Michaelc Cheater Reputation: 0
Joined: 15 May 2016 Posts: 47
|
Posted: Sat Oct 14, 2017 6:02 pm Post subject: How does scanning for a double value work? |
|
|
Here is my question about the memory:
So I have a base address of a chunk of memory from it's size, from VirtualQueryEx
start = mbi.BaseAddress
finish = mbi.RegionSize
So at this time, I use while and this is how it looks like
while index < finish:
# access the memory here:
while memory function( index)
# then index += 1, for the inner loop
## this line complete the outer while loop
index += mbi.RegionSize
so Why did I put down index += 1 ?
That's because what I think about the memory looks like this
(short)(int)(double)(int)(int)(int)(double) and so on,
since I can't predict which address is the beginning of a double, the only way
to deal with that is to use increment by 1.
Now, from what I have been reading, it seems there is a better way to do it,
for instance, a for loop.
for(start,finish, 8)
why 8? because double begins at exact 0 or multiple of 8 bytes, right?
[code]
import ctypes
from ctypes.wintypes import WORD, DWORD, LPVOID
PVOID = LPVOID
SIZE_T = ctypes.c_size_t
# https://msdn.microsoft.com/en-us/library/aa383751#DWORD_PTR
if ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulonglong):
DWORD_PTR = ctypes.c_ulonglong
elif ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulong):
DWORD_PTR = ctypes.c_ulong
class SYSTEM_INFO(ctypes.Structure):
"""https://msdn.microsoft.com/en-us/library/ms724958"""
class _U(ctypes.Union):
class _S(ctypes.Structure):
_fields_ = (('wProcessorArchitecture', WORD),
('wReserved', WORD))
_fields_ = (('dwOemId', DWORD), # obsolete
('_s', _S))
_anonymous_ = ('_s',)
_fields_ = (('_u', _U),
('dwPageSize', DWORD),
('lpMinimumApplicationAddress', LPVOID),
('lpMaximumApplicationAddress', LPVOID),
('dwActiveProcessorMask', DWORD_PTR),
('dwNumberOfProcessors', DWORD),
('dwProcessorType', DWORD),
('dwAllocationGranularity', DWORD),
('wProcessorLevel', WORD),
('wProcessorRevision', WORD))
_anonymous_ = ('_u',)
LPSYSTEM_INFO = ctypes.POINTER(SYSTEM_INFO)
Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
Kernel32.GetSystemInfo.restype = None
Kernel32.GetSystemInfo.argtypes = (LPSYSTEM_INFO,)
sysinfo = SYSTEM_INFO()
Kernel32.GetSystemInfo(ctypes.byref(sysinfo))
print(sysinfo.lpMinimumApplicationAddress)
print(sysinfo.lpMaximumApplicationAddress)
# maybe it will change, maybe it won't. Assuming it won't.
# 2nd, get Open process.
import psutil
import sys
for proc in psutil.process_iter():
if str('swtor.exe') in str(proc.name) and \
proc.memory_info().rss > 1000000000:
PID = proc.pid
print('PID:',PID)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID)
print('process:', Process)
# 3rd
class MEMORY_BASIC_INFORMATION(ctypes.Structure):
"""https://msdn.microsoft.com/en-us/library/aa366775"""
_fields_ = (('BaseAddress', PVOID),
('AllocationBase', PVOID),
('AllocationProtect', DWORD),
('RegionSize', SIZE_T),
('State', DWORD),
('Protect', DWORD),
('Type', DWORD))
##PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)
mbi = MEMORY_BASIC_INFORMATION()
##sysinfo.lpMinimumApplicationAddress
print('VirtualQueryEx ran properly?',Kernel32.VirtualQueryEx(Process, \
sysinfo.lpMinimumApplicationAddress, ctypes.byref(mbi),ctypes.sizeof(mbi)))
# sysinfo.lpMinimumApplicationAddress replaced by None
##print('')
##print('mbi start')
##print('mbi.BaseAddress: ',mbi.BaseAddress)
##print('mbi.AllocationBase: ',mbi.AllocationBase)
##print('mbi.AllocationProtect: ',mbi.AllocationProtect)
##print('mbi.RegionSize: ',mbi.RegionSize)
##print('mbi.State: ',mbi.State)
##print('mbi.Protect: ', mbi.Protect)
##print('mbi.Type: ',mbi.Type)
ReadProcessMemory = Kernel32.ReadProcessMemory
##
MEM_COMMIT = 0x00001000;
PAGE_READWRITE = 0x04;
##buffer = ctypes.c_uint()
buffer = ctypes.c_double()
nread = SIZE_T()
##start = ctypes.c_void_p(mbi.BaseAddress)
current_address = sysinfo.lpMinimumApplicationAddress
end_address = sysinfo.lpMaximumApplicationAddress
hit_count = 0
target_value = -159
hit_pool = list()
while current_address < end_address:
Kernel32.VirtualQueryEx(Process, \
current_address, ctypes.byref(mbi),ctypes.sizeof(mbi))
if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT :
print('This region can be scanned!')
index = current_address
end = current_address + mbi.RegionSize - 7
for i in range(index, end, 8):
if ReadProcessMemory(Process, i, ctypes.byref(buffer), \
ctypes.sizeof(buffer), ctypes.byref(nread)):
## pass
# impletment value comparison now.
if buffer.value < (target_value + 1) and \
buffer.value > (target_value - 1):
print(buffer.value, hex(i), 'hit:', hit_count)
hit_count += 1
hit_pool.append(hex(i))
else:
print('else happend.')
## pass
## raise ctypes.WinError(ctypes.get_last_error())
current_address += mbi.RegionSize
print('done.')
print(hit_count)
print(hit_pool)
[/code]
|
|