Reputation: 11
I have written a simple memory scanner in C++, but it is slow, and someone said that reading chunks of memory would speed it up. But how do I get every correct address?
Here is the sample source code:
```cpp
#include <cstdio>
#include <iostream>
#include <Windows.h>
#include <string>

#define CHUNK_SIZE 0x80000
#define MAX_ADDRESS 0x7ffffff

using namespace std;

int main()
{
    DWORD pid;
    char buffer[CHUNK_SIZE];
    std::cin >> pid;
    int something;
    int someValue = 0;
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    SIZE_T numberRead;

    if (process)
        printf("opened process.\n");
    else
    {
        printf("could not open process.\n");
        return 1; // nothing to scan without a handle
    }

    // Walk the address range one chunk at a time.
    for (DWORD i = 0; i < MAX_ADDRESS; i += CHUNK_SIZE) {
        if (ReadProcessMemory(process, (LPCVOID)(ULONG_PTR)i, buffer, sizeof(buffer),
                              &numberRead)) {
            for (DWORD j = 0; j < sizeof(buffer); j++)
            {
                // Index with j (offset inside the chunk), and read the byte as
                // unsigned so that a value of 220 can actually match.
                someValue = (unsigned char)buffer[j];
                if (someValue == 220)
                {
                    printf("found value %d at 0x%x.\n", someValue, i + j);
                }
            }
        }
    }
    CloseHandle(process);
}
```
Upvotes: 0
Views: 2786
Reputation: 11
```cpp
#define CHUNK_SIZE 0x1

for (DWORD i = 0x000000; i < MAX_ADDRESS; i += CHUNK_SIZE) {
    ReadProcessMemory(process, (void*)i, &buffer, sizeof(CHUNK_SIZE), 0);
    for (int j = 0; j < CHUNK_SIZE; j++)
    {
        if (buffer[j] == value)
        {
            count++;
            printf("found value %d at 0x%x.\n", buffer[j], i + j);
            //fprintf(f, "0x%x\n", i + j);
            printCheatTable(f, i + j, count);
            results[k] = i + j;
            k++;
        }
    }
}
```
There must be a problem with this code. Basically I want to read a chunk of memory into ReadProcessMemory.
There are some modifications to the previous code, namely the "results[k]" array and the function printCheatTable, but they are of no importance to the code. One more change is that "CHUNK_SIZE" is "0x1" now.
Upvotes: 0
Reputation: 3923
It would be best to use VirtualQueryEx to loop through all the valid memory and avoid calling ReadProcessMemory on invalid memory:
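```cpp
// Fragment: hProc is an already opened process handle.
MEMORY_BASIC_INFORMATION mbi;
char* addr = nullptr;    // start of the address space
char* buffer = nullptr;
SIZE_T bytesRead = 0;

// Each call describes the region that contains addr.
while (VirtualQueryEx(hProc, addr, &mbi, sizeof(mbi)))
{
    if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS)
    {
        delete[] buffer;
        buffer = new char[mbi.RegionSize];
        // Only scan when the read succeeded, and only the bytes actually read.
        if (ReadProcessMemory(hProc, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead))
        {
            for (SIZE_T j = 0; j < bytesRead; j++)
            {
                // Compare as unsigned char: a signed char can never equal 220.
                if ((unsigned char)buffer[j] == 220)
                {
                    printf("found value %d at 0x%p.\n", (unsigned char)buffer[j],
                           (void*)((char*)mbi.BaseAddress + j));
                }
            }
        }
    }
    addr += mbi.RegionSize; // advance to the next region
}
delete[] buffer;
```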
Keep in mind this will return areas of memory where portions of two variables, when combined, have the same bits as your value in integer representation, meaning you can get false positives.
Upvotes: 1
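The false positives mentioned in the answer above, shown on a local buffer as an added example that is not part of any post in this thread: the same bytes are scanned once at every byte offset and once only at 4-byte-aligned offsets. The function names and the sample bytes are constructed for illustration, and a 32-bit little-endian value (as on x86 Windows) is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Scan bytes already copied out of one region (for example the buffer filled
// by ReadProcessMemory) for a 32-bit value stored little-endian, as on x86.
// step = 1 tests every byte offset; step = 4 tests only offsets where a
// naturally aligned 32-bit variable can start. Region base addresses are
// page-aligned, so an aligned offset is also an aligned address.
std::vector<std::size_t> scanForUint32(const std::vector<unsigned char>& buf,
                                       std::uint32_t value, std::size_t step)
{
    std::vector<std::size_t> hits;
    if (step == 0) return hits;
    for (std::size_t off = 0; off + 4 <= buf.size(); off += step) {
        // Assemble the candidate byte by byte: no unaligned pointer casts.
        std::uint32_t candidate =
            static_cast<std::uint32_t>(buf[off]) |
            static_cast<std::uint32_t>(buf[off + 1]) << 8 |
            static_cast<std::uint32_t>(buf[off + 2]) << 16 |
            static_cast<std::uint32_t>(buf[off + 3]) << 24;
        if (candidate == value) hits.push_back(off);
    }
    return hits;
}

// Constructed sample: three adjacent 32-bit variables.
//   offset 0: 0xDC000000   offset 4: 0   offset 8: 220 (0x000000DC)
std::vector<unsigned char> sampleRegion()
{
    return { 0x00, 0x00, 0x00, 0xDC,
             0x00, 0x00, 0x00, 0x00,
             0xDC, 0x00, 0x00, 0x00 };
}

int main()
{
    const std::vector<unsigned char> region = sampleRegion();
    for (std::size_t step : { std::size_t(1), std::size_t(4) }) {
        std::printf("step %zu:", step);
        for (std::size_t off : scanForUint32(region, 220, step))
            std::printf(" +%zu", off);
        std::printf("\n");
    }
    return 0;
}
```

With step 1 the scan also reports offset 3, where the last byte of the first variable and the first three bytes of the second happen to spell 220; with step 4 only the real variable at offset 8 is reported.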