Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
[Help, C++] Memory Scanning

Schnappi
How do I cheat?
Reputation: 0

Joined: 02 Jun 2010
Posts: 1

Posted: Wed Jun 02, 2010 12:13 pm    Post subject: [Help, C++] Memory Scanning

Hello, I'm trying to code a memory scanner. Nothing fancy - no driver or scanning from outside. I started a few days ago and I was hoping you could help me with some ideas and possibly correct any mistakes I have made. I would let myself get inspired by Dark Byte's source (CE), but I'm afraid I know nothing about Delphi.

First Scan - I guess this one is working quite well:
The first scan for exact values is like this:
The function takes the input value, the scan type (BYTE, DWORD, WORD), "IsHex" (I will remove this, as I don't need to add values directly to the ListCtrl from the scan), a UINT_PTR to the start address and a UINT_PTR to the end address.

I skip all MEM_FREE and MEM_RESERVE regions and those regions which have a VirtualProtection of PAGE_EXECUTE or PAGE_NOACCESS (because I cannot read those regions). I also skip all regions which have protection constants between 0x100 and 0x199 (PAGE_GUARD | SOMETHING).

If all conditions are met, then IsBadReadPtr is executed to see if I can read (I don't know why, but I was still getting exceptions without this, somewhere around system DLLs). Should I use IsBadReadPtr or __try __except instead? Well, when I tried to use SEH, I got an error, because I derived a CFile class for writing the output and SEH doesn't like destructors.

I use CFile because, as Dark Byte stated, it's faster to load addresses from a file and insert values into the ListCtrl relative to the scrollbar. The scrollbar's max is set to FoundValues minus HowManyItemsCanFitPerOneScrollPosition (no, I don't actually name my vars like that).

For one region's scan, I allocate a DWORD array with "new" of the same size as the region (what is the largest size I can allocate anyway?). -> I'm kind of afraid of this, because what would I do if the region was filled with nulls and I was searching for nulls? I would get an address the size of a DWORD for each NULL in the region. That could be regionsize*4 (or something) => overflow of my allocated memory. <-
Then I write all found addresses into the file. That's pretty much the whole FirstScanFunc.

UpdateFunctions (ScrollBarMove or TIMER "time to refresh values"):
Not sure about those.
For a scrollbar move, I remove all 20 (default size of the ListCtrl) items from it, then I read the file (depending on the scan level it's the firstaddress file or the nextaddress file). Sample:
Code:

AddressFile.Seek(AddressFile.m_dwHeaderSize+nPos*4, AddressFile.begin); // Headersize is the size of the header (data that doesn't interest me right now); nPos is the current position of the scrollbar and 4 is the size of a DWORD

IN THE LOOP: // int i > HowManyItemsCanFitToWindow or, if the actual address count is smaller than HowManyItemsCanFitToWindow, then add all items.
AddressFile.Read(&dwReadAddress, 4);
      
      if(IsBadReadPtr((const void*)dwReadAddress, 4) == 0)

NOTICE THE "4" in IsBadReadPtr. I should find a better solution, because this would make it primarily for DWORD scans because of that 4 (size of DWORD).

All needed items are inserted into the ListCtrl.

For the TIMER update: it just reads from all addresses in the list (checked with IsBadReadPtr) and updates them (there is just a switch on the last scanned type, so it will update with DWORD, BYTE or WORD).

ScanNext Exact Value:
This one really sux. And I guess I will need some help with it. Right now it just scans for DWORD:
Code:

void CMemoryScanner::SearchNext_ExactValue(DWORD dwValue, BYTE bScanType, BYTE bRadix)
{
   CMemoryFile memAddressFileRead;
   CFileException fileExcept;
   CMemoryFile memAddressFileWrite;
   CMemoryFile memMemoryFileWrite;
   CString strReadFileName;
   CString strWriteFileName_Address;
   CString strWriteFileName_Data;
   DWORD dwScanType = 0;
   
   DWORD dwAddressRead = 0;
   
   DWORD* dwAddressWritePtr   =  0;
   DWORD* dwDataWritePtr      =  0;

   DWORD dwAddressCountRead = 0;
   DWORD dwAddressCountWrite = 0;
   DWORD dwRest =   0;


   strReadFileName.Format("ADDRESSNEXT%d.MEM", m_bScanLevel);
   strWriteFileName_Address.Format("ADDRESSNEXT%d.MEM", m_bScanLevel+1);
   strWriteFileName_Data.Format("MEMORYNEXT%d.MEM", m_bScanLevel+1);

   if(m_bScanLevel == 1)
   {
      memAddressFileRead.Open("ADDRESSFIRST.MEM", memAddressFileRead.modeReadWrite, &fileExcept);
   }
   else
   {
      memAddressFileRead.Open(strReadFileName, memAddressFileRead.modeReadWrite, &fileExcept);
   }

   dwAddressCountRead   = memAddressFileRead.GetItemCount();
   dwScanType         = memAddressFileRead.GetScanType();
   memAddressFileRead.Seek(memAddressFileRead.m_dwHeaderSize, memAddressFileRead.begin);

   memAddressFileWrite.WriteHeader(strWriteFileName_Address.GetBuffer(30), bScanType);
   memMemoryFileWrite.WriteHeader(strWriteFileName_Data.GetBuffer(30), bScanType);

   
   dwAddressWritePtr   = new DWORD[0x500];
   dwDataWritePtr      = new DWORD[0x500];
   for(unsigned int i = 0, b = 0; i < dwAddressCountRead; i++)
   {
      memAddressFileRead.Read(&dwAddressRead, 4);
      if(IsBadReadPtr((const void*)dwAddressRead, 4) == 0)
      {
         if( *(DWORD*)dwAddressRead == dwValue)
         {
            dwDataWritePtr[b] = *(DWORD*)dwAddressRead;
            dwAddressWritePtr[b] = (DWORD)dwAddressRead;
            dwAddressCountWrite++;
            dwRest++;
            b++;
            if(b == 0x400)
            {
               memMemoryFileWrite.Write(dwDataWritePtr, b*4);
               memAddressFileWrite.Write(dwAddressWritePtr, b*4);
               b = 0;
               dwRest = 0;
               delete []dwAddressWritePtr;
               delete [] dwDataWritePtr;
               dwAddressWritePtr   = new DWORD[0x500];
               dwDataWritePtr      = new DWORD[0x500];
            }
         }
      }
   }
   memMemoryFileWrite.Write(dwDataWritePtr, dwRest*4);
   memAddressFileWrite.Write(dwAddressWritePtr, dwRest*4);
   delete [] dwAddressWritePtr;
   delete [] dwDataWritePtr;

   memMemoryFileWrite.Seek(memMemoryFileWrite.m_pPOS_dwDataSize, memMemoryFileWrite.begin);
   memMemoryFileWrite.Write(&dwAddressCountWrite, 4);
   memAddressFileWrite.Seek(memAddressFileWrite.m_pPOS_dwDataSize,  memAddressFileWrite.begin);
   memAddressFileWrite.Write(&dwAddressCountWrite, 4);

   m_bScanLevel++;

   SCROLLINFO scbinfo;
   scbinfo.cbSize = sizeof(scbinfo);
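   // dwAddressCountWrite is unsigned: with fewer than 20 results the subtraction would wrap, so clamp at 0
   scbinfo.nMax = (dwAddressCountWrite > 20) ? (int)(dwAddressCountWrite - 20) : 0;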
   scbinfo.nMin = 0;
   scbinfo.nPos = 0;
   scbinfo.fMask = SIF_RANGE | SIF_POS;
   
   m_LCtrl_ValueList.SetScrollInfo(SB_VERT, &scbinfo, 1);
   
   memAddressFileWrite.Close();
   memMemoryFileWrite.Close();

   CString strNumFound;
   strNumFound.Format("%u", dwAddressCountWrite); // DWORD is unsigned
   m_Num_FoundNum.SetWindowTextA(strNumFound);
   UpdateValList();
}

Shall I use a temp file for all next scans and only one ADDRESSNEXT file for the current scan? I put this function together yesterday. It just works incorrectly when I search for different values. And if the first scan was for NULL then I froze up.



Thank you, if you read the whole thing. Any suggestions, advice, help?
Thank you, Schnappi
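
An added example, not part of either post and not Cheat Engine's code: portable C++ for two points the post above raises, testing region protection as bit flags and collecting matches in a fixed-size batch that is flushed when full, so memory use stays bounded even when every element of a region matches. Region stands in for the State and Protect fields returned by VirtualQuery and the constants carry their winnt.h values; IsScannable, ScanExact, the aligned step and the batch size are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <vector>

// Same values as the Win32 constants of these names (winnt.h).
constexpr uint32_t kMemCommit = 0x1000;
constexpr uint32_t kPageNoAccess = 0x01, kPageExecute = 0x10, kPageGuard = 0x100;

// Stand-in for the State and Protect fields of MEMORY_BASIC_INFORMATION.
struct Region { uint32_t state, protect; };

// Hypothetical helper: true only for committed, unguarded, readable regions.
bool IsScannable(const Region& r) {
    if (r.state != kMemCommit) return false;   // MEM_FREE and MEM_RESERVE
    if (r.protect & kPageGuard) return false;  // bit test: any PAGE_GUARD combination
    const uint32_t base = r.protect & 0xFF;    // low byte holds the access mode
    return base != 0 && base != kPageNoAccess && base != kPageExecute;
}

using Flush = std::function<void(const std::vector<size_t>&)>;

// Hypothetical helper: aligned exact-value scan for a value of `width` bytes
// (1, 2 or 4). Match offsets reach `flush` in batches of at most `cap`.
size_t ScanExact(const uint8_t* buf, size_t len, const void* value,
                 size_t width, size_t cap, const Flush& flush) {
    std::vector<size_t> batch;
    batch.reserve(cap);
    size_t total = 0;
    for (size_t off = 0; width && off + width <= len; off += width) {
        if (std::memcmp(buf + off, value, width) != 0) continue;
        batch.push_back(off);
        ++total;
        if (batch.size() == cap) { flush(batch); batch.clear(); }
    }
    if (!batch.empty()) flush(batch);
    return total;
}

int main() {
    std::vector<uint8_t> zeros(4096, 0);  // constructed worst case: all-zero region
    const uint32_t needle = 0;
    size_t flushes = 0;
    size_t n = ScanExact(zeros.data(), zeros.size(), &needle, 4, 256,
                         [&](const std::vector<size_t>&) { ++flushes; });
    std::printf("%zu matches in %zu batches\n", n, flushes);
    return 0;
}
```

In a real scanner the flush callback would append the batch to the address file, and the width argument replaces the hard-coded 4.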
Flyte
Peanuts!!!!
Reputation: 6

Joined: 19 Apr 2006
Posts: 1887
Location: Canada

Posted: Wed Jun 02, 2010 1:35 pm

Read me.

This isn't finished, but should give you an idea how something like this should be done. Adding the ability to store results to a file would not be difficult (read: replace the argument that takes a list with some class interface).
All times are GMT - 6 Hours