ReadProcessMemory

Started by Augural Sentinel, April 05, 2006, 06:34 PM


Augural Sentinel

I'm helping somebody with a program they are making and I need a good reference or an example for ReadProcessMemory.  Would anybody happen to have a link to a site that demonstrates how to properly use this?  I've found examples in C#, but it really needs to be in C++.

Basically, I need to read an unknown value from another program's memory.  Since the address changes every time the program is run, I have no idea how to do this.  It appears to be possible to do it with C# unless the code example I found only happens to work once.

At the very least, is it possible to access the registers another program is using?

Kp

Yes.  Look at GetThreadContext.  If the value is moving with every run, it's probably stored in dynamic memory.  The target process must have a pointer to the dynamic memory somewhere.  Read that, then use that to track down the value you want.  Beware that there may be several levels of indirection involved.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

Augural Sentinel

Alright, thank you.  I was being told it's absolutely impossible unless I know what the value is in which case I can write a function to search for it in the other program's memory (which would completely defeat the purpose of accessing it in the first place).

Edit:

Okay, I found this line of code in OllyDbg:
MOV BYTE PTR DS:[EDX],AL
When I look at the register EDX, it shows me the memory address that I need.  So, after Googling and searching MSDN, I didn't find much to help my case.  Does anyone know of a starting point to access another program's registers?

Kp

GetThreadContext!  That gets you all of the registers of the thread you target.  Use SetThreadContext if you need to change it.

Adron

Though at this time it might be appropriate to point out that values in registers do not quite stay the same throughout the execution of a program.

Augural Sentinel

Quote from: Adron on April 07, 2006, 04:33 AM
Though at this time it might be appropriate to point out that values in registers do not quite stay the same throughout the execution of a program.
Yeah, I realized that after a while.  I guess I'm going to have to find where in the code the memory address is determined.

tA-Kane

And in fact, it's possible (though unlikely) that, unless your target program is suspended, the pointer will have changed between the time that you read the pointer and the time you read the data pointed to by the pointer.
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com
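The two points made above, Kp's "find the pointer, then follow several levels of indirection" and tA-Kane's warning that a pointer can move between reads, fit together in one routine. The C++ below is an added example, not code from this thread or from any of the posters. The reader is abstracted behind a small callback so the pointer walk can be exercised against a constructed in-memory "target" (the addresses 0x00400000, 0x00A00000, 0x00B00000, 0x00C00000, the offsets and the value 0x1234ABCD are all made up for the example); on Windows the adapter at the bottom wraps the real ReadProcessMemory, which assumes a handle opened with PROCESS_VM_READ. Re-resolving the chain after the value read is only a check that the chain did not move under you; if you need certainty, suspend the target first, as tA-Kane says.

```cpp
// Added example: multi-level pointer chasing over another process's memory,
// with a re-walk to detect the pointer-moved-between-reads race.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <map>
#include <optional>
#include <stdexcept>
#include <vector>

// Reads `size` bytes at remote `addr` into `out`; false on failed or short read.
using MemReader = std::function<bool(uint64_t addr, void* out, size_t size)>;

// Walk base+off0 -> [ptr]+off1 -> ... ; every hop but the last dereferences a
// little-endian pointer of `ptrSize` bytes (x86 is little-endian). Returns the
// final address (not the value), or nullopt if a read fails or a pointer is null.
std::optional<uint64_t> resolvePointerChain(const MemReader& read, uint64_t base,
                                            const std::vector<uint64_t>& offsets,
                                            size_t ptrSize) {
    uint64_t addr = base;
    for (size_t i = 0; i < offsets.size(); ++i) {
        addr += offsets[i];
        if (i + 1 == offsets.size()) break;        // last hop is the value's address
        uint8_t buf[8] = {0};
        if (ptrSize > sizeof buf || !read(addr, buf, ptrSize)) return std::nullopt;
        uint64_t next = 0;
        for (size_t b = 0; b < ptrSize; ++b) next |= uint64_t(buf[b]) << (8 * b);
        if (next == 0) return std::nullopt;        // dangling/uninitialised pointer
        addr = next;
    }
    return addr;
}

// Read a 32-bit value through the chain, then walk the chain again: if the
// final address differs, a pointer was rewritten mid-walk, so retry.
std::optional<uint32_t> readStableU32(const MemReader& read, uint64_t base,
                                      const std::vector<uint64_t>& offsets,
                                      size_t ptrSize, int maxAttempts = 3) {
    for (int attempt = 0; attempt < maxAttempts; ++attempt) {
        auto first = resolvePointerChain(read, base, offsets, ptrSize);
        if (!first) return std::nullopt;
        uint8_t v[4];
        if (!read(*first, v, sizeof v)) return std::nullopt;
        auto again = resolvePointerChain(read, base, offsets, ptrSize);
        if (again && *again == *first)
            return uint32_t(v[0]) | uint32_t(v[1]) << 8 | uint32_t(v[2]) << 16 | uint32_t(v[3]) << 24;
    }
    return std::nullopt;                            // chain kept moving; give up
}

// Constructed stand-in for a target's address space: mapped regions keyed by
// start address. Reads outside a region fail, like an unmapped page would.
struct FakeProcess {
    std::map<uint64_t, std::vector<uint8_t>> regions;
    std::vector<uint8_t>* find(uint64_t addr, size_t size, uint64_t* start) {
        for (auto& kv : regions)
            if (addr >= kv.first && addr + size <= kv.first + kv.second.size()) {
                *start = kv.first; return &kv.second;
            }
        return nullptr;
    }
    void poke32(uint64_t addr, uint32_t val) {
        uint64_t s = 0; auto* r = find(addr, 4, &s);
        if (!r) throw std::runtime_error("poke outside mapped region");
        for (int i = 0; i < 4; ++i) (*r)[addr - s + i] = uint8_t(val >> (8 * i));
    }
    bool read(uint64_t addr, void* out, size_t size) {
        uint64_t s = 0; auto* r = find(addr, size, &s);
        if (!r) return false;
        std::memcpy(out, r->data() + (addr - s), size);
        return true;
    }
};

FakeProcess buildSampleTarget() {                   // all addresses/values constructed
    FakeProcess p;
    p.regions[0x00400000] = std::vector<uint8_t>(0x2000, 0);  // module image
    p.regions[0x00A00000] = std::vector<uint8_t>(0x100, 0);   // heap block 1
    p.regions[0x00B00000] = std::vector<uint8_t>(0x100, 0);   // heap block 2
    p.poke32(0x00401000, 0x00A00000);   // static pointer inside the module
    p.poke32(0x00A00010, 0x00B00000);   // pointer inside the first heap block
    p.poke32(0x00B00024, 0x1234ABCD);   // the value being looked for
    return p;
}
MemReader readerFor(FakeProcess& p) {
    return [&p](uint64_t a, void* o, size_t n) { return p.read(a, o, n); };
}
const std::vector<uint64_t> kChain = {0x1000, 0x10, 0x24};   // constructed offsets

std::optional<uint32_t> demoReadValue() {           // expected 0x1234ABCD
    FakeProcess p = buildSampleTarget();
    return readStableU32(readerFor(p), 0x00400000, kChain, 4);
}
std::optional<uint32_t> demoBrokenChain() {         // middle pointer nulled -> nullopt
    FakeProcess p = buildSampleTarget();
    p.poke32(0x00A00010, 0);
    return readStableU32(readerFor(p), 0x00400000, kChain, 4);
}
std::optional<uint32_t> demoRacedChain() {          // pointer moves after the value read
    FakeProcess p = buildSampleTarget();
    p.regions[0x00C00000] = std::vector<uint8_t>(0x100, 0);
    p.poke32(0x00C00024, 0x0000BEEF);
    int reads = 0;
    MemReader racy = [&](uint64_t a, void* o, size_t n) {
        bool ok = p.read(a, o, n);
        if (++reads == 3) p.poke32(0x00A00010, 0x00C00000);  // "target" reallocates
        return ok;
    };
    return readStableU32(racy, 0x00400000, kChain, 4);       // stale 0x1234ABCD rejected
}

#ifdef _WIN32
#include <windows.h>
// Adapter over the real Win32 call; hProcess needs PROCESS_VM_READ.
MemReader makeProcessReader(HANDLE hProcess) {
    return [hProcess](uint64_t addr, void* out, size_t size) {
        SIZE_T got = 0;
        BOOL ok = ReadProcessMemory(hProcess, reinterpret_cast<LPCVOID>(static_cast<uintptr_t>(addr)),
                                    out, size, &got);
        return ok && got == size;   // a short read counts as failure
    };
}
#endif

int main() {
    auto v = demoReadValue();
    std::printf("value: %s\n", v ? "found" : "not found");
    return v ? 0 : 1;
}
```

With the real adapter the call is the same: `readStableU32(makeProcessReader(hProcess), moduleBase, offsets, sizeof(void*))`, where `moduleBase` and `offsets` are what you worked out in the debugger, which is the part the thread says you still have to do yourself.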

Augural Sentinel

How do trainers for games work then?  Memory addresses are going to change every time the game is run, so the trainers have to get that value somehow.  What would be a solution to this then?  And just a note, no, I'm not making anything like a trainer.

tA-Kane

There are multiple solutions, two of which I know to be fairly common. The first is to use ReadProcessMemory/WriteProcessMemory and the second is to use DLL injection. Both have advantages and disadvantages.

Augural Sentinel

In this case, wouldn't DLL injection be best if I can't use ReadProcessMemory if the pointer can't be found?

I have a basic idea of how to go about doing DLL injection with ASM, but I have no clue how to get it to work in conjunction with another program written in C++.  I guess I'll have to go do a bit of searching on Google.

tA-Kane

Whether you use ReadProcessMemory or DLL injection hardly matters if you don't know how to find the pointer.

Augural Sentinel

Well, I'm going to have to do a bit more searching then.  I found an article that makes ReadProcessMemory feasible, but like you said, it doesn't do any good if I can't find the pointer.