the handle is already there when you try to ReadProcessMemory it.

If you know the location of the EXE file everything is easy, but I thought muzidowa wants to attach to a running process that he knows nothing about.

@hutch: hey, even Matt Pietrek talks about code injection in an MSJ/MSDN "Under the Hood" article about the DelayLoad feature - another example of legal use of injection :grin:
Posted on 2002-02-09 04:15:04 by marcinbu
I can also think of a number of illegal uses for code injection, like placing a virus's payload in someone else's file or hacking a copyrighted EXE file, so if anyone wants to post ANY of this stuff, it will magically disappear.

Don't take my warning lightly. I have been around for many years and so have at least some of our moderators, and smartarse wisecracks to protect crappy ideas for illegal coding are well understood, so keep it legal and keep it clean or it will disappear.

Regards,

hutch@movsd.com
Posted on 2002-02-09 05:26:05 by hutch--
Hutch, does that mean *any* injection (and related topics) will be
removed, or only the bad ones? I'm all for removing the bad ones...
but it's sorta sucky if something useful has to go just because it
could potentially be twisted into something no-no.
Posted on 2002-02-09 09:54:51 by f0dder
And try to think of it this way: if I asked how to append some code to the end of an executable, my post would be removed. And I only wanted to implement an executable packer/protector, for example... So, where is the magic line which divides the things into good and bad ones?
Posted on 2002-02-09 13:31:43 by marcinbu
f0dder,

I accept that you are not a native English speaker, but what I have posted is clear in English: if anything here is illegal, it will disappear, and if the poster persists, so will he. There is an appropriate place for discussion of forum policy among moderators; feel free to take it up with me there.

The error in your logic is a quantification error, confusing the difference between ALL and SOME.

marcinbu,

If you want to use any technology for legal purposes, feel free to do so, but if any of it is illegal or parts its hair the wrong way, it will disappear if it is posted here. Just as a note on one of your questions, it is common to use append technology; many SFX programs do just that and many installation programs do the same.

The distinction is between legal usages and viral code, which in very old examples used to append a payload at the end of the EXE file. It is a very easy technique to detect with virus scanners, so it appears to have fallen out of the methods used by the virus idiot fringe.

To anybody who wants to live dangerously and tread the fine line between legal and illegal: be prepared to be questioned or warned about what is being posted. This forum will not be used as a posting place for illegal activities, no matter what.

Regards,

hutch@movsd.com
Posted on 2002-02-09 16:41:10 by hutch--