
I am trying to read an address of a process which should be the number 20. I determined this address was located at the dll base offset + a number with an offset of 10. I am using

ReadProcessMemory(phandle, (void*)address, &number, sizeof(number), 0);

to read a specific address. My question is how do I correctly search for the address located at "57B86F68" + the 10 offset?

Jack
  • Remember unless you disabled it you probably have to deal with ASLR. https://en.wikipedia.org/wiki/Address_space_layout_randomization – drescherjm Aug 24 '16 at 01:49
  • This is a bit confusing. Are you looking for the address `0x57b86f68 + 10` or are you looking for the address (or some other kind of value) stored at that location? Either way, you shouldn't need to *search* for anything. – molbdnilo Aug 24 '16 at 02:05
  • @drescherjm, I made sure to grab the base address through code so that isn't a problem as far as I am aware of. – Jack Aug 24 '16 at 02:52
  • @molbdnilo sorry for the confusion, so there is a static pointer at a certain location. I found this location; it points to an address, and that address with the offset of 10 is the value I am looking to read. I am unsure of how I can do this though. For example, I am reading address a, which points to b. I am then trying to get the value of b + 10; would there be a simple way to do this? – Jack Aug 24 '16 at 02:56
  • you have the address and you have the offset ... now everything is OK so what is the problem???? – Afshin Aug 24 '16 at 05:07
  • It's not working, it doesn't return the correct number. I am sending it `ReadProcessMemory(phandle, (void*)(baseaddress + address), &testNum, sizeof(testNum), 0);` which I thought would set testNum to the address the pointer points to. Then I send `ReadProcessMemory(phandle, (void*)(testNum + 0x10), &count, sizeof(count), 0)` which returns something completely wrong like "-9.25596e+61" – Jack Aug 24 '16 at 05:34
  • @Jack After the call of `ReadProcessMemory`, call `GetLastError` to get more information about the reason for the `ReadProcessMemory` failure. Check your `OpenProcess` flags; `PROCESS_VM_READ` also should be there. – Nikita Aug 24 '16 at 05:39
  • @Nikita that solved it. Thank you! I was using a different flag for the OpenProcess which appears to have been messing it up. – Jack Aug 24 '16 at 06:04
  • @Jack Nice to hear. Seems you can upvote my answer below – Nikita Aug 24 '16 at 06:08

1 Answer

You can read the data through the handle if your phandle is a process handle with PROCESS_VM_READ access granted:

ReadProcessMemory(phandle, (void*)(0x57B86F68 + 0x10), &number, sizeof(number), 0);

To get proper access rights for the process handle, check your OpenProcess flags; PROCESS_VM_READ should be there.

If it is still not working, things are much more complex. You would have to translate your virtual address to a physical address and after that get direct access to the memory via kernel mode.

Nikita
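The two-step read the question describes (read a static pointer at module base + offset, then read the value at pointer + 0x10), together with the PROCESS_VM_READ / GetLastError checks from the answer, as one added example. This is my own illustration, not code from the question or the answer. It assumes a 32-bit target (4-byte pointers, which is what the 0x57B86F68 address suggests), a made-up static pointer offset of 0x40 from the module base, and an int32 value of 20 at the end of the chain. The chain walk is separated from the OS call so the same logic runs here against a constructed fake address space; on Windows it is wired to the real ReadProcessMemory. The fake space also shows the failure mode: when the pointer read back is garbage, the second read fails instead of returning a nonsense value.

```c
/* Added example (not from the question or answer): read the int at
 * [[module_base + 0x40] + 0x10] from another process. 32-bit target assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Memory reader: 1 on success, 0 on failure (mirrors ReadProcessMemory's BOOL). */
typedef int (*mem_reader_fn)(void *ctx, uint64_t addr, void *out, size_t len);

/* Walk a pointer chain: addr = base + offsets[0]; for every offset but the last,
 * dereference and add the next offset. Result is the ADDRESS of the value.
 * ptr_size is the target's pointer width (4 for a 32-bit target). */
int follow_chain(mem_reader_fn rd, void *ctx, uint64_t base, const uint64_t *offsets,
                 size_t n, size_t ptr_size, uint64_t *final_addr)
{
    uint64_t addr = base;
    for (size_t i = 0; i < n; i++) {
        addr += offsets[i];
        if (i + 1 == n) break;               /* last hop: addr holds the value */
        uint64_t next = 0;
        if (ptr_size == 4) {                 /* read a 4-byte pointer, widen it */
            uint32_t p32;
            if (!rd(ctx, addr, &p32, sizeof p32)) return 0;
            next = p32;
        } else if (!rd(ctx, addr, &next, sizeof next)) {
            return 0;
        }
        addr = next;
    }
    *final_addr = addr;
    return 1;
}

/* Walk the chain, then read the 32-bit integer at its end. */
int read_chain_i32(mem_reader_fn rd, void *ctx, uint64_t base, const uint64_t *offsets,
                   size_t n, size_t ptr_size, int32_t *value)
{
    uint64_t addr;
    if (!follow_chain(rd, ctx, base, offsets, n, ptr_size, &addr)) return 0;
    return rd(ctx, addr, value, sizeof *value);
}

/* ---- constructed fake address space, so the walk can run off Windows ---- */
typedef struct { uint64_t base; uint8_t bytes[0x1000]; } fake_space_t;

/* Fails for addresses outside the mapped range, as ReadProcessMemory would. */
static int fake_read(void *ctx, uint64_t addr, void *out, size_t len)
{
    fake_space_t *s = (fake_space_t *)ctx;
    if (addr < s->base || addr + len > s->base + sizeof s->bytes) return 0;
    memcpy(out, s->bytes + (addr - s->base), len);
    return 1;
}

/* Constructed layout: module base 0x57B86000, static pointer at base+0x40,
 * and the int 20 at 0x57B86F68 + 0x10 = 0x57B86F78. */
static void build_fake(fake_space_t *s, uint32_t static_ptr_value)
{
    int32_t twenty = 20;
    memset(s, 0, sizeof *s);
    s->base = 0x57B86000ULL;
    memcpy(s->bytes + 0x40, &static_ptr_value, sizeof static_ptr_value);
    memcpy(s->bytes + (0x57B86F78ULL - s->base), &twenty, sizeof twenty);
}

int demo_fake(int32_t *out)                 /* good pointer: reads 20 */
{
    fake_space_t s; uint64_t offsets[] = { 0x40, 0x10 };
    build_fake(&s, 0x57B86F68u);
    return read_chain_i32(fake_read, &s, s.base, offsets, 2, 4, out);
}

int demo_fake_unmapped(int32_t *out)        /* garbage pointer: second read fails */
{
    fake_space_t s; uint64_t offsets[] = { 0x40, 0x10 };
    build_fake(&s, 0xDEADBEEFu);
    return read_chain_i32(fake_read, &s, s.base, offsets, 2, 4, out);
}

#ifdef _WIN32
/* Real reader: check the BOOL and the byte count, and report GetLastError(). */
static int win_read(void *ctx, uint64_t addr, void *out, size_t len)
{
    SIZE_T got = 0;
    if (!ReadProcessMemory((HANDLE)ctx, (LPCVOID)(uintptr_t)addr, out, len, &got) || got != len) {
        fprintf(stderr, "ReadProcessMemory(0x%llx) failed: error %lu\n",
                (unsigned long long)addr, (unsigned long)GetLastError());
        return 0;
    }
    return 1;
}
#endif

int main(int argc, char **argv)
{
    int32_t v = 0;
#ifdef _WIN32
    if (argc < 3) { fprintf(stderr, "usage: %s <pid> <module-base-hex>\n", argv[0]); return 1; }
    /* PROCESS_VM_READ is the access right ReadProcessMemory requires. */
    HANDLE h = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE,
                           (DWORD)strtoul(argv[1], NULL, 10));
    if (!h) { fprintf(stderr, "OpenProcess failed: error %lu\n", (unsigned long)GetLastError()); return 1; }
    uint64_t offsets[] = { 0x40 /* assumed static pointer offset */, 0x10 };
    if (read_chain_i32(win_read, h, strtoull(argv[2], NULL, 16), offsets, 2, 4, &v))
        printf("value = %d\n", v);
    CloseHandle(h);
#else
    (void)argc; (void)argv;
    if (demo_fake(&v)) printf("fake address space: value = %d\n", v);
#endif
    return 0;
}
```

Two points worth noting from the example. First, the variable the final value is read into must match the target's type and size: the comment thread's "-9.25596e+61" is what you get when four bytes of an int land in a double, and sizeof(count) then also reads past the field. Second, checking the BOOL return (and the bytes-read count) and calling GetLastError() on failure is what turns a silently wrong number into a visible access-denied error when the handle lacks PROCESS_VM_READ.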