Memory Process reading/Writing & Pattern Scans (Array of bytes)

RHCP
Posts: 177
Joined: 30 Sep 2013, 10:59

Memory Process reading/Writing & Pattern Scans (Array of bytes)

28 Dec 2013, 03:02

Last edited by RHCP on 25 Jul 2016, 21:57, edited 4 times in total.
ciantic
Posts: 14
Joined: 24 Oct 2015, 15:39
GitHub: Ciantic

Re: Memory Process reading/Writing

02 Nov 2015, 03:31

I get total emptiness if I run:

Code:

explorerExe := new memory("ahk_exe explorer.exe")
msgbox % explorerExe.BaseAddress


Should this also work for explorer.exe?

Edit: I'm using Windows 10, 64 bit.

I've made an in-memory patch for explorer.exe and tested it using x64dbg, and now I'm thinking about the best way to apply it without x64dbg. But since I need to also call GetWindowLongPtrW within the explorer.exe process context, I wonder if this is at all possible with AHK, because I'm not sure if I can use CreateRemoteThread from AHK at all, it may require me to write C++ which makes the patch more rigid.
RHCP
Posts: 177
Joined: 30 Sep 2013, 10:59

Re: Memory Process reading/Writing

02 Nov 2015, 07:44

Code:

#Include <classMemory>

if (_ClassMemory.__Class != "_ClassMemory")
{
    msgbox class memory not correctly installed.
    ExitApp
}
explorerExe := new _ClassMemory("ahk_exe explorer.exe")
SetFormat, IntegerFast, H ; View the addresses in hex
msgbox % explorerExe.BaseAddress ; This works for me on explorer. For some applications it will not be correct. getmodulebaseAddress() always seems to work (but it's bitness dependent).
    . "`n" explorerExe.getmodulebaseAddress() ; Fails if AHK is 32-bit and the target is 64-bit. When AHK is 64-bit this will work with both 64- and 32-bit target apps.




The description in the original post is outdated.

It's possible to call CreateRemoteThread in AHK and consequently call functions in remote processes. I've done it before, but only as a test.
vasili111
Posts: 731
Joined: 21 Jan 2014, 02:04
Location: Georgia

Re: Memory Process reading/Writing

16 Jan 2016, 11:25

First of all thanks for great script!

This works fine:

Code:

stringAdress := vlc.processPatternScan( ,, 0x30, 0x30, 0x3a, 0x30, 0x34)


But I need to use instead of aAOBPattern* a variable with hex number. Something like:

Code:

bbb := 0x30, 0x30, 0x3a, 0x30, 0x34

stringAdress := vlc.processPatternScan( ,, bbb)


OR

Code:

bbb := 0x30303a3034

stringAdress := vlc.processPatternScan( ,, bbb)


How can I do it?
DRAKON-AutoHotkey: Visual programming for AutoHotkey.
RHCP
Posts: 177
Joined: 30 Sep 2013, 10:59

Re: Memory Process reading/Writing

16 Jan 2016, 12:24

There are a few ways, but it depends on what that number represents.

The found address is being stored as 'stringAdress' so this kinda indicates that you're searching for a string i.e. '00:04'.
I'm guessing you're trying to search for a changing string?


A neater method:

Code:




Code:

Last edited by RHCP on 16 Jan 2016, 13:30, edited 1 time in total.
vasili111
Posts: 731
Joined: 21 Jan 2014, 02:04
Location: Georgia

Re: Memory Process reading/Writing

16 Jan 2016, 13:23

Thank you :) It works great with strings.

How do I search for some hex pattern instead of the string 00:04? I mean something like this:



Code:

AOB := hexToAOBPattern(0xA734dFFF345643C) 
patternAdress := vlc.processPatternScan( ,, AOB*)
RHCP
Posts: 177
Joined: 30 Sep 2013, 10:59

Re: Memory Process reading/Writing

16 Jan 2016, 13:34

I edited the post above, hexStrToAOBPattern() does exactly that. Don't use the hex prefix.
vasili111
Posts: 731
Joined: 21 Jan 2014, 02:04
Location: Georgia

Re: Memory Process reading/Writing

17 Jan 2016, 11:21

Here is my code:

Code:




MsgBox, % stringAdress and MsgBox, % stringAdress2 are giving me the correct result. But MsgBox, % pattern gives 0x0. What am I doing wrong?
RHCP
Posts: 177
Joined: 30 Sep 2013, 10:59

Re: Memory Process reading/Writing

17 Jan 2016, 22:54

Code:

pattern := hexStrToAOBPattern("30303a3034")

SetFormat, IntegerFast, hex
pattern += 0 ; Sets Var (which previously contained 11) to be 0xb.
pattern .= "" ; Necessary due to the "fast" mode.
SetFormat, IntegerFast, d

MsgBox, % pattern


That is from your code.

hexStrToAOBPattern() is returning an object. Like you did in the other examples, you need to pass that object to a pattern scan method.

Code:

pattern := hexStrToAOBPattern("30303a3034")
stringAdress3 := vlc.processPatternScan( ,, pattern*)


You can't display objects via a msgbox. Consider downloading HotkeyIt's ObjTree function. It allows you to see the contents and layout of an object/array - I use it all the time.
https://autohotkey.com/board/topic/6483 ... ts-easily/

Cheers.
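
The exchange above in one script, as an added example that is not classMemory's code and not from any poster: the hypothetical helpers `hexToAob()`, `aobToText()` and `scanBuffer()` turn a prefix-less hex string into an array of byte values, render that array as text so a MsgBox can show it, and search a local, constructed buffer for it. It assumes AutoHotkey v1.1 syntax, and the `??` wildcard is this example's own convention.

```autohotkey
; Added example (AutoHotkey v1.1). Every function name below is hypothetical.
sample := "xx00:04yy"                        ; constructed sample data
VarSetCapacity(buf, StrLen(sample) + 1, 0)
StrPut(sample, &buf, "CP0")                  ; store as single-byte text
pattern := hexToAob("30303a??34")
MsgBox % "Pattern: " aobToText(pattern) "`nOffset: " scanBuffer(buf, StrLen(sample), pattern)

; "30 30 3a ?? 34" -> array of byte values, with "?" standing for any byte.
; Returns "" on malformed input (odd length, "0x" prefix, non-hex characters).
hexToAob(hexStr)
{
    hexStr := RegExReplace(hexStr, "\s")
    if (hexStr = "" || Mod(StrLen(hexStr), 2))
        return ""
    aob := []
    Loop, % StrLen(hexStr) // 2
    {
        pair := SubStr(hexStr, 2 * A_Index - 1, 2)
        if (pair = "??")
            aob.Push("?")
        else if (RegExMatch(pair, "i)^[0-9a-f]{2}$"))
            aob.Push(("0x" . pair) + 0)      ; numeric byte value
        else
            return ""
    }
    return aob
}

; An array is an object, so join its elements into text before displaying it.
aobToText(aob)
{
    for index, byte in aob
        text .= (byte = "?" ? "??" : Format("{:02X}", byte)) . " "
    return RTrim(text)
}

; Offset of the first match inside a local buffer, or -1 if there is none.
scanBuffer(ByRef buf, size, aob)
{
    count := aob.Length()
    if (count < 1 || count > size)
        return -1
    Loop, % size - count + 1
    {
        offset := A_Index - 1, hit := true
        for index, byte in aob
            if (byte != "?" && NumGet(buf, offset + index - 1, "UChar") != byte)
                hit := false
        if (hit)
            return offset
    }
    return -1
}
```
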
vasili111
Posts: 731
Joined: 21 Jan 2014, 02:04
Location: Georgia

Re: Memory Process reading/Writing

18 Jan 2016, 13:29

Thanks :) Works great! :)
loter
Posts: 38
Joined: 26 May 2016, 00:35

Re: Memory Process reading/Writing & Pattern Scans (Array of bytes)

09 Aug 2016, 19:33

Really good script.
Thank you very much
WAZAAAAA
Posts: 71
Joined: 13 Jan 2015, 19:48

Re: Memory Process reading/Writing & Pattern Scans (Array of bytes)

23 Oct 2016, 11:51

I have built 3 game trainer tools around classMemory, thank you RHCP.

For those who would like to have a fully working basic example of the memory read and write functions, take a look at my stuff https://autohotkey.com/boards/viewtopic.php?&t=24155
YOU'RE NOT ALEXANDER
jNizM
Posts: 2295
Joined: 30 Sep 2013, 01:33
GitHub: jNizM

Re: Memory Process reading/Writing & Pattern Scans (Array of bytes)

24 Oct 2016, 08:29

Suggestion for EnumProcessModulesEx

Instead of a loop to get the size, you can call it twice:

Code:

; Initial call to get the size needed
DllCall("psapi\EnumProcessModulesEx", "ptr", hProcess, "ptr", 0, "uint", 0, "uint*", size, "uint", 0x03)

; Allocate space for use with DllCall
cb := VarSetCapacity(hModule, size, 0)

; Second call to get the data we want
DllCall("psapi\EnumProcessModulesEx", "ptr", hProcess, "ptr", &hModule, "uint", cb, "uint*", size, "uint", 0x03)
[AHK] 1.1.26.01 x64 Unicode | [WIN] 10 Pro (Version 1703) x64
My GitHub Profile | Donations are appreciated if I could help you
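
The two-call pattern above with the checks a caller usually wants, as an added example that is not jNizM's or classMemory's code: the hypothetical `listModules()` verifies that the sizing call reported a size, tests the return value of the data call, and retries when the module list grew between the two calls. It assumes AutoHotkey v1.1 and runs against the script's own process.

```autohotkey
; Added example (AutoHotkey v1.1). listModules() is a hypothetical helper.
; Demo: enumerate the modules of this script's own process.
mods := listModules(DllCall("GetCurrentProcess", "ptr"))
if (IsObject(mods))
    MsgBox % mods.Length() " modules, first base: " Format("0x{:X}", mods[1])
else
    MsgBox % "EnumProcessModulesEx failed, A_LastError = " A_LastError

; Returns an array of module base addresses, or "" on failure.
; filter 0x03 is LIST_MODULES_ALL, the same value used in the post above.
listModules(hProcess, filter := 0x03)
{
    ; Sizing call: no buffer, cb = 0; the required byte count comes back in needed.
    needed := 0
    DllCall("psapi\EnumProcessModulesEx", "ptr", hProcess, "ptr", 0
        , "uint", 0, "uint*", needed, "uint", filter)
    if (!needed)
        return ""
    Loop, 5                                  ; bounded number of retries
    {
        cb := needed
        VarSetCapacity(buf, cb, 0)
        if (!DllCall("psapi\EnumProcessModulesEx", "ptr", hProcess, "ptr", &buf
            , "uint", cb, "uint*", needed, "uint", filter))
            return ""
        ; A module was loaded between the calls: the list no longer fits, so retry.
        if (needed > cb)
            continue
        modules := []
        Loop, % needed // A_PtrSize          ; one pointer-sized handle per module
            modules.Push(NumGet(buf, (A_Index - 1) * A_PtrSize, "ptr"))
        return modules
    }
    return ""
}
```
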
WAZAAAAA
Posts: 71
Joined: 13 Jan 2015, 19:48

Re: Memory Process reading/Writing & Pattern Scans (Array of bytes)

19 Jul 2017, 08:22

Hello RHCP

I can't seem to be able to loop stringToPattern() searches while the targeted program does not exist yet. I can do that easily with read() so that my memory tool will pick up the right memory addresses as soon as the targeted program is detected. This way I'm not forcing the user to run the target program BEFORE the memory tool, thus making it easier to use.

Here's an example. If I first launch Notepad, type Thisisatest and launch the script, the AOB is correctly found:

Code: (AOBlooptest.ahk)

Launching Notepad, launching the script and finally typing Thisisatest also works.
But if I first launch the script, then Notepad and type Thisisatest, the AOB will never be found even though the search is looped. Is there any workaround for this? I want to make my scripts as easy as possible for users.


Also, just a suggestion, I think classMemory should convert the found AOB address from decimal to hexadecimal AUTOMATICALLY. I mean the rest of the stuff I worked with in classMemory outputted addresses in hex, so why does this one in particular have to be dec?
RHCP
Posts: 177
Joined: 30 Sep 2013, 10:59

Re: Memory Process reading/Writing & Pattern Scans (Array of bytes)

20 Jul 2017, 04:45

WAZAAAAA wrote: I can't seem to be able to loop stringToPattern() searches while the targeted program does not exist yet. I can do that easily with read()

When you mention read(), I assume you're referring to some ReadMemory function in another library.... replacing the AOB scan in your code with a _classMemory.read() definitely won't work.

The target process must exist when you call "new _ClassMemory()".
Notes:
If the target process exits and then starts again (or restarts) you will need to free the derived object and then use the new operator to create a new object i.e.
calc := [] ; or calc := "" ; free the object. This is actually optional if using the line below, as the line below would free the previous derived object calc prior to initialising the new copy.
calc := new _ClassMemory("ahk_exe calc.exe") ; Create a new derived object to read calc's memory.



This is a simple approach. Just wait for the target to exist before doing any memory stuff. Exit the script when the target closes.

Code:



This is a better solution. It allows the user to exit/restart the target.
When checking if the target exists or not you want to use a relatively low interval, otherwise it's possible for the target process to restart with the script missing this. You could check the PID for extra-protection, or use other means - but this is simple and works well for most purposes.

Code:



This works like the script above, but it's a safer approach that relies on isHandleValid() - this will always detect if the target has closed (no chance of missing it). You have to update class memory to the latest version (vr 2.8).

Code:



WAZAAAAA wrote: I think classMemory should convert the found AOB address from decimal to hexadecimal AUTOMATICALLY.

That is a valid point and I did consider it when writing the functions. I elected not to for the simple fact that the vast majority of times that these functions are called they will not be outputting values for people to read. When debugging, it's easy to place the thread into hex mode via setformat. And when outputting found addresses for some other purpose you will often want it in a specific format - perhaps with or without the '0x' prefix and/or left zero padded which could negate any default conversion.

WAZAAAAA wrote: I mean the rest of the stuff I worked with in classMemory outputted addresses in hex

None of the functions in this class convert dec to hex or vice versa.
KusochekDobra
Posts: 13
Joined: 25 Apr 2016, 18:00

Re: Memory Process reading/Writing & Pattern Scans (Array of bytes)

08 Aug 2017, 16:47

This is great work!!! Thank you very much for such an awesome, simple and beautiful solution!!!
May God grant you health and long and interesting days of life! =)
WAZAAAAA
Posts: 71
Joined: 13 Jan 2015, 19:48

Re: Memory Process reading/Writing & Pattern Scans (Array of bytes)

10 Oct 2017, 08:57

RHCP wrote: When you mention read(), I assume you're referring to some ReadMemory function in another library.... replacing the AOB scan in your code with a _classMemory.read() definitely won't work.
No I mean the read method described in your library. classMemory is the only library I've ever used for memory related stuff in AHK. From your documentation:

Code:

    Commonly used methods:
read()

RHCP wrote: None of the functions in this class convert dec to hex or vice versa.
yeah my bad I meant every time I use read() and write() I feed it addresses written in hex not dec like this:
PX_distance := TargetProcess.read(0x00FB79A0 + TargetProcess.BaseAddress, "UFloat")
but I understand I made no sense since the dec version of 0x00FB79A0 (16480672) would work too there.

Anyway, thanks for the help on the AOB scans and for isHandleValid, they worked great, this is the looped code I've been using on my own tool:
Spoiler




Moving on to another matter, I can't get suspend() and resume() to work through classMemory. This is the code I've been trying:

Code:

It doesn't suspend or resume the process, what am I doing wrong?
I would also like to recommend you to somehow implement multiple methods of process suspension, as they have different pros and cons.

METHOD 1:
NtSuspendProcess/ZwSuspendProcess and NtResumeProcess/ZwResumeProcess. This is the one your classMemory uses but I can't get it to work.
Working example with a function that checks whether a process has been suspended or not before attempting to suspend:

Code:

CONS:
- if you send the suspend command to a process like 3 times in a row, you also need to resume it the same amount of times (or more) to actually resume it, so there needs to be a way to properly check the current suspension status of a process beforehand (provided in the above example)

METHOD 2:
DebugActiveProcess and DebugActiveProcessStop
example:

Code:

PROS:
- can suspend multiple times without the need to resume the same amount of times unlike METHOD 1

METHOD 3:
SuspendThread/Wow64SuspendThread and ResumeThread/Wow64ResumeThread. Suspending every thread of a process should result in the same outcome as the previous methods.
I don't have a ready to use code for this, I did it with Process Hacker, but these resources may be useful
https://autohotkey.com/board/topic/2124 ... endthread/
https://autohotkey.com/boards/viewtopic.php?t=19323
https://autohotkey.com/boards/viewtopic.php?t=24055
PROS:
- this method can work where METHOD 1 and 2 fail with some protected processes, bypassing "Access denied" errors
Black Desert Online for example is protected by anticheat XIGNCODE, and this has been the only suspension method that worked.
CONS:
- looks complicated for multi-threaded processes
Last edited by WAZAAAAA on 11 Oct 2017, 02:03, edited 3 times in total.
jNizM
Posts: 2295
Joined: 30 Sep 2013, 01:33
GitHub: jNizM

Re: Memory Process reading/Writing & Pattern Scans (Array of bytes)

10 Oct 2017, 09:22

For suspend and resume see here:
https://autohotkey.com/boards/viewtopic ... 012#p96012

(A 64-bit application can suspend a WOW64 thread using the Wow64SuspendThread function.)