View previous topic :: View next topic |
Author |
Message |
SpaMx01 How do I cheat? Reputation: 0
Joined: 16 Sep 2017 Posts: 6
|
Posted: Wed May 09, 2018 2:21 pm Post subject: How to search memory region and dissect datas? |
|
|
Dear community,
I programmed kernel driver for memory reading. I can set Application to catch, get its Process ID and Base Address. Because I work only with x64 applications, whole memory reagion can be from 0x0000000000000000 to 0x7FFFFFFFFFFFFFFF. I thought I can read every byte and than dissect datas from it. But it took so much time to complete so I must do it wrong. Does anyone know how to search through App memory fast? I want to read all bytes, than find value (1B / 2B / 4B / 8B / string). Why CheatEngine can scan app memory in seconds?
Thank you.
|
|
Back to top |
|
|
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
|
Posted: Wed May 09, 2018 2:27 pm Post subject: |
|
|
ce skips memory that is not allocated
also, do not switch to the target process, read 1 byte and return to the caller. that is slow. read bigger blocks of memory
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
Back to top |
|
|
SpaMx01 How do I cheat? Reputation: 0
Joined: 16 Sep 2017 Posts: 6
|
Posted: Wed May 09, 2018 2:40 pm Post subject: |
|
|
Kernels IOCTL can handle message up to ~16kB so this is biggest block of data I can read. How do you know which memory region is not allocated? Some memory reading fail - so maybe this is not allocated address but how can I skip it to the end of unallocated region?
Thank you.
|
|
Back to top |
|
|
Dark Byte Site Admin Reputation: 457
Joined: 09 May 2003 Posts: 25262 Location: The netherlands
|
Posted: Wed May 09, 2018 2:58 pm Post subject: |
|
|
you can read on pageboundary blocks (4KB) which is at least faster than 1 byte
and keep on mind that windows has an allocation granularity of 64KB so if a page is unreadable that means the next possible address is on a address dividable by 65536
now if you wish to be more specific then you need to walk the pagetable system and scan for pages that are present
first check the pml4 entry, then the pagedirpointer entry, the pagedir entry, and if it's a small pagedir then also the pagetable entry
windows is so nice to link the pml4 address inside the pml4 table so you can access that using virtual memory without having to map it manually. downside is that in 64 bit this tends to be at a randomis location so you will probably have to scan for that once (just map cre's physicall memory as a 4k page and scan that or use the getvirtualaddressfromphysical function exports)
just check github on ce's driver for some example
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
Back to top |
|
|
SpaMx01 How do I cheat? Reputation: 0
Joined: 16 Sep 2017 Posts: 6
|
Posted: Wed May 09, 2018 3:01 pm Post subject: |
|
|
That looks difficult. I try to Google-search it and implement it.
Thank you for your help.
|
|
Back to top |
|
|
|