
How do I scan for an INT value in another process memory

I have been trying to find a good way to scan another program's memory for a specific value (int). What I have now does work, but I am sure there are way better ways and way faster ways.

#include <windows.h>
#include <iostream>
using namespace std;

DWORD pid;
DWORD Money = 0x04661128; //Address of money in-game (not used by the scan below)
int MyMoney;
int MyMoneyReal;

int main()
{
    HWND hWnd = FindWindowA(0, "Euro Truck Simulator 2");
    GetWindowThreadProcessId(hWnd, &pid);
    HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    cout << "Please input your exact current money value!" << pid << endl;
    cin >> MyMoneyReal;
    // Brute force: one ReadProcessMemory call per byte offset from 0 to 0x7FFFFFFF.
    // The return value is checked so a failed read does not re-report the stale value in MyMoney.
    for (int i = 0; i < 0x7FFFFFFF; i++) {
        if (ReadProcessMemory(pHandle, (LPVOID)i, &MyMoney, sizeof(MyMoney), 0) && MyMoney == MyMoneyReal) {
            cout << "Found a match: " << MyMoney << " " << MyMoneyReal << " With HEX value: " << hex << i << dec << endl;
        }
    }
    cout << "Processing...";
    CloseHandle(pHandle);
}

So as you can see, I make an int MyMoney and MyMoneyReal. Then I proceed to scan from 0 to 0x7FFFFFFF in the program memory to find all addresses containing MyMoneyReal. This takes a very long time to complete and I'm sure there are better ways, but I have no clue how.

I should add: I am very new to C++ so any extra help is always nice :)

Your loop calls ReadProcessMemory 2147483647 times.

Every time it's called it has to verify that the memory is readable and then it copies sizeof(int) bytes into the buffer. It has its cost...

You can read, for example, 1MB chunks of memory so you've got fewer calls to ReadProcessMemory. Then you can process each chunk locally just like you do it now. Simplified version:

#include <windows.h>
#include <cstring>

constexpr unsigned CHUNK_SIZE = 0x100000;
constexpr unsigned MAX_ADDRESS = 0x7FFFFFFF;
//remember to make sure stack is big enough or allocate it on heap
char buffer[CHUNK_SIZE];

// hProcess: handle opened with at least PROCESS_VM_READ; wanted: the value to look for
void scanChunks(HANDLE hProcess, int wanted)
{
    for (unsigned i = 0; i < MAX_ADDRESS; i += CHUNK_SIZE) {
        // One call per 1MB chunk instead of one call per byte offset
        if (ReadProcessMemory(hProcess, (LPVOID)i, buffer, sizeof(buffer), nullptr)) {
            for (unsigned j = 0; j <= CHUNK_SIZE - sizeof(int); ++j) {
                int something;
                memcpy(&something, buffer + j, sizeof(int)); // memcpy: the value may be unaligned
                //... compare `something` with `wanted`; on a match the address is i + j
            }
        }
    }
}

As you can see, in the inner for loop we read up to CHUNK_SIZE - sizeof(int) because we don't want to read past the end of the buffer. However, the outer loop in my example doesn't handle this properly and we skip some bytes. It's easy to fix, I leave it up to you.

Of course your buffer can be bigger/smaller. You have to try and measure.

Note: This is still a lot of operations. We just limit the number of calls to the potentially expensive ReadProcessMemory. You should try to limit your address range. I'm pretty sure most of these calls to ReadProcessMemory just fail. As suggested in the comments, one option is to use VirtualQueryEx.
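Added example, not code from the question or the answer: a platform-independent version of the chunked scan that closes the boundary gap the answer leaves as an exercise, by overlapping consecutive chunks by sizeof(int)-1 bytes. Memory is read through a callback so it can be tested offline; `readFake` and the constructed 4 KiB image with the value 1337 planted at three offsets stand in for a real process, where the callback would wrap ReadProcessMemory over the committed regions that VirtualQueryEx reports.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>
// Reader: copy `len` bytes from `addr` into `out`, false if unreadable. On Windows this would
// wrap ReadProcessMemory over the committed regions reported by VirtualQueryEx (assumed usage).
using ReadFn = std::function<bool(std::uintptr_t addr, void* out, std::size_t len)>;

// Scan [start, end) in chunks for every 4-byte occurrence of `target` (aligned or not).
// Consecutive chunks overlap by sizeof(target)-1 bytes, so a value straddling a chunk
// boundary is still found and no address is reported twice.
std::vector<std::uintptr_t> scanForInt(const ReadFn& read, std::uintptr_t start,
    std::uintptr_t end, std::int32_t target, std::size_t chunkSize) {
    std::vector<std::uintptr_t> hits;
    if (chunkSize < sizeof(target)) return hits;
    std::vector<char> buffer(chunkSize);
    const std::size_t overlap = sizeof(target) - 1;
    for (std::uintptr_t addr = start; addr + sizeof(target) <= end;) {
        const std::size_t len = std::min<std::size_t>(chunkSize, end - addr);
        if (read(addr, buffer.data(), len)) {  // unreadable chunk: skip it, keep going
            for (std::size_t j = 0; j + sizeof(target) <= len; ++j) {
                std::int32_t v;
                std::memcpy(&v, buffer.data() + j, sizeof(v));  // no unaligned-access UB
                if (v == target) hits.push_back(addr + j);
            }
        }
        addr += len - overlap;  // step back 3 bytes so the next chunk re-reads the boundary
    }
    return hits;
}

// Constructed stand-in for the other process: 4 KiB of zeros "mapped" at kBase, with the
// value 1337 planted at three offsets; offset 254 straddles the 256-byte chunk edge.
const std::uintptr_t kBase = 0x400000;
const std::vector<unsigned char> kFakeMemory = [] {
    std::vector<unsigned char> mem(4096, 0);
    const std::int32_t v = 1337;
    for (std::size_t off : {100, 254, 1000}) std::memcpy(&mem[off], &v, sizeof(v));
    return mem;
}();
bool readFake(std::uintptr_t addr, void* out, std::size_t len) {
    if (addr < kBase || addr - kBase + len > kFakeMemory.size()) return false;
    std::memcpy(out, kFakeMemory.data() + (addr - kBase), len);
    return true;
}
// Scan the fake image with 256-byte chunks; returns {kBase+100, kBase+254, kBase+1000}.
std::vector<std::uintptr_t> demoScan() {
    return scanForInt(readFake, kBase, kBase + kFakeMemory.size(), 1337, 256);
}
```

With the answer's 1MB CHUNK_SIZE the same loop makes about 2048 reads over a 2GB range instead of two billion, and the overlap means the match at the chunk edge is not lost.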

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM