
I'm pretty new to C++, and I feel like this is an easy thing to do, but I have been stuck on it for too long now.

I am trying to compare a value in memory and a const buffer.

The issue seems to be that my buffer is being declared as `char validFuncCall[] = "4c8bd1b8";` and the value in memory is being encoded as UTF-16LE (I'm using Windows).

A bit of code:

```cpp
#include <windows.h>
#include <cstdio>
#include <cstring>
#include <iostream>

bool checkEqual(char* src, char* dst, size_t length) {
    return memcmp(src, dst, length) == 0;
}

int main() {
    char validFuncCall[] = "4c8bd1b8";
    PVOID NTwf = (PVOID)GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtWriteFile");

    // Print the first four bytes at the function's address.
    std::cout << "memory values: ";
    unsigned char* p = (unsigned char*)NTwf;
    for (int i = 0; i < 4; i++) {
        printf("%02hhX ", p[i]);
    }
    std::cout << std::endl;

    // Compare those four bytes against the buffer.
    if (checkEqual((char*)NTwf, validFuncCall, 4)) {
        std::cout << "True" << std::endl;
    }
    else {
        std::cout << "False" << std::endl;
    }
}
```

Output:

```
memory values: 4C 8B D1 B8
False
```

I noticed this question: "How can I search for a string in the memory of another process?", but the answer is using `ReadProcessMemory()`, which I would rather not use, as the value is in my own process space.

Remy Lebeau
moti shaku
  • `char validFuncCall[] = "4c8bd1b8" ;` is an 8 character string. You want 4 chars (bytes). – Mike Vine Oct 03 '22 at 11:27
  • `char validFuncCall[] = {0x4c, 0x8b, 0xd1, 0xb8};` – AterLux Oct 03 '22 at 11:29
  • Yep, I feel dumb now. Thank you both for the help! – moti shaku Oct 03 '22 at 11:30
  • Or `char validFuncCall[] = "\x4c\x8b\xd1\xb8";`. Although it won't affect your code as shown (since you've hardcoded lengths of 4) bear in mind that a string literal is nul terminated, so this approach results in `sizeof(validFuncCall)` having a value of 5, not 4. – Peter Oct 03 '22 at 12:13
  • Even better, use a vector. Nothing good comes from mixing C constructs (arrays) with C++. The sight of `char *` in a language where you should not have to work on pointers *at all* makes my skin crawl. – DevSolar Oct 03 '22 at 21:11
  • @motishaku If no one wants to write an answer and you prefer, you can answer yourself for completion. – YangXiaoPo-MSFT Oct 04 '22 at 02:35
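
The mismatch the comments point out, as an added example that is not part of the original question or comments: it decodes the hex text into raw bytes before a length-bounded compare. The names `hexToBytes`, `startsWithBytes` and `kSample` are assumptions made for illustration, and `kSample` is a constructed stand-in for the four bytes printed in the question, so the block runs without the Windows API.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Decode hex text such as "4c8bd1b8" into the raw bytes it spells.
// Returns false for odd length or a non-hex character.
bool hexToBytes(const std::string& hex, std::vector<std::uint8_t>& out) {
    auto nibble = [](char c) -> int {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    };
    out.clear();
    if (hex.size() % 2 != 0) return false;
    for (std::size_t i = 0; i < hex.size(); i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return false;
        out.push_back(static_cast<std::uint8_t>((hi << 4) | lo));
    }
    return true;
}

// True when the first pattern.size() bytes at `mem` equal `pattern`.
// `memLen` is the number of readable bytes at `mem` and bounds the compare.
bool startsWithBytes(const void* mem, std::size_t memLen,
                     const std::vector<std::uint8_t>& pattern) {
    if (pattern.empty() || pattern.size() > memLen) return false;
    return std::memcmp(mem, pattern.data(), pattern.size()) == 0;
}

// Constructed sample: the four bytes shown in the question's output.
const std::uint8_t kSample[] = {0x4C, 0x8B, 0xD1, 0xB8};

// The question's compare: the literal holds the characters '4','c','8','b'.
bool textLiteralMatches() {
    const char text[] = "4c8bd1b8";
    return std::memcmp(kSample, text, 4) == 0;
}

// The decoded compare: the pattern is the raw bytes 4C 8B D1 B8.
bool decodedMatches() {
    std::vector<std::uint8_t> pattern;
    return hexToBytes("4c8bd1b8", pattern) &&
           startsWithBytes(kSample, sizeof kSample, pattern);
}
```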

0 Answers