Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /**
- * Simple Memory Scanner Example
- * (c) 2014 atom0s [[email protected]]
- */
- #include <Windows.h>
- #include <string>
- #include <TlHelp32.h>
- #include <tchar.h>
- //#include "stdafx.h"
- /**
- * @brief The target process to scan within.
- */
- #define TARGET_NAME TEXT("Tutorial-i386.exe")
- /**
- * @brief Obtains the process id of the given target.
- *
- * @return The process id if found, 0 otherwise.
- */
- unsigned int getTargetProcessId()
- {
- PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) };
- // Obtain a snapshot of the current process list..
- auto handle = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
- if (handle == INVALID_HANDLE_VALUE)
- return 0;
- // Obtain the first process..
- if (!::Process32First(handle, &pe32))
- {
- ::CloseHandle(handle);
- return 0;
- }
- // Loop each process looking for the target..
- do
- {
- if (!_tcsicmp(pe32.szExeFile, TARGET_NAME))
- {
- ::CloseHandle(handle);
- return pe32.th32ProcessID;
- }
- } while (::Process32Next(handle, &pe32));
- // Cleanup..
- ::CloseHandle(handle);
- return 0;
- }
- /**
- * @brief Entry point of this application.
- *
- * @param argc The count of arguments passed to this application.
- * @param argv The array of arguments passed to this application.
- *
- * @return Non-important return.
- */
- int __cdecl main(int argc, char* argv[])
- {
- // Obtain the target process id..
- auto processId = getTargetProcessId();
- if (processId == 0)
- return 0;
- // Open a handle to the target..
- auto handle = ::OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, processId);
- if (handle == INVALID_HANDLE_VALUE)
- return 0;
- // Obtain the current system information..
- SYSTEM_INFO sysInfo;
- ::GetSystemInfo(&sysInfo);
- auto addr_min = (intptr_t)sysInfo.lpMinimumApplicationAddress;
- auto addr_max = (intptr_t)sysInfo.lpMaximumApplicationAddress;
- auto found = 0;
- // Loop the pages of memory of the application..
- #define TARGET_SCAN_TYPE_INT 1
- #define TARGET_SCAN_TYPE_8BYTE 2
- #define TARGET_SCAN_TYPE_FLOAT 3
- #define TARGET_SCAN_TYPE_DOUBLE 4
- #define TARGET_SCAN_TYPE TARGET_SCAN_TYPE_8BYTE
- #if TARGET_SCAN_TYPE == TARGET_SCAN_TYPE_INT
- typedef int32_t target_t;
- double TARGET_EPSILON = 0;
- #define PRITARGET PRII32
- #elif TARGET_SCAN_TYPE == TARGET_SCAN_TYPE_8BYTE
- typedef int64_t target_t;
- double TARGET_EPSILON = 0;
- #define PRITARGET "%lli"
- #elif TARGET_SCAN_TYPE == TARGET_SCAN_TYPE_FLOAT
- typedef float target_t;
- double TARGET_EPSILON = std::numeric_limits<float>::epsilon();
- #define PRITARGET "%f"
- #elif TARGET_SCAN_TYPE == TARGET_SCAN_TYPE_DOUBLE
- typedef double target_t;
- double TARGET_EPSILON = std::numeric_limits<double>::epsilon();
- #define PRITARGET "%f"
- #endif
- target_t targtValue = (target_t)13371337.0f;
- target_t targtWriteValue = (target_t)-13371337.0f;
- while (addr_min < addr_max)
- {
- MEMORY_BASIC_INFORMATION mbi = { 0 };
- if (!::VirtualQueryEx(handle, (LPCVOID)addr_min, &mbi, sizeof(mbi)))
- {
- printf_s("Failed to query memory.\n");
- break;
- }
- // Determine if we have access to the page..
- if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_GUARD) == 0) && ((mbi.Protect & PAGE_NOACCESS) == 0))
- {
- //
- // Below are flags about the current region of memory. If you want to specifically scan for only
- // certain things like if the area is writable, executable, etc. you can use these flags to prevent
- // reading non-desired protection types.
- //
- auto isCopyOnWrite = ((mbi.Protect & PAGE_WRITECOPY) != 0 || (mbi.Protect & PAGE_EXECUTE_WRITECOPY) != 0);
- auto isExecutable = ((mbi.Protect & PAGE_EXECUTE) != 0 || (mbi.Protect & PAGE_EXECUTE_READ) != 0 || (mbi.Protect & PAGE_EXECUTE_READWRITE) != 0 || (mbi.Protect & PAGE_EXECUTE_WRITECOPY) != 0);
- auto isWritable = ((mbi.Protect & PAGE_READWRITE) != 0 || (mbi.Protect & PAGE_WRITECOPY) != 0 || (mbi.Protect & PAGE_EXECUTE_READWRITE) != 0 || (mbi.Protect & PAGE_EXECUTE_WRITECOPY) != 0);
- // Dump the region into a memory block..
- auto dump = new uint8_t[mbi.RegionSize + 1];
- //memset(dump, 0x00, mbi.RegionSize + 1);
- if (!::ReadProcessMemory(handle, mbi.BaseAddress, dump, mbi.RegionSize, NULL))
- {
- printf_s("Failed to read memory of location: %p\n", mbi.BaseAddress);
- break;
- }
- for (size_t x = 0; x < mbi.RegionSize - 4; x += 4)
- {
- target_t value = *(target_t*)(dump + x);
- if (abs(value-targtValue) <= TARGET_EPSILON)
- {
- found++;
- // assuming unqiue value for testing
- SIZE_T written;
- BOOL success = WriteProcessMemory(handle, (void*)(addr_min + x), &targtWriteValue, sizeof(targtWriteValue), &written);
- printf_s("%s in trying to write %zu bytes (" PRITARGET ") written to %p\n",
- success ? "Succeded" : "Failed", written, targtWriteValue, (void*)(addr_min + x));
- }
- }
- // Cleanup the memory dump..
- delete[] dump;
- }
- // Step the current address by this regions size..
- addr_min += mbi.RegionSize;
- }
- printf_s("Found %d results!\n", found);
- // Cleanup..
- ::CloseHandle(handle);
- return ERROR_SUCCESS;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement