Untitled

uses tlhelp32;

type
TStringArray = array of string;
function AddressSearchByValue(name_pocess:string; value:DWord):TStringArray;
var
ProcessID, Addr: DWord;
ProcessHandle: THandle;
Mbi: TMemoryBasicInformation;
i: Cardinal;
Buf: PChar;
BytesRead : Size_T;
Count:Integer;
function GetPid(name_process: string): Integer;
var
hSnap: THandle;
pe: TProcessEntry32;
pid: DWORD;
begin
pe.dwSize := SizeOf(pe);
hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if Process32First(hSnap, pe) then
while Process32Next(hSnap, pe) do
if ExtractFileName(pe.szExeFile) = name_process then
Result := pe.th32ProcessID;
end;
begin
ProcessID := GetPid(name_pocess);
ProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_ALL_ACCESS or PROCESS_VM_OPERATION, false, ProcessID);
if ProcessHandle <> 0 then
try
Addr := 0;
Count := 0;
while VirtualQueryEx(ProcessHandle, Pointer(Addr), Mbi, SizeOf(Mbi)) <> 0 do
begin
if (Mbi.State = MEM_COMMIT) and not ((Mbi.Protect and PAGE_GUARD) = PAGE_GUARD) then
begin
GetMem(Buf, Mbi.RegionSize);
try
if ReadProcessMemory(ProcessHandle, Mbi.BaseAddress, Buf, Mbi.RegionSize, BytesRead) then
begin
for i := 0 to BytesRead - SizeOf(Value) do
begin
if PDWord(@Buf[i])^ = Value then
begin
SetLength(result, Count + 1);
Result[Count] := '$' + IntToHex(Integer(Cardinal(Mbi.BaseAddress) + i + i), 8);
Inc(Count);
end;
end;
end;
FreeMem(Buf);
except
on e: Exception do
begin
FreeMem(Buf);
Application.ProcessMessages;
end;
end;
end;
Addr := Addr + Mbi.RegionSize;
end;
finally
CloseHandle(ProcessHandle);
end;
end;


// Use it like this, displays all addresses in Memo1 that contain the numeric value 21000
procedure TForm1.Button5Click(Sender: TObject);
var
arr: TStringArray;
i: Integer;
begin
arr := AddressSearchByValue('h3blade.exe', 21000);
Memo1.Clear;
for i := 0 to High(arr) do
Memo1.Lines.Add(arr[i]);
end;