- needs spellchecked
To learn how to hook a running program in Windows we will use calc.exe, the windows calculator, as a guinea pig. So, we create a Visual BASIC program that attaches itself to calc.exe and monitors for the calculator value to change from zero.
Direct Memory Access Class for NT/2000/XP
Already found four key addresses to use for testing with a debugger:
calc.exe+14D55 01014D55 calc.exe+14D56 01014D56 calc.exe+14D57 01014D57 calc.exe+14D58 01014D58
- Get the Process ID of calc.exe
- Hook the Process
- Read the Memory
- Getwindowthreadprocessid
- ReadProcessMemory: Reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.
BOOL ReadProcessMemory( HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead );
ReadProcessMemory hProcess [in], lpBaseAddress [in], lpBuffer[out], nSize[in], lpNumberOfBytesRead[out]
If the function succeeds, the return value is nonzero. If the function fails, the return value is 0 (zero).
The GetWindowThreadProcessId function retrieves the identifier of the thread that created the specified window and, optionally, the identifier of the process that created the window.