How to "find" all memory which program uses?



  • This topic is about the functions from Windows.h which allow detecting other programs which are now running and also reading and writing from/to the memory of those programs.

    All day I spent time trying to understand these two functions:

    GetWindowThreadProcessId(); and ReadProcessMemory();

    The first is easier: it returns the process ID. The second I tested, and it works well: you put a memory address in the second parameter and you can find out what value it stores. I don't understand only one thing.

    How, just how can I find out which memory addresses this process uses? How can I get to know how many variables this program is using now and what the actual addresses of those variables are?

    I'm really tired, spent all day googling, and everybody is telling how to use

    ReadProcessMemory(someHandle, (LPVOID)0x033FA818, &myValue, sizeof(myValue), 0);

    but there is no info about how I can get that variable address 0x033FA818 in the first place...

    P.S. Don't tell me that it's impossible; programs like CheatEngine succeed at that.


  • Moderators

    @Engelard said in How to "find" all memory which program uses?:

    How, just how can I find out which memory addresses this process uses? How can I get to know how many variables this program is using now and what the actual addresses of those variables are?

    ...no info about how I can get that variable address 0x033FA818 in the first place...

    This post might help: https://stackoverflow.com/questions/24182927/c-writeprocessmemory-how-to-get-the-right-lpbaseaddress (it's about WriteProcessMemory(), but you can use the same ideas with ReadProcessMemory())

    The first time you do it, you probably have to scan the whole process using brute-force -- check every single address in a loop and see if that address contains what you're looking for. This can take a long time!

    How can I get to know how many variables this program is using now...

    You cannot. After source code has been compiled into an executable, "variables" and "types" no longer exist (unless you make a Debug build). All of them get reduced to addresses and offsets only.

    ...and what the actual addresses of those variables are?

    You find the addresses by reverse-engineering the program.

    This topic is about the functions from Windows.h which allow detecting other programs which are now running and also reading and writing from/to the memory of those programs.

    This is a Qt forum, so very few people here use those functions. If you still have more questions about them, you might have better luck at other places like MSDN forums or StackOverflow.



  • The first time you do it, you probably have to scan the whole process using brute-force -- check every single address in a loop and see if that address contains what you're looking for. This can take a long time!

    Hey, I've thought about that, and the question arises: how much memory should I scan with my for loop, or should I scan until I reach the maximum 8-digit number? And if I find something in the byte I'm scanning, how would I know what type it is? If it's 8 continuous bytes, it might be a long long int, or it might be 2 ints just one after another, or it might be one char, then one int, and after it 3 chars again!

    This is a Qt forum, so very few people here use those functions. If you still have more questions about them, you might have better luck at other places like MSDN forums or StackOverflow.

    I just saw "C++ gurus" :)). Will try MSDN. StackOverflow is not very good because there is a 7-day cooldown and I asked an important question just yesterday.

    Update: what if I want to get to know about all the variables of my test program which are one or a couple of ints? I will use a loop of course, and it will take time, but up to what number should the loop go? Up to 4294967295, which means the last memory address 0xFFFFFFFFF? I can't get that part, really...


  • Qt Champions 2017

    @Engelard said in How to "find" all memory which program uses?:

    how much memory should I scan with my for loop, or should I scan until I reach the maximum 8-digit number?

    None of that. No offense, but you're way over your head here, judging by the questions.

    And if I find something in the byte I'm scanning, how would I know what type it is? If it's 8 continuous bytes, it might be a long long int, or it might be 2 ints just one after another, or it might be one char, then one int, and after it 3 chars again!

    You can't know. What you can know is what register holds what data (incl. addresses) and try to deduce by the pushes/pops from the stack and stores and loads into memory if the registers hold a reference to an array or a variable etc. However, this requires you knowing assembly and more to the point having experience with low-level debugging techniques.

    Update: what if I want to get to know about all the variables of my test program which are one or a couple of ints?

    There's no such thing as variables at the low level. You have registers and memory, memory has addresses and that's all. The data held in memory or in the registers is interpreted in some way so you get "variable types", but this is done for you when the compiler runs on your code. Reversing it isn't at all trivial, nor is it always correctly interpreted.



  • @Engelard said in How to "find" all memory which program uses?:

    P.S. Don't tell me that it's impossible; programs like CheatEngine succeed at that.

    It's quite possible to predict the addresses of global variables, as their offsets from the start of the corresponding memory mapping area will never change when you run the same binary repeatedly. Similarly with stack variables: their offset from the frame pointer of the corresponding function is constant, but you need to get the frame pointer first, and their meaning might differ depending on how this function is used. To start learning these dark arts you need to make a debug build of your code and explore things with a debugger and binary analysis tools like objdump. You may also want to read on the "reverse engineering" topic.

    What about heap-allocated variables: their locations are random in the generic case, so you indeed might need to do brute-force scans, or use some complicated application-specific heuristics to speed up this tedious process.

    Note that doing the aforementioned things on code which you don't own might be considered illegal, depending on the laws of your area and the licensing policy of that software.



  • @Engelard said in How to "find" all memory which program uses?:

    programs like CheatEngine succeed in that

    If I'm not mistaken, CheatEngine asks as input the size (in bytes) of the variable and then asks you to tell it the content of the variable multiple times until it can filter out the junk and find where the variable lives in memory.
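The narrowing approach described in the reply above (fix the value size, scan once, then re-check only the surviving candidates each time the value changes), as an added example that is not part of this thread: it runs over a constructed byte buffer standing in for a region you would read with ReadProcessMemory(), so the function names, the 64-byte layout and the offsets are assumptions, not anything from CheatEngine. The same candidate-narrowing is what memory-forensics tooling does to pin a value in a captured region without re-walking the whole region on every pass.

```c
#include <stdint.h>
#include <string.h>

#define MAX_CANDIDATES 4096
typedef struct { size_t offsets[MAX_CANDIDATES]; size_t count; } candidates_t;

/* First pass: record every byte offset where a host-endian int32_t matches.
   Stride 1 (not 4) so storage that is not 4-byte aligned is not missed. */
static void scan_first(const uint8_t *region, size_t len, int32_t value, candidates_t *out) {
    out->count = 0;
    for (size_t off = 0; off + sizeof value <= len; off++) {
        int32_t v;
        memcpy(&v, region + off, sizeof v);          /* unaligned-safe read */
        if (v == value && out->count < MAX_CANDIDATES)
            out->offsets[out->count++] = off;
    }
}

/* Later passes: after the hunted value changed, keep only the candidates that
   now hold the new value. Only those offsets are re-read, not the whole region. */
static void scan_next(const uint8_t *region, size_t len, int32_t value, candidates_t *c) {
    size_t kept = 0;
    for (size_t i = 0; i < c->count; i++) {
        int32_t v;
        if (c->offsets[i] + sizeof v > len) continue;
        memcpy(&v, region + c->offsets[i], sizeof v);
        if (v == value) c->offsets[kept++] = c->offsets[i];
    }
    c->count = kept;
}

/* Constructed stand-in for successive reads of one 64-byte region of a test
   program: the hunted value is at offset 20; two decoys (one deliberately
   unaligned, at offset 41) also read 100 in the first snapshot. */
static void snapshot(uint8_t *r, int32_t hunted, int32_t decoy_a, int32_t decoy_b) {
    memset(r, 0, 64);
    memcpy(r + 4, &decoy_a, 4);
    memcpy(r + 20, &hunted, 4);
    memcpy(r + 41, &decoy_b, 4);
}

size_t demo_hits[3];   /* candidates surviving after each pass: 3, 2, 1 */

/* Returns the single surviving offset (20), or (size_t)-1 if narrowing failed. */
size_t demo_narrow(void) {
    uint8_t r[64];
    candidates_t c;
    snapshot(r, 100, 100, 100); scan_first(r, 64, 100, &c); demo_hits[0] = c.count;
    snapshot(r, 150, 100, 150); scan_next(r, 64, 150, &c);  demo_hits[1] = c.count;
    snapshot(r, 175, 100, 150); scan_next(r, 64, 175, &c);  demo_hits[2] = c.count;
    return c.count == 1 ? c.offsets[0] : (size_t)-1;
}
```

In a real scan the region would come from VirtualQueryEx() plus ReadProcessMemory() over committed, readable regions only, which is also why brute-forcing every address from 0 is so slow: most of the address space is not mapped at all.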



  • @Engelard Also, tools like "CheatEngine" may include an embedded full-fledged debugger (e.g. something off-the-shelf like libunwind, or even hand-made) and single-step the "hijacked" software right from its start to get all addresses of heap variables as they are being allocated.



  • Note that doing the aforementioned things on code which you don't own might be considered illegal, depending on the laws of your area and the licensing policy of that software.

    WAHHAHA! Since I'm living in a shithole called Ukraine I'll be fine 100%



  • Last report from me:
    It works if I use the simplest scan with a for loop, simply scanning every memory address from the beginning. Finding the variable address of my test program took about 24 seconds, considering the fact that that address was placed near the beginning (the 11 millionth position), and a CPU with 4 GHz speed.

    I calculated that using such a "simple" scan might take 2 and a half hours...

    P.S. And CheatEngine does such a scan in about one second, but it was written in Python; I don't know why he chose to write it in that language, but there must be some reason.

