Process Hook and Read From Memory VB6

From Free Knowledge Base- The DUCK Project: information for everyone

== Show a list of Windows Processes ==
 
 
=== Example 1 ===

Add the following to a module. It declares the Toolhelp32 snapshot API and the PROCESSENTRY32 record that Process32First/Process32Next fill in:

Option Explicit

Public Const TH32CS_SNAPPROCESS As Long = 2&
Public Const MAX_PATH As Long = 260
Public Const INVALID_HANDLE_VALUE As Long = -1

Public Type PROCESSENTRY32
    dwSize As Long              ' must be set to Len(PROCESSENTRY32) before the first call
    cntUsage As Long
    th32ProcessID As Long       ' the PID, which the hooking steps below need
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * MAX_PATH   ' ANSI image name, padded with vbNullChar
End Type

Public Declare Function CreateToolhelp32Snapshot Lib "kernel32" _
    (ByVal lFlags As Long, ByVal lProcessID As Long) As Long

Public Declare Function ProcessFirst Lib "kernel32" _
    Alias "Process32First" _
    (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long

Public Declare Function ProcessNext Lib "kernel32" _
    Alias "Process32Next" _
    (ByVal hSnapShot As Long, uProcess As PROCESSENTRY32) As Long

' CloseHandle returns a BOOL; declaring it as a Function lets you check it
Public Declare Function CloseHandle Lib "kernel32" _
    (ByVal hObject As Long) As Long

Then in the form (the code assumes a multi-line TextBox named txtOut):

Private Sub doShowProcessList()
    Dim hSnapShot As Long
    Dim uProcess As PROCESSENTRY32
    Dim success As Long
    Dim nulPos As Long
    Dim exeName As String

    ' Snapshot of every process; the PID argument is ignored for TH32CS_SNAPPROCESS
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    If hSnapShot = INVALID_HANDLE_VALUE Then Exit Sub

    ' Process32First fails unless dwSize is filled in (9 Longs + 260 = 296 bytes)
    uProcess.dwSize = Len(uProcess)
    success = ProcessFirst(hSnapShot, uProcess)

    If success <> 0 Then            ' BOOL: any nonzero value means success
        Do
            ' szExeFile is a fixed-length string; cut it at the first vbNullChar
            nulPos = InStr(uProcess.szExeFile, vbNullChar)
            If nulPos > 0 Then
                exeName = Left$(uProcess.szExeFile, nulPos - 1)
            Else
                exeName = uProcess.szExeFile
            End If
            txtOut.Text = txtOut.Text & vbCrLf & exeName
        Loop While ProcessNext(hSnapShot, uProcess)
    End If

    Call CloseHandle(hSnapShot)     ' always release the snapshot handle
End Sub


Revision as of 16:49, 19 August 2007


To learn how to hook a running program in Windows we will use calc.exe, the Windows calculator, as a guinea pig: a Visual Basic program attaches itself to calc.exe and watches for the value in the calculator display to change from zero. "Hooking" here means opening a handle to the running process and reading its memory; nothing is injected into calc.exe.

Direct Memory Access Class for NT/2000/XP

Four candidate addresses were already found with a debugger. The left column is module+offset, the right column the virtual address with calc.exe at its default image base of 01000000. They hold only for this build of calc.exe on Windows XP, where the base is fixed; Vista and later randomize the base with ASLR, so there the address has to be recomputed from the module base at run time:

calc.exe+14D55          01014D55
calc.exe+14D56          01014D56
calc.exe+14D57          01014D57
calc.exe+14D58          01014D58

Specifically, the byte at 01014D58 holds the leftmost digit of the display as 124 + the digit. If there is nothing in the display the value is 0, and a displayed 0 may read as either 0 or 124:

Displayed digit    Byte value
(empty)            0
0                  0 or 124
1                  125
2                  126
3 to 8             127 to 132
9                  133
  1. Get the Process ID of calc.exe (from the process list above, or from its window as described below)
  2. Hook the process: open a handle to it with OpenProcess
  3. Read the memory with ReadProcessMemory
  • GetWindowThreadProcessId: retrieves the identifier of the thread that created the specified window and, optionally, the identifier of the process that created the window. Given a handle to the calculator's window this yields the PID for step 1 without walking the process list.


  • ReadProcessMemory: reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.

BOOL ReadProcessMemory(
  HANDLE  hProcess,             // [in]
  LPCVOID lpBaseAddress,        // [in]
  LPVOID  lpBuffer,             // [out]
  SIZE_T  nSize,                // [in]
  SIZE_T* lpNumberOfBytesRead   // [out, optional]
);

If the function succeeds, the return value is nonzero. If the function fails, the return value is 0 (zero); GetLastError reports why, and ERROR_PARTIAL_COPY (299) is the usual code when part of the requested range is not readable.

  • hProcess: A handle to the process with memory that is being read. The handle must have PROCESS_VM_READ access to the process.
  • lpBaseAddress: A pointer to the base address in the specified process from which to read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access, and if it is not accessible the function fails.
  • lpBuffer: A pointer to a buffer that receives the contents from the address space of the specified process.
  • nSize: The number of bytes to be read from the specified process.
  • lpNumberOfBytesRead: A pointer to a variable that receives the number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.

ReadProcessMemory Code Snippet

The declarations the snippet needs. The buffer is passed ByVal As String so that VB6 hands the API a pointer to the string's bytes:

Private Declare Function OpenProcess Lib "kernel32" _
    (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, _
     ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" _
    (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, _
     ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long

Private Const PROCESS_VM_READ As Long = &H10
Private Const PROCESS_QUERY_INFORMATION As Long = &H400

  • myHandle is a Long: the process handle returned by OpenProcess (0 on failure).
  • addr is a Long: the address inside calc.exe to read.
  • buffer is a String: buffer = Space$(1) preallocates one character so the API has one writable byte to fill. VB6 passes the string's ANSI copy and converts it back afterwards, which is safe here because the values of interest (0 and 124 to 133) are below 128; a Byte variable avoids the round trip when reading arbitrary bytes.
  • readlen is a Long that receives the number of bytes actually copied (1 on success).

  Dim myHandle As Long, addr As Long, readlen As Long, buffer As String

  ' pid comes from step 1.  The original opens with &H1F0FFF (PROCESS_ALL_ACCESS on XP);
  ' reading only needs these two rights.
  myHandle = OpenProcess(PROCESS_VM_READ Or PROCESS_QUERY_INFORMATION, 0&, pid)
  If myHandle = 0 Then Exit Sub                 ' access denied or bad pid

  addr = 16798516                               ' the watched address, in decimal (&H1005334)
  buffer = Space$(1)                            ' one writable byte for the API to fill
  If ReadProcessMemory(myHandle, addr, buffer, 1, readlen) = 0 Then
      ' failed: Err.LastDllError = 299 (ERROR_PARTIAL_COPY) when the byte is not readable
  Else
      ' Asc(buffer) is the byte value; compare it with the table above
  End If

  Call CloseHandle(myHandle)

To walk neighbouring bytes, add 1 to addr, refill buffer with Space$(1) and call ReadProcessMemory again; the buffer must be re-sized every time because the API only fills the bytes that are already there.
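The process-list section and the three hooking steps, carried out end to end in Python with ctypes. This is an added example, not the wiki's VB6 code: it calls the same kernel32 functions the page declares (CreateToolhelp32Snapshot, Process32First/Next, OpenProcess, ReadProcessMemory, CloseHandle), but opens calc.exe with only PROCESS_VM_READ | PROCESS_QUERY_INFORMATION instead of &H1F0FFF and checks every return value. It assumes the page's XP-era facts, namely calc.exe loaded at image base 01000000 with the digit byte at calc.exe+14D58 and the 124 + digit encoding; the function and constant names are mine. Only the Windows-specific functions need Windows; decode_display and exe_matches run anywhere.

```python
"""Process list, OpenProcess and ReadProcessMemory via ctypes (added example,
not the wiki's VB6). Assumes the page's XP-era facts: calc.exe at image base
0x01000000, digit byte at calc.exe+14D58, encoded as 124 + digit (0 = empty)."""
import ctypes, sys, time

TH32CS_SNAPPROCESS = 0x00000002
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
MAX_PATH = 260
# Least privilege: the page opens with &H1F0FFF (PROCESS_ALL_ACCESS on XP);
# ReadProcessMemory itself requires only PROCESS_VM_READ.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
CALC_IMAGE_BASE = 0x01000000            # assumed: default base, no ASLR (XP)
CALC_DISPLAY_RVA = 0x14D58              # "calc.exe+14D58" on the page
CALC_DISPLAY_VA = CALC_IMAGE_BASE + CALC_DISPLAY_RVA
DIGIT_BASE = 124                        # page: byte = 124 + leftmost digit, or 0

class PROCESSENTRY32(ctypes.Structure):
    """The page's VB6 Type; th32DefaultHeapID is ULONG_PTR so 64-bit Python works."""
    _fields_ = [("dwSize", ctypes.c_uint32), ("cntUsage", ctypes.c_uint32),
                ("th32ProcessID", ctypes.c_uint32), ("th32DefaultHeapID", ctypes.c_void_p),
                ("th32ModuleID", ctypes.c_uint32), ("cntThreads", ctypes.c_uint32),
                ("th32ParentProcessID", ctypes.c_uint32), ("pcPriClassBase", ctypes.c_int32),
                ("dwFlags", ctypes.c_uint32), ("szExeFile", ctypes.c_char * MAX_PATH)]

PROCESSENTRY32_SIZE = ctypes.sizeof(PROCESSENTRY32)   # 296 (32-bit) or 304 (64-bit)

def decode_display(value):
    """Byte at calc.exe+14D58 -> leftmost displayed digit; None if not a digit code."""
    if value == 0:                                    # empty display (or a shown 0)
        return 0
    if DIGIT_BASE <= value <= DIGIT_BASE + 9:
        return value - DIGIT_BASE
    return None                                       # wrong address or other build

def exe_matches(sz_exe_file, wanted):
    """Compare a Toolhelp szExeFile (NUL padded, any case) with a target name."""
    return sz_exe_file.rstrip("\x00").lower() == wanted.lower()

def _k32():
    """Bind kernel32 with explicit prototypes (Windows only: WinDLL exists only there)."""
    k = ctypes.WinDLL("kernel32", use_last_error=True)
    k.CreateToolhelp32Snapshot.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
    k.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    for fn in (k.Process32First, k.Process32Next):
        fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
        fn.restype = ctypes.c_int
    k.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k.OpenProcess.restype = ctypes.c_void_p
    k.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                    ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k.ReadProcessMemory.restype = ctypes.c_int
    k.CloseHandle.argtypes = [ctypes.c_void_p]
    k.CloseHandle.restype = ctypes.c_int
    return k

def list_processes():
    """(pid, exe name) for every process: the page's doShowProcessList loop."""
    k = _k32()
    snap = k.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    procs, pe = [], PROCESSENTRY32()
    pe.dwSize = PROCESSENTRY32_SIZE                   # Process32First fails without it
    try:
        ok = k.Process32First(snap, ctypes.byref(pe))
        while ok:
            procs.append((pe.th32ProcessID, pe.szExeFile.decode("mbcs", "replace")))
            ok = k.Process32Next(snap, ctypes.byref(pe))
    finally:
        k.CloseHandle(snap)
    return procs

def read_bytes(pid, address, size):
    """OpenProcess with read-only rights, ReadProcessMemory, CloseHandle on every path."""
    k = _k32()
    h = k.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())       # 5 = ERROR_ACCESS_DENIED
    try:
        buf, got = ctypes.create_string_buffer(size), ctypes.c_size_t(0)
        if not k.ReadProcessMemory(h, address, buf, size, ctypes.byref(got)):
            raise ctypes.WinError(ctypes.get_last_error())   # 299 = ERROR_PARTIAL_COPY
        return buf.raw[:got.value]
    finally:
        k.CloseHandle(h)

def watch_calc(address=CALC_DISPLAY_VA, poll_s=0.25):
    """Steps 1-3: find calc.exe, then poll until its leftmost digit leaves zero."""
    pids = [p for p, n in list_processes() if exe_matches(n, "calc.exe")]
    if len(pids) != 1:
        raise LookupError(f"expected one calc.exe, found {len(pids)}")
    pid = pids[0]
    while True:
        digit = decode_display(read_bytes(pid, address, 1)[0])
        if digit not in (0, None):                    # display moved away from zero
            return digit
        time.sleep(poll_s)

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Win32 API demo: run on Windows with calc.exe open")
    watch_calc()
```

Run it on Windows with the calculator open and type a digit; watch_calc returns that digit. A LookupError means zero or several calc.exe processes were found, and a WinError 5 from read_bytes means the target runs at a higher integrity level or as another user, which is exactly the case the least-privilege open makes visible instead of masking behind PROCESS_ALL_ACCESS.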