Re: [Tutor] How do I scan memory for singles, doubles and so on?

2017-10-07 Thread Mats Wichmann
It might help if you mention what you are trying to do. If it is forensics,
there are a bunch of Python tools in that area. Your problem may already have
solutions you could use.

On October 7, 2017 3:00:25 PM MDT, Michael C  
wrote:
>Hi all:
>
>I am working on a memory scanner, and the source code and output are as
>follows:
>
>Now, I know why my buffer from read process memory looks like values
>such as "67108864"; it's because I read the entire chunk of memory into
>the buffer at a time, because I fed read process memory this: "mbi.RegionSize"
>
>Now, how do I read for values such as doubles?
>I am guessing I need to use a for loop to scan small chunks of memory
>at a time.
>
>Is there a way to do it?
>
>Thanks!
>
>
>
>
>>output starts
>
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(6385664)
>buffer is:  c_ulong(67108864)
>buffer is:  c_ulong(7761920)
>buffer is:  c_ulong(7798784)
>buffer is:  c_ulong(7872512)
>buffer is:  c_ulong(8007680)
>buffer is:  c_ulong(8044544)
>buffer is:  c_ulong(8069120)
>buffer is:  c_ulong(8216576)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(3976)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(1318755581)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>
>> code starts
>
>buffer = ctypes.c_uint()
>nread = SIZE_T()
>
>start = ctypes.c_void_p(mbi.BaseAddress)
>
>ReadProcessMemory = Kernel32.ReadProcessMemory
>
>MEM_COMMIT = 0x1000
>PAGE_READWRITE = 0x04
>
>current_address = sysinfo.lpMinimumApplicationAddress
>end_address = sysinfo.lpMaximumApplicationAddress
>
>while current_address < end_address:
>    Kernel32.VirtualQueryEx(Process,
>                            current_address, ctypes.byref(mbi), ctypes.sizeof(mbi))
>
>    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
>
>        if ReadProcessMemory(Process, current_address,
>                             ctypes.byref(buffer),
>                             ctypes.sizeof(buffer), ctypes.byref(nread)):
>            print('buffer is: ', buffer)
>        else:
>            raise ctypes.WinError(ctypes.get_last_error())
>
>    current_address += mbi.RegionSize

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
___
Tutor maillist  -  Tutor@python.org
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor


Re: [Tutor] How do I scan memory for singles, doubles and so on?

2017-10-07 Thread Michael C
Or to put it better, I think, it's

How do I set up ReadProcessMemory, so that it returns a double instead of
129819721.

On Sat, Oct 7, 2017 at 2:00 PM, Michael C 
wrote:

> Hi all:
>
> I am working on a memory scanner, and the source code and output are as
> follows:
>
> Now, I know why my buffer from read process memory looks like values such
> as "67108864"; it's because I read the entire chunk of memory into the buffer
> at a time, because I fed read process memory this: "mbi.RegionSize"
>
> Now, how do I read for values such as doubles?
> I am guessing I need to use a for loop to scan small chunks of memory
> at a time.
>
> Is there a way to do it?
>
> Thanks!
>
>
>
>
> >output starts
>
> buffer is:  c_ulong(0)
> buffer is:  c_ulong(0)
> buffer is:  c_ulong(6385664)
> buffer is:  c_ulong(67108864)
> buffer is:  c_ulong(7761920)
> buffer is:  c_ulong(7798784)
> buffer is:  c_ulong(7872512)
> buffer is:  c_ulong(8007680)
> buffer is:  c_ulong(8044544)
> buffer is:  c_ulong(8069120)
> buffer is:  c_ulong(8216576)
> buffer is:  c_ulong(0)
> buffer is:  c_ulong(0)
> buffer is:  c_ulong(3976)
> buffer is:  c_ulong(0)
> buffer is:  c_ulong(0)
> buffer is:  c_ulong(1318755581)
> buffer is:  c_ulong(0)
> buffer is:  c_ulong(0)
> buffer is:  c_ulong(0)
> buffer is:  c_ulong(0)
>
> > code starts
>
> buffer = ctypes.c_uint()
> nread = SIZE_T()
>
> start = ctypes.c_void_p(mbi.BaseAddress)
>
> ReadProcessMemory = Kernel32.ReadProcessMemory
>
> MEM_COMMIT = 0x1000
> PAGE_READWRITE = 0x04
>
> current_address = sysinfo.lpMinimumApplicationAddress
> end_address = sysinfo.lpMaximumApplicationAddress
>
> while current_address < end_address:
>     Kernel32.VirtualQueryEx(Process,
>                             current_address, ctypes.byref(mbi), ctypes.sizeof(mbi))
>
>     if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
>
>         if ReadProcessMemory(Process, current_address,
>                              ctypes.byref(buffer),
>                              ctypes.sizeof(buffer), ctypes.byref(nread)):
>             print('buffer is: ', buffer)
>         else:
>             raise ctypes.WinError(ctypes.get_last_error())
>
>     current_address += mbi.RegionSize
>
>


[Tutor] How do I scan memory for singles, doubles and so on?

2017-10-07 Thread Michael C
Hi all:

I am working on a memory scanner, and the source code and output are as
follows:

Now, I know why my buffer from read process memory looks like values such
as "67108864"; it's because I read the entire chunk of memory into the buffer
at a time, because I fed read process memory this: "mbi.RegionSize"

Now, how do I read for values such as doubles?
I am guessing I need to use a for loop to scan small chunks of memory
at a time.

Is there a way to do it?

Thanks!




>output starts

buffer is:  c_ulong(0)
buffer is:  c_ulong(0)
buffer is:  c_ulong(6385664)
buffer is:  c_ulong(67108864)
buffer is:  c_ulong(7761920)
buffer is:  c_ulong(7798784)
buffer is:  c_ulong(7872512)
buffer is:  c_ulong(8007680)
buffer is:  c_ulong(8044544)
buffer is:  c_ulong(8069120)
buffer is:  c_ulong(8216576)
buffer is:  c_ulong(0)
buffer is:  c_ulong(0)
buffer is:  c_ulong(3976)
buffer is:  c_ulong(0)
buffer is:  c_ulong(0)
buffer is:  c_ulong(1318755581)
buffer is:  c_ulong(0)
buffer is:  c_ulong(0)
buffer is:  c_ulong(0)
buffer is:  c_ulong(0)

> code starts

buffer = ctypes.c_uint()
nread = SIZE_T()

start = ctypes.c_void_p(mbi.BaseAddress)

ReadProcessMemory = Kernel32.ReadProcessMemory

MEM_COMMIT = 0x1000
PAGE_READWRITE = 0x04

current_address = sysinfo.lpMinimumApplicationAddress
end_address = sysinfo.lpMaximumApplicationAddress

while current_address < end_address:
    Kernel32.VirtualQueryEx(Process,
                            current_address, ctypes.byref(mbi), ctypes.sizeof(mbi))

    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:

        if ReadProcessMemory(Process, current_address,
                             ctypes.byref(buffer),
                             ctypes.sizeof(buffer), ctypes.byref(nread)):
            print('buffer is: ', buffer)
        else:
            raise ctypes.WinError(ctypes.get_last_error())

    current_address += mbi.RegionSize
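The reinterpretation step behind both questions above ("how do I read for values such as doubles" and "how do I get a double instead of 129819721"), as an added example that is not code from this thread: a constructed byte buffer stands in for what ReadProcessMemory would copy into a create_string_buffer(mbi.RegionSize), and it is scanned at every byte offset, or only at naturally aligned slots, for int32/uint32/float/double values with struct.unpack_from; a ctypes.cast view shows the zero-copy alternative and why it only sees aligned slots. The buffer contents, the target values and the helper names (values_at, find_value, as_doubles) are all assumptions made up for the example; it runs on any platform since nothing here touches a live process.

```python
import ctypes
import math
import struct

# Constructed sample region: stands in for the bytes ReadProcessMemory would
# copy into a create_string_buffer(mbi.RegionSize). Not a dump of a real process.
SAMPLE_REGION = (
    struct.pack("<I", 67108864)        # offset 0:  the uint32 the thread saw printed
    + struct.pack("<d", 3.14159)       # offset 4:  a double that is NOT 8-byte aligned
    + struct.pack("<f", 2.5)           # offset 12: a single-precision float
    + b"\x00" * 8                      # offset 16: padding
    + struct.pack("<d", 100.0)         # offset 24: an 8-byte aligned double
    + struct.pack("<d", float("nan"))  # offset 32: a NaN, which must never "match"
    + struct.pack("<q", -1)            # offset 40: eight 0xFF bytes
)

# struct format per value kind; "<" = little-endian, as x86/x64 process memory is
TYPE_FORMATS = {"int32": "<i", "uint32": "<I", "float": "<f", "double": "<d"}


def values_at(region, kind, step=1):
    """Yield (offset, value) for every `kind` that fits at offsets 0, step, 2*step, ...
    step=1 looks at every byte offset; step=sizeof(kind) looks only at naturally
    aligned slots, which is all a typed ctypes view of the buffer can see."""
    fmt = TYPE_FORMATS[kind]
    size = struct.calcsize(fmt)
    for offset in range(0, len(region) - size + 1, step):
        yield offset, struct.unpack_from(fmt, region, offset)[0]


def find_value(region, kind, target, tolerance=0.0, step=1):
    """Offsets within `region` at which `target` is stored as `kind`.
    Floating-point kinds compare with a tolerance and skip NaN explicitly
    (NaN compares unequal to everything, so it can never be a hit)."""
    hits = []
    for offset, value in values_at(region, kind, step):
        if kind in ("float", "double"):
            if not math.isnan(value) and abs(value - target) <= tolerance:
                hits.append(offset)
        elif value == target:
            hits.append(offset)
    return hits


def as_doubles(region):
    """View a char buffer as consecutive doubles via ctypes.cast, the zero-copy way
    to reinterpret a create_string_buffer() that ReadProcessMemory has filled.
    Only 8-byte aligned slots are visible this way: the double at offset 4 is not."""
    buf = (ctypes.c_char * len(region)).from_buffer_copy(region)
    count = len(region) // ctypes.sizeof(ctypes.c_double)
    view = ctypes.cast(buf, ctypes.POINTER(ctypes.c_double * count)).contents
    return list(view)


if __name__ == "__main__":
    print("uint32 67108864 at:", find_value(SAMPLE_REGION, "uint32", 67108864))
    print("double 3.14159, every offset:", find_value(SAMPLE_REGION, "double", 3.14159, 1e-9))
    print("double 3.14159, aligned only:", find_value(SAMPLE_REGION, "double", 3.14159, 1e-9, step=8))
    print("int32 -1, overlapping hits:", find_value(SAMPLE_REGION, "int32", -1))
    print("aligned doubles:", as_doubles(SAMPLE_REGION))
```

The byte-stepping scan is what finds values a program stored without alignment, at the cost of overlapping false hits (the eight 0xFF bytes match int32 -1 at five consecutive offsets); scanning with step equal to the type size is faster and mirrors what a typed ctypes buffer such as c_double() read directly at an address would give, but misses anything unaligned.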


Re: [Tutor] ctypes wintypes

2017-10-07 Thread Michael C
I think I pieced together what you have been helping me with, but this
still raises an error.
I have been loosely following this guide:
https://www.codeproject.com/articles/716227/csharp-how-to-scan-a-process-memory



>code start.


import ctypes
from ctypes.wintypes import WORD, DWORD, LPVOID

PVOID = LPVOID
SIZE_T = ctypes.c_size_t

# https://msdn.microsoft.com/en-us/library/aa383751#DWORD_PTR
if ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulonglong):
    DWORD_PTR = ctypes.c_ulonglong
elif ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulong):
    DWORD_PTR = ctypes.c_ulong

class SYSTEM_INFO(ctypes.Structure):
    """https://msdn.microsoft.com/en-us/library/ms724958"""
    class _U(ctypes.Union):
        class _S(ctypes.Structure):
            _fields_ = (('wProcessorArchitecture', WORD),
                        ('wReserved', WORD))
        _fields_ = (('dwOemId', DWORD),  # obsolete
                    ('_s', _S))
        _anonymous_ = ('_s',)
    _fields_ = (('_u', _U),
                ('dwPageSize', DWORD),
                ('lpMinimumApplicationAddress', LPVOID),
                ('lpMaximumApplicationAddress', LPVOID),
                ('dwActiveProcessorMask', DWORD_PTR),
                ('dwNumberOfProcessors', DWORD),
                ('dwProcessorType', DWORD),
                ('dwAllocationGranularity', DWORD),
                ('wProcessorLevel', WORD),
                ('wProcessorRevision', WORD))
    _anonymous_ = ('_u',)

LPSYSTEM_INFO = ctypes.POINTER(SYSTEM_INFO)


Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
Kernel32.GetSystemInfo.restype = None
Kernel32.GetSystemInfo.argtypes = (LPSYSTEM_INFO,)

sysinfo = SYSTEM_INFO()
Kernel32.GetSystemInfo(ctypes.byref(sysinfo))

print(sysinfo.lpMinimumApplicationAddress)
print(sysinfo.lpMaximumApplicationAddress)


# maybe it will change, maybe it won't. Assuming it won't.

# 2nd, get Open process.

PID = 1234
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010

Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                               False, PID)
print('process:', Process)


# 3rd

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    """https://msdn.microsoft.com/en-us/library/aa366775"""
    _fields_ = (('BaseAddress', PVOID),
                ('AllocationBase', PVOID),
                ('AllocationProtect', DWORD),
                ('RegionSize', SIZE_T),
                ('State', DWORD),
                ('Protect', DWORD),
                ('Type', DWORD))

##PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)

mbi = MEMORY_BASIC_INFORMATION()
##sysinfo.lpMinimumApplicationAddress

print('VirtualQueryEx ran properly?', Kernel32.VirtualQueryEx(Process,
      None, ctypes.byref(mbi), ctypes.sizeof(mbi)))
# sysinfo.lpMinimumApplicationAddress replaced by None

print('')
print('mbi start')
print('mbi.BaseAddress: ', mbi.BaseAddress)
print('mbi.AllocationBase: ', mbi.AllocationBase)
print('mbi.AllocationProtect: ', mbi.AllocationProtect)
print('mbi.RegionSize: ', mbi.RegionSize)
print('mbi.State: ', mbi.State)
print('mbi.Protect: ', mbi.Protect)
print('mbi.Type: ', mbi.Type)


buffer = ctypes.create_string_buffer(mbi.RegionSize)
nread = SIZE_T()

start = ctypes.c_void_p(mbi.BaseAddress)
##start_pointer = ctypes.byref(start)

ReadProcessMemory = Kernel32.ReadProcessMemory

if ReadProcessMemory(Process, start, ctypes.byref(buffer),
                     ctypes.sizeof(buffer), ctypes.byref(nread)):
    print('buffer is: ', buffer)
else:
    raise ctypes.WinError(ctypes.get_last_error())


# once I figure out read process memory, I'll combine it with virtual
# process memory.

# if they don't equal to that, then it's time to move to the next thing?
# Don't do read memory yet.
# make it traverse through all memory and print out when protect and state
# are both true.
##
##MEM_COMMIT = 0x1000
##PAGE_READWRITE = 0x04
##
##current_address = sysinfo.lpMinimumApplicationAddress
##end_address = sysinfo.lpMaximumApplicationAddress
##
##while current_address < end_address:
##    Kernel32.VirtualQueryEx(Process,
##                            current_address, ctypes.byref(mbi), ctypes.sizeof(mbi))
##
##    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
##        print(current_address)
##        print('Both are true')
##
##
##    current_address += mbi.RegionSize


On Fri, Oct 6, 2017 at 3:29 PM, eryk sun  wrote:

> On Fri, Oct 6, 2017 at 11:05 PM, Michael C
>  wrote:
> > For this read process memory, if I am trying compose a LPCVOID
> > lpBaseAddress, am I not making a variable that equals to
> mbi.BaseAddress,
> > and then making a pointer pointing to it?
> >
> > start_address = mbi.BaseAddress
> >  LPCVOID = ctypes.byref(start_address)
>
> LPCVOID is a pointer type; don't use it as a variable name because
> it's confusing to someone who's reading your code.
>
> The `BaseAddress` field is an LPVOID, which is an alias for
> ctypes.c_void_p. Simple C types such as c_void_p are automatically

Re: [Tutor] ctypes wintypes

2017-10-07 Thread Michael C
For this read process memory, if I am trying to compose a LPCVOID
lpBaseAddress, am I not making a variable that equals mbi.BaseAddress,
and then making a pointer pointing to it?

start_address = mbi.BaseAddress
LPCVOID = ctypes.byref(start_address)

?

But I get this

start = ctypes.byref(mbi.BaseAddress)
TypeError: byref() argument must be a ctypes instance, not 'int'


On Fri, Oct 6, 2017 at 2:53 PM, eryk sun  wrote:

> On Fri, Oct 6, 2017 at 10:26 PM, Michael C
>  wrote:
> >
> > base = mbi.BaseAddress
> > buffer = ctypes.c_int32()
> > buffer_pointer = ctypes.byref(buffer)
> > ReadProcessMemory = Kernel32.ReadProcessMemory
> >
> > if ReadProcessMemory(Process, base, buffer_pointer, mbi.RegionSize,
> >                      None):
> >     print('buffer is: ', buffer)
> > else:
> >     raise ctypes.WinError(ctypes.get_last_error())
>
> If you need to read RegionSize bytes, then you have to allocate a
> buffer that's RegionSize bytes:
>
> buffer = ctypes.create_string_buffer(mbi.RegionSize)
>
> Or use a smaller buffer and loop until the total number of bytes read
> is RegionSize.
>
> Also, remember to check that the state is MEM_COMMIT. You cannot read
> an address range that's free or reserved. It must be committed, i.e.
> backed by physical storage.
>


Re: [Tutor] ctypes wintypes

2017-10-07 Thread Michael C
like this?

buffer = ctypes.byref(ctypes.create_string_buffer(4))

On Fri, Oct 6, 2017 at 1:55 PM, eryk sun  wrote:

> On Fri, Oct 6, 2017 at 9:12 PM, Michael C
>  wrote:
> >
> > How do I create a buffer, or rather, is a buffer just a variable?
>
> A buffer is a block of memory for an I/O operation. For example, if
> you need to read a 4-byte (32-bit) integer at an address in another
> process, the 'buffer' could be ctypes.c_int32(). In general, to read
> an arbitrary-sized block of memory, use ctypes.create_string_buffer()
> to create a char array.
>
> > How do I create a pointer to it?
>
> Pass it byref().
>
> > print('mbi.State: ',mbi.State)
>
> Check whether mbi.State is MEM_COMMIT before trying to read it. If
> it's MEM_FREE or MEM_RESERVE, then ReadProcessMemory will fail.
>
> > buffer = ctypes.create_string_buffer(4)
> > bufferSize = (ctypes.sizeof(buffer))
> >
> > ReadProcessMemory = Kernel32.ReadProcessMemory
> >
> > if ReadProcessMemory(Process, ctypes.byref(mbi), buffer, bufferSize,
> >                      None):
> >     print('buffer is: ', buffer)
> > else:
> >     print('something is wrong')
>
> Don't print "something is wrong". You're capturing the thread's last
> error value, so use it to raise an informative exception. For example:
>
> if not success:
>     raise ctypes.WinError(ctypes.get_last_error())
>


Re: [Tutor] ctypes wintypes

2017-10-07 Thread Michael C
This is my updated version; it still doesn't work :(


base = mbi.BaseAddress
buffer = ctypes.c_int32()
buffer_pointer = ctypes.byref(buffer)

ReadProcessMemory = Kernel32.ReadProcessMemory

if ReadProcessMemory(Process, base, buffer_pointer, mbi.RegionSize, None):
    print('buffer is: ', buffer)
else:
    raise ctypes.WinError(ctypes.get_last_error())

On Fri, Oct 6, 2017 at 2:06 PM, Michael C 
wrote:

> like this?
>
> buffer = ctypes.byref(ctypes.create_string_buffer(4))
>
> On Fri, Oct 6, 2017 at 1:55 PM, eryk sun  wrote:
>
>> On Fri, Oct 6, 2017 at 9:12 PM, Michael C
>>  wrote:
>> >
>> > How do I create a buffer, or rather, is a buffer just a variable?
>>
>> A buffer is a block of memory for an I/O operation. For example, if
>> you need to read a 4-byte (32-bit) integer at an address in another
>> process, the 'buffer' could be ctypes.c_int32(). In general, to read
>> an arbitrary-sized block of memory, use ctypes.create_string_buffer()
>> to create a char array.
>>
>> > How do I create a pointer to it?
>>
>> Pass it byref().
>>
>> > print('mbi.State: ',mbi.State)
>>
>> Check whether mbi.State is MEM_COMMIT before trying to read it. If
>> it's MEM_FREE or MEM_RESERVE, then ReadProcessMemory will fail.
>>
>> > buffer = ctypes.create_string_buffer(4)
>> > bufferSize = (ctypes.sizeof(buffer))
>> >
>> > ReadProcessMemory = Kernel32.ReadProcessMemory
>> >
>> > if ReadProcessMemory(Process, ctypes.byref(mbi), buffer, bufferSize,
>> >                      None):
>> >     print('buffer is: ', buffer)
>> > else:
>> >     print('something is wrong')
>>
>> Don't print "something is wrong". You're capturing the thread's last
>> error value, so use it to raise an informative exception. For example:
>>
>> if not success:
>>     raise ctypes.WinError(ctypes.get_last_error())
>>
>
>
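Putting eryk sun's advice from the two replies above into one runnable piece (size the buffer to what you actually read, or loop a smaller buffer until RegionSize bytes are in hand; read only MEM_COMMIT regions; raise from the last-error value instead of printing "something is wrong"), together with the fix for the "updated version" that passes mbi.RegionSize as the size of a 4-byte c_int32 buffer. This is an added example, not code from the thread or from any of its participants. It is written against a constructed FakeProcess class that mimics the VirtualQueryEx/ReadProcessMemory contract so it runs without Windows or a live process; the region layout, the chunk sizes and the helper names (read_value, read_region, dump_readable_regions) are assumptions for the example. MEM_COMMIT and PAGE_READWRITE are the values used in the thread; the values of MEM_RESERVE, MEM_FREE, PAGE_EXECUTE_READ and ERROR_PARTIAL_COPY are the winnt.h/winerror.h constants, which the thread names but does not spell out.

```python
import ctypes
import struct

# Region state / protection flags (winnt.h) and the error code (winerror.h)
# ReadProcessMemory reports for an unreadable range.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_FREE = 0x10000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
ERROR_PARTIAL_COPY = 299


class FakeProcess:
    """Constructed stand-in for an OpenProcess handle plus VirtualQueryEx and
    ReadProcessMemory. regions: list of (base, size, state, protect, data)."""

    def __init__(self, regions):
        self.regions = regions
        self.last_error = 0  # plays the role of ctypes.get_last_error()

    def virtual_query(self, address):
        """Like VirtualQueryEx: (base, size, state, protect) of the region that
        contains address, or None once past the last region."""
        for base, size, state, protect, _ in self.regions:
            if base <= address < base + size:
                return base, size, state, protect
        return None

    def read_process_memory(self, address, dest, size, nread):
        """Same contract as the Win32 call: dest and nread arrive as byref()
        objects; returns True and fills dest, or False with last_error set.
        Only committed ranges lying inside one region are readable."""
        nread_obj = getattr(nread, "_obj", nread)  # byref(x)._obj is x
        nread_obj.value = 0
        for base, rsize, state, _, data in self.regions:
            if base <= address and address + size <= base + rsize:
                if state != MEM_COMMIT:
                    break  # free or reserved: fail, as the real call does
                start = address - base
                ctypes.memmove(dest, data[start:start + size], size)
                nread_obj.value = size
                return True
        self.last_error = ERROR_PARTIAL_COPY
        return False


def read_value(proc, address, ctype):
    """Read one fixed-size value: the buffer is an instance of the C type and
    the size passed is sizeof(buffer), never mbi.RegionSize."""
    buf = ctype()
    nread = ctypes.c_size_t()
    ok = proc.read_process_memory(address, ctypes.byref(buf),
                                  ctypes.sizeof(buf), ctypes.byref(nread))
    if not ok:  # real code: raise ctypes.WinError(ctypes.get_last_error())
        raise OSError(proc.last_error, "ReadProcessMemory failed")
    return buf.value


def read_region(proc, base, region_size, chunk_size=4096):
    """Read region_size bytes through a chunk_size buffer, looping until the
    total number of bytes read equals region_size."""
    buf = ctypes.create_string_buffer(chunk_size)
    nread = ctypes.c_size_t()
    out = bytearray()
    while len(out) < region_size:
        want = min(chunk_size, region_size - len(out))
        ok = proc.read_process_memory(base + len(out), ctypes.byref(buf),
                                      want, ctypes.byref(nread))
        if not ok or nread.value == 0:
            raise OSError(proc.last_error, "ReadProcessMemory failed")
        out += buf.raw[:nread.value]
    return bytes(out)


def dump_readable_regions(proc, min_address, max_address, chunk_size=4096):
    """The thread's while loop with the checks in place: walk region by region
    and read only those that are both MEM_COMMIT and PAGE_READWRITE."""
    dumps = {}
    address = min_address
    while address < max_address:
        info = proc.virtual_query(address)
        if info is None:
            break
        base, size, state, protect = info
        if state == MEM_COMMIT and protect == PAGE_READWRITE:
            dumps[base] = read_region(proc, base, size, chunk_size)
        address = base + size
    return dumps


# Constructed address space: one readable data region (starting with a known
# double), one reserved, one committed but executable, one free.
SAMPLE_DATA = struct.pack("<d", 2.5) + (bytes(range(256)) * 16)[8:]
SAMPLE_PROCESS = FakeProcess([
    (0x10000, 0x1000, MEM_COMMIT, PAGE_READWRITE, SAMPLE_DATA),
    (0x11000, 0x2000, MEM_RESERVE, 0, b""),
    (0x13000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ, b"\xcc" * 0x1000),
    (0x14000, 0x1000, MEM_FREE, 0, b""),
])

if __name__ == "__main__":
    print("double at 0x10000:", read_value(SAMPLE_PROCESS, 0x10000, ctypes.c_double))
    print("uint32 at 0x10008:", read_value(SAMPLE_PROCESS, 0x10008, ctypes.c_uint32))
    print("regions dumped:", [hex(b) for b in dump_readable_regions(SAMPLE_PROCESS, 0x10000, 0x15000)])
```

With a real handle, read_value(proc, address, ctypes.c_double) is the direct answer to "return a double instead of 129819721": the C type of the buffer decides how the bytes are interpreted, and its sizeof decides how many are asked for. Reading a reserved range raises with error 299 rather than silently returning zeros, which is the failure the MEM_COMMIT check exists to avoid.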