I think I pieced together what you have been helping me with, but this still raise a error I have been loosely following this guide: https://www.codeproject.com/articles/716227/csharp-how-to-scan-a-process-memory
>code start. import ctypes from ctypes.wintypes import WORD, DWORD, LPVOID PVOID = LPVOID SIZE_T = ctypes.c_size_t # https://msdn.microsoft.com/en-us/library/aa383751#DWORD_PTR if ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulonglong): DWORD_PTR = ctypes.c_ulonglong elif ctypes.sizeof(ctypes.c_void_p) == ctypes.sizeof(ctypes.c_ulong): DWORD_PTR = ctypes.c_ulong class SYSTEM_INFO(ctypes.Structure): """https://msdn.microsoft.com/en-us/library/ms724958"""; class _U(ctypes.Union): class _S(ctypes.Structure): _fields_ = (('wProcessorArchitecture', WORD), ('wReserved', WORD)) _fields_ = (('dwOemId', DWORD), # obsolete ('_s', _S)) _anonymous_ = ('_s',) _fields_ = (('_u', _U), ('dwPageSize', DWORD), ('lpMinimumApplicationAddress', LPVOID), ('lpMaximumApplicationAddress', LPVOID), ('dwActiveProcessorMask', DWORD_PTR), ('dwNumberOfProcessors', DWORD), ('dwProcessorType', DWORD), ('dwAllocationGranularity', DWORD), ('wProcessorLevel', WORD), ('wProcessorRevision', WORD)) _anonymous_ = ('_u',) LPSYSTEM_INFO = ctypes.POINTER(SYSTEM_INFO) Kernel32 = ctypes.WinDLL('kernel32', use_last_error=True) Kernel32.GetSystemInfo.restype = None Kernel32.GetSystemInfo.argtypes = (LPSYSTEM_INFO,) sysinfo = SYSTEM_INFO() Kernel32.GetSystemInfo(ctypes.byref(sysinfo)) print(sysinfo.lpMinimumApplicationAddress) print(sysinfo.lpMaximumApplicationAddress) # maybe it will change, maybe it won't. Assuming it won't. # 2nd, get Open process. PID = 1234 PROCESS_QUERY_INFORMATION = 0x0400 PROCESS_VM_READ = 0x0010 Process = Kernel32.OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ, False, PID) print('process:', Process) # 3rd class MEMORY_BASIC_INFORMATION(ctypes.Structure): """https://msdn.microsoft.com/en-us/library/aa366775"""; _fields_ = (('BaseAddress', PVOID), ('AllocationBase', PVOID), ('AllocationProtect', DWORD), ('RegionSize', SIZE_T), ('State', DWORD), ('Protect', DWORD), ('Type', DWORD)) ##PMEMORY_BASIC_INFORMATION = ctypes.POINTER(MEMORY_BASIC_INFORMATION) mbi = MEMORY_BASIC_INFORMATION() ##sysinfo.lpMinimumApplicationAddress print('VirtualQueryEx ran properly?',Kernel32.VirtualQueryEx(Process, \ None, ctypes.byref(mbi),ctypes.sizeof(mbi))) # sysinfo.lpMinimumApplicationAddress replaced by None print('') print('mbi start') print('mbi.BaseAddress: ',mbi.BaseAddress) print('mbi.AllocationBase: ',mbi.AllocationBase) print('mbi.AllocationProtect: ',mbi.AllocationProtect) print('mbi.RegionSize: ',mbi.RegionSize) print('mbi.State: ',mbi.State) print('mbi.Protect: ', mbi.Protect) print('mbi.Type: ',mbi.Type) buffer = ctypes.create_string_buffer(mbi.RegionSize) nread = SIZE_T() start = ctypes.c_void_p(mbi.BaseAddress) ##start_pointer = ctypes.byref(start) ReadProcessMemory = Kernel32.ReadProcessMemory if ReadProcessMemory(Process, start, ctypes.byref(buffer), \ ctypes.sizeof(buffer), ctypes.byref(nread)): print('buffer is: ',buffer) else: raise ctypes.WinError(ctypes.get_last_error()) # once I figure out read process memory, I'll combine it with virtual process memory. # if they don't equal to that, then it's time to move to the next thing? # Don't do read memory yet. # make it traverse through all memory and print out when protect and state # are both true. ## ##MEM_COMMIT = 0x00001000; ##PAGE_READWRITE = 0x04; ## ##current_address = sysinfo.lpMinimumApplicationAddress ##end_address = sysinfo.lpMaximumApplicationAddress ## ##while current_address < end_address: ## Kernel32.VirtualQueryEx(Process, \ ## current_address, ctypes.byref(mbi),ctypes.sizeof(mbi)) ## ## if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT : ## print(current_address) ## print('Both are true') ## ## ## current_address += mbi.RegionSize On Fri, Oct 6, 2017 at 3:29 PM, eryk sun <eryk...@gmail.com> wrote: > On Fri, Oct 6, 2017 at 11:05 PM, Michael C > <mysecretrobotfact...@gmail.com> wrote: > > For this read process memory, if I am trying compose a LPCVOID > > lpBaseAddress, am I not making a variable that equals to > mbi.BaseAddress, > > and then making a pointer pointing to it? > > > > start_address = mbi.BaseAddress > > LPCVOID = ctypes.byref(start_address) > > LPCVOID is a pointer type; don't use it as a variable name because > it's confusing to someone who's reading your code. > > The `BaseAddress` field is an LPVOID, which is an alias for > ctypes.c_void_p. Simple C types such as c_void_p are automatically > converted to Python native types such as int, bytes, and str. It's > fine that mbi.BaseAddress is a Python int. With argtypes defined for > ReadProcessMemory, ctypes will convert the int back to a void pointer > for you automatically. > _______________________________________________ Tutor maillist - Tutor@python.org To unsubscribe or change subscription options: https://mail.python.org/mailman/listinfo/tutor
