C++

Forum

 
Can´t find adress of variable.

h4rm0ni3 (4)
I tried to get the adress of the variable which contains the String/Value "Systemname" or "Microsoft Corporation".
(of the window "Systeminformationen").

Using FindWindows,GetWindowThreadProcessID,Process32First|Next,CreateToolhelpSnapshot etc
,I create an array ,which contains the PROCESSENTRY32 of the
target Process(which appendet to "Systeminformation") and
of his parent process and of all his threads and child processes.
(of course that is redundant,but I want to play it safe)
->I think,this part of my programm works fine

Then I used OpenProcess,VirtualQueryEx for getting the memory of every single Process.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
 
void GetMemory(DWORD proc_ID,char* target_buf){	  

 	MEMORY_BASIC_INFORMATION mbi;
    unsigned int adress = 0x100000;
	unsigned int start=0;
	unsigned int end=0;
	HANDLE hproc;

	hproc=OpenProcess(PROCESS_ALL_ACCESS,false,proc_ID);

    do
    {
        VirtualQueryEx( //öffnet Speicher des Prozesses
                        hproc,
                        (void*)adress,
                        &mbi,
                        sizeof(MEMORY_BASIC_INFORMATION)
                    );

				
		

        if((mbi.State == MEM_COMMIT)  //--Speicher beantsprucht		
        
		   ){
        
            start = (uint)mbi.BaseAddress;
            end = (uint)mbi.BaseAddress+mbi.RegionSize;

			ScanMemory(start,end,target_buf,hproc);
		}

        adress += mbi.RegionSize; 
	} while(adress < 0x80000000 && !(ERROR_INVALID_PARAMETER==GetLastError()));
	
		if(!(ERROR_INVALID_PARAMETER==GetLastError())){
		printf("MemoryAdresse too high 0x%x\n",adress);
		}

		
		CloseHandle(hproc);
}


Searching for "Systemname",I rifled through all of this memory-blocs
but I didn´t get any satisfying result.
( of course ,there were matches,but they seemd to be part of a kind of manual)
void ScanMemory(DWORD start, DWORD end,char* target_buf,HANDLE hproc){

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
 
void ScanMemory(DWORD start, DWORD end,char* target_buf,HANDLE hproc){
    
	void* save_buf;
   	
	uint sizebuffer=end-start; 
	
	void* buffer=(void*) malloc(sizebuffer); //buffer for memory
	
	DWORD read = 0;
	uint count=0;
	uint i=0;

		
	//check both formats
	//wchar_t is 2byte -> Unicode 
	//char is 1 Byte -> Ansi

	wchar_t* target_buf_wide=(wchar_t*) malloc((strlen(target_buf)+1)*sizeof(wchar_t));

	//transform a Ansi-String into a Unicode-String
	MultiByteToWideChar (CP_ACP, 0, target_buf, -1,target_buf_wide,(strlen(target_buf)+1));
	

	//Reading Memory
        ReadProcessMemory(
                            hproc,
                            (void*)start,
                            buffer,
                            sizebuffer,
                            &read
                        );

	
		save_buf=buffer;

		//interpretation as char 
				for(;sizeof(char)*count<sizebuffer;){ 
			
			
			if(target_buf[i]==*((char*)buffer)){ 
//check if agree with memory
				i++;
				if(i==strlen(target_buf)){   //strlen(target_buf) checks in a row -> match
					printf("< %s > gefunden an 0x%x \n",target_buf,(start+(DWORD)(count*sizeof(char))));
					i=0;
				}
			}
			else{
				if(i>0){
				count=count-i; //go on after first match
				
                      buffer=(void*)((uint)buffer-(uint)(i*sizeof(char))); //","
				i=0;}}
			count++;
			buffer=(void*)((uint)buffer+(uint)sizeof(char)); 
		}

		
		buffer=save_buf; 
		
//interpretation as wchar_t 
//, -----------------in a similar manner-----------------
		
		for(count=0;sizeof(wchar_t)*count<sizebuffer;){

			if(target_buf_wide[i]==*((wchar_t*)buffer)){ //check if agree with memory
				i++;
				if(i==strlen(target_buf)){
					printf("< %s > gefunden an 0x%x \n",target_buf,(start+(DWORD)(count*sizeof(wchar_t))));
					
					i=0;
				}
			}
			else{
				if(i>0){
				count=count-i; //go on after first match
				buffer=(void*)((uint)buffer-(uint)(i*sizeof(wchar_t))); //
				i=0;}}

			count++;
			buffer=(void*)((uint)buffer+(uint)sizeof(char)); 
		}


		free(save_buf_2);
		free(target_buf_wide);
	
}


Where are my mistakes?
I searched on Heaps,Stacks, etc but i could not find
this variable?!
Where could it be?

btw. I use Microsoft Windows 7 Professional.

kbw (9488)
Mixing tabs and spaces makes your code tricky to follow. As does not declaring variables where they're used.

Why don't you just pass the pointers in to ScanMemory as void*? Why are they cast to int? Do you realize you can still do pointer arithmetic if they are treated as char*?

Why is target_buf not const? I had to follow the code to work out that it's an input parameter.

This test doesn't make any sense:
1
2
3
4
 
if(target_buf[i]==*((char*)buffer)){ 
//check if agree with memory
	i++;
	if(i==strlen(target_buf)){   //strlen(target_buf) checks in a row -> match

1. What does the length of target_buf have to do with the search? Why are you not using target_buf_wide?
2. The index into the buffer is not related to the length of the search string.

Why is a simple search so complicated?
Stop casting things. Most of those casts are unnecessary and confusing for everyone.
h4rm0ni3 (4)
Sorry , I tried to make it easier to understand.

Now I use this fkt , but my problem remains.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
 
void ScanMemory2(DWORD start, DWORD end,HANDLE hproc){
	//renamed:

        //target_buf => target_string
	//buffer => buffer_memory
	// i    => matches_in_a_row

	const char target_string[]= "Systemname" ;

        DWORD read = 0;
	uint sizebuffer=end-start; 

	
        char* buffer_memory=(char*) malloc(sizebuffer); //buffer memoryblock
	char* save_buffer_memory;

	uint count=0;
	uint matches_in_a_row=0;


        ReadProcessMemory(
                            hproc,
                            (void*)start,
                            buffer_memory,
                            sizebuffer,
                            &read
                        );

		save_buffer_memory=buffer_memory;//just for free() at the end

//------------------------------------- like strstr() [but strstr()  doesn´t work]		

		for(;sizeof(char)*(count)<sizebuffer;){


			
			if(target_string[matches_in_a_row]==*buffer_memory){ 
				//Example: target_string[0]='S' , buffer_memory point to "SbSystemname" (for example)		   
				
				// count=0->*buffer_memory='S' ->matches_in_a_row=1 --match
				// count=1->*buffer_memory='b' ->matches_in_a_row=0 --mismatch
				// count=2->*buffer_memory='S' ->matches_in_a_row=1 --match
				// count=3->*buffer_memory='y' ->matches_in_a_row=2 --match
				// count=4->*buffer_memory='s' ->matches_in_a_row=3 --match

				// etc. if(matches_in_a_row=length of target_String) => complete String found

				
				matches_in_a_row++;							 
									

				if(matches_in_a_row==strlen(target_string)){
					printf("\n < %s > gefunden an 0x%x \n",target_string,(start+(DWORD)(count*sizeof(char)-strlen(target_string))));
					matches_in_a_row=0;
					
				}
			}
			else{
				matches_in_a_row=0;}

//--------------------------------------			
			
			count++;
			buffer_memory=buffer_memory+sizeof(char); //buffer hoczaehlen
		}
webJose (2948)
Your efforts may be futile. According to the topic caption, you are trying to find out the address of some variable. But most variables get variable addresses every time the process is run, so what's the point of this, really? Maybe if you explain what you need you might get a better solution.
h4rm0ni3 (4)
I want to read the value from target_address and used it for calculations in my program.

And I want to keep this way of reading a value from a target_process almost independent from the target_process.

(so almost I could read any Value of any target_process [of course if the target_process contains this Value])

___
This Search_Process will always be run with Administratior Rights and his ProcessAccessToken include SeDebugPrivilegs.
kbw (9488)
I want to keep this way of reading a value from a target_process almost independent from the target_process.
Can you explain this further please.
h4rm0ni3 (4)
sorry, I mean:
"...almost independent from the Privilegs/Security Level of the target_process."

It is possible that maybe a DLL contains my searched variable and it is just included in target_process?
So it is not in the memory of the target_process?
Topic archived. No new replies allowed.