Scanning memory functions in C
Thanks, yes
Read/WriteProcessMemory works but is way too complicated as you can't
just read/write to any process as you would think, instead you have to
do a lot of work before you get the ability to change anything or find
any value. In my opinion it would be better if someone constructed a
simple function to do this for you instead of having to override the
manic security settings all the time. After all, isn't that what
functions are for so you don't have to reinvent the wheel all the time?
I came this far, and was able to read but not write, and since I
couldn't write I couldn't be certain what I read was correct either:
Code:
```c
BOOL EnablePriv(LPCSTR lpszPriv, HANDLE tprocid) // by Napalm
{
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tkprivs;
    ZeroMemory(&tkprivs, sizeof(tkprivs));

    if(!OpenProcessToken(tprocid, (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken))
        return FALSE;

    if(!LookupPrivilegeValue(NULL, lpszPriv, &luid)){
        CloseHandle(hToken);
        return FALSE;
    }

    tkprivs.PrivilegeCount = 1;
    tkprivs.Privileges[0].Luid = luid;
    tkprivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL bRet = AdjustTokenPrivileges(hToken, FALSE, &tkprivs, sizeof(tkprivs), NULL, NULL);
    CloseHandle(hToken);
    return bRet;
}
// Called as: EnablePriv(SE_DEBUG_NAME);

int getbyte(int procid, int address)
{
    int c;
    HANDLE mprocess;
    mprocess=(HANDLE)procid;
    EnablePriv(SE_DEBUG_NAME, mprocess);
    HANDLE hProcess;
    unsigned char ucMem;
    DWORD dwMemAddr = (DWORD)address;
    SIZE_T stBytes = 0;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE, (DWORD)mprocess);
    ReadProcessMemory(hProcess,(LPCVOID)dwMemAddr, &ucMem, 1,&stBytes);
    CloseHandle(hProcess);
    c = (int)ucMem;
    return (c);
}

int writebyte(int procid, int address, int value)
{
    int c;
    HANDLE mprocess;
    mprocess=(HANDLE)procid;
    EnablePriv(SE_DEBUG_NAME, mprocess);
    HANDLE hProcess;
    unsigned char ucMem;
    ucMem=(unsigned char)value;
    DWORD dwMemAddr = (DWORD)address;
    SIZE_T stBytes = 0;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE, (DWORD)mprocess);
    c=(int)WriteProcessMemory(hProcess, (LPVOID)dwMemAddr, (LPCVOID)&ucMem, 1,NULL);
    CloseHandle(hProcess);
    return (c);
}
```
C'mon there must be an easier way than this?
I have looked at the source code, but I don't fully understand the
structure of Delphi and I'm only a beginner at C, so trying to decipher
Delphi to C is too big a task for me, what would be superb is a function
to prepare the Process so it can be read from and written to, and a
function to actually read and write to it. That's all I need, yet so
hard to do.
I hope you understand my concern, this is not something that should be
difficult to do, it should be easy. If I could only get it to read and
write one single byte successfully then that would be a BIG step in the
right direction.
(QB64 doesn't have certain types of variables so I convert to and fro int instead if you wonder about that)
I'm saying not to use PROCESS_ALL_ACCESS because
the flags changed across OS versions. The flag changed between XP and
Vista/Win7:
Code:
```c
#if (NTDDI_VERSION >= NTDDI_VISTA)
#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF)
#else
#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF)
#endif
```
This doesn't make the documentation wrong, what they say in the docs is correct.
What I'm telling you to do is not use this flag at all and use specifically the ones you need. For example:
Code:
```c
HANDLE hHandle = OpenProcess( PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, dwProcId );
```
Which does not require the token to be adjusted since you aren't asking for all privileges.
The next step you need to do is start checking error returns and
obtaining the error code from the system after the API fails. For
example:
Code:
```c
// Obtain process handle..
HANDLE hHandle = OpenProcess( PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, dwProcId );
if( hHandle == NULL )
{
    // OpenProcess failed.. read the error from the system..
    DWORD dwLastError = GetLastError();

    // Handle error here..
    return; // no valid handle, so the read below cannot succeed
}

// Attempt to read a DWORD from memory..
DWORD dwValue = 0;
if( !ReadProcessMemory( hHandle, (LPCVOID)0x12345678, &dwValue, sizeof( dwValue ), NULL ) )
{
    // ReadProcessMemory failed.. read the error from the system..
    DWORD dwLastError = GetLastError();

    // Handle error here..

    // Be sure to clean up the handle and other objects..
    CloseHandle( hHandle );
    return;
}
```
One other thing to keep in mind, the API is 'dumb'. It has no knowledge
of what sits between the call you make and the result it will give you.
Meaning if the target process has any security features implemented, the
system's API has no idea. So your targets could also be blocking calls
to things like OpenProcess, ReadProcessMemory / WriteProcessMemory and
so on.
Try starting on something basic like Minesweeper. Get the idea and
understanding down on altering memory on something that is completely
unprotected and then move onto other things.
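As an added example (not code from the thread), the following portable C program works through the access-mask arithmetic behind the advice above: it compares the two `PROCESS_ALL_ACCESS` definitions quoted in the post and lists which rights an all-access request carries beyond the three `PROCESS_VM_*` flags. The numeric values are those of the Windows SDK headers; the local macro names and the helpers `excess_rights` and `describe_mask` are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Numeric values from winnt.h, under local names so this builds without <windows.h>. */
#define STD_RIGHTS_REQUIRED 0x000F0000u
#define SYNC_RIGHT          0x00100000u
#define ALL_ACCESS_XP    (STD_RIGHTS_REQUIRED | SYNC_RIGHT | 0x0FFFu)
#define ALL_ACCESS_VISTA (STD_RIGHTS_REQUIRED | SYNC_RIGHT | 0xFFFFu)
#define VM_RW_MASK       (0x0008u | 0x0010u | 0x0020u) /* VM_OPERATION|VM_READ|VM_WRITE */

static const struct { uint32_t bit; const char *name; } kRights[] = {
    {0x0001u, "TERMINATE"}, {0x0002u, "CREATE_THREAD"}, {0x0004u, "SET_SESSIONID"},
    {0x0008u, "VM_OPERATION"}, {0x0010u, "VM_READ"}, {0x0020u, "VM_WRITE"},
    {0x0040u, "DUP_HANDLE"}, {0x0080u, "CREATE_PROCESS"}, {0x0100u, "SET_QUOTA"},
    {0x0200u, "SET_INFORMATION"}, {0x0400u, "QUERY_INFORMATION"},
    {0x0800u, "SUSPEND_RESUME"}, {0x1000u, "QUERY_LIMITED_INFORMATION"},
    {0x2000u, "SET_LIMITED_INFORMATION"}, {0x00010000u, "DELETE"},
    {0x00020000u, "READ_CONTROL"}, {0x00040000u, "WRITE_DAC"},
    {0x00080000u, "WRITE_OWNER"}, {0x00100000u, "SYNCHRONIZE"},
};

/* Rights carried by `requested` that the task described by `needed` never uses. */
uint32_t excess_rights(uint32_t requested, uint32_t needed) { return requested & ~needed; }

/* Writes '|'-separated names of the set bits into out (truncating safely);
   returns how many set bits have no name in kRights. */
int describe_mask(uint32_t mask, char *out, size_t cap) {
    size_t used = 0;
    int unnamed = 0;
    if (cap) out[0] = '\0';
    for (size_t i = 0; i < sizeof kRights / sizeof kRights[0]; i++) {
        if (!(mask & kRights[i].bit)) continue;
        mask &= ~kRights[i].bit;
        if (used < cap) {
            int n = snprintf(out + used, cap - used, "%s%s", used ? "|" : "", kRights[i].name);
            if (n > 0) used += (size_t)n;
        }
    }
    for (; mask; mask >>= 1) unnamed += (int)(mask & 1u);
    return unnamed;
}

int main(void) {
    char buf[512];
    int unnamed = describe_mask(ALL_ACCESS_VISTA, buf, sizeof buf);
    printf("Vista+ all-access: %s (+%d unnamed bits)\n", buf, unnamed);
    printf("beyond VM read/write: 0x%06X\n", (unsigned)excess_rights(ALL_ACCESS_VISTA, VM_RW_MASK));
    return 0;
}
```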