[python-win32] VirtualQueryEx/ReadProcessMemory

Tim Roberts timr at probo.com
Mon Oct 16 17:54:22 EDT 2017


Michael C wrote:
>
> I am working on my own memory scanner. It uses Windows API, VirtualQueryEx
> and ReadProcessMemory. I am not sure I put down the following properly:
>
> I am sure
>
> Process =
> Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False,
> PID)
>
> ran properly, because it didn't return a 0.

Did you acquire the SeDebugPrivilege before calling?

> Lastly, ReadProcessMemory:
>
> 1st Question: The setup.
>
>     buffer = ctypes.c_double()
>     nread = SIZE_T()
>
> ReadProcessMemory(Process, i, ctypes.byref(buffer),
> ctypes.sizeof(buffer), ctypes.byref(nread))
>
>
> I used ctypes.c_double() to determine the size of the buffer, so does
> this mean that the value I retrieve would be doubles? As in, I know I
> want to scan for double values, therefore what I do is what I did here,
> ask ReadProcessMemory to read 8 bytes at a time?

That's a screwed up way of doing it.  If you want buffers of 8 bytes,
then make a buffer of 8 bytes.


> Lastly, I don't understand this part about the memory:
>
> if I used VirtualQueryEx to find out if a region of memory is ok to
> scan, and it
> says it's ok, are the values in the region arranged like this:
>
> short,int,double,long,char, double, short in
>
> as in, random?

I have no idea what you're asking.  What you get back from
ReadProcessMemory is an untyped set of bytes.  There is no way to find
out anything about the type.  It might be strings, it might be machine
code, it might be header info, it might be floats, it might be images.
It could be ANYTHING.


> I am asking this because, if it's random, then I'd have to run
> ReadProcessMemory by increasing the value of my loop by ONE (1) at a
> time, like this
>
> for i in range(start_of_region, end_of_region, 1):
>     ReadProcessMemory(Process, i, ctypes.byref(buffer),
>                       ctypes.sizeof(buffer), ctypes.byref(nread))
>
> Is that correct?

No.  What are you hoping to learn here?

-- 
Tim Roberts, timr at probo.com
Providenza & Boekelheide, Inc.
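The approach Tim is pointing at, as an added example that is not code from this thread: walk the address space with VirtualQueryEx, read each committed readable region with one ReadProcessMemory call into a raw byte buffer, and then step through that buffer one byte at a time looking for the 8-byte pattern of the wanted double. Region layout and constants follow the documented Win32 definitions; scan_process assumes Python 3 on Windows, while find_doubles is plain Python and runs anywhere.

```python
# Added example: VirtualQueryEx + one ReadProcessMemory per region, then an
# untyped byte-pattern search (a double is just 8 bytes at any offset).
import ctypes
import struct
import sys

MEM_COMMIT = 0x1000
PAGE_NOACCESS = 0x01
PAGE_GUARD = 0x100
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Win64 also has a WORD PartitionId after AllocationProtect; omitting it
    # gives the same layout because RegionSize is 8-byte aligned there anyway.
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]


def find_doubles(buf, target, base=0):
    """Return absolute addresses in `buf` (which starts at `base`) where the
    little-endian IEEE-754 bytes of `target` occur. The bytes are untyped, so
    every byte offset is a candidate; bytes.find does the byte-by-byte walk."""
    needle = struct.pack("<d", target)
    hits, pos = [], buf.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = buf.find(needle, pos + 1)
    return hits


def scan_process(pid, target):
    """Windows only: search every committed, readable region of `pid`."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    hits, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base, size = mbi.BaseAddress or 0, mbi.RegionSize
            if mbi.State == MEM_COMMIT and not mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS):
                buf, nread = ctypes.create_string_buffer(size), ctypes.c_size_t()  # sized to the region
                if k32.ReadProcessMemory(h, base, buf, size, ctypes.byref(nread)):
                    hits += find_doubles(buf.raw[:nread.value], target, base)
            addr = base + size  # next region starts where this one ends
    finally:
        k32.CloseHandle(h)
    return hits


if __name__ == "__main__" and sys.platform == "win32":
    import os
    marker = ctypes.c_double(123456.789)  # a known double in our own heap
    print([hex(a) for a in scan_process(os.getpid(), 123456.789)])
```

Scanning your own process keeps the demo self-contained; the printed list contains the marker's address plus any copies of the same 8 bytes (the search needle itself, for instance).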
