Difference between revisions of "Process Hook and Read From Memory VB6"
m |
m |
||
Line 8: | Line 8: | ||
*'''hProcess''': A handle to the process with memory that is being read. This is generated using the process id (PID). The handle must have PROCESS_VM_READ access to the process. The handle is a number, it will be used for ReadProcessMemory. This needs to be closed when you are done with "CloseHandle hProcess" after ReadProcessMemory. | *'''hProcess''': A handle to the process with memory that is being read. This is generated using the process id (PID). The handle must have PROCESS_VM_READ access to the process. The handle is a number, it will be used for ReadProcessMemory. This needs to be closed when you are done with "CloseHandle hProcess" after ReadProcessMemory. | ||
− | + | Get MBI information from the process | |
ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI) | ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI) | ||
+ | VirtualQueryEx takes an address (lpMem) and returns information about it in the MEMORY_BASIC_INFORMATION (mbi) structure. The function is used to retrieve information about a range of pages in the address space of another process. | ||
Read the memory range into buffer | Read the memory range into buffer |
Revision as of 17:26, 19 August 2007
The API Calls
The important code:
Hook the process or reading, or reading and writing
hProcess = OpenProcess(PROCESS_READ_WRITE_QUERY, False, pid)
- hProcess: A handle to the process with memory that is being read. This is generated using the process id (PID). The handle must have PROCESS_VM_READ access to the process. The handle is a number, it will be used for ReadProcessMemory. This needs to be closed when you are done with "CloseHandle hProcess" after ReadProcessMemory.
Get MBI information from the process
ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI)
VirtualQueryEx takes an address (lpMem) and returns information about it in the MEMORY_BASIC_INFORMATION (mbi) structure. The function is used to retrieve information about a range of pages in the address space of another process.
Read the memory range into buffer
ReadProcessMemory hProcess, ByVal intRead1, ByVal sBuffer, intLen1, lWritten
- WHAT GOES IN: hProcess, intRead1, intLen1
- WHAT COMES OUT: sBuffer, lWritten
- intRead1: base address to read memory from. (where a chunk of text memory starts) (pointer)
- sBuffer: the memory contents copied into our buffer. (data chunk read)
- intLen1: how much memory should be read, in bytes. (how big the chunk of data is)
- lWritten: how much was actually read, in bytes. (pointer)
What is actually happening is the region of memory from the other program is being accesses, read, and the contents copied into a region of memory in our own program, the buffer.
Direct Memory Access Class for NT/2000/XP
To learn how to hook a running program in Windows we will use calc.exe, the windows calculator, as a guinea pig. So, we create a Visual BASIC program that attaches itself to calc.exe and monitors for the calculator value to change from zero.
Already found four key addresses to use for testing with a debugger:
calc.exe+14D55 01014D55 calc.exe+14D56 01014D56 calc.exe+14D57 01014D57 calc.exe+14D58 01014D58
Specifically, 01014D58:
0 = 0 or 124 Value of the leftmost number in the display 1 = 125 is 124 + the digit. If there is nothing in 2 = 126 the display then the value is 0. 9 = 133
- Get the Process ID of calc.exe
- Hook the Process
- Read the Memory
- Getwindowthreadprocessid: retrieves the identifier of the thread that created the specified window and, optionally, the identifier of the process that created the window.
- ReadProcessMemory: Reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.
BOOL ReadProcessMemory( HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead );
ReadProcessMemory hProcess [in], lpBaseAddress [in], lpBuffer[out], nSize[in], lpNumberOfBytesRead[out]
If the function succeeds, the return value is nonzero. If the function fails, the return value is 0 (zero).
- hProcess: A handle to the process with memory that is being read. The handle must have PROCESS_VM_READ access to the process.
- lpBaseAddress: A pointer to the base address in the specified process from which to read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access, and if it is not accessible the function fails.
- lpBuffer: A pointer to a buffer that receives the contents from the address space of the specified process.
- nSize: The number of bytes to be read from the specified process.
- lpNumberOfBytesRead: A pointer to a variable that receives the number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.
ReadProcessMemory Code Snippet
addr = addr + 1 buffer = Space$(1) Call ReadProcessMemory(myHandle, addr, buffer, 1, readlen)
- myHandle is a long integer
- addr is a long integer
- buffer is a string variable / buffer = Space$(1) / ???
- readlen is
myHandle = OpenProcess(&H1F0FFF, False, pid) buffer = Space$(1) addr = 16798516 ' memory address to what we are watching is Call ReadProcessMemory(myHandle, addr, buffer, 1, readlen)