For example, if a memory address within the process had the value 1616, how could I find it?

Last Post by m4ster_r0shi

You can use ReadProcessMemory:

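#include <windows.h>
#include <iostream>
#include <cstring>
#include <cstdint>

using namespace std;

int main()
{
    char data[20] = "Hello, World!!!";

    // Same size as the write below, so WriteProcessMemory never reads
    // past the end of its source.
    char replacement[20] = "Yo! What's up?";

    char buffer[20] = { 0 };

    HANDLE my_process = GetCurrentProcess();

    // uintptr_t is pointer-sized on both 32-bit and 64-bit builds.
    uintptr_t address = 0;

    cout << "(before) " << data << endl;

    while (true)
    {
        // The call fails on unreadable addresses; only compare the buffer
        // when the read actually succeeded.
        if (ReadProcessMemory(my_process, (LPCVOID) address, buffer, sizeof(buffer), 0)
            && strcmp(data, buffer) == 0)
        {
            cout << "found it!" << endl;

            if (!WriteProcessMemory(my_process, (LPVOID) address, replacement, sizeof(replacement), 0))
                cout << "write failed, error " << GetLastError() << endl;

            break;
        }

        ++address;
    }

    cout << "(after) " << data << endl;

    cout << "(hit enter to quit...)"; cin.get();

    return 0;
}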

[EDIT]

I didn't do it here, as this is just an example, but usually you'll
want to make few ReadProcessMemory calls with big buffers
instead of many ReadProcessMemory calls with small buffers.

It can make a huge difference in performance...

[/EDIT]

If you want to do this with other processes, you'll first have
to get the debug privilege and then use OpenProcess.

That's how you can get the debug privilege:

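HANDLE my_process;
HANDLE htoken = NULL;
TOKEN_PRIVILEGES tp;
LUID luid;
bool enabled = false;

my_process = GetCurrentProcess();

// Request only the rights AdjustTokenPrivileges needs, not TOKEN_ALL_ACCESS.
if (OpenProcessToken(my_process, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &htoken))
{
    // SE_DEBUG_NAME is TEXT("SeDebugPrivilege"), so it builds as ANSI or Unicode.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // The call can return TRUE without enabling anything; GetLastError()
        // is ERROR_NOT_ALL_ASSIGNED when the token does not hold the privilege.
        enabled = AdjustTokenPrivileges(htoken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), 0, 0)
                  && GetLastError() == ERROR_SUCCESS;
    }

    CloseHandle(htoken);
}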

You can find additional info for all of these functions on MSDN:

http://msdn.microsoft.com/en-us/library/ms683179(v=vs.85).aspx (GetCurrentProcess)

http://msdn.microsoft.com/en-us/library/ms680553(v=vs.85).aspx (ReadProcessMemory)
http://msdn.microsoft.com/en-us/library/ms681674(v=vs.85).aspx (WriteProcessMemory)

http://msdn.microsoft.com/en-us/library/aa379295(v=vs.85).aspx (OpenProcessToken)
http://msdn.microsoft.com/en-us/library/aa379180(v=vs.85).aspx (LookupPrivilegeValue)
http://msdn.microsoft.com/en-us/library/aa375202(v=vs.85).aspx (AdjustTokenPrivileges)

http://msdn.microsoft.com/en-us/library/ms684320(v=vs.85).aspx (OpenProcess)

Edited by m4ster_r0shi: n/a

Votes + Comments
nice..
You wrote A LOT
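
Added example (not part of the original post, and not m4ster_r0shi's code): the [EDIT] advice about a few big reads instead of many small ones, with the one edge case it introduces, a value that straddles two buffers. The `ReadFn` callback stands in for ReadProcessMemory so the sketch runs anywhere; `sample_read`, `scan_chunked`, `demo` and the 4096-byte sample memory are constructed for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>

// Stand-in for ReadProcessMemory (assumption): copy n bytes at addr, false if unreadable.
using ReadFn = std::function<bool(std::uintptr_t, void*, std::size_t)>;

// Constructed sample "address space": 4096 zero bytes based at 0x10000.
static const std::uintptr_t kBase = 0x10000;
static std::vector<unsigned char> g_mem(4096, 0);

bool sample_read(std::uintptr_t addr, void* out, std::size_t n)
{
    if (addr < kBase || n > g_mem.size() || addr - kBase > g_mem.size() - n) return false;
    std::memcpy(out, g_mem.data() + (addr - kBase), n);
    return true;
}

// Every address in [start, end) where pat occurs, using one read per chunk.
std::vector<std::uintptr_t> scan_chunked(const ReadFn& read, std::uintptr_t start,
    std::uintptr_t end, const void* pat, std::size_t pat_len, std::size_t chunk)
{
    std::vector<std::uintptr_t> hits;
    if (pat_len == 0 || chunk < pat_len || end <= start) return hits;
    std::vector<unsigned char> buf(chunk);
    for (std::uintptr_t addr = start; end - addr >= pat_len; ) {
        std::size_t n = std::min<std::uintptr_t>(chunk, end - addr);
        if (read(addr, buf.data(), n))            // a failed read skips the chunk
            for (std::size_t i = 0; i + pat_len <= n; ++i)
                if (std::memcmp(buf.data() + i, pat, pat_len) == 0)
                    hits.push_back(addr + i);
        // Step back pat_len - 1 bytes so a match straddling two chunks is
        // seen whole by the next read, and no start offset is tested twice.
        addr += n - (pat_len - 1);
    }
    return hits;
}

// Plant the question's value 1616 at two offsets, one crossing a 64-byte boundary.
std::vector<std::uintptr_t> demo(std::size_t chunk)
{
    const std::uint32_t value = 1616;
    std::fill(g_mem.begin(), g_mem.end(), 0);
    std::memcpy(&g_mem[62], &value, sizeof value);
    std::memcpy(&g_mem[1000], &value, sizeof value);
    return scan_chunked(sample_read, kBase, kBase + g_mem.size(), &value, sizeof value, chunk);
}
```

Against a real process the range passed in would be one readable region at a time, so a failed read does not hide readable bytes that share a chunk with unreadable ones.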