View previous topic :: View next topic |
Author |
Message |
Michaelc Cheater Reputation: 0
Joined: 15 May 2016 Posts: 47
|
Posted: Wed Sep 27, 2017 7:41 pm Post subject: Python Ctypes ReadProcessMemory |
|
|
Hi all, I am trying to write a memory scanner using Read process memory!
Apparently, the current code keeps returning print('something is wrong') !
Because I didn't initialize the buffer and buffer size parameter, perhaps?
Or maybe it's the range() function?
Please take a look! Thanks!
Code: | import ctypes
# setup ctypes.
User32 = ctypes.WinDLL('User32', use_last_error=True)
Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
PID = 5924 # or anything other number.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID)
ReadProcessMemory = Kernel32.ReadProcessMemory
# Did I set these up properly?
buffer = ctypes.create_string_buffer(4)
bufferSize = (ctypes.sizeof(buffer))
# I need a way to find out how big the process is!
for n in range(1000000000):
if ReadProcessMemory(Process, n, buffer, bufferSize, None):
print('buffer is: ',buffer)
else:
print('something is wrong')
print('Done.') |
|
|
Back to top |
|
|
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Wed Sep 27, 2017 11:49 pm Post subject: |
|
|
Ensure the handle returned from OpenProcess is valid.
Also, attempting to just read every single address starting at 0 is going to land up throwing a lot of errors. There is not memory always at every address, especially low-end addresses like 0, 1, 2, etc. Try reading an area of memory you know exists.
_________________
- Retired. |
|
Back to top |
|
|
Michaelc Cheater Reputation: 0
Joined: 15 May 2016 Posts: 47
|
Posted: Fri Sep 29, 2017 1:10 pm Post subject: |
|
|
Thanks for the reply.
How do I scan a big chunk at a time?
How do I know if a chunk is good to scan?
Thanks!
|
|
Back to top |
|
|
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Fri Sep 29, 2017 2:08 pm Post subject: |
|
|
Use VirtualQueryEx to obtain memory page information to determine what is and isn't valid.
The returned info will contain a memory pages size, protection(s), and start address which you can use to read the whole page at once.
_________________
- Retired. |
|
Back to top |
|
|
Michaelc Cheater Reputation: 0
Joined: 15 May 2016 Posts: 47
|
Posted: Fri Sep 29, 2017 2:09 pm Post subject: |
|
|
I'll try that, thanks!
|
|
Back to top |
|
|
|