|
Click to See Complete Forum and Search --> : string search on all process's Anddos October 22nd, 2009, 01:37 PM how do i go about doing a full string search on all the process's in task manager? i have created the snapshot and enumed the process's , i know you use ReadProcessMemory but unsure how to make the loop for each offest to scan etc.. Arjay October 22nd, 2009, 02:43 PM What process data are you looking to retrieve? Anddos October 22nd, 2009, 03:03 PM i have this code but i dont know how to compare the data in the memory with strcmp() #include "stdafx.h" #include <windows.h> #include <iostream> using namespace std; int _tmain(int argc, _TCHAR* argv[]) { char *p = NULL; char *test = "test"; DWORD dwStart = 0; SIZE_T lpRead; SYSTEM_INFO si; HANDLE Proc = OpenProcess(PROCESS_ALL_ACCESS,true,GetCurrentProcessId()); GetSystemInfo(&si); while(dwStart < (DWORD)si.lpMaximumApplicationAddress) { MEMORY_BASIC_INFORMATION mbi; VirtualQueryEx( Proc, (void *)dwStart, &mbi, sizeof(MEMORY_BASIC_INFORMATION)); if( (mbi.State == MEM_COMMIT) && (mbi.Protect != PAGE_READONLY) && (mbi.Protect != PAGE_EXECUTE_READ) && (mbi.Protect != PAGE_GUARD) && (mbi.Protect != PAGE_NOACCESS) ) { printf("Memory at %02x, size %d\n", mbi.BaseAddress, mbi.RegionSize); p = (char *)malloc(mbi.RegionSize); if(!ReadProcessMemory( Proc, (void *)dwStart, p, mbi.RegionSize, &lpRead)) { printf("ReadProcessMemory failed %d\nRead %d", GetLastError(), lpRead); } else { } if(mbi.RegionSize != lpRead) { printf("Not enough bytes read %d != %d\n", mbi.RegionSize, lpRead); } } Sleep(50); if(dwStart + mbi.RegionSize < dwStart) break; dwStart += mbi.RegionSize; } return 0; } BobS0327 October 23rd, 2009, 11:23 PM One possible solution would be to convert your character array to an array of hex as indicated in szBytes and then do a memory scan.... // Searching for "Test" string in memory char szBytes[] = { "\x54\x65\x73\x74" }; // Hex values for T e s t while( dwMemAddr < (unsigned long)sysInfo.lpMaximumApplicationAddress ) { if( VirtualQueryEx( hHandle, (unsigned long*)dwMemAddr, &mbi, sizeof(mbi) ) == sizeof(mbi) ) { if( (mbi.Protect != PAGE_NOACCESS) && (mbi.State == MEM_COMMIT) ) { char* szMemDump = (char*)malloc(mbi.RegionSize+1); ReadProcessMemory( hHandle, (unsigned long*)dwMemAddr, szMemDump, mbi.RegionSize, NULL ); for( x=0; x<mbi.RegionSize; x++ ) { if( memcmp( (void*)(szMemDump+x), (void*)szBytes, 4 ) == 0 ) { free( szMemDump ); printf("Located at 0x%08X\n", dwMemAddr + x ); break; } } free( szMemDump ); } } dwMemAddr = (unsigned long)mbi.BaseAddress + mbi.RegionSize; } VladimirF October 25th, 2009, 11:05 PM What exactly are you trying to do? There might be an easier way to do that… Anddos October 26th, 2009, 10:32 PM i am using std::search and working well :D Anddos September 13th, 2010, 07:52 PM BobS0327 you're sample seems to be crashing... would there be away to scan for a int , or float etc in the regions? codeguru.com
Copyright Internet.com Inc., All Rights Reserved. |
|