quarks

Reputation: 35276

Reading Win32 variables

If I can hook into a Win32 process, will I be able to do:

Cheers.

Upvotes: 2

Views: 338

Answers (1)

Saul

Reputation: 1002

Yes. As soon as your module is hooked into the process, you share the same address space. That means memory that the process has allocated (e.g. for class instances) will be accessible to you.

If you know the offset of the class instance, then you can either:

  • cast this memory address to a pointer to the class (provided you have the class header included)
  • use offsets from this memory address to access the class's members.

See Traversing the Module List on MSDN. Once you have the MODULEENTRY32 of the process you wish to "hook", you can use the modBaseAddr as a base for your offsets. For example if you know that a global variable which points to a class instance is at 0x000AD421, you can do:

// modBaseAddr is a BYTE*, so the result of the pointer arithmetic must be cast to the class pointer type
ClassName *pClassBase = reinterpret_cast<ClassName*>(moduleEntry->modBaseAddr + 0x000AD421);
pClassBase->UseSomeFunctions();

or

unsigned char *pClassBase = moduleEntry->modBaseAddr + 0x000AD421; // if we don't know the exact definition of the class we want to play with
float flMemberValue = *reinterpret_cast<float*>(pClassBase + 24); // read the float member at byte offset 24
// value of member is flMemberValue

*reinterpret_cast<float*>(pClassBase + 24) = 15.25f; // setting the same member value to 15.25.

As stated by other commenters, finding the offset of the class base is the hardest part of this process. However, if you have the class definitions handy, this is essentially the only piece of work you have to do (i.e. you don't also have to find the class member offsets).

Upvotes: 2
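The two access styles the answer describes (a typed pointer versus raw byte offsets from a base) as an added, self-contained example that is not part of the original answer. It runs entirely inside its own process: `FakeModule`, `Entity`, `kEntityOffset` and the member values are all constructed stand-ins for a module image and the class instance living in it, and on Windows the `modBase` argument would instead be `MODULEENTRY32::modBaseAddr`. It also shows the caveat the answer hints at: a member offset that is off by one field silently reads the wrong member, so `offsetof` (or a layout verified against the real binary) is preferable to a hardcoded number.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Constructed stand-in for a class instance living in the target module.
struct Entity {
    std::uint32_t id;
    double        position;
    float         health;
    std::uint8_t  flags;
};

// Offset of the instance from the (fake) module base; a constructed value.
constexpr std::size_t kEntityOffset = 0x40;

// Byte-offset read/write via memcpy so misaligned or aliased access stays well-defined.
template <typename T>
T readAt(const unsigned char *base, std::size_t off) {
    T v;
    std::memcpy(&v, base + off, sizeof v);
    return v;
}
template <typename T>
void writeAt(unsigned char *base, std::size_t off, const T &value) {
    std::memcpy(base + off, &value, sizeof value);
}

// Fake "module image": a zeroed byte buffer with one Entity placed at kEntityOffset.
struct FakeModule {
    std::vector<unsigned char> image;
    FakeModule() : image(0x100, 0) {
        Entity e{7u, 1.5, 100.0f, 0x3u};
        std::memcpy(image.data() + kEntityOffset, &e, sizeof e);
    }
    unsigned char *base() { return image.data(); }
};

// Style 1: cast base + offset to the class pointer (needs the class definition).
float readHealthTyped(unsigned char *modBase) {
    Entity *p = reinterpret_cast<Entity *>(modBase + kEntityOffset);
    return p->health;
}

// Style 2: raw byte offsets. offsetof supplies the member offset here; without the
// class definition this would be a number recovered from the binary's layout.
float readHealthByOffset(unsigned char *modBase) {
    return readAt<float>(modBase + kEntityOffset, offsetof(Entity, health));
}

// Write through style 2, then read back through style 1 to show both see the same memory.
float writeHealthByOffset(unsigned char *modBase, float v) {
    writeAt<float>(modBase + kEntityOffset, offsetof(Entity, health), v);
    return readHealthTyped(modBase);
}

// Caveat: reading the float at the offset of `id` reinterprets the integer 7 as a
// denormal float, not 100.0f. Nothing flags the mistake at runtime.
float readWrongOffset(unsigned char *modBase) {
    return readAt<float>(modBase + kEntityOffset, offsetof(Entity, id));
}

int main() {
    FakeModule mod;
    std::cout << "typed:        " << readHealthTyped(mod.base()) << '\n';
    std::cout << "by offset:    " << readHealthByOffset(mod.base()) << '\n';
    std::cout << "after write:  " << writeHealthByOffset(mod.base(), 15.25f) << '\n';
    std::cout << "wrong offset: " << readWrongOffset(mod.base()) << '\n';
    std::cout << "sizeof(Entity)=" << sizeof(Entity)
              << " offsetof(health)=" << offsetof(Entity, health) << '\n';
    return 0;
}
```

The padding the compiler inserts after `id` (so that `position` is aligned) is why `offsetof(Entity, health)` is printed rather than assumed: the same declaration can produce different member offsets under different ABIs or packing settings, which is the layout mismatch a hardcoded offset cannot detect.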
