Re: [python-win32] VirtualQueryEx/ReadProcessMemory

2017-10-17 Thread Tim Roberts
On Oct 16, 2017, at 4:39 PM, Michael C  wrote:
> 
> >>>Did you acquire the SeDebugPrivilege before calling?
> 
> Eh, no. I don't know what that is! How do I get it?

https://www.programcreek.com/python/example/80627/win32con.TOKEN_ADJUST_PRIVILEGES

> >>>That's a screwed up way of doing it.  If you want buffers of 8 bytes,
> then make a buffer of 8 bytes.
> 
> So like this?
> 
> ReadProcessMemory(Process, i, ctypes.byref(buffer), 8, ctypes.byref(nread))

I would probably use ctypes.c_buffer to create the buffer.  You can experiment 
by reading your own process before you start reading other processes.


> Bummer... I thought with what I did, I was building a simple memory scanner.
> See, I thought with my ReadProcessMemory line I was retrieving values in the 
> size of doubles.
> 
> I thought by doing what I did, by reading 8 bytes at a time, (the size of 
> doubles) I was effectively looking for values in my memory. I thought a
> 
> for n in range(start, end, 8)
> 
> would give me all the values of doubles since I believed that doubles exist 
> in the memory in the positions of   base, base+8, base+16, base+24, and so 
> forth.

You would get the memory, 8 bytes at a time.  8-byte integers are often stored 
aligned on 8-byte boundaries, because it's slightly more efficient, but it's 
not required.  It depends on what you're looking for, which you still haven't 
told us.


> would achieve the same thing. I would store the address containing the 
> doubles I want in a list() called hit_pool.  And then the incorrect values 
> would be flushed out anyway, when I run another run of comparing the 
> addresses found with the target value, like this
> 
> for n in hit_pool:
>     ReadProcessMemory(process, n, ctypes.byref(buffer), 8,
>                       ctypes.byref(nread))

Well, you wouldn't pass your "hit_pool" values to ReadProcessMemory.  You would 
read the memory, then scan through it locally looking for your hit_pool.

However, you're always going to be fighting the language.  This kind of 
low-level machine-dependent processing is always going to be much faster and 
easier to code in C or C++.
— 
Tim Roberts, t...@probo.com
Providenza & Boekelheide, Inc.

___
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32


Re: [python-win32] VirtualQueryEx/ReadProcessMemory

2017-10-17 Thread Tim Roberts
On Oct 16, 2017, at 5:06 PM, Michael C  wrote:
> 
> Supposed by using Openprocess and VirtualQueryEx, I have the locations of all 
> the memory the application is using, wouldn't this be true?
> 
> Say an 8-byte piece of data is somewhere in the region I am scanning. Ok, I know by 
> scanning it like this
> for n in range(start,end,1)
> 
> will read into another variable and mostly nothing, but unless a variable, 
> that is, one number, can be truncated and exist in multiple locations like 
> this
> 
> double = 12345678

You keep using the word "double".  A "double" is a floating-point number.  Are 
you actually referring to an 8-byte integer?


> 123 is at x001
> 45 is at x005
> 678 is at x010
> 
> unless a number can be broken up like that, wouldn't I, while using the silly 
> 'increment by one' approach, actually luck out and get that value in its 
> actual position?

I can't tell what your x001 notation is trying to say.  If you have the decimal 
value 12345678 stored somewhere in memory in a 64-bit value, the consecutive 
bytes in memory will look like this:
   4E 61 BC 00 00 00 00 00

If you actually mean the floating point value 12345678.0, it will be stored in 
8 bytes like this:
  00 00 00 c0 29 8c 67 41

It will take you forever to search another process 8 bytes at a time.  You're 
probably going to want to fetch a page at a time and scan the page locally.
— 
Tim Roberts, t...@probo.com
Providenza & Boekelheide, Inc.

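Tim's two replies above make four points that are easier to see in code: fetch a region once and scan the local copy, re-check the hit_pool on a second read instead of re-scanning, the exact byte patterns of 12345678 as a 64-bit integer and as a double, and (from his first reply further down the thread) that the bytes carry no type. The following is an added example, not code from either poster; it never calls the Windows API, the 4 KiB page is a constructed byte buffer standing in for one ReadProcessMemory result, BASE is an invented address, and `read()` is a local stand-in for a remote read. The 32-bit integer placed at offset 0x300 is deliberate: followed by zero bytes it is byte-for-byte identical to the 64-bit pattern, which is why a first-pass hit proves nothing about the type.

```python
import struct
from typing import Callable, Dict, List

# Constructed: the value from the thread, which Tim shows in both encodings.
VALUE = 12345678
BASE = 0x7FF612340000  # constructed base address of the "fetched" page


def encode_int64_le(value: int) -> bytes:
    """Little-endian 8-byte signed integer: how a C long long / __int64 sits in memory."""
    return struct.pack("<q", value)


def encode_double_le(value: float) -> bytes:
    """Little-endian IEEE 754 binary64: how a C double sits in memory."""
    return struct.pack("<d", value)


def scan_region(region: bytes, needle: bytes, base: int, step: int = 1) -> List[int]:
    """First pass: search one local copy of a region for `needle` at every offset.

    step=1 finds the value wherever it starts; step=8 does an eighth of the compares
    but only sees occurrences that are 8-byte aligned relative to `base`, which
    compilers usually, but not always, arrange."""
    hits = []
    n = len(needle)
    for off in range(0, len(region) - n + 1, step):
        if region[off:off + n] == needle:
            hits.append(base + off)
    return hits


def refine_hits(read: Callable[[int, int], bytes], hit_pool: List[int],
                needle: bytes) -> List[int]:
    """Second pass over the first pass's hit_pool: re-read only len(needle) bytes at
    each candidate and keep the ones that still hold the value. `read(addr, n)`
    stands in for a ReadProcessMemory call; here it is served from a local copy."""
    return [addr for addr in hit_pool if read(addr, len(needle)) == needle]


def build_sample_page() -> bytearray:
    """Constructed 4 KiB page standing in for one ReadProcessMemory result."""
    page = bytearray(4096)
    page[0x100:0x108] = encode_int64_le(VALUE)           # aligned 64-bit integer
    page[0x203:0x20B] = encode_double_le(float(VALUE))   # unaligned double
    page[0x300:0x304] = struct.pack("<i", VALUE)         # 32-bit int, zero bytes follow
    return page


def demo() -> Dict[str, object]:
    page = build_sample_page()
    int_pat = encode_int64_le(VALUE)
    dbl_pat = encode_double_le(float(VALUE))
    region = bytes(page)
    results: Dict[str, object] = {
        "int64_bytes": int_pat.hex(" "),      # 4e 61 bc 00 00 00 00 00
        "double_bytes": dbl_pat.hex(" "),     # 00 00 00 c0 29 8c 67 41
        "int_hits_step1": scan_region(region, int_pat, BASE, 1),
        "int_hits_step8": scan_region(region, int_pat, BASE, 8),
        "dbl_hits_step1": scan_region(region, dbl_pat, BASE, 1),
        "dbl_hits_step8": scan_region(region, dbl_pat, BASE, 8),  # misses 0x203
    }

    # Between passes the target keeps running: the 32-bit value at 0x300 changes,
    # the real 64-bit value at 0x100 does not, so only 0x100 survives the re-check.
    page[0x300:0x304] = struct.pack("<i", VALUE + 1)

    def read(addr: int, n: int) -> bytes:
        off = addr - BASE
        return bytes(page[off:off + n])

    results["int_hits_refined"] = refine_hits(read, results["int_hits_step1"], int_pat)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        if isinstance(val, list):
            val = [hex(a) for a in val]
        print(f"{key:18} {val}")
```

With step 1 the integer pattern is found at 0x100 and at the 32-bit decoy at 0x300, and the double only at the unaligned 0x203; with step 8 the double is missed entirely. The refine pass is the cheap operation Michael described for hit_pool: a handful of 8-byte reads at known addresses rather than another walk over the region.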


Re: [python-win32] VirtualQueryEx/ReadProcessMemory

2017-10-16 Thread Michael C
I have a question
Supposed by using Openprocess and VirtualQueryEx, I have the locations of
all the memory the application is using, wouldn't this be true?

Say an 8-byte piece of data is somewhere in the region I am scanning. Ok, I know by
scanning it like this
for n in range(start,end,1)

will read into another variable and mostly nothing, but unless a variable,
that is, one number, can be truncated and exist in multiple locations like
this

double = 12345678

123 is at x001
45 is at x005
678 is at x010

unless a number can be broken up like that, wouldn't I, while using the silly
'increment by one' approach, actually luck out and get that value in its
actual position?

On Mon, Oct 16, 2017 at 4:39 PM, Michael C 
wrote:

> >>>Did you acquire the SeDebugPrivilege before calling?
>
> Eh, no. I don't know what that is! How do I get it?
>
>
>
> >>>That's a screwed up way of doing it.  If you want buffers of 8 bytes,
> then make a buffer of 8 bytes.
>
> So like this?
>
> ReadProcessMemory(Process, i, ctypes.byref(buffer), 8, ctypes.byref(nread))
>
> >>>
> I have no idea what you're asking.  What you get back from
> ReadProcessMemory is an untyped set of bytes.  There is no way to find
> out anything about the type.  It might be strings, it might be machine
> code, it might be header info, it might be floats, it might be images.
> It could be ANYTHING.
> No.  What are you hoping to learn here?
>
>
> Bummer... I thought with what I did, I was building a simple memory
> scanner.
> See, I thought with my ReadProcessMemory line I was retrieving values in
> the size of doubles.
>
> I thought by doing what I did, by reading 8 bytes at a time, (the size of
> doubles) I was effectively looking for values in my memory. I thought a
>
> for n in range(start, end, 8)
>
> would give me all the values of doubles since I believed that doubles
> exist in the memory in the positions of   base, base+8, base+16, base+24,
> and so forth.
>
> failing that, at least
>
> for n in range(start, end, 1)
>
> would achieve the same thing. I would store the address containing the
> doubles I want in a list() called hit_pool.  And then the incorrect values
> would be flushed out anyway, when I run another run of comparing the
> addresses found with the target value, like this
>
> for n in hit_pool:
>     ReadProcessMemory(process, n, ctypes.byref(buffer), 8,
>                       ctypes.byref(nread))
>
>
>
> Since the way I am reading the memory is not correct, could you tell me
> the correct way to do it?
>
>
> Thanks!
>
> On Mon, Oct 16, 2017 at 2:54 PM, Tim Roberts  wrote:
>
>> Michael C wrote:
>> >
>> > I am working on my own memory scanner. It uses Windows API,
>> VirtualQueryEX
>> > and ReadProcessMemory. I am not sure I put down the following properly:
>> >
>> > I am sure
>> >
>> > Process =
>> > Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False,
>> > PID)
>> >
>> > ran properly, because it didn't return a 0.
>>
>> Did you acquire the SeDebugPrivilege before calling?
>>
>> > Lastly, ReadProcessMemory:
>> >
>> > 1st Question: The setup.
>> >
>> > buffer = ctypes.c_double()
>> > nread = SIZE_T()
>> >
>> > ReadProcessMemory(Process, i, ctypes.byref(buffer),
>> > ctypes.sizeof(buffer), ctypes.byref(nread))
>> >
>> >
>> > I used ctypes.c_double() to determine the size of the buffer, so does
>> > this mean
>> > that the value I retrieve would be doubles? As in, I know I want to
>> > scan for double
>> > values, therefore what I do is what I did here, ask ReadProcessMemory
>> to
>> > read 8 bytes at a time?
>>
>> That's a screwed up way of doing it.  If you want buffers of 8 bytes,
>> then make a buffer of 8 bytes.
>>
>>
>> > Lastly, I don't understand this part about the memory:
>> >
>> > if I used VirtualQueryEx to find out if a region of memory is ok to
>> > scan, and it
>> > says it's ok, are the values in the region arranged like this:
>> >
>> > short,int,double,long,char, double, short in
>> >
>> > as in, random?
>>
>> I have no idea what you're asking.  What you get back from
>> ReadProcessMemory is an untyped set of bytes.  There is no way to find
>> out anything about the type.  It might be strings, it might be machine
>> code, it might be header info, it might be floats, it might be images.
>> It could be ANYTHING.
>>
>>
>> > I am asking this because, if it's random, then I'd have to run
>> > ReadProcessMemory
>> >  by increasing  the value of of my loop by ONE (1) at a time, like this
>> >
>> > for i in range(start_of_region, end_of_region, 1):
>> >   ReadProcessMemory(Process, i, ctypes.byref(buffer),
>> > ctypes.sizeof(buffer), ctypes.byref(nread))
>> >
>> > Is that correct?
>>
>> No.  What are you hoping to learn here?
>>
>> --
>> Tim Roberts, t...@probo.com
>> Providenza & Boekelheide, Inc.
>>
>>
>
>

Re: [python-win32] VirtualQueryEx/ReadProcessMemory

2017-10-16 Thread Michael C
>>>Did you acquire the SeDebugPrivilege before calling?

Eh, no. I don't know what that is! How do I get it?



>>>That's a screwed up way of doing it.  If you want buffers of 8 bytes,
then make a buffer of 8 bytes.

So like this?

ReadProcessMemory(Process, i, ctypes.byref(buffer), 8, ctypes.byref(nread))

>>>
I have no idea what you're asking.  What you get back from
ReadProcessMemory is an untyped set of bytes.  There is no way to find
out anything about the type.  It might be strings, it might be machine
code, it might be header info, it might be floats, it might be images.
It could be ANYTHING.
No.  What are you hoping to learn here?


Bummer... I thought with what I did, I was building a simple memory scanner.
See, I thought with my ReadProcessMemory line I was retrieving values in
the size of doubles.

I thought by doing what I did, by reading 8 bytes at a time, (the size of
doubles) I was effectively looking for values in my memory. I thought a

for n in range(start, end, 8)

would give me all the values of doubles since I believed that doubles exist
in the memory in the positions of   base, base+8, base+16, base+24, and so
forth.

failing that, at least

for n in range(start, end, 1)

would achieve the same thing. I would store the address containing the
doubles I want in a list() called hit_pool.  And then the incorrect values
would be flushed out anyway, when I run another run of comparing the
addresses found with the target value, like this

for n in hit_pool:
    ReadProcessMemory(process, n, ctypes.byref(buffer), 8,
                      ctypes.byref(nread))



Since the way I am reading the memory is not correct, could you tell me the
correct way to do it?


Thanks!

On Mon, Oct 16, 2017 at 2:54 PM, Tim Roberts  wrote:

> Michael C wrote:
> >
> > I am working on my own memory scanner. It uses Windows API,
> VirtualQueryEX
> > and ReadProcessMemory. I am not sure I put down the following properly:
> >
> > I am sure
> >
> > Process =
> > Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False,
> > PID)
> >
> > ran properly, because it didn't return a 0.
>
> Did you acquire the SeDebugPrivilege before calling?
>
> > Lastly, ReadProcessMemory:
> >
> > 1st Question: The setup.
> >
> > buffer = ctypes.c_double()
> > nread = SIZE_T()
> >
> > ReadProcessMemory(Process, i, ctypes.byref(buffer),
> > ctypes.sizeof(buffer), ctypes.byref(nread))
> >
> >
> > I used ctypes.c_double() to determine the size of the buffer, so does
> > this mean
> > that the value I retrieve would be doubles? As in, I know I want to
> > scan for double
> > values, therefore what I do is what I did here, ask ReadProcessMemory to
> > read 8 bytes at a time?
>
> That's a screwed up way of doing it.  If you want buffers of 8 bytes,
> then make a buffer of 8 bytes.
>
>
> > Lastly, I don't understand this part about the memory:
> >
> > if I used VirtualQueryEx to find out if a region of memory is ok to
> > scan, and it
> > says it's ok, are the values in the region arranged like this:
> >
> > short,int,double,long,char, double, short in
> >
> > as in, random?
>
> I have no idea what you're asking.  What you get back from
> ReadProcessMemory is an untyped set of bytes.  There is no way to find
> out anything about the type.  It might be strings, it might be machine
> code, it might be header info, it might be floats, it might be images.
> It could be ANYTHING.
>
>
> > I am asking this because, if it's random, then I'd have to run
> > ReadProcessMemory
> > by increasing the value of my loop by ONE (1) at a time, like this
> >
> > for i in range(start_of_region, end_of_region, 1):
> >   ReadProcessMemory(Process, i, ctypes.byref(buffer),
> > ctypes.sizeof(buffer), ctypes.byref(nread))
> >
> > Is that correct?
>
> No.  What are you hoping to learn here?
>
> --
> Tim Roberts, t...@probo.com
> Providenza & Boekelheide, Inc.
>
>


Re: [python-win32] VirtualQueryEx/ReadProcessMemory

2017-10-16 Thread Tim Roberts
Michael C wrote:
>
> I am working on my own memory scanner. It uses Windows API, VirtualQueryEX
> and ReadProcessMemory. I am not sure I put down the following properly:
>
> I am sure 
>
> Process =
> Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False,
> PID)
>
> ran properly, because it didn't return a 0.

Did you acquire the SeDebugPrivilege before calling?

> Lastly, ReadProcessMemory:
>
> 1st Question: The setup.
>
>     buffer = ctypes.c_double()
>     nread = SIZE_T()
>
> ReadProcessMemory(Process, i, ctypes.byref(buffer),
> ctypes.sizeof(buffer), ctypes.byref(nread))
>
>
> I used ctypes.c_double() to determine the size of the buffer, so does
> this mean
> that the value I retrieve would be doubles? As in, I know I want to
> scan for double
> values, therefore what I do is what I did here, ask ReadProcessMemory to 
> read 8 bytes at a time?

That's a screwed up way of doing it.  If you want buffers of 8 bytes,
then make a buffer of 8 bytes.


> Lastly, I don't understand this part about the memory:
>
> if I used VirtualQueryEx to find out if a region of memory is ok to
> scan, and it
> says it's ok, are the values in the region arranged like this:
>
> short,int,double,long,char, double, short in
>
> as in, random?

I have no idea what you're asking.  What you get back from
ReadProcessMemory is an untyped set of bytes.  There is no way to find
out anything about the type.  It might be strings, it might be machine
code, it might be header info, it might be floats, it might be images. 
It could be ANYTHING.


> I am asking this because, if it's random, then I'd have to run
> ReadProcessMemory
> by increasing the value of my loop by ONE (1) at a time, like this 
>
> for i in range(start_of_region, end_of_region, 1):
>       ReadProcessMemory(Process, i, ctypes.byref(buffer),
> ctypes.sizeof(buffer),             ctypes.byref(nread))
>
> Is that correct?

No.  What are you hoping to learn here?

-- 
Tim Roberts, t...@probo.com
Providenza & Boekelheide, Inc.



[python-win32] VirtualQueryEx/ReadProcessMemory

2017-10-16 Thread Michael C
Hi all,

I am working on my own memory scanner. It uses Windows API, VirtualQueryEX
and ReadProcessMemory. I am not sure I put down the following properly:

I am sure

Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, PID)


ran properly, because it didn't return a 0.

Then it's VirtualQueryEx:

current_address = sysinfo.lpMinimumApplicationAddress
end_address = sysinfo.lpMaximumApplicationAddress

while current_address < end_address:
    Kernel32.VirtualQueryEx(Process, current_address,
                            ctypes.byref(mbi), ctypes.sizeof(mbi))

    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
        print('This region can be scanned!')

    current_address += mbi.RegionSize


Now, I think it ran fine as well, because it didn't return 0 at all.
Just to make sure, at the end of scanning a region, I use

current_address += mbi.RegionSize

instead of

current_address += mbi.RegionSize + 1

Right?

Lastly, ReadProcessMemory:

1st Question: The setup.


buffer = ctypes.c_double()
nread = SIZE_T()

ReadProcessMemory(Process, i, ctypes.byref(buffer), ctypes.sizeof(buffer),
                  ctypes.byref(nread))


I used ctypes.c_double() to determine the size of the buffer, so does this mean
that the value I retrieve would be doubles? As in, I know I want to scan for
double values, therefore what I do is what I did here, ask ReadProcessMemory to
read 8 bytes at a time?

Lastly, I don't understand this part about the memory:

if I used VirtualQueryEx to find out if a region of memory is ok to scan,
and it says it's ok, are the values in the region arranged like this:

short,int,double,long,char, double, short in

as in, random?


I am asking this because, if it's random, then I'd have to run
ReadProcessMemory by increasing the value of my loop by ONE (1) at a time,
like this

for i in range(start_of_region, end_of_region, 1):
    ReadProcessMemory(Process, i, ctypes.byref(buffer),
                      ctypes.sizeof(buffer), ctypes.byref(nread))


Is that correct?

Thanks all!


this is my scanner's full code :
https://pastebin.com/bdq0afT0
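The VirtualQueryEx loop in this post, and the question of whether to step by `RegionSize` or `RegionSize + 1`, can be exercised without a live process. The following is an added example, not the poster's scanner: `MBI` is a constructed stand-in carrying only the MEMORY_BASIC_INFORMATION fields the loop uses, `fake_virtual_query` replaces the real call over an invented address-space layout, and only the `MEM_*` / `PAGE_*` constants are real winnt.h values. It walks the regions the way the post does, answers the `+ 1` question by computing the next address as `BaseAddress + RegionSize`, widens the post's `Protect == PAGE_READWRITE` test to "committed, readable and not a guard page", and splits each scannable region into page-sized reads as Tim later suggests.

```python
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple

# winnt.h constants (real values) used by the post's VirtualQueryEx loop.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_FREE = 0x10000
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
PAGE_GUARD = 0x100
PAGE_SIZE = 0x1000


@dataclass
class MBI:
    """Constructed stand-in for MEMORY_BASIC_INFORMATION (only the fields the post reads)."""
    BaseAddress: int
    RegionSize: int
    State: int
    Protect: int


# Constructed address-space layout: (start, size, State, Protect).
LAYOUT = [
    (0x00010000, 0x10000, MEM_COMMIT, PAGE_READWRITE),               # heap-like data
    (0x00020000, 0x10000, MEM_FREE, PAGE_NOACCESS),                  # free gap
    (0x00030000, 0x01000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD),  # stack guard page
    (0x00031000, 0x0F000, MEM_COMMIT, PAGE_READWRITE),               # stack
    (0x00040000, 0x20000, MEM_RESERVE, PAGE_NOACCESS),               # reserved, not committed
    (0x00060000, 0x10000, MEM_COMMIT, PAGE_READONLY),                # read-only data
]
END = 0x00070000  # stand-in for sysinfo.lpMaximumApplicationAddress


def fake_virtual_query(address: int) -> Optional[MBI]:
    """Stand-in for VirtualQueryEx: like the real call it describes the run of pages
    containing `address`, with BaseAddress rounded down to a page and RegionSize
    measured from that page to the end of the run. None past the layout, where the
    real call returns 0."""
    for start, size, state, protect in LAYOUT:
        if start <= address < start + size:
            page = address & ~(PAGE_SIZE - 1)
            return MBI(page, start + size - page, state, protect)
    return None


def next_address(mbi: MBI) -> int:
    """RegionSize already counts every byte of the region, so BaseAddress + RegionSize
    is the first byte of the next one; adding 1 on top skips a byte for no reason."""
    return mbi.BaseAddress + mbi.RegionSize


def walk_regions(query: Callable[[int], Optional[MBI]], lo: int, hi: int) -> Iterator[MBI]:
    """The post's loop: query, step to the end of the returned region, repeat."""
    address = lo
    while address < hi:
        mbi = query(address)
        if mbi is None:  # the real call returned 0: stop instead of spinning
            break
        yield mbi
        address = next_address(mbi)


def is_scannable(mbi: MBI) -> bool:
    """Committed and readable. The post's Protect == PAGE_READWRITE test works but also
    drops read-only and execute-read-write data; what must be skipped is anything not
    committed, PAGE_NOACCESS, and PAGE_GUARD pages, which a remote read will not return."""
    if mbi.State != MEM_COMMIT:
        return False
    return not (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))


def chunk_reads(mbi: MBI, chunk: int = PAGE_SIZE) -> List[Tuple[int, int]]:
    """(address, length) pairs for reading a region a page at a time, with a short
    final read instead of running past the region end."""
    out = []
    addr, end = mbi.BaseAddress, mbi.BaseAddress + mbi.RegionSize
    while addr < end:
        n = min(chunk, end - addr)
        out.append((addr, n))
        addr += n
    return out


def scannable_regions(lo: int = 0x10000, hi: int = END) -> List[Tuple[int, int]]:
    return [(m.BaseAddress, m.RegionSize)
            for m in walk_regions(fake_virtual_query, lo, hi) if is_scannable(m)]


if __name__ == "__main__":
    for base, size in scannable_regions():
        pages = len(chunk_reads(MBI(base, size, MEM_COMMIT, PAGE_READWRITE)))
        print(f"scan {base:#010x}..{base + size:#010x} in {pages} page reads")
```

Against the constructed layout the walk visits six regions and keeps three (the heap-like block, the stack below its guard page, and the read-only data); the free, reserved and guard regions are stepped over, and each kept region becomes a list of page-sized reads rather than one ReadProcessMemory call per byte.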