how to find the address of data in memory?
https://stackoverflow.com/questions/2612304
-
25-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
i need to find a way how to find the address's for value of another program. i find the address before hand but i don't know how to find them again after i close and reopen the program with out searching for them again (i need the program to find them on it's own). anyone know how i can do this (sorry if im unclear i don't know how to explain it really) if your confused just ask and i'll try to make it clear
im using C++
Solution
Assuming your platform is Windows, I find it convenient to inject your own DLL into the target process. From there, you could possibly do a heap walk and look for the value. After you've got it, send it back to your process via IPC (for instance, with Boost's message_queue).
EDIT
Blood, as you requested, here's a little code and a food for thought. The DLL itself is pretty simple, for example something like this:
#include <Windows.h>
/** You can use this one to examine the given memory blocks.
* However, since you're inside another process, you cannot use
* std::cout. But you'll get the idea (just an example). The code
* is from my another project.
*/
void MyDump(const void *m, unsigned int n)
{
const unsigned char *p = reinterpret_cast<const unsigned char *>(m);
char buffer[16];
unsigned int mod = 1;
memset(&buffer, 0, sizeof(buffer));
std::cout << "------------------------------------------------------------------------------------\nOffset | Hex | ASCII |\n------------------------------------------------------------------------------------\n0x" << std::setfill('0') << std::setw(8) << std::hex << (long)m << " |";
for (unsigned int i = 0; i < n; ++i, ++mod) {
buffer[i % 16] = p[i];
--mod;
if (mod % 4 == 0)
std::cout << " ";
++mod;
std::cout << std::setw(2) << std::hex << static_cast<unsigned int>(p[i]) << " ";
if ((mod == 16 && i != 0) || i == n - 1) {
if (i == n - 1) {
for (unsigned int j = 0; j < (16 - mod) * 3; ++j)
std::cout << " ";
if (mod <= 4)
std::cout << " ";
if (mod <= 8)
std::cout << " ";
if (mod <= 12)
std::cout << " ";
}
mod = 0;
std::cout << "| ";
for (unsigned short j = 0; j < 16; ++j) {
switch (buffer[j]) {
case 0x7:
case 0x8:
case 0x9:
case 0xa:
case 0xb:
case 0xd:
case 0xe:
case 0xf:
std::cout << " ";
break;
default: std::cout << buffer[j];
}
}
std::cout << " |";
if (i == n - 1) {
std::cout << "\n------------------------------------------------------------------------------------\n";
return;
}
memset(&buffer, 0, sizeof(buffer));
std::cout << "\n0x" << std::setfill('0') << std::setw(8) << std::hex << (long)m + i << " |";
}
}
}
BOOL APIENTRY DllMain(HANDLE h_module, DWORD ul_reason_for_call, LPVOID)
{
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
/** Do the heap walk here, please see
* http://msdn.microsoft.com/en-us/library/ee175819%28v=VS.85%29.aspx
* for enumerating the heap.
*/
break;
case DLL_THREAD_ATTACH: break;
case DLL_THREAD_DETACH: break;
case DLL_PROCESS_DETACH:
}
}
Now that you have the DLL, you still need to inject it to the desired process. This can be easily done with EasyHook API. Download the library and see an example of unmanaged hook.
OTHER TIPS
A program can find addresses of its own variables pretty easily (&variable). If it's cooperating in things, it can then send that to the other program by some normal IPC mechanism. The other program won't (normally) be able to do much with it directly though -- at least on a typical system (*BSD, Linux, Windows, etc.) each process will have memory mapped separately, so an address in one isn't directly usable in another.
Nearly all will provide some sort of debugging capability that lets you access one process' memory from another process, but how that works varies widely.
After you close and reopen a program, the addresses are all randomized. There's no way to save an address for the next time you run.
Instead, you need to design a file structure for whatever data you have. Write it to a file, expressing structural relationships somehow other than addresses, and restore pointer-links when reading it back. This is called serialization.
In theory, if you understand how the target program working and its internal data structure, you can find the address of the target variable, because each single byte of memory that is dynamically allocated during run time can always be found from some information statically known to code, except variables originated inside a function. However, practically, it's nearly impossible to understand a program by inspecting its binary representation. So you are out of luck:-)
A little more thoughts:
let me guess what you are trying to do: you want to stop an integer counting down in another process. If that the case, you can manually find the address by a game tool, then set a break point by a debugger to pause when the address is written, then make the break point to happen by different possible operations in the target program. This way you could identify which code are decreasing the value and possibly modify the EXE/DLL to disable these code. Chances are the target program will crash more often or does not entertain you any more, for the same code you disabled is used to decrease the energy of you and your opponents:-)
If you just want to know the pointer one time to include it in your code, you can use too programs like cheatengine to get the pointer.
