Hi all,

I am working on my own memory scanner. It uses the Windows API, VirtualQueryEx
and ReadProcessMemory. I am not sure I put down the following properly:

I am sure

    Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, PID)

ran properly, because it didn't return a 0.

Then it's VirtualQueryEx:

    current_address = sysinfo.lpMinimumApplicationAddress
    end_address = sysinfo.lpMaximumApplicationAddress

    while current_address < end_address:
        Kernel32.VirtualQueryEx(Process, current_address,
                                ctypes.byref(mbi), ctypes.sizeof(mbi))

        if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
            print('This region can be scanned!')

        current_address += mbi.RegionSize


Now, I think it ran fine as well, because it didn't return 0 at all.
Just to make sure, at the end of scanning a region, I use

    current_address += mbi.RegionSize

instead of

    current_address += mbi.RegionSize + 1

Right?




Lastly, ReadProcessMemory:

1st question: the setup.

    buffer = ctypes.c_double()
    nread = SIZE_T()

    ReadProcessMemory(Process, i, ctypes.byref(buffer), ctypes.sizeof(buffer),
                      ctypes.byref(nread))


I used ctypes.c_double() to determine the size of the buffer, so does this
mean that the values I retrieve would be doubles? As in, I know I want to scan
for double values, therefore what I do is what I did here, ask ReadProcessMemory
to read 8 bytes at a time?




Lastly, I don't understand this part about the memory:

If I used VirtualQueryEx to find out if a region of memory is OK to scan,
and it says it's OK, are the values in the region arranged like this:

short,int,double,long,char, double, short in

as in, random?


I am asking this because, if it's random, then I'd have to run
ReadProcessMemory by increasing the value of my loop by ONE (1) at a time,
like this:

    for i in range(start_of_region, end_of_region, 1):
        ReadProcessMemory(Process, i, ctypes.byref(buffer), ctypes.sizeof(buffer),
                          ctypes.byref(nread))


Is that correct?

Thanks all!


This is my scanner's full code:
https://pastebin.com/bdq0afT0
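An added example, not the poster's code nor the pastebin, that walks the address range with VirtualQueryEx the way the post does, but reads each committed read/write region with a single ReadProcessMemory call and then searches that copy at every byte offset, which is what a stride-1 scan needs without one API call per byte. The `MEMORY_BASIC_INFORMATION` layout and the `argtypes` declarations are assumptions taken from the Win32 headers; the Win32 part is only defined on Windows, while `find_double` is plain Python and runs anywhere.

```python
import ctypes
import struct
import sys

MEM_COMMIT = 0x1000      # MEMORY_BASIC_INFORMATION.State: pages are backed
PAGE_READWRITE = 0x04    # MEMORY_BASIC_INFORMATION.Protect

def find_double(buf, target, base=0):
    """Addresses (base + offset) at which `buf` holds `target` as a little-endian
    IEEE-754 double at ANY byte offset, not only 8-byte-aligned ones."""
    needle = struct.pack("<d", target)
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(base + i)
        i = buf.find(needle, i + 1)   # i + 1 so overlapping matches are not skipped
    return hits

if sys.platform == "win32":   # assumed Win32 declarations; only defined on Windows
    from ctypes import wintypes

    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        _fields_ = [("BaseAddress", ctypes.c_void_p),
                    ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD),
                    ("RegionSize", ctypes.c_size_t),
                    ("State", wintypes.DWORD),
                    ("Protect", wintypes.DWORD),
                    ("Type", wintypes.DWORD)]
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, wintypes.LPCVOID,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.ReadProcessMemory.restype = wintypes.BOOL

    def scan_process(handle, target, start, end):
        """Walk [start, end); read each committed RW region once and search the copy."""
        mbi, hits, addr = MEMORY_BASIC_INFORMATION(), [], start
        while addr < end:
            if k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)) == 0:
                break                      # 0 bytes returned: query failed, stop walking
            base = mbi.BaseAddress or 0    # c_void_p reads back as None for address 0
            if mbi.State == MEM_COMMIT and mbi.Protect == PAGE_READWRITE:
                buf = ctypes.create_string_buffer(mbi.RegionSize)
                nread = ctypes.c_size_t()
                if k32.ReadProcessMemory(handle, base, buf, mbi.RegionSize, ctypes.byref(nread)):
                    hits += find_double(buf.raw[:nread.value], target, base)
            addr = base + mbi.RegionSize   # next region starts right after this one, no +1
        return hits
```

`handle` is the value returned by OpenProcess with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, and `start`/`end` are the lpMinimumApplicationAddress / lpMaximumApplicationAddress bounds from GetSystemInfo, as in the post.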
_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
