Re: [Tutor] How do I scan memory for singles, doubles and so on?
It might help if you mention what you are trying to do. If it is forensics, there are a bunch of Python tools in that area. Your problem may already have solutions you could use.

On October 7, 2017 3:00:25 PM MDT, Michael C wrote:
>Hi all:
>
>I am working on a memory scanner, and the source code and output are as
>follows:
>
>Now, I know why my buffer from read process memory looks like values
>such as "67108864"; it's because I read an entire chunk of memory into
>the buffer at a time, because I fed read process memory this: "mbi.RegionSize"
>
>Now, how do I read for values such as doubles?
>I am guessing I need to use a for loop to scan for small bits of memory
>chunk at a time.
>
>Is there a way to do it?
>
>Thanks!
>
>
>>output starts
>
>buffer is: c_ulong(0)
>buffer is: c_ulong(0)
>buffer is: c_ulong(6385664)
>buffer is: c_ulong(67108864)
>buffer is: c_ulong(7761920)
>buffer is: c_ulong(7798784)
>buffer is: c_ulong(7872512)
>buffer is: c_ulong(8007680)
>buffer is: c_ulong(8044544)
>buffer is: c_ulong(8069120)
>buffer is: c_ulong(8216576)
>buffer is: c_ulong(0)
>buffer is: c_ulong(0)
>buffer is: c_ulong(3976)
>buffer is: c_ulong(0)
>buffer is: c_ulong(0)
>buffer is: c_ulong(1318755581)
>buffer is: c_ulong(0)
>buffer is: c_ulong(0)
>buffer is: c_ulong(0)
>buffer is: c_ulong(0)
>
>> code starts
>
>buffer = ctypes.c_uint()
>nread = SIZE_T()
>
>start = ctypes.c_void_p(mbi.BaseAddress)
>
>ReadProcessMemory = Kernel32.ReadProcessMemory
>
>MEM_COMMIT = 0x1000
>PAGE_READWRITE = 0x04
>
>current_address = sysinfo.lpMinimumApplicationAddress
>end_address = sysinfo.lpMaximumApplicationAddress
>
>while current_address < end_address:
>    Kernel32.VirtualQueryEx(Process, \
>        current_address, ctypes.byref(mbi), ctypes.sizeof(mbi))
>
>    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
>
>        if ReadProcessMemory(Process, current_address,
>                             ctypes.byref(buffer), \
>                             ctypes.sizeof(buffer), ctypes.byref(nread)):
>            print('buffer is: ', buffer)
>        else:
>            raise ctypes.WinError(ctypes.get_last_error())
>
>    current_address += mbi.RegionSize

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

___
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor
Re: [Tutor] How do I scan memory for singles, doubles and so on?
Or to put it better, I think, it's: "How do I set up ReadProcessMemory so that it returns a double instead of 129819721?"

On Sat, Oct 7, 2017 at 2:00 PM, Michael C wrote:
> Hi all:
>
> I am working on a memory scanner, and the source code and output are as
> follows:
>
> Now, I know why my buffer from read process memory looks like values such
> as "67108864"; it's because I read an entire chunk of memory into the buffer
> at a time, because I fed read process memory this: "mbi.RegionSize"
>
> Now, how do I read for values such as doubles?
> I am guessing I need to use a for loop to scan for small bits of memory
> chunk at a time.
>
> Is there a way to do it?
>
> Thanks!
>
>
> >output starts
>
> buffer is: c_ulong(0)
> buffer is: c_ulong(0)
> buffer is: c_ulong(6385664)
> buffer is: c_ulong(67108864)
> buffer is: c_ulong(7761920)
> buffer is: c_ulong(7798784)
> buffer is: c_ulong(7872512)
> buffer is: c_ulong(8007680)
> buffer is: c_ulong(8044544)
> buffer is: c_ulong(8069120)
> buffer is: c_ulong(8216576)
> buffer is: c_ulong(0)
> buffer is: c_ulong(0)
> buffer is: c_ulong(3976)
> buffer is: c_ulong(0)
> buffer is: c_ulong(0)
> buffer is: c_ulong(1318755581)
> buffer is: c_ulong(0)
> buffer is: c_ulong(0)
> buffer is: c_ulong(0)
> buffer is: c_ulong(0)
>
> > code starts
>
> buffer = ctypes.c_uint()
> nread = SIZE_T()
>
> start = ctypes.c_void_p(mbi.BaseAddress)
>
> ReadProcessMemory = Kernel32.ReadProcessMemory
>
> MEM_COMMIT = 0x1000
> PAGE_READWRITE = 0x04
>
> current_address = sysinfo.lpMinimumApplicationAddress
> end_address = sysinfo.lpMaximumApplicationAddress
>
> while current_address < end_address:
>     Kernel32.VirtualQueryEx(Process, \
>         current_address, ctypes.byref(mbi), ctypes.sizeof(mbi))
>
>     if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
>
>         if ReadProcessMemory(Process, current_address,
>                              ctypes.byref(buffer), \
>                              ctypes.sizeof(buffer), ctypes.byref(nread)):
>             print('buffer is: ', buffer)
>         else:
>             raise ctypes.WinError(ctypes.get_last_error())
>
>     current_address += mbi.RegionSize
[Tutor] How do I scan memory for singles, doubles and so on?
Hi all:

I am working on a memory scanner, and the source code and output are as
follows:

Now, I know why my buffer from read process memory looks like values such
as "67108864"; it's because I read an entire chunk of memory into the buffer
at a time, because I fed read process memory this: "mbi.RegionSize"

Now, how do I read for values such as doubles?
I am guessing I need to use a for loop to scan for small bits of memory
chunk at a time.

Is there a way to do it?

Thanks!

>output starts

buffer is: c_ulong(0)
buffer is: c_ulong(0)
buffer is: c_ulong(6385664)
buffer is: c_ulong(67108864)
buffer is: c_ulong(7761920)
buffer is: c_ulong(7798784)
buffer is: c_ulong(7872512)
buffer is: c_ulong(8007680)
buffer is: c_ulong(8044544)
buffer is: c_ulong(8069120)
buffer is: c_ulong(8216576)
buffer is: c_ulong(0)
buffer is: c_ulong(0)
buffer is: c_ulong(3976)
buffer is: c_ulong(0)
buffer is: c_ulong(0)
buffer is: c_ulong(1318755581)
buffer is: c_ulong(0)
buffer is: c_ulong(0)
buffer is: c_ulong(0)
buffer is: c_ulong(0)

> code starts

buffer = ctypes.c_uint()
nread = SIZE_T()

start = ctypes.c_void_p(mbi.BaseAddress)

ReadProcessMemory = Kernel32.ReadProcessMemory

MEM_COMMIT = 0x1000
PAGE_READWRITE = 0x04

current_address = sysinfo.lpMinimumApplicationAddress
end_address = sysinfo.lpMaximumApplicationAddress

while current_address < end_address:
    Kernel32.VirtualQueryEx(Process, \
        current_address, ctypes.byref(mbi), ctypes.sizeof(mbi))

    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:

        if ReadProcessMemory(Process, current_address,
                             ctypes.byref(buffer), \
                             ctypes.sizeof(buffer), ctypes.byref(nread)):
            print('buffer is: ', buffer)
        else:
            raise ctypes.WinError(ctypes.get_last_error())

    current_address += mbi.RegionSize
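The values in the output above are what you get when a 4-byte c_uint is laid over each region: the bytes ReadProcessMemory copies out are untyped, and a double, a single or an int is just a ctypes type overlaid at some offset of the buffer. The following is an added example and not code from the thread: it builds a small region in-process from constructed sample data (so it runs anywhere, without OpenProcess/ReadProcessMemory or Windows) and scans it for a value of a chosen type, either at naturally aligned slots or at every byte offset. The KINDS table and the function names are my own; the only assumption is that the bytes are little-endian with native sizes, as they are on x86/x64 Windows.

```python
import ctypes
import math
from typing import Iterator, List, Optional, Tuple

# Value kinds the scanner understands, mapped to the ctypes type that is
# overlaid on the raw bytes (assumed little-endian, native sizes).
KINDS = {
    "int32": ctypes.c_int32,
    "uint32": ctypes.c_uint32,
    "float": ctypes.c_float,     # "single"
    "double": ctypes.c_double,
}


def iter_values(region: bytes, kind: str,
                step: Optional[int] = None) -> Iterator[Tuple[int, object]]:
    """Yield (offset, value) for every slot of `kind` inside `region`.

    `step` defaults to the type's own size, i.e. naturally aligned slots;
    pass step=1 to test every byte offset (slower, but finds packed data).
    """
    ctype = KINDS[kind]
    size = ctypes.sizeof(ctype)
    step = step or size
    for off in range(0, len(region) - size + 1, step):
        # from_buffer_copy reinterprets `size` bytes starting at `off`
        yield off, ctype.from_buffer_copy(region, off).value


def find_value(region: bytes, kind: str, target, tol: float = 0.0,
               step: Optional[int] = None) -> List[int]:
    """Return every offset whose `kind` interpretation equals `target`.

    Floating-point kinds compare within `tol` and skip NaN/inf, because
    arbitrary bytes decode to those far more often than to a real value.
    """
    hits = []
    for off, val in iter_values(region, kind, step):
        if kind in ("float", "double"):
            if math.isfinite(val) and abs(val - target) <= tol:
                hits.append(off)
        elif val == target:
            hits.append(off)
    return hits


def build_sample_region() -> bytes:
    """Constructed stand-in for one committed region: 64 zero bytes with a
    few known values written at known offsets (not real process memory)."""
    buf = ctypes.create_string_buffer(64)                   # zero-filled, writable
    ctypes.c_uint32.from_buffer(buf, 8).value = 67108864    # 0x04000000, like the c_ulong output above
    ctypes.c_double.from_buffer(buf, 16).value = 1234.5
    ctypes.c_float.from_buffer(buf, 32).value = 3.14
    ctypes.c_double.from_buffer(buf, 40).value = -0.25
    return buf.raw


if __name__ == "__main__":
    region = build_sample_region()
    print("doubles at aligned offsets:", list(iter_values(region, "double")))
    print("offset of 1234.5 as double:", find_value(region, "double", 1234.5))
    print("offset of 3.14 as float:   ", find_value(region, "float", 3.14, tol=1e-6))
    print("offset of 67108864 as u32: ", find_value(region, "uint32", 67108864))
```

The float case shows why a tolerance is needed: 3.14 stored as a single comes back as 3.1400001049..., so an exact comparison misses it. The same iter_values/find_value pair works unchanged on the bytes of a real region read into create_string_buffer(mbi.RegionSize), since buffer.raw is just bytes.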
Re: [Tutor] ctypes wintypes
I think I pieced together what you have been helping me with, but this still raises an error. I have been loosely following this guide:
https://www.codeproject.com/articles/716227/csharp-how-to-scan-a-process-memory

>code start.

import ctypes
from ctypes.wintypes import WORD, DWORD, LPVOID

PVOID = LPVOID
SIZE_T = ctypes.c_size_t

# https://msdn.microsoft.com/en-us/library/aa383751#DWORD_PTR
if ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulonglong):
    DWORD_PTR = ctypes.c_ulonglong
elif ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulong):
    DWORD_PTR = ctypes.c_ulong

class SYSTEM_INFO(ctypes.Structure):
    """https://msdn.microsoft.com/en-us/library/ms724958"""
    class _U(ctypes.Union):
        class _S(ctypes.Structure):
            _fields_ = (('wProcessorArchitecture', WORD),
                        ('wReserved', WORD))
        _fields_ = (('dwOemId', DWORD), # obsolete
                    ('_s', _S))
        _anonymous_ = ('_s',)
    _fields_ = (('_u', _U),
                ('dwPageSize', DWORD),
                ('lpMinimumApplicationAddress', LPVOID),
                ('lpMaximumApplicationAddress', LPVOID),
                ('dwActiveProcessorMask', DWORD_PTR),
                ('dwNumberOfProcessors', DWORD),
                ('dwProcessorType', DWORD),
                ('dwAllocationGranularity', DWORD),
                ('wProcessorLevel', WORD),
                ('wProcessorRevision', WORD))
    _anonymous_ = ('_u',)

LPSYSTEM_INFO = ctypes.POINTER(SYSTEM_INFO)

Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
Kernel32.GetSystemInfo.restype = None
Kernel32.GetSystemInfo.argtypes = (LPSYSTEM_INFO,)

sysinfo = SYSTEM_INFO()
Kernel32.GetSystemInfo(ctypes.byref(sysinfo))

print(sysinfo.lpMinimumApplicationAddress)
print(sysinfo.lpMaximumApplicationAddress)
# maybe it will change, maybe it won't. Assuming it won't.

# 2nd, get Open process.
PID = 1234
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010

Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID)
print('process:', Process)

# 3rd
class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    """https://msdn.microsoft.com/en-us/library/aa366775"""
    _fields_ = (('BaseAddress', PVOID),
                ('AllocationBase', PVOID),
                ('AllocationProtect', DWORD),
                ('RegionSize', SIZE_T),
                ('State', DWORD),
                ('Protect', DWORD),
                ('Type', DWORD))

##PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION)

mbi = MEMORY_BASIC_INFORMATION()

##sysinfo.lpMinimumApplicationAddress
print('VirtualQueryEx ran properly?', Kernel32.VirtualQueryEx(Process, \
      None, ctypes.byref(mbi), ctypes.sizeof(mbi)))
# sysinfo.lpMinimumApplicationAddress replaced by None

print('')
print('mbi start')
print('mbi.BaseAddress: ', mbi.BaseAddress)
print('mbi.AllocationBase: ', mbi.AllocationBase)
print('mbi.AllocationProtect: ', mbi.AllocationProtect)
print('mbi.RegionSize: ', mbi.RegionSize)
print('mbi.State: ', mbi.State)
print('mbi.Protect: ', mbi.Protect)
print('mbi.Type: ', mbi.Type)

buffer = ctypes.create_string_buffer(mbi.RegionSize)
nread = SIZE_T()

start = ctypes.c_void_p(mbi.BaseAddress)
##start_pointer = ctypes.byref(start)

ReadProcessMemory = Kernel32.ReadProcessMemory

if ReadProcessMemory(Process, start, ctypes.byref(buffer), \
                     ctypes.sizeof(buffer), ctypes.byref(nread)):
    print('buffer is: ', buffer)
else:
    raise ctypes.WinError(ctypes.get_last_error())

# once I figure out read process memory, I'll combine it with virtual process memory.
# if they don't equal to that, then it's time to move to the next thing?
# Don't do read memory yet.
# make it traverse through all memory and print out when protect and state
# are both true.
##
##MEM_COMMIT = 0x1000
##PAGE_READWRITE = 0x04
##
##current_address = sysinfo.lpMinimumApplicationAddress
##end_address = sysinfo.lpMaximumApplicationAddress
##
##while current_address < end_address:
##    Kernel32.VirtualQueryEx(Process, \
##        current_address, ctypes.byref(mbi), ctypes.sizeof(mbi))
##
##    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
##        print(current_address)
##        print('Both are true')
##
##
##    current_address += mbi.RegionSize

On Fri, Oct 6, 2017 at 3:29 PM, eryk sun wrote:
> On Fri, Oct 6, 2017 at 11:05 PM, Michael C wrote:
> > For this read process memory, if I am trying to compose an LPCVOID
> > lpBaseAddress, am I not making a variable that equals mbi.BaseAddress,
> > and then making a pointer pointing to it?
> >
> > start_address = mbi.BaseAddress
> > LPCVOID = ctypes.byref(start_address)
>
> LPCVOID is a pointer type; don't use it as a variable name because
> it's confusing to someone who's reading your code.
>
> The `BaseAddress` field is an LPVOID, which is an alias for
> ctypes.c_void_p. Simple C types such as c_void_p are automatically
Re: [Tutor] ctypes wintypes
For this read process memory, if I am trying to compose an LPCVOID
lpBaseAddress, am I not making a variable that equals mbi.BaseAddress,
and then making a pointer pointing to it?

start_address = mbi.BaseAddress
LPCVOID = ctypes.byref(start_address)

?

But I get this:

start = ctypes.byref(mbi.BaseAddress)
TypeError: byref() argument must be a ctypes instance, not 'int'

On Fri, Oct 6, 2017 at 2:53 PM, eryk sun wrote:
> On Fri, Oct 6, 2017 at 10:26 PM, Michael C wrote:
> >
> > base = mbi.BaseAddress
> > buffer = ctypes.c_int32()
> > buffer_pointer = ctypes.byref(buffer)
> > ReadProcessMemory = Kernel32.ReadProcessMemory
> >
> > if ReadProcessMemory(Process, base, buffer_pointer, mbi.RegionSize, None):
> >     print('buffer is: ', buffer)
> > else:
> >     raise ctypes.WinError(ctypes.get_last_error())
>
> If you need to read RegionSize bytes, then you have to allocate a
> buffer that's RegionSize bytes:
>
>     buffer = ctypes.create_string_buffer(mbi.RegionSize)
>
> Or use a smaller buffer and loop until the total number of bytes read
> is RegionSize.
>
> Also, remember to check that the state is MEM_COMMIT. You cannot read
> an address range that's free or reserved. It must be committed, i.e.
> backed by physical storage.
Re: [Tutor] ctypes wintypes
like this?

buffer = ctypes.byref(ctypes.create_string_buffer(4))

On Fri, Oct 6, 2017 at 1:55 PM, eryk sun wrote:
> On Fri, Oct 6, 2017 at 9:12 PM, Michael C wrote:
> >
> > How do I create a buffer, or rather, is a buffer just a variable?
>
> A buffer is a block of memory for an I/O operation. For example, if
> you need to read a 4-byte (32-bit) integer at an address in another
> process, the 'buffer' could be ctypes.c_int32(). In general, to read
> an arbitrary-sized block of memory, use ctypes.create_string_buffer()
> to create a char array.
>
> > How do I create a pointer to it?
>
> Pass it byref().
>
> > print('mbi.State: ', mbi.State)
>
> Check whether mbi.State is MEM_COMMIT before trying to read it. If
> it's MEM_FREE or MEM_RESERVE, then ReadProcessMemory will fail.
>
> > buffer = ctypes.create_string_buffer(4)
> > bufferSize = (ctypes.sizeof(buffer))
> >
> > ReadProcessMemory = Kernel32.ReadProcessMemory
> >
> > if ReadProcessMemory(Process, ctypes.byref(mbi), buffer, bufferSize, None):
> >     print('buffer is: ', buffer)
> > else:
> >     print('something is wrong')
>
> Don't print "something is wrong". You're capturing the thread's last
> error value, so use it to raise an informative exception. For example:
>
>     if not success:
>         raise ctypes.WinError(ctypes.get_last_error())
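The advice in this message and the one above it (a buffer is just a block of memory you pass by reference, the region must be MEM_COMMIT before you read it, a failed call should raise from the last-error value, and a smaller buffer works if you loop until the total read equals RegionSize) fits together in one loop. What follows is an added example and not code from the thread: `FakeProcess` and its `read` method are constructed stand-ins for the target process and for Kernel32.ReadProcessMemory (they return the bytes actually read, deliberately capped at 12 per call so the loop has to iterate, or None on failure), so everything runs without a process handle or Windows. `Region`, `readable`, `read_region` and `scan_committed` are my own names; the constants carry the Windows header values.

```python
import ctypes
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Windows memory-state and protection constants (same values as in the thread).
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_FREE = 0x10000
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_GUARD = 0x100

# ReadProcessMemory-like callable: (address, size) -> bytes read, or None on failure.
ReadFn = Callable[[int, int], Optional[bytes]]


@dataclass
class Region:
    """The MEMORY_BASIC_INFORMATION fields the loop actually needs."""
    base: int
    size: int
    state: int
    protect: int


def readable(r: Region) -> bool:
    """Committed, not PAGE_NOACCESS and not guarded: the only regions worth a read."""
    return (r.state == MEM_COMMIT
            and r.protect != PAGE_NOACCESS
            and not (r.protect & PAGE_GUARD))


def read_region(read_fn: ReadFn, region: Region, chunk: int = 16) -> bytes:
    """Read region.size bytes through read_fn with a reusable `chunk`-byte buffer,
    looping until the total equals RegionSize; a short read simply continues.
    Raises OSError if the region is not readable or a read fails outright."""
    if not readable(region):
        raise OSError(f"region {region.base:#x} is not committed/readable")
    buf = ctypes.create_string_buffer(chunk)   # the block of memory the API would fill via byref()
    out = bytearray()
    addr = region.base
    while len(out) < region.size:
        want = min(chunk, region.size - len(out))
        got = read_fn(addr, want)
        if not got:
            # With the real API this is: raise ctypes.WinError(ctypes.get_last_error())
            raise OSError(f"read of {want} bytes at {addr:#x} failed")
        buf.raw = got                          # copy into the ctypes buffer, as the API would
        out += buf.raw[:len(got)]
        addr += len(got)
    return bytes(out)


def scan_committed(read_fn: ReadFn, regions: List[Region], chunk: int = 16) -> Dict[int, bytes]:
    """Walk regions in address order, like the VirtualQueryEx loop, and return
    {base: bytes} for each readable committed region; others are skipped, not read,
    so a reserved or PAGE_NOACCESS region never produces a failing call."""
    found: Dict[int, bytes] = {}
    for r in sorted(regions, key=lambda r: r.base):
        if readable(r):
            found[r.base] = read_region(read_fn, r, chunk)
    return found


class FakeProcess:
    """Constructed stand-in for a target process (not a real one): a list of
    Regions plus the bytes behind each committed one."""
    MAX_PER_CALL = 12   # constructed limit so reads come back short and the loop iterates

    def __init__(self, regions: List[Region], memory: Dict[int, bytes]):
        self.regions = regions
        self.memory = memory

    def read(self, address: int, size: int) -> Optional[bytes]:
        """Mimic ReadProcessMemory: bytes read (possibly fewer than asked) or None."""
        for r in self.regions:
            if r.base <= address < r.base + r.size:
                if not readable(r):
                    return None                            # the real call fails here
                start = address - r.base
                return self.memory[r.base][start:start + min(size, self.MAX_PER_CALL)]
        return None                                        # unmapped address


def build_fake_process() -> FakeProcess:
    """Constructed address space: a 40-byte RW region, a reserved region,
    a committed PAGE_NOACCESS region, and a 24-byte RW region."""
    regions = [
        Region(0x10000, 40, MEM_COMMIT, PAGE_READWRITE),
        Region(0x10028, 64, MEM_RESERVE, 0),
        Region(0x10068, 16, MEM_COMMIT, PAGE_NOACCESS),
        Region(0x10078, 24, MEM_COMMIT, PAGE_READWRITE),
    ]
    memory = {0x10000: bytes(range(40)), 0x10068: b"\xff" * 16, 0x10078: b"ABCDEFGH" * 3}
    return FakeProcess(regions, memory)


if __name__ == "__main__":
    proc = build_fake_process()
    for base, data in scan_committed(proc.read, proc.regions).items():
        print(f"{base:#x}: {len(data)} bytes, first 8 = {data[:8]!r}")
```

Against a real process the only changes are replacing `read_fn` with a wrapper around Kernel32.ReadProcessMemory that passes ctypes.byref(buffer) and a SIZE_T for the bytes-read count, and filling `Region` from the mbi fields the VirtualQueryEx loop already produces.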
Re: [Tutor] ctypes wintypes
This is my updated version; it still doesn't work :(

base = mbi.BaseAddress
buffer = ctypes.c_int32()
buffer_pointer = ctypes.byref(buffer)
ReadProcessMemory = Kernel32.ReadProcessMemory

if ReadProcessMemory(Process, base, buffer_pointer, mbi.RegionSize, None):
    print('buffer is: ', buffer)
else:
    raise ctypes.WinError(ctypes.get_last_error())

On Fri, Oct 6, 2017 at 2:06 PM, Michael C wrote:
> like this?
>
> buffer = ctypes.byref(ctypes.create_string_buffer(4))
>
> On Fri, Oct 6, 2017 at 1:55 PM, eryk sun wrote:
>
>> On Fri, Oct 6, 2017 at 9:12 PM, Michael C wrote:
>> >
>> > How do I create a buffer, or rather, is a buffer just a variable?
>>
>> A buffer is a block of memory for an I/O operation. For example, if
>> you need to read a 4-byte (32-bit) integer at an address in another
>> process, the 'buffer' could be ctypes.c_int32(). In general, to read
>> an arbitrary-sized block of memory, use ctypes.create_string_buffer()
>> to create a char array.
>>
>> > How do I create a pointer to it?
>>
>> Pass it byref().
>>
>> > print('mbi.State: ', mbi.State)
>>
>> Check whether mbi.State is MEM_COMMIT before trying to read it. If
>> it's MEM_FREE or MEM_RESERVE, then ReadProcessMemory will fail.
>>
>> > buffer = ctypes.create_string_buffer(4)
>> > bufferSize = (ctypes.sizeof(buffer))
>> >
>> > ReadProcessMemory = Kernel32.ReadProcessMemory
>> >
>> > if ReadProcessMemory(Process, ctypes.byref(mbi), buffer, bufferSize, None):
>> >     print('buffer is: ', buffer)
>> > else:
>> >     print('something is wrong')
>>
>> Don't print "something is wrong". You're capturing the thread's last
>> error value, so use it to raise an informative exception. For example:
>>
>>     if not success:
>>         raise ctypes.WinError(ctypes.get_last_error())
>>
>