Difference between revisions of "Process Hook and Read From Memory VB6"
From Free Knowledge Base- The DUCK Project: information for everyone
Revision as of 13:21, 3 June 2007
- needs spellchecking
To learn how to hook a running program in Windows we will use calc.exe, the Windows calculator, as a guinea pig. We create a Visual BASIC program that attaches itself to calc.exe and monitors the calculator's value for a change from zero.
Direct Memory Access Class for NT/2000/XP
Four key addresses to use for testing have already been found with a debugger:
- calc.exe+14D55 = 01014D55
- calc.exe+14D56 = 01014D56
- calc.exe+14D57 = 01014D57
- calc.exe+14D58 = 01014D58
- Get the Process ID of calc.exe
- Hook the Process
- Read the Memory
- GetWindowThreadProcessId
- ReadProcessMemory: reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.
    BOOL ReadProcessMemory(
        HANDLE  hProcess,
        LPCVOID lpBaseAddress,
        LPVOID  lpBuffer,
        SIZE_T  nSize,
        SIZE_T* lpNumberOfBytesRead
    );
Parameter directions: hProcess [in], lpBaseAddress [in], lpBuffer [out], nSize [in], lpNumberOfBytesRead [out].
If the function succeeds, the return value is nonzero. If the function fails, the return value is 0 (zero).
The GetWindowThreadProcessId function retrieves the identifier of the thread that created the specified window and, optionally, the identifier of the process that created the window.
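The three steps above (get the process ID, open the process, read its memory), worked through as an added VB6 example that is not part of the original page. It assumes the calculator's main window is titled "Calculator" (English locale) and that the constant address 01014D55 from the list above is valid for the calc.exe build the author debugged; reading four bytes from that address covers all four listed addresses. The process is opened with only PROCESS_VM_READ and PROCESS_QUERY_INFORMATION rather than PROCESS_ALL_ACCESS, which is the least privilege ReadProcessMemory needs, and a failed read reports Err.LastDllError, which is how VB6 exposes the GetLastError value of the last Declare call.

```vb
' Added example, not from the original page: hook calc.exe by window handle
' and watch the DWORD at 01014D55 until it changes from zero.
Option Explicit

' Minimal access rights for reading another process's memory (kernel32 constants)
Private Const PROCESS_VM_READ As Long = &H10
Private Const PROCESS_QUERY_INFORMATION As Long = &H400

Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" _
    (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" _
    (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" _
    (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" _
    (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, _
     ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

' Address from the page's debugger findings (calc.exe+14D55); assumed valid for that build
Private Const CALC_VALUE_ADDRESS As Long = &H1014D55

' Step 1: find the calculator window and ask which process created it
Private Function GetCalcProcessId() As Long
    Dim hWnd As Long, pid As Long
    hWnd = FindWindow(vbNullString, "Calculator")   ' assumed window title
    If hWnd = 0 Then Exit Function                  ' returns 0: no such window
    GetWindowThreadProcessId hWnd, pid              ' pid is filled in by reference
    GetCalcProcessId = pid
End Function

' Steps 2 and 3: open the process read-only and read one DWORD at address.
' Returns True only if all four bytes were read; a partial read counts as failure.
Private Function ReadDword(ByVal pid As Long, ByVal address As Long, ByRef value As Long) As Boolean
    Dim hProcess As Long, bytesRead As Long
    hProcess = OpenProcess(PROCESS_VM_READ Or PROCESS_QUERY_INFORMATION, 0, pid)
    If hProcess = 0 Then
        Debug.Print "OpenProcess failed, error " & Err.LastDllError
        Exit Function
    End If
    If ReadProcessMemory(hProcess, address, value, 4, bytesRead) <> 0 And bytesRead = 4 Then
        ReadDword = True
    Else
        ' ERROR_PARTIAL_COPY (299) here means the page is not fully accessible
        Debug.Print "ReadProcessMemory failed, error " & Err.LastDllError
    End If
    CloseHandle hProcess
End Function

' Poll the address a few times per second and stop once it leaves zero.
' Returns the first nonzero value seen, or 0 if the process could not be read.
Public Function WaitForCalcValue() As Long
    Dim pid As Long, v As Long
    pid = GetCalcProcessId()
    If pid = 0 Then
        MsgBox "calc.exe window not found"
        Exit Function
    End If
    Do
        If Not ReadDword(pid, CALC_VALUE_ADDRESS, v) Then Exit Do
        If v <> 0 Then
            Debug.Print "Value at " & Hex$(CALC_VALUE_ADDRESS) & " changed to " & Hex$(v)
            WaitForCalcValue = v
            Exit Do
        End If
        DoEvents                                    ' keep the VB6 form responsive
        Sleep 200
    Loop
End Function
```

Calling WaitForCalcValue from a button or Form_Load and then typing a digit into the calculator produces the Debug.Print line. Two things worth checking before relying on this: the fixed addresses are specific to the calc.exe build the page's author debugged, so a different build (or a system where the image is relocated) will not match them, and OpenProcess will fail for a process running under another account or at a higher integrity level, which is exactly the boundary that keeps one user's programs from reading another's memory.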