[Tutor] How do I scan memory for singles, doubles and so on?

Michael C mysecretrobotfactory at gmail.com
Sat Oct 7 23:18:55 EDT 2017


I am following some examples online such as this one:
https://social.msdn.microsoft.com/Forums/vstudio/en-US/ce0cc398-2b96-4688-b8a4-b5f4c9ebc064/memory-searcher-with-virtualqueryex-and-readprocessmemory?forum=vclanguage


I think I got most of it right, so this following part is what I would like
you to look at:

SIZE_T read = 0;    /* lpNumberOfBytesRead is a SIZE_T* */
LPVOID buffer = 0;

ReadProcessMemory(hackProcess, (void*)start, &buffer, sizeof(int), &read);


So, what's the Python equivalent statement for sizeof(int)?






On Sat, Oct 7, 2017 at 7:38 PM, Michael C <mysecretrobotfactory at gmail.com>
wrote:

> Oh I am trying to write my own memory scanner, because I thought the Cheat
> Engine is pretty neat and I am just trying to make one for myself.
>
> Onto the problem, I think what happens with ReadProcessMemory is that
>
> BOOL WINAPI ReadProcessMemory(
>   _In_  HANDLE  hProcess,
>   _In_  LPCVOID lpBaseAddress,
>   _Out_ LPVOID  lpBuffer,
>   _In_  SIZE_T  nSize,
>   _Out_ SIZE_T  *lpNumberOfBytesRead
> );
>
>
> for LPVOID lpbuffer, it should be a
>
> buffer = ctypes.c_double
>
> because I am trying to search for a double.
> However, the interpreter gives me this:
>
> ReadProcessMemory(Process, current_address, ctypes.byref(buffer), \
> TypeError: byref() argument must be a ctypes instance, not
> '_ctypes.PyCSimpleType'
>
>
> so I am using
> buffer = ctypes.c_uint()
> instead. It returns things like   "c_ulong(2006549856)" , though.
>
> 2nd, I believe  _In_  SIZE_T  nSize, means I tell the interpreter to read
> that much
> data, which means I can use this parameter to get doubles, which is what I
> want!
>
> However, I am using
>
> ctypes.sizeof(buffer)
>
> for it, so, I need either to change my buffer to a double, or to tell this
> parameter to  search for
> doubles somehow.
>
>
> Am I on the right track?
>
>
> Thanks!
>
>
>
> On Sat, Oct 7, 2017 at 6:58 PM, Mats Wichmann <mats at wichmann.us> wrote:
>
>> It might help if you mention what you are trying to do. If it is
>> forensics, there are a bunch of Python tools in that area. Your problem may
>> already have solutions you could use.
>>
>> On October 7, 2017 3:00:25 PM MDT, Michael C <
>> mysecretrobotfactory at gmail.com> wrote:
>> >Hi all:
>> >
>> >I am working on a memory scanner, and the source code and output are as
>> >follows:
>> >
>> >Now, I know why my buffer from read process memory looks like values
>> >such
>> >as "67108864" ; it's because I read into the buffer entire chunk of
>> >memory
>> >at a time, because I fed read process memory this:  "mbi.RegionSize"
>> >
>> >Now, how do I read for values such as doubles?
>> >I am guessing I need to use a for loop to scan for small bits of memory
>> >chunk
>> >at a time.
>> >
>> >Is there a way to do it?
>> >
>> >Thanks!
>> >
>> >
>> >
>> >
>> >>output starts
>> >
>> >buffer is:  c_ulong(0)
>> >buffer is:  c_ulong(0)
>> >buffer is:  c_ulong(6385664)
>> >buffer is:  c_ulong(67108864)
>> >buffer is:  c_ulong(7761920)
>> >buffer is:  c_ulong(7798784)
>> >buffer is:  c_ulong(7872512)
>> >buffer is:  c_ulong(8007680)
>> >buffer is:  c_ulong(8044544)
>> >buffer is:  c_ulong(8069120)
>> >buffer is:  c_ulong(8216576)
>> >buffer is:  c_ulong(0)
>> >buffer is:  c_ulong(0)
>> >buffer is:  c_ulong(3976)
>> >buffer is:  c_ulong(0)
>> >buffer is:  c_ulong(0)
>> >buffer is:  c_ulong(1318755581)
>> >buffer is:  c_ulong(0)
>> >buffer is:  c_ulong(0)
>> >buffer is:  c_ulong(0)
>> >buffer is:  c_ulong(0)
>> >
>> >> code starts
>> >
>> >buffer = ctypes.c_uint()
>> >nread = SIZE_T()
>> >
>> >start = ctypes.c_void_p(mbi.BaseAddress)
>> >
>> >ReadProcessMemory = Kernel32.ReadProcessMemory
>> >
>> >MEM_COMMIT = 0x00001000;
>> >PAGE_READWRITE = 0x04;
>> >
>> >current_address = sysinfo.lpMinimumApplicationAddress
>> >end_address = sysinfo.lpMaximumApplicationAddress
>> >
>> >while current_address < end_address:
>> >    Kernel32.VirtualQueryEx(Process, \
>> >    current_address, ctypes.byref(mbi),ctypes.sizeof(mbi))
>> >
>> >    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT :
>> >
>> >        if ReadProcessMemory(Process, current_address,
>> >ctypes.byref(buffer), \
>> >                           ctypes.sizeof(buffer), ctypes.byref(nread)):
>> >                print('buffer is: ',buffer)
>> >        else:
>> >                raise ctypes.WinError(ctypes.get_last_error())
>> >
>> >    current_address += mbi.RegionSize
>> >_______________________________________________
>> >Tutor maillist  -  Tutor at python.org
>> >To unsubscribe or change subscription options:
>> >https://mail.python.org/mailman/listinfo/tutor
>>
>>
>
>
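
An added example, not part of the original thread: ctypes.sizeof() is the Python counterpart of C's sizeof, and a whole region can be read once and then walked at the width of the type being searched for. The names read_region, find_values and SAMPLE are hypothetical, and the sample bytes are constructed so the scan runs without a target process.

```python
import ctypes
import struct

# ctypes.sizeof() is the counterpart of C's sizeof; it takes a type or an instance.
INT_SIZE = ctypes.sizeof(ctypes.c_int)        # sizeof(int), 4 bytes on Windows
DOUBLE_SIZE = ctypes.sizeof(ctypes.c_double)  # sizeof(double), 8 bytes

def read_region(process, address, size):
    """Windows only: copy `size` bytes at `address` of `process` into bytes."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    rpm = k32.ReadProcessMemory
    rpm.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                    ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    rpm.restype = ctypes.c_int  # BOOL
    # The buffer must be an instance; passing the bare class ctypes.c_double
    # is what produces the byref() TypeError quoted in the thread.
    buf = ctypes.create_string_buffer(size)
    nread = ctypes.c_size_t()
    if not rpm(process, address, buf, size, ctypes.byref(nread)):
        raise ctypes.WinError(ctypes.get_last_error())
    return buf.raw[:nread.value]

def find_values(data, base, ctype, wanted):
    """Return addresses in `data` (read from `base`) where `ctype` equals `wanted`."""
    size = ctypes.sizeof(ctype)
    hits = []
    # Step by the type's own size, i.e. assume naturally aligned values.
    for offset in range(0, len(data) - size + 1, size):
        if ctype.from_buffer_copy(data, offset).value == wanted:
            hits.append(base + offset)
    return hits

# Constructed sample standing in for one region returned by read_region():
# int 100, int 7, double 98.6, float 1.5, then four zero bytes.
SAMPLE_BASE = 0x10000
SAMPLE = struct.pack("=iidf", 100, 7, 98.6, 1.5) + bytes(4)

if __name__ == "__main__":
    for ctype, wanted in ((ctypes.c_double, 98.6), (ctypes.c_int, 7),
                          (ctypes.c_float, 1.5)):
        hits = find_values(SAMPLE, SAMPLE_BASE, ctype, wanted)
        print(ctype.__name__, wanted, [hex(h) for h in hits])
```

In the loop from the thread, read_region(Process, current_address, mbi.RegionSize) would supply `data` for each committed, readable region.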

