ReadProcessMemory

[HezkoreParticipant]

I’m trying to read memory from another process but I’m having a hard time wrapping the Windows API function for it.

https://msdn.microsoft.com/en-us/library/ms680553(v=VS.85).aspx

Anyone got any hints?

[HezkoreParticipant]

I’ve had some progress, but the problem is that the data I get from ReadProcessMemory does not match with what other memory readers show.
For example, the memory address for me at the time of testing $0CC7E8E8 was how far I’ve scrolled in Ted2Go.
That value when read via this example remains unchanged no matter how much I scroll, but I can see the value change in other memory readers just fine.
And restarting the example below displays another value the next time, even though I have NOT scrolled.
So I’m not sure what kind of data I’m getting back…

This may be hard for others to test since the address probably won’t be the same twice, and your Process ID for Ted2Go will be different…
But really, all you have to do is have Ted2Go running, find the PID for Ted2Go and enter that into the example and run it a few times without doing anything in Ted2Go, and you’ll see that the value is different each time.
If you have a memory reader, you can check the address 0CC7E8E8 for Ted2Go and you’ll see that it doesn’t match with what this example shows.

I’m honestly not even sure if I’m wrapping the Win32 functions correctly…
At line 27 – OpenProcess https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx
At line 30 – CloseHandle https://msdn.microsoft.com/en-us/library/windows/desktop/ms724211(v=vs.85).aspx
At line 33 – ReadProcessMemory https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx

Monkey

#Import "<std>" #Import "<mojo>" Using std.. Using mojo.. #Import "<windows.h>" '===IMPORTANT CHANGE THIS TO YOUR TED2 PROCESS ID/PID=== Global Ted2Id:UInt=5392 'Things like Process Explorer for Windows shows you your Ted2 PID 'https://cdn.portableapps.com/ProcessExplorerPortable.png 'Ideally you'd want to search for a window name and get the PID that way 'But I haven't figured that out Global MemoryAddr:=$0CC7E8E8 Extern Struct HANDLE End 'Get a HANDLE via a process ID Function OpenProcess:HANDLE( dwDesiredAccess:UInt, bInheritHandle:Bool, dwProcessId:UInt ) 'Close a HANDLE Function CloseHandle:Bool( hObject:HANDLE ) 'Read memory from a HANDLE Function ReadProcessMemory:Bool( hProcess:HANDLE, lpBaseAddress:UInt Ptr, lpBuffer:Byte Ptr, nSize:Int, lpNumberOfBytesRead:Int ) Public Function ReadMemory:Byte[]( addr:UInt, bytes:Byte ) 'Prepare buffer to store our bytes in Local buff:=New Byte[bytes] 'Open the process to get HANDLE 'Open with PROCESS_VM_READ rights Local process:=OpenProcess( $0010 , False, Ted2Id ) 'Use HANDLE to read memory If Not ReadProcessMemory( process, Varptr addr, Varptr buff[0], bytes, 0 ) Then Print "Unable to read memory!" Endif 'Close the HANDLE If Not CloseHandle( process ) Then Print "Unable to close handle" 'Return memory read Return buff End Class MyWindow Extends Window Method New( title:String="Simple mojo app",width:Int=640,height:Int=480,flags:WindowFlags=Null ) Super.New( title,width,height,flags ) End Method OnRender( canvas:Canvas ) Override App.RequestRender() 'Display our memory stuff Local x:Int=8 Local v:=ReadMemory( MemoryAddr, 4 ) For Local i:=0 Until v.Length canvas.DrawText( v[i], x, 8 ) x+=canvas.Font.TextWidth( v[i] ) x+=canvas.Font.TextWidth( " " ) Next End End Function Main() New AppInstance New MyWindow App.Run() End

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82

#Import "<std>" #Import "<mojo>"   Using std.. Using mojo..   #Import "<windows.h>"       '===IMPORTANT CHANGE THIS TO YOUR TED2 PROCESS ID/PID=== Global Ted2Id:UInt=5392   'Things like Process Explorer for Windows shows you your Ted2 PID 'https://cdn.portableapps.com/ProcessExplorerPortable.png   'Ideally you'd want to search for a window name and get the PID that way 'But I haven't figured that out   Global MemoryAddr:=$0CC7E8E8   Extern Struct HANDLE End 'Get a HANDLE via a process ID Function OpenProcess:HANDLE( dwDesiredAccess:UInt, bInheritHandle:Bool, dwProcessId:UInt ) 'Close a HANDLE Function CloseHandle:Bool( hObject:HANDLE ) 'Read memory from a HANDLE Function ReadProcessMemory:Bool( hProcess:HANDLE, lpBaseAddress:UInt Ptr, lpBuffer:Byte Ptr, nSize:Int, lpNumberOfBytesRead:Int ) Public   Function ReadMemory:Byte[]( addr:UInt, bytes:Byte ) 'Prepare buffer to store our bytes in Local buff:=New Byte[bytes] 'Open the process to get HANDLE 'Open with PROCESS_VM_READ rights Local process:=OpenProcess( $0010 , False, Ted2Id ) 'Use HANDLE to read memory If Not ReadProcessMemory( process, Varptr addr, Varptr buff[0], bytes, 0 ) Then Print "Unable to read memory!" Endif 'Close the HANDLE If Not CloseHandle( process ) Then Print "Unable to close handle" 'Return memory read Return buff End   Class MyWindow Extends Window Method New( title:String="Simple mojo app",width:Int=640,height:Int=480,flags:WindowFlags=Null ) Super.New( title,width,height,flags ) End   Method OnRender( canvas:Canvas ) Override App.RequestRender() 'Display our memory stuff Local x:Int=8 Local v:=ReadMemory( MemoryAddr, 4 ) For Local i:=0 Until v.Length canvas.DrawText( v[i], x, 8 ) x+=canvas.Font.TextWidth( v[i] ) x+=canvas.Font.TextWidth( " " ) Next End End   Function Main() New AppInstance New MyWindow App.Run() End

[Mark SiblyKeymaster]

HANDLE should be:

Alias HANDLE:Void Ptr

[Author]

Posts