Ever wanted to look at the memory of other processes? - Generic Intro
This is my collection of various memory scripts I've seen in the forums.
It's been a while and the German forums went down, so I'm not sure who to credit.
If you see your work, please contact me.
Documentation:
Don't ask what 0x1F0FFF is for, I don't know.
You have to open the process first, don't try to supply an HWND not from the MemoryOpen functions.

MemoryOpenFromPID(PID, Privilege=0x1F0FFF) - Open the Process via PID with access 0x1F0FFF
MemoryOpenFromName(Name, Privilege=0x1F0FFF) - Open the Process via Name (program.exe) with access 0x1F0FFF
MemoryOpenFromTitle(title, privilege=0x1F0FFF) - Open the Process via its Title with access 0x1F0FFF

Functions above return the HWND of the program. Use this in the functions below.

MemoryClose(hwnd) - Close one of the opened processes. Do this to save memory.
MemoryWrite(hwnd, address, writevalue, datatype="int", length=4, offset=0) - Write WriteValue to Address+Offset as DataType of size Length.
MemoryRead(hwnd, address, datatype="int", length=4, offset=0) - Read a value of DataType of size Length at Address+Offset. Returns retrieved value.
MemoryWritePointer(hwnd, base, writevalue, datatype="int", length=4, offsets=0, offset_1=0, offset_2=0, ...) - Same as MemoryWrite except offsets are used for pointers. Offsets = Number of offsets.
MemoryReadPointer(hwnd, base, datatype="int", length=4, offsets=0, offset_1=0, offset_2=0, ...) - Same as MemoryRead except offsets are used for pointers. Offsets = Number of offsets.

Functions above support a maximum of 9 offsets.

MemoryGetAddrPID(PID, DllName) - Get the base address for a module called DllName in process of PID
MemoryGetAddrName(Name, DllName) - Get the base address for a module called DllName in process of Name
MemoryGetAddrTitle(Title, DllName) - Get the base address for a module called DllName in process of Title
SetPrivilege(privilege = "SeDebugPrivilege") - Not sure, this function came with the MemoryRead/Write functions.
SuspendProcess(hwnd) - Freezes the process via HWND
ResumeProcess(hwnd) - Thaws the process via HWND
```autohotkey
; Written for 32-bit AutoHotkey v1: handles and addresses are passed as Uint.
; The value called "hwnd" throughout is the process handle returned by OpenProcess.
; 0x1F0FFF is PROCESS_ALL_ACCESS as defined before Windows Vista.
MemoryOpenFromPID(PID, Privilege=0x1F0FFF)
{
    HWND := DllCall("OpenProcess", "Uint", Privilege, "int", 0, "int", PID)
    return HWND
}

MemoryOpenFromName(Name, Privilege=0x1F0FFF)
{
    Process, Exist, %Name%
    PID := ErrorLevel
    Return MemoryOpenFromPID(PID, Privilege)
}

MemoryOpenFromTitle(title, privilege=0x1F0FFF)
{
    WinGet, PID, PID, %title%
    Return MemoryOpenFromPID(PID, Privilege)
}

MemoryClose(hwnd)
{
    return DllCall("CloseHandle", "int", hwnd)
}

MemoryWrite(hwnd, address, writevalue, datatype="int", length=4, offset=0)
{
    VarSetCapacity(finalvalue, length, 0)
    NumPut(writevalue, finalvalue, 0, datatype)
    return DllCall("WriteProcessMemory", "Uint", hwnd, "Uint", address+offset, "Uint", &finalvalue, "Uint", length, "Uint", 0)
}

MemoryRead(hwnd, address, datatype="int", length=4, offset=0)
{
    VarSetCapacity(readvalue, length, 0)
    DllCall("ReadProcessMemory", "Uint", hwnd, "Uint", address+offset, "Str", readvalue, "Uint", length, "Uint *", 0)
    finalvalue := NumGet(readvalue, 0, datatype)
    return finalvalue
}

MemoryWritePointer(hwnd, base, writevalue, datatype="int", length=4, offsets=0, offset_1=0, offset_2=0, offset_3=0, offset_4=0, offset_5=0, offset_6=0, offset_7=0, offset_8=0, offset_9=0)
{
    B_FormatInteger := A_FormatInteger
    ; Follow the pointer chain: read the pointer at base, then add the next offset.
    Loop, %offsets%
    {
        baseresult := MemoryRead(hwnd, base)
        Offset := Offset_%A_Index%
        SetFormat, integer, h
        base := baseresult + Offset
        SetFormat, integer, d
    }
    SetFormat, Integer, %B_FormatInteger%
    ; Write to the resolved address (the original passed an undefined variable "address").
    return MemoryWrite(hwnd, base, writevalue, datatype, length)
}

MemoryReadPointer(hwnd, base, datatype="int", length=4, offsets=0, offset_1=0, offset_2=0, offset_3=0, offset_4=0, offset_5=0, offset_6=0, offset_7=0, offset_8=0, offset_9=0)
{
    B_FormatInteger := A_FormatInteger
    Loop, %offsets%
    {
        baseresult := MemoryRead(hwnd, base)
        Offset := Offset_%A_Index%
        SetFormat, integer, h
        base := baseresult + Offset
        SetFormat, integer, d
    }
    SetFormat, Integer, %B_FormatInteger%
    ; "datatyp" in the original was a typo for datatype.
    return MemoryRead(hwnd, base, datatype, length)
}

MemoryGetAddrPID(PID, DllName)
{
    ; me32 is a MODULEENTRY32 structure (548 bytes in the 32-bit ANSI layout).
    VarSetCapacity(me32, 548, 0)
    NumPut(548, me32)
    ; 0x00000008 = TH32CS_SNAPMODULE
    snapMod := DllCall("CreateToolhelp32Snapshot", "Uint", 0x00000008, "Uint", PID)
    If (snapMod = -1)
        Return 0
    If (DllCall("Module32First", "Uint", snapMod, "Uint", &me32))
    {
        Loop
        {
            ; Offset 32 = szModule, offset 20 = modBaseAddr
            If (!DllCall("lstrcmpi", "Str", DllName, "UInt", &me32 + 32))
            {
                DllCall("CloseHandle", "UInt", snapMod)
                Return NumGet(&me32 + 20)
            }
        }
        Until !DllCall("Module32Next", "Uint", snapMod, "UInt", &me32)
    }
    DllCall("CloseHandle", "Uint", snapMod)
    Return 0
}

MemoryGetAddrName(Name, DllName)
{
    Process, Exist, %Name%
    PID := ErrorLevel
    Return MemoryGetAddrPID(PID, DllName)
}

MemoryGetAddrTitle(Title, DllName)
{
    WinGet, PID, PID, %Title%
    Return MemoryGetAddrPID(PID, DllName)
}

SetPrivilege(privilege = "SeDebugPrivilege")
{
    ; As posted, this only looks up the privilege's LUID; it never calls
    ; AdjustTokenPrivileges, so no privilege is actually enabled.
    success := DllCall("advapi32.dll\LookupPrivilegeValueA", "uint", 0, "str", privilege, "int64*", luid_SeDebugPrivilege)
    if (success = 1) && (ErrorLevel = 0)
    {
        returnval = 0
    }
    else
    {
        returnval = %ErrorLevel%
    }
    return %returnval%
}

SuspendProcess(hwnd)
{
    return DllCall("ntdll\NtSuspendProcess", "uint", hwnd)
}

ResumeProcess(hwnd)
{
    return DllCall("ntdll\NtResumeProcess", "uint", hwnd)
}
```
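An added example, not part of the original post or its scripts: the default access value 0x1F0FFF passed to OpenProcess by the MemoryOpen functions, decoded into individual Windows access rights, together with the smaller mask each script function would need. The Python names `decode`, `required_mask`, `excess_rights` and the `NEEDS` table are assumptions made for this illustration; the bit values are the Windows SDK (winnt.h) constants.

```python
# Added example (not from the original post). Bit positions follow winnt.h.
PROCESS_BITS = [  # bits 0..13 of a process access mask
    "PROCESS_TERMINATE", "PROCESS_CREATE_THREAD", "PROCESS_SET_SESSIONID",
    "PROCESS_VM_OPERATION", "PROCESS_VM_READ", "PROCESS_VM_WRITE",
    "PROCESS_DUP_HANDLE", "PROCESS_CREATE_PROCESS", "PROCESS_SET_QUOTA",
    "PROCESS_SET_INFORMATION", "PROCESS_QUERY_INFORMATION",
    "PROCESS_SUSPEND_RESUME", "PROCESS_QUERY_LIMITED_INFORMATION",
    "PROCESS_SET_LIMITED_INFORMATION",
]
STANDARD_BITS = ["DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER",
                 "SYNCHRONIZE"]  # bits 16..20
BIT = {name: 1 << i for i, name in enumerate(PROCESS_BITS)}
BIT.update({name: 1 << (16 + i) for i, name in enumerate(STANDARD_BITS)})

# Hypothetical table for this example: rights required by the API call
# behind each script function (ReadProcessMemory, WriteProcessMemory,
# NtSuspendProcess / NtResumeProcess).
NEEDS = {
    "MemoryRead": ["PROCESS_VM_READ"],
    "MemoryReadPointer": ["PROCESS_VM_READ"],
    "MemoryWrite": ["PROCESS_VM_WRITE", "PROCESS_VM_OPERATION"],
    "MemoryWritePointer": ["PROCESS_VM_READ", "PROCESS_VM_WRITE",
                           "PROCESS_VM_OPERATION"],
    "SuspendProcess": ["PROCESS_SUSPEND_RESUME"],
    "ResumeProcess": ["PROCESS_SUSPEND_RESUME"],
}

def decode(mask):
    """Return (names of known rights set in mask, leftover unnamed bits)."""
    names = [name for name, bit in BIT.items() if mask & bit]
    return names, mask & ~sum(BIT.values())

def required_mask(functions):
    """Smallest access mask that covers every listed script function."""
    mask = 0
    for fn in functions:
        for right in NEEDS[fn]:
            mask |= BIT[right]
    return mask

def excess_rights(granted, functions):
    """Rights present in `granted` that the listed functions never use."""
    return decode(granted & ~required_mask(functions))[0]

if __name__ == "__main__":
    names, rest = decode(0x1F0FFF)
    print(len(names), "rights:", ", ".join(names), "| leftover:", hex(rest))
    print("read-only use needs:", hex(required_mask(["MemoryRead"])))
    print("unused by a reader:", excess_rights(0x1F0FFF, ["MemoryRead"]))
```

Passing the smaller mask as the Privilege argument keeps the opened handle from carrying rights such as PROCESS_TERMINATE or WRITE_DAC that the script never uses.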