Difference between revisions of "Process Hook and Read From Memory VB6"

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search
m
m (Reverted edits by Atekysepiko (Talk); changed back to last version by Tricotec)
 
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
This is in the line of creating your own debugger.  Yes, this can be used to "cheat at games," however, this is not the intention of the exercise.  Being able to "peek" at memory in a closed source program and activate triggers in your own program can be extremely useful.  Imagine being able to detect when your Phone/FAX software is receiving an incoming call, and instead of being hindered by the limitations of that software, you can have your own application piggy back on it, reading from its memory, and performing advanced scripted tasks.  Sure, you could write your own code to do everything the FAX software does, but its a lot faster and easier to just peek at the memory and make your stuff happen based on what it is already doing.  How about using a VB program to piggy back on ATI Video capture software?  You may also write to the memory space of applications, triggering the software to do things, such as kick off the video recorder.  The posibilities are endless.
 +
 
== The API Calls ==
 
== The API Calls ==
  
Line 4: Line 6:
  
 
'''Hook the process or reading, or reading and writing'''
 
'''Hook the process or reading, or reading and writing'''
  hProcess = OpenProcess(PROCESS_READ_WRITE_QUERY, False, pid)
+
  hProcess = OpenProcess(PROCESS_READ_QUERY, False, pid)
  
 
*'''hProcess''': A handle to the process with memory that is being read. This is generated using the process id (PID).  The handle must have PROCESS_VM_READ access to the process.  The handle is a number, it will be used for ReadProcessMemory.  This needs to be closed when you are done with "CloseHandle hProcess" after ReadProcessMemory.
 
*'''hProcess''': A handle to the process with memory that is being read. This is generated using the process id (PID).  The handle must have PROCESS_VM_READ access to the process.  The handle is a number, it will be used for ReadProcessMemory.  This needs to be closed when you are done with "CloseHandle hProcess" after ReadProcessMemory.
Line 60: Line 62:
 
  <nowiki>End Type</nowiki>
 
  <nowiki>End Type</nowiki>
 
  <nowiki></nowiki>
 
  <nowiki></nowiki>
  <nowiki>Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long<
+
  <nowiki>Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long</nowiki>
  <nowiki>Private Declare Function VirtualQueryEx& Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, lpBuffer As MEMORY_BASIC
+
  <nowiki>Private Declare Function VirtualQueryEx& Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long)</nowiki>
 
  <nowiki>Private Declare Sub GetSystemInfo Lib "kernel32" (lpSystemInfo As SYSTEM_INFO)</nowiki>
 
  <nowiki>Private Declare Sub GetSystemInfo Lib "kernel32" (lpSystemInfo As SYSTEM_INFO)</nowiki>
  <nowiki>Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwA
+
  <nowiki>Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwA</nowiki>
 
  <nowiki>Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long</nowiki>
 
  <nowiki>Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long</nowiki>
  <nowiki>Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, B
+
  <nowiki>Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long</nowiki>
  <nowiki>Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any,  
+
  <nowiki>Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long</nowiki>
 
  <nowiki></nowiki>
 
  <nowiki></nowiki>
 
  <nowiki>Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long</nowiki>
 
  <nowiki>Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long</nowiki>
  <nowiki>Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As Long, ByVal lpWindowName As Long
+
  <nowiki>Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As Long, ByVal lpWindowName As Long) As Long</nowiki>
 
  <nowiki>Private Declare Function GetParent Lib "user32" (ByVal hWnd As Long) As Long</nowiki>
 
  <nowiki>Private Declare Function GetParent Lib "user32" (ByVal hWnd As Long) As Long</nowiki>
 
  <nowiki>Private Declare Function GetWindow Lib "user32" (ByVal hWnd As Long, ByVal wCmd As Long) As Long</nowiki>
 
  <nowiki>Private Declare Function GetWindow Lib "user32" (ByVal hWnd As Long, ByVal wCmd As Long) As Long</nowiki>
 
  <nowiki>Const GW_HWNDNEXT = 2</nowiki>
 
  <nowiki>Const GW_HWNDNEXT = 2</nowiki>
 
  <nowiki></nowiki>
 
  <nowiki></nowiki>
  <nowiki>Private Declare Function InvalidateRect Lib "user32" (ByVal hWnd As Long, ByVal lpRect As Long, ByVal bErase As Long) As Lo
+
  <nowiki>Private Declare Function InvalidateRect Lib "user32" (ByVal hWnd As Long, ByVal lpRect As Long, ByVal bErase As Long) As Long</nowiki>
 
  <nowiki>Const PROCESS_VM_READ = (&H10)</nowiki>
 
  <nowiki>Const PROCESS_VM_READ = (&H10)</nowiki>
 
  <nowiki>Const PROCESS_VM_WRITE = (&H20)</nowiki>
 
  <nowiki>Const PROCESS_VM_WRITE = (&H20)</nowiki>
 
  <nowiki>Const PROCESS_VM_OPERATION = (&H8)</nowiki>
 
  <nowiki>Const PROCESS_VM_OPERATION = (&H8)</nowiki>
 
  <nowiki>Const PROCESS_QUERY_INFORMATION = (&H400)</nowiki>
 
  <nowiki>Const PROCESS_QUERY_INFORMATION = (&H400)</nowiki>
  <nowiki>Const PROCESS_READ_WRITE_QUERY = PROCESS_VM_READ + PROCESS_VM_WRITE + PROCESS_VM_OPERATION + PROCESS_QUERY_INFORMATION</now
+
  <nowiki>Const PROCESS_READ_WRITE_QUERY = PROCESS_VM_READ + PROCESS_VM_WRITE + PROCESS_VM_OPERATION + PROCESS_QUERY_INFORMATION</nowiki>
 +
<nowiki>Const PROCESS_READ_QUERY = PROCESS_VM_READ + PROCESS_VM_OPERATION + PROCESS_QUERY_INFORMATION</nowiki>
 
  <nowiki></nowiki>
 
  <nowiki></nowiki>
 
  <nowiki>Const MEM_PRIVATE& = &H20000</nowiki>
 
  <nowiki>Const MEM_PRIVATE& = &H20000</nowiki>
 
  <nowiki>Const MEM_COMMIT& = &H1000</nowiki>
 
  <nowiki>Const MEM_COMMIT& = &H1000</nowiki>
 +
 +
&nbsp;
 +
 +
== Function to Get Handle From PID ==
 +
 +
<nowiki>Private Function InstanceToWnd(ByVal target_pid As Long) As Long</nowiki>
 +
<nowiki>  Dim test_hwnd As Long</nowiki>
 +
<nowiki>  Dim test_pid As Long</nowiki>
 +
<nowiki>  Dim test_thread_id As Long</nowiki>
 +
<nowiki>  test_hwnd = FindWindow(ByVal 0&, ByVal 0&)</nowiki>
 +
<nowiki>  Do While test_hwnd <> 0</nowiki>
 +
<nowiki>  If GetParent(test_hwnd) = 0 Then</nowiki>
 +
<nowiki>      test_thread_id = GetWindowThreadProcessId(test_hwnd, test_pid)</nowiki>
 +
<nowiki>      If test_pid = target_pid Then</nowiki>
 +
<nowiki>        InstanceToWnd = test_hwnd</nowiki>
 +
<nowiki>        Exit Do</nowiki>
 +
<nowiki>      End If</nowiki>
 +
<nowiki>  End If</nowiki>
 +
<nowiki>  test_hwnd = GetWindow(test_hwnd, GW_HWNDNEXT)</nowiki>
 +
<nowiki>  Loop</nowiki>
 +
<nowiki>End Function</nowiki>
 +
 +
&nbsp;
  
 
== Miscellaneous Notes ==
 
== Miscellaneous Notes ==

Latest revision as of 11:40, 24 November 2010

This is in the line of creating your own debugger. Yes, this can be used to "cheat at games," however, this is not the intention of the exercise. Being able to "peek" at memory in a closed source program and activate triggers in your own program can be extremely useful. Imagine being able to detect when your Phone/FAX software is receiving an incoming call, and instead of being hindered by the limitations of that software, you can have your own application piggy back on it, reading from its memory, and performing advanced scripted tasks. Sure, you could write your own code to do everything the FAX software does, but its a lot faster and easier to just peek at the memory and make your stuff happen based on what it is already doing. How about using a VB program to piggy back on ATI Video capture software? You may also write to the memory space of applications, triggering the software to do things, such as kick off the video recorder. The posibilities are endless.

The API Calls

The important code:

Hook the process or reading, or reading and writing

hProcess = OpenProcess(PROCESS_READ_QUERY, False, pid)
  • hProcess: A handle to the process with memory that is being read. This is generated using the process id (PID). The handle must have PROCESS_VM_READ access to the process. The handle is a number, it will be used for ReadProcessMemory. This needs to be closed when you are done with "CloseHandle hProcess" after ReadProcessMemory.

Get MBI information from the process

ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI)

VirtualQueryEx takes an address (lpMem) and returns information about it in the MEMORY_BASIC_INFORMATION (mbi) structure. The function is used to retrieve information about a range of pages in the address space of another process.

Read the memory range into buffer

ReadProcessMemory hProcess, ByVal intRead1, ByVal sBuffer, intLen1, lWritten
  • WHAT GOES IN: hProcess, intRead1, intLen1
  • WHAT COMES OUT: sBuffer, lWritten
  • intRead1: base address to read memory from. (where a chunk of text memory starts) (pointer)
  • sBuffer: the memory contents copied into our buffer. (data chunk read)
  • intLen1: how much memory should be read, in bytes. (how big the chunk of data is)
  • lWritten: how much was actually read, in bytes. (pointer)

What is actually happening is the region of memory from the other program is being accesses, read, and the contents copied into a region of memory in our own program, the buffer.

 

Required Declarations For API Calls

Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
End Type

Private Type MEMORY_BASIC_INFORMATION ' 28 bytes
    BaseAddress As Long
    AllocationBase As Long
    AllocationProtect As Long
    RegionSize As Long
    State As Long
    Protect As Long
    lType As Long
End Type

Private Type SYSTEM_INFO ' 36 Bytes
    dwOemID As Long
    dwPageSize As Long
    lpMinimumApplicationAddress As Long
    lpMaximumApplicationAddress As Long
    dwActiveProcessorMask As Long
    dwNumberOrfProcessors As Long
    dwProcessorType As Long
    dwAllocationGranularity As Long
    wProcessorLevel As Integer
    wProcessorRevision As Integer
End Type

Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long
Private Declare Function VirtualQueryEx& Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long)
Private Declare Sub GetSystemInfo Lib "kernel32" (lpSystemInfo As SYSTEM_INFO)
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwA
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As Long, ByVal lpWindowName As Long) As Long
Private Declare Function GetParent Lib "user32" (ByVal hWnd As Long) As Long
Private Declare Function GetWindow Lib "user32" (ByVal hWnd As Long, ByVal wCmd As Long) As Long
Const GW_HWNDNEXT = 2

Private Declare Function InvalidateRect Lib "user32" (ByVal hWnd As Long, ByVal lpRect As Long, ByVal bErase As Long) As Long
Const PROCESS_VM_READ = (&H10)
Const PROCESS_VM_WRITE = (&H20)
Const PROCESS_VM_OPERATION = (&H8)
Const PROCESS_QUERY_INFORMATION = (&H400)
Const PROCESS_READ_WRITE_QUERY = PROCESS_VM_READ + PROCESS_VM_WRITE + PROCESS_VM_OPERATION + PROCESS_QUERY_INFORMATION
Const PROCESS_READ_QUERY = PROCESS_VM_READ + PROCESS_VM_OPERATION + PROCESS_QUERY_INFORMATION

Const MEM_PRIVATE& = &H20000
Const MEM_COMMIT& = &H1000

 

Function to Get Handle From PID

Private Function InstanceToWnd(ByVal target_pid As Long) As Long
  Dim test_hwnd As Long
  Dim test_pid As Long
  Dim test_thread_id As Long
  test_hwnd = FindWindow(ByVal 0&, ByVal 0&)
  Do While test_hwnd <> 0
   If GetParent(test_hwnd) = 0 Then
      test_thread_id = GetWindowThreadProcessId(test_hwnd, test_pid)
      If test_pid = target_pid Then
         InstanceToWnd = test_hwnd
         Exit Do
      End If
   End If
   test_hwnd = GetWindow(test_hwnd, GW_HWNDNEXT)
  Loop
End Function

 

Miscellaneous Notes

  • Direct Memory Access Class for NT/2000/XP

To learn how to hook a running program in Windows we will use calc.exe, the windows calculator, as a guinea pig. So, we create a Visual BASIC program that attaches itself to calc.exe and monitors for the calculator value to change from zero.

Already found four key addresses to use for testing with a debugger:

calc.exe+14D55          01014D55
calc.exe+14D56          01014D56
calc.exe+14D57          01014D57
calc.exe+14D58          01014D58

Specifically, 01014D58:

0 = 0 or 124   Value of the leftmost number in the display
1 = 125        is 124 + the digit.  If there is nothing in 
2 = 126        the display then the value is 0.
9 = 133
  1. Get the Process ID of calc.exe
  2. Hook the Process
  3. Read the Memory
  • Getwindowthreadprocessid: retrieves the identifier of the thread that created the specified window and, optionally, the identifier of the process that created the window.


  • ReadProcessMemory: Reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.
BOOL ReadProcessMemory(
  HANDLE hProcess,
  LPCVOID lpBaseAddress,
  LPVOID lpBuffer,
  SIZE_T nSize,
  SIZE_T* lpNumberOfBytesRead
);
ReadProcessMemory hProcess [in], lpBaseAddress [in], lpBuffer[out], nSize[in], lpNumberOfBytesRead[out]

If the function succeeds, the return value is nonzero. If the function fails, the return value is 0 (zero).

  • hProcess: A handle to the process with memory that is being read. The handle must have PROCESS_VM_READ access to the process.
  • lpBaseAddress: A pointer to the base address in the specified process from which to read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access, and if it is not accessible the function fails.
  • lpBuffer: A pointer to a buffer that receives the contents from the address space of the specified process.
  • nSize: The number of bytes to be read from the specified process.
  • lpNumberOfBytesRead: A pointer to a variable that receives the number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.

ReadProcessMemory Code Snippet

  addr = addr + 1        
  buffer = Space$(1)
  Call ReadProcessMemory(myHandle, addr, buffer, 1, readlen)
  • myHandle is a long integer
  • addr is a long integer
  • buffer is a string variable / buffer = Space$(1) / ???
  • readlen is
  myHandle = OpenProcess(&H1F0FFF, False, pid)
  buffer = Space$(1)
  addr = 16798516 ' memory address to what we are watching is
  Call ReadProcessMemory(myHandle, addr, buffer, 1, readlen)