Re: [python-win32] VirtualQueryEx/ReadProcessMemory
I have a question.

Suppose that by using OpenProcess and VirtualQueryEx, I have the locations of all the memory the application is using. Wouldn't this be true?

Say, an 8 byte data is somewhere in the region I am scanning. OK, I know scanning it like this

for n in range(start,end,1)

will read into another variable and mostly nothing, but unless a variable, that is, one number, can be truncated and exist in multiple locations like this

double = 12345678

123 is at x001
45 is at x005
678 is at x010

unless a number can be broken up like that, wouldn't I, while using the silly 'increment by one' approach, actually luck out and get that value in its actual position?

On Mon, Oct 16, 2017 at 4:39 PM, Michael C wrote:

> >>>Did you acquire the SeDebugPrivilege before calling?
>
> Eh, no. I don't know what that is! How do I get it?
>
> >>>That's a screwed up way of doing it. If you want buffers of 8 bytes,
> then make a buffer of 8 bytes.
>
> So like this?
>
> ReadProcessMemory(Process, i, ctypes.byref(buffer), 8, ctypes.byref(nread))
>
> >>>
> I have no idea what you're asking. What you get back from
> ReadProcessMemory is an untyped set of bytes. There is no way to find
> out anything about the type. It might be strings, it might be machine
> code, it might be header info, it might be floats, it might be images.
> It could be ANYTHING.
> No. What are you hoping to learn here?
>
> Bummer... I thought with what I did, I was building a simple memory
> scanner.
> See, I thought with my ReadProcessMemory line I was retrieving values in
> the size of doubles.
>
> I thought by doing what I did, by reading 8 bytes at a time, (the size of
> doubles) I was effectively looking for values in my memory. I thought a
>
> for(start,end,8)
>
> would give me all the values of doubles since I believed that doubles
> exist in the memory in the positions of base, base+8, base+16, base+24,
> and so forth.
>
> failing that, at least
>
> for(start,end,1)
>
> would achieve the same thing. I would store the address containing the
> doubles I want in a list() called hit_pool. And then the incorrect values
> would be flushed out anyway, when I run another run of comparing the
> address found with target value. like this
>
> for n in hit_pool:
>     readprocessmemory(process, n, ctypes.byref(buffer), 8,
>     ctypes.byref(nread))
>
> Since the way I am reading the memory is not correct, could you tell me
> the correct way to do it?
>
> Thanks!
>
> On Mon, Oct 16, 2017 at 2:54 PM, Tim Roberts wrote:
>
>> Michael C wrote:
>> >
>> > I am working on my own memory scanner. It uses Windows API,
>> > VirtualQueryEx and ReadProcessMemory. I am not sure I put down the
>> > following properly:
>> >
>> > I am sure
>> >
>> > Process =
>> > Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False,
>> > PID)
>> >
>> > ran properly, because it didn't return a 0.
>>
>> Did you acquire the SeDebugPrivilege before calling?
>>
>> > Lastly, ReadProcessMemory:
>> >
>> > 1st Question: The setup.
>> >
>> > buffer = ctypes.c_double()
>> > nread = SIZE_T()
>> >
>> > ReadProcessMemory(Process, i, ctypes.byref(buffer),
>> > ctypes.sizeof(buffer), ctypes.byref(nread))
>> >
>> > I used ctypes.c_double() to determine the size of the buffer, so does
>> > this mean that the value I retrieve would be doubles? As in, I know I
>> > want to scan for double values, therefore what I do is what I did here,
>> > ask ReadProcessMemory to read 8 bytes at a time?
>>
>> That's a screwed up way of doing it. If you want buffers of 8 bytes,
>> then make a buffer of 8 bytes.
>>
>> > Lastly, I don't understand this part about the memory:
>> >
>> > if I used VirtualQueryEx to find out if a region of memory is ok to
>> > scan, and it says it's ok, are the values in the region arranged like
>> > this:
>> >
>> > short,int,double,long,char, double, short in
>> >
>> > as in, random?
>>
>> I have no idea what you're asking. What you get back from
>> ReadProcessMemory is an untyped set of bytes. There is no way to find
>> out anything about the type. It might be strings, it might be machine
>> code, it might be header info, it might be floats, it might be images.
>> It could be ANYTHING.
>>
>> > I am asking this because, if it's random, then I'd have to run
>> > ReadProcessMemory by increasing the value of my loop by ONE (1) at a
>> > time, like this
>> >
>> > for i in range(start_of_region, end_of_region, 1):
>> >     ReadProcessMemory(Process, i, ctypes.byref(buffer),
>> >     ctypes.sizeof(buffer), ctypes.byref(nread))
>> >
>> > Is that correct?
>>
>> No. What are you hoping to learn here?
>>
>> --
>> Tim Roberts, t...@probo.com
>> Providenza & Boekelheide, Inc.
>>
>> ___
>> python-win32 mailing list
>> python-win32@python.org
>> https://mail.python.org/mailman/listinfo/python-win32
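An added example, not part of any message in this thread: it works on a constructed byte snapshot standing in for what a single ReadProcessMemory call over a whole region would return, and shows what the stride-8 loop, the stride-1 loop and the hit_pool second pass each find. All function names, the base address and the sample bytes are made up for the illustration.

```python
import struct

BASE = 0x10000  # constructed region base address (assumption)

def make_snapshot(packed: float, aligned: float) -> bytes:
    """Constructed stand-in for one region's bytes: a double at offset 1
    (as inside a packed struct) and another at the 8-aligned offset 16."""
    return (b"\x07" + struct.pack("<d", packed) + b"\x00" * 7 +
            struct.pack("<d", aligned) + struct.pack("<i", 42) +
            b"name\x00\x00\x00\x00")

def find_double(region: bytes, base: int, target: float, align: int = 1):
    """Addresses whose 8 bytes are exactly the IEEE-754 encoding of target."""
    needle = struct.pack("<d", target)        # little-endian, as on x86/x64
    hits, pos = [], region.find(needle)
    while pos != -1:
        if (base + pos) % align == 0:         # align=8 keeps 8-aligned addresses only
            hits.append(base + pos)
        pos = region.find(needle, pos + 1)    # advance by one byte, like stride 1
    return hits

def rescan(hit_pool, region: bytes, base: int, target: float):
    """Second pass over hit_pool: keep addresses that now hold target."""
    needle = struct.pack("<d", target)
    return [a for a in hit_pool if region[a - base:a - base + 8] == needle]

def views(chunk: bytes):
    """The same 8 bytes decoded three ways; nothing in memory records a type."""
    return {"double": struct.unpack("<d", chunk)[0],
            "int64": struct.unpack("<q", chunk)[0],
            "two_int32": struct.unpack("<ii", chunk)}

if __name__ == "__main__":
    first = make_snapshot(12345678.0, 12345678.0)
    every_byte = find_double(first, BASE, 12345678.0)         # finds both copies
    stride_8 = find_double(first, BASE, 12345678.0, align=8)  # misses offset 1
    print([hex(a) for a in every_byte], [hex(a) for a in stride_8])
    later = make_snapshot(12345679.0, 99.0)                   # values have changed
    print([hex(a) for a in rescan(every_byte, later, BASE, 12345679.0)])
    print(views(first[1:9]))
```

Reading each region once and searching the buffer gives the same hits as calling ReadProcessMemory at every address, without one system call per byte.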
Re: [python-win32] VirtualQueryEx/ReadProcessMemory
>>>Did you acquire the SeDebugPrivilege before calling?

Eh, no. I don't know what that is! How do I get it?

>>>That's a screwed up way of doing it. If you want buffers of 8 bytes, then make a buffer of 8 bytes.

So like this?

ReadProcessMemory(Process, i, ctypes.byref(buffer), 8, ctypes.byref(nread))

>>> I have no idea what you're asking. What you get back from ReadProcessMemory is an untyped set of bytes. There is no way to find out anything about the type. It might be strings, it might be machine code, it might be header info, it might be floats, it might be images. It could be ANYTHING. No. What are you hoping to learn here?

Bummer... I thought with what I did, I was building a simple memory scanner. See, I thought with my ReadProcessMemory line I was retrieving values in the size of doubles.

I thought by doing what I did, by reading 8 bytes at a time, (the size of doubles) I was effectively looking for values in my memory. I thought a

for(start,end,8)

would give me all the values of doubles since I believed that doubles exist in the memory in the positions of base, base+8, base+16, base+24, and so forth.

failing that, at least

for(start,end,1)

would achieve the same thing. I would store the address containing the doubles I want in a list() called hit_pool. And then the incorrect values would be flushed out anyway, when I run another run of comparing the address found with target value. like this

for n in hit_pool:
    readprocessmemory(process, n, ctypes.byref(buffer), 8, ctypes.byref(nread))

Since the way I am reading the memory is not correct, could you tell me the correct way to do it?

Thanks!

On Mon, Oct 16, 2017 at 2:54 PM, Tim Roberts wrote:

> Michael C wrote:
> >
> > I am working on my own memory scanner. It uses Windows API,
> > VirtualQueryEx and ReadProcessMemory. I am not sure I put down the
> > following properly:
> >
> > I am sure
> >
> > Process =
> > Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False,
> > PID)
> >
> > ran properly, because it didn't return a 0.
>
> Did you acquire the SeDebugPrivilege before calling?
>
> > Lastly, ReadProcessMemory:
> >
> > 1st Question: The setup.
> >
> > buffer = ctypes.c_double()
> > nread = SIZE_T()
> >
> > ReadProcessMemory(Process, i, ctypes.byref(buffer),
> > ctypes.sizeof(buffer), ctypes.byref(nread))
> >
> > I used ctypes.c_double() to determine the size of the buffer, so does
> > this mean that the value I retrieve would be doubles? As in, I know I
> > want to scan for double values, therefore what I do is what I did here,
> > ask ReadProcessMemory to read 8 bytes at a time?
>
> That's a screwed up way of doing it. If you want buffers of 8 bytes,
> then make a buffer of 8 bytes.
>
> > Lastly, I don't understand this part about the memory:
> >
> > if I used VirtualQueryEx to find out if a region of memory is ok to
> > scan, and it says it's ok, are the values in the region arranged like
> > this:
> >
> > short,int,double,long,char, double, short in
> >
> > as in, random?
>
> I have no idea what you're asking. What you get back from
> ReadProcessMemory is an untyped set of bytes. There is no way to find
> out anything about the type. It might be strings, it might be machine
> code, it might be header info, it might be floats, it might be images.
> It could be ANYTHING.
>
> > I am asking this because, if it's random, then I'd have to run
> > ReadProcessMemory by increasing the value of my loop by ONE (1) at a
> > time, like this
> >
> > for i in range(start_of_region, end_of_region, 1):
> >     ReadProcessMemory(Process, i, ctypes.byref(buffer),
> >     ctypes.sizeof(buffer), ctypes.byref(nread))
> >
> > Is that correct?
>
> No. What are you hoping to learn here?
>
> --
> Tim Roberts, t...@probo.com
> Providenza & Boekelheide, Inc.
Re: [python-win32] VirtualQueryEx/ReadProcessMemory
Michael C wrote:
>
> I am working on my own memory scanner. It uses Windows API, VirtualQueryEx
> and ReadProcessMemory. I am not sure I put down the following properly:
>
> I am sure
>
> Process =
> Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False,
> PID)
>
> ran properly, because it didn't return a 0.

Did you acquire the SeDebugPrivilege before calling?

> Lastly, ReadProcessMemory:
>
> 1st Question: The setup.
>
> buffer = ctypes.c_double()
> nread = SIZE_T()
>
> ReadProcessMemory(Process, i, ctypes.byref(buffer),
> ctypes.sizeof(buffer), ctypes.byref(nread))
>
> I used ctypes.c_double() to determine the size of the buffer, so does
> this mean that the value I retrieve would be doubles? As in, I know I want
> to scan for double values, therefore what I do is what I did here, ask
> ReadProcessMemory to read 8 bytes at a time?

That's a screwed up way of doing it. If you want buffers of 8 bytes, then make a buffer of 8 bytes.

> Lastly, I don't understand this part about the memory:
>
> if I used VirtualQueryEx to find out if a region of memory is ok to
> scan, and it says it's ok, are the values in the region arranged like this:
>
> short,int,double,long,char, double, short in
>
> as in, random?

I have no idea what you're asking. What you get back from ReadProcessMemory is an untyped set of bytes. There is no way to find out anything about the type. It might be strings, it might be machine code, it might be header info, it might be floats, it might be images. It could be ANYTHING.

> I am asking this because, if it's random, then I'd have to run
> ReadProcessMemory by increasing the value of my loop by ONE (1) at a
> time, like this
>
> for i in range(start_of_region, end_of_region, 1):
>     ReadProcessMemory(Process, i, ctypes.byref(buffer),
>     ctypes.sizeof(buffer), ctypes.byref(nread))
>
> Is that correct?

No. What are you hoping to learn here?

--
Tim Roberts, t...@probo.com
Providenza & Boekelheide, Inc.
[python-win32] PyWin32 API
To Whom it May Concern,

I've been reading the documentation and had a question. How would I create a custom tag in the details tab of a file, then set it and read it? If creating it is not possible, would it then be possible to just set an already existing tag and then read it?

My end goal is to try and metatag a large group of files to avoid having to open them to read them. I'd rather just use a script to blast through 10,000 files and understand what files are in my folder structure.

Thanks.

Josh Clayton
[python-win32] VirtualQueryEx/ReadProcessMemory
Hi all,

I am working on my own memory scanner. It uses Windows API, VirtualQueryEx and ReadProcessMemory. I am not sure I put down the following properly:

I am sure

Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID)

ran properly, because it didn't return a 0.

Then it's VirtualQueryEx:

current_address = sysinfo.lpMinimumApplicationAddress
end_address = sysinfo.lpMaximumApplicationAddress

while current_address < end_address:
    Kernel32.VirtualQueryEx(Process, \
        current_address, ctypes.byref(mbi),ctypes.sizeof(mbi))

    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT :
        print('This region can be scanned!')
    current_address += mbi.RegionSize

Now, I think it ran fine as well, because it didn't return 0 at all. Just to make sure, at the end of scanning for a region, I use

current_address += mbi.RegionSize

instead of

current_address += mbi.RegionSize + 1

, right?

Lastly, ReadProcessMemory:

1st Question: The setup.

buffer = ctypes.c_double()
nread = SIZE_T()

ReadProcessMemory(Process, i, ctypes.byref(buffer), ctypes.sizeof(buffer), ctypes.byref(nread))

I used ctypes.c_double() to determine the size of the buffer, so does this mean that the value I retrieve would be doubles? As in, I know I want to scan for double values, therefore what I do is what I did here, ask ReadProcessMemory to read 8 bytes at a time?

Lastly, I don't understand this part about the memory:

if I used VirtualQueryEx to find out if a region of memory is ok to scan, and it says it's ok, are the values in the region arranged like this:

short,int,double,long,char, double, short in

as in, random?

I am asking this because, if it's random, then I'd have to run ReadProcessMemory by increasing the value of my loop by ONE (1) at a time, like this

for i in range(start_of_region, end_of_region, 1):
    ReadProcessMemory(Process, i, ctypes.byref(buffer), ctypes.sizeof(buffer), ctypes.byref(nread))

Is that correct?

Thanks all!

this is my scanner's full code : https://pastebin.com/bdq0afT0