How to read more memory with ReadProcessMemory

  • Question

  • Hello everybody,

    I've written code that can read information from another process's memory using the ReadProcessMemory API... and I get this as my output:

    ...
    16 - 24
    17 - 248
    18 - 126
    19 - 29
    20 - 0
    21 - 0
    22 - 0
    23 - 0
    24 - 98
    ...

    How would I use this information to read more information from the address?

     

    Below is the code I'm using to generate the output I posted above:

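    Process[] Proc = Process.GetProcessesByName("Game");

    // EnablePrivilege is the poster's own helper; its definition is not shown in the post
    if ( EnablePrivilege(Process.GetCurrentProcess().Handle.ToInt32()) )
    {
       byte[] buff = new byte[100];
       int bytesRead = 0;

       // Copy 100 bytes starting at 0x6FBCC1E0 in the target process into buff
       ReadProcessMemory(Proc[0].Handle, (IntPtr)0x6FBCC1E0, buff, 100, out bytesRead);

       // Print each buffer index and the byte read at that offset
       for ( int i = 0; i <= buff.Length - 1; i++ )
       {
          Console.WriteLine(i + " - " + buff[i]);
       }
    }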

    Thursday, October 19, 2006 6:01 PM

Answers

  • What's the big picture for what you're trying to do here?

    If you read a buffer of 100 bytes from 0x6FBCC1E0 in the target process, and buf[19] = 29, then you know (BYTE*) (0x6FBCC1E0+19) = 29, which would be "the exact location of where it's found in memory".

    Where did the 0x6FBCC1E0 come from?

    If you want to find the semantic meaning of that '29' (i.e., why is the value 29 as opposed to something else), and you don't have symbols or source to the program, it's going to be very hard.

    Saturday, October 21, 2006 6:45 AM
    Moderator
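
The address arithmetic from the answer above, as an added example that is not part of the original thread: it maps buffer indexes back to addresses in the target process and regroups the same bytes as little-endian 32-bit values. The buffer is a constructed sample holding only the nine values posted in the question, and `AddressOf` and `ReadUInt32LE` are hypothetical helper names.

```csharp
using System;

static class BufferOffsets
{
    // Base address passed to ReadProcessMemory in the question.
    const uint BaseAddress = 0x6FBCC1E0;

    // Hypothetical helper: address in the target process that buff[index] came from.
    static uint AddressOf(int index)
    {
        return BaseAddress + (uint)index;
    }

    // Hypothetical helper: regroup four consecutive bytes as one little-endian
    // 32-bit value, the byte order x86 uses in memory.
    static uint ReadUInt32LE(byte[] data, int offset)
    {
        return unchecked((uint)(data[offset]
                              | data[offset + 1] << 8
                              | data[offset + 2] << 16
                              | data[offset + 3] << 24));
    }

    static void Main()
    {
        // Constructed sample: only offsets 16..24 hold the values posted in the
        // question; the rest is zero-filled because the post elides those bytes.
        byte[] buff = new byte[100];
        byte[] posted = { 24, 248, 126, 29, 0, 0, 0, 0, 98 };
        Array.Copy(posted, 0, buff, 16, posted.Length);

        // Byte view: buffer index -> address in the target process -> value.
        for (int i = 16; i <= 24; i++)
        {
            Console.WriteLine("buff[{0}] is the byte at 0x{1:X8}: {2} (0x{2:X2})",
                              i, AddressOf(i), buff[i]);
        }

        // The same bytes read as 32-bit values. Whether a result is a counter,
        // a pointer or part of a larger structure cannot be told from the bytes.
        for (int offset = 16; offset <= 20; offset += 4)
        {
            Console.WriteLine("32-bit value at 0x{0:X8}: 0x{1:X8}",
                              AddressOf(offset), ReadUInt32LE(buff, offset));
        }
    }
}
```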

All replies

  •  deodorant2 wrote:

    How would I use this information to read more information from the address?

    What information and which address?

     

    Friday, October 20, 2006 9:17 AM
    Moderator
  • The information returned from reading "0x6FBCC1E0."

    The byte[] buff held 100 members, and, for instance, buff[19] was equal to 29. Is there a way to get any more information on the number 29 by reading the exact location of where it's found in the memory?

    In other words, and this is just a wild guess, but what I think I need to do is create a pointer to 29, and read from that to be able to find more information about it... and am I completely wrong?

    Friday, October 20, 2006 6:49 PM