Question

I need to read a program's memory from a different application. I have the whole process and application 'connection' in place.

I have a function that searches for a pattern in the memory of the opened process and which, thanks to a signature, returns a valid entry point to the function I'm interested in.

Problem is, the assembly instruction that leads me to the data (which I can't find through an offset or signature) is the following:

H5Calc.exe+12DDC5B - E8 10F1FFFF           - call H5Calc.exe+12DCD70

I've searched around and found that this might serve my purpose:

return (MainClass*) *(DWORD*) PatternPointer;

but the problem is that the line above would work if using 'injection', and I'm using ReadProcessMemory since I'm not allowed to do so.

So, can somebody help 'translating' the

(MainClass*) *(DWORD*) PatternPointer;

pointer operation into a ReadProcessMemory call, considering the assembly instruction? Given that I'm opening from another application, I don't have access to the H5Calc memory area except through ReadProcessMemory (which I can call regularly for other operations).

Any help appreciated.

Thanks.


Solution

You can calculate the actual address as described here, i.e. you take the address of the instruction following the jump, which is

0x12DDC5B + 5 = 0x12DDC60

then you take the offset, which is a 32-bit little-endian two's complement signed integer, so

"0x10 0xF1 0xFF 0xFF" = 0xFFFFF110 - 0x100000000 = -0xEF0

Then you add the offset to the base address computed above to obtain

0x12DDC60 + (-0xEF0) = 0x12DCD70

In C, this would look something like:

#include <windows.h>
#include <stdint.h>

/* hProc: handle from OpenProcess() with at least PROCESS_VM_READ */
unsigned char *jmp_ptr = (unsigned char *)0x12DDC5B;   /* address of the E8 opcode */
int32_t offset;   /* rel32 displacement: signed, relative to the next instruction */
ReadProcessMemory(hProc, jmp_ptr + 1, &offset, sizeof offset, NULL);
unsigned char *target_ptr = jmp_ptr + 5 + offset;       /* 5 = length of the call instruction */

(apply stylistic mash-ups to obtain C++ code. Also check the return value of the function, etc.)

You can now feed the resulting address to another call to ReadProcessMemory() in order to obtain the pointer to the instance:

MainClass *instance = NULL;
ReadProcessMemory(hProc, target_ptr, &instance, sizeof instance, NULL);
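The two steps of this answer (decode the rel32 of the E8 call, then read the 32-bit pointer stored at the resulting address) carried out end to end, as an added example that is not part of the original answer. To keep it runnable on any platform, the ReadProcessMemory() call is replaced by a read callback over a constructed in-memory image that contains only the bytes from the question (the E8 10 F1 FF FF call at 0x12DDC5B) plus a made-up pointer value 0x00C0FFEE placed at the call target; the image base 0x12DCD00, the function names and the callback type are all assumptions of this example. The decoder assembles the displacement byte by byte, so it does not depend on the host's endianness, and every read is bounds-checked so a bad address fails instead of returning garbage, which is also how ReadProcessMemory() behaves on an unreadable range.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic "read len bytes at remote address addr" callback. In a real tool this
   wraps ReadProcessMemory(hProc, (LPCVOID)addr, out, len, &n) and returns false
   when the call fails or n != len. */
typedef bool (*read_mem_fn)(uint64_t addr, void *out, size_t len);

/* Decode a 5-byte near call (opcode E8, rel32) located at call_addr.
   The displacement is little-endian two's complement, relative to the address
   of the NEXT instruction (call_addr + 5), so backward calls are negative. */
bool decode_rel32_call(read_mem_fn rd, uint64_t call_addr, uint64_t *target)
{
    uint8_t insn[5];
    if (!rd(call_addr, insn, sizeof insn)) return false;
    if (insn[0] != 0xE8) return false;                    /* not a near relative call */
    uint32_t raw = (uint32_t)insn[1] | ((uint32_t)insn[2] << 8) |
                   ((uint32_t)insn[3] << 16) | ((uint32_t)insn[4] << 24);
    int32_t rel = (int32_t)raw;                           /* reinterpret as signed */
    *target = (uint64_t)((int64_t)(call_addr + 5) + rel);
    return true;
}

/* Read a 32-bit little-endian pointer stored at addr (32-bit target process). */
bool read_pointer32(read_mem_fn rd, uint64_t addr, uint32_t *value)
{
    uint8_t b[4];
    if (!rd(addr, b, sizeof b)) return false;
    *value = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
             ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return true;
}

/* Both steps from the answer: call target first, then the pointer stored there. */
bool resolve_instance(read_mem_fn rd, uint64_t call_addr,
                      uint64_t *target, uint32_t *instance)
{
    return decode_rel32_call(rd, call_addr, target) &&
           read_pointer32(rd, *target, instance);
}

/* ---- Constructed stand-in for the remote process (not real H5Calc data) ---- */
#define FAKE_BASE 0x12DCD00ull                /* assumed base covering both addresses */
static uint8_t fake_image[0x1000];
static bool fake_built;

static void build_fake_image(void)
{
    memset(fake_image, 0x90, sizeof fake_image);          /* NOP filler */
    /* The instruction from the question: E8 10 F1 FF FF at 0x12DDC5B */
    const uint8_t call_bytes[5] = { 0xE8, 0x10, 0xF1, 0xFF, 0xFF };
    memcpy(fake_image + (0x12DDC5Bull - FAKE_BASE), call_bytes, sizeof call_bytes);
    /* Made-up 32-bit pointer 0x00C0FFEE stored at the call target 0x12DCD70 */
    const uint8_t ptr_bytes[4] = { 0xEE, 0xFF, 0xC0, 0x00 };
    memcpy(fake_image + (0x12DCD70ull - FAKE_BASE), ptr_bytes, sizeof ptr_bytes);
    fake_built = true;
}

/* Bounds-checked reader over the fake image (all-or-nothing, like ReadProcessMemory). */
static bool read_fake(uint64_t addr, void *out, size_t len)
{
    if (!fake_built) build_fake_image();
    if (addr < FAKE_BASE || addr + len > FAKE_BASE + sizeof fake_image) return false;
    memcpy(out, fake_image + (addr - FAKE_BASE), len);
    return true;
}

int main(void)
{
    uint64_t target;
    uint32_t instance;
    if (!resolve_instance(read_fake, 0x12DDC5Bull, &target, &instance)) {
        puts("read failed");
        return 1;
    }
    printf("call target 0x%llX, pointer stored there 0x%08X\n",
           (unsigned long long)target, instance);
    return 0;
}
```

Swapping read_fake for a wrapper around ReadProcessMemory() is the only change needed to run this against a live process; the decode and bounds-check logic stays the same. Note that a displacement read as plain `int` only works where `int` is 32 bits wide, which is why the decoder above builds an `int32_t` explicitly.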

Other tips

You could use shared memory between processes. If you want to know how to do this I can post some code. The Windows API uses CreateFileMapping() and MapViewOfFile(). Then both processes can see the same memory.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow