Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


[Python] Need Help Reading Memory.

 
Metasploitable
How do I cheat?
Reputation: 0

Joined: 29 Dec 2016
Posts: 6

Posted: Thu Dec 29, 2016 5:40 pm

Hi,

could some of you point me in the right direction with the following: I wrote a function for reading memory in Windows processes (Python, ctypes). So far it works with regular addresses, for example '0x00AA5834' will return the correct value for what I'm looking for (I can confirm this works with Cheat Engine). However, I need to return the value of a base address starting with "somedll.dll" + 0x00AA5834, but I'm unsure how to do this in Python. So if any of you have done something similar, please let me know what you did and what the outcome was.

Code snippet for reading memory:

Code:

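import ctypes

def read_process_memory(self, hprocess, address):
    # Read one unsigned 32-bit value from `address` in the target process.
    read_buffer = ctypes.c_uint()
    buffer = ctypes.byref(read_buffer)
    size = ctypes.sizeof(read_buffer)
    bytes_read = ctypes.c_size_t(0)  # lpNumberOfBytesRead is a SIZE_T*

    # Pass the address as a pointer-sized value and the byte counter by
    # reference so ReadProcessMemory can fill it in.
    if self.ReadProcessMemory(hprocess, ctypes.c_void_p(address), buffer,
                              size, ctypes.byref(bytes_read)):
        print('[*] Read Memory - ', read_buffer.value, self.GetLastError())
        return read_buffer.value

    else:
        print('[!] Read Memory - Error Code: ', self.GetLastError())
        self.CloseHandle(hprocess)
        self.SetLastError(10000)
        return None  # explicit failure result for the caller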


Thanks in advance!

P.S. If you have any questions regarding this thread and/or need more information, let me know and I'll provide it ASAP.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8517
Location: 127.0.0.1

Posted: Thu Dec 29, 2016 8:26 pm

You will need to use some method of obtaining the base address of the given module name. Typically, this is done one of two ways:

- CreateToolhelp32Snapshot
- Process32First / Process32Next
- Module32First / Module32Next

or using PSAPI methods:

- EnumProcesses
- EnumProcessModules
- GetModuleFileNameEx

If you are injected into the target process, you can simply use:
- GetModuleHandle

_________________
- Retired.
Metasploitable
How do I cheat?
Reputation: 0

Joined: 29 Dec 2016
Posts: 6

Posted: Thu Dec 29, 2016 8:57 pm

atom0s wrote:
You will need to use some method of obtaining the base address of the given module name. Typically, this is done one of two ways:

- CreateToolhelp32Snapshot
- Process32First / Process32Next
- Module32First / Module32Next

or using PSAPI methods:

- EnumProcesses
- EnumProcessModules
- GetModuleFileNameEx

If you are injected into the target process, you can simply use:
- GetModuleHandle


Thanks for replying so quickly. Mind elaborating what you mean with 'You will need to use some method of obtaining the base address of the given module name'? As far as I understand, the base address of what I'm looking for is '0x00AA5834' and the module name is 'client.dll', right? Also, assuming I would need one of those methods, which one would be the easiest and most straightforward to use?

Sorry for my ignorance, first time doing some low-level stuff in Python, so please bear with me.

Thanks in advance.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8517
Location: 127.0.0.1

Posted: Fri Dec 30, 2016 12:40 pm

Microsoft shows how to use the above API here:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms686701(v=vs.85).aspx

You need the module base address of client.dll.

_________________
- Retired.
Metasploitable
How do I cheat?
Reputation: 0

Joined: 29 Dec 2016
Posts: 6

Posted: Fri Dec 30, 2016 5:42 pm

atom0s wrote:
Microsoft shows how to use the above API here:

You need the module base address of client.dll.


Hello, thanks for helping me out so far. Okay, so I wrote a function to get the base address of the client.dll and the function returns '720896'. Any idea where to go from here? Thanks in advance.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8517
Location: 127.0.0.1

Posted: Sat Dec 31, 2016 1:37 pm

As you said above your address starts with:
"somedll.dll" + 0x00AA5834

So you would get the base address of "somedll.dll" like you just did, then add 0x00AA5834 to it as the starting point of what you are doing.

_________________
- Retired.
Metasploitable
How do I cheat?
Reputation: 0

Joined: 29 Dec 2016
Posts: 6

Posted: Sat Dec 31, 2016 2:44 pm

atom0s wrote:
As you said above your address starts with:
"somedll.dll" + 0x00AA5834

So you would get the base address of "somedll.dll" like you just did, then add 0x00AA5834 to it as the starting point of what you are doing.


MODULE NAME: b'client.dll'
process ID = 0x00002638
ref count (g) = 0x0001
ref count (p) = 0x0001
base address = 0x18E40000
base size = 85118976
MODULE NAME: b'server.dll'

I wrote a function that returns the base address of client.dll. As you can see, the base address for client.dll is 0x18E40000. Does anyone know why 0x18E40000 + 0xAA5834 = 198E5834 but client.dll + 0xAA5834 in Cheat Engine = 2CEDBCC0? Why do I get different results in Cheat Engine compared to this calculation in Python? I'm either returning the wrong address for client.dll or my math is wrong?
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8517
Location: 127.0.0.1

Posted: Sat Dec 31, 2016 11:44 pm

Are you reading the address's value after adding it together?
_________________
- Retired.
Metasploitable
How do I cheat?
Reputation: 0

Joined: 29 Dec 2016
Posts: 6

Posted: Sun Jan 01, 2017 9:24 am

atom0s wrote:
Are you reading the address's value after adding it together?


Yep, all I do is return the base address of client.dll, I add that to LocalPlayer, and then the value it returns is completely different compared to client.dll + LocalPlayer in Cheat Engine.
ParkourPenguin
I post too much
Reputation: 140

Joined: 06 Jul 2014
Posts: 4291

Posted: Sun Jan 01, 2017 9:10 pm

I think it's too much of a coincidence that the value at 198E5834 is 198E5834. Are you sure you aren't looking at the address's value in CE and the address itself in your code?

(if by saying "client.dll + 0xAA5834 = 2CEDBCC0" you were implying client.dll was loaded at 2C43648C, that's impossible and you're probably looking at the value at the address client.dll + 0xAA5834 in CE)

_________________
I don't know where I'm going, but I'll figure it out when I get there.
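
The distinction raised in this reply, between the address `client.dll + 0xAA5834` and the value stored at that address, shown as an added example that is not part of the original thread. The module table uses the base and size posted above; the memory contents and the helper names (`resolve`, `read_u32`, `describe`) are constructed for illustration, and `read_u32` is a stand-in for a real ReadProcessMemory call so the example runs on any platform.

```python
import struct

# Constructed sample data built from the figures quoted in the thread:
# module name -> (base address, size in bytes), and 4 bytes stored in memory.
MODULES = {"client.dll": (0x18E40000, 85118976)}
MEMORY = {0x198E5834: struct.pack("<I", 0x2CEDBCC0)}


def resolve(expr, modules=MODULES):
    """Turn a Cheat Engine style '"client.dll"+0xAA5834' into an absolute address."""
    name, sep, offset_text = expr.partition("+")
    name = name.strip().strip('"').lower()
    if not sep or name not in modules:
        raise ValueError(f"unknown module or missing offset: {expr!r}")
    offset = int(offset_text.strip(), 16)  # accepts 'AA5834' and '0xAA5834'
    base, size = modules[name]
    # An offset past the end of the image means the wrong module or a bad offset.
    if not 0 <= offset < size:
        raise ValueError(f"offset {offset:#x} is outside {name} ({size:#x} bytes)")
    return base + offset


def read_u32(address, memory=MEMORY):
    """Stand-in for ReadProcessMemory into a c_uint: 4 bytes, little-endian."""
    data = memory.get(address)
    if data is None or len(data) != 4:
        raise OSError(f"no readable 4 bytes at {address:#010x}")
    return struct.unpack("<I", data)[0]


def describe(expr):
    """Return (address, value) as a pair so the two are never mixed up."""
    address = resolve(expr)
    return address, read_u32(address)


if __name__ == "__main__":
    address, value = describe('"client.dll"+0x00AA5834')
    print(f"address = {address:#010x}")  # what base + offset gives
    print(f"value   = {value:#010x}")    # what the Value column would show
```
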
Metasploitable
How do I cheat?
Reputation: 0

Joined: 29 Dec 2016
Posts: 6

Posted: Mon Jan 02, 2017 12:17 pm

Thanks, I fixed it guys. I made a stupid mistake... I did the calculation wrong.