Help with memory functions etc

Frawley

I'm trying to create a signature search that can find the address of whatever bytes you input. For example, if I set buffer to 0x04AF, the function will search through the process' memory untill it finds an address that holds that value. Unfotunatly, I've run into a lot of difficulty. Any Help would be greatly appreciated. Here is the full source code. The return value always seems to be zero, even when I know the buffer is equal to the memory.

Code Snippet

#include <windows.h>

#include <iostream>

using namespace std;

DWORD* FindSignature(HANDLE hProcess, byte* signature, DWORD* dwStartAddress, unsigned int length);

BOOL CompareBytes(byte* buffer1, byte* buffer2, unsigned int length);

int main()

{

byte buffer[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

DWORD* test = FindSignature(GetCurrentProcess(), buffer, NULL, 1000);

system("pause");

}

DWORD* FindSignature(HANDLE hProcess, byte* signature, DWORD* dwStartAddress, unsigned int length)

{

if(dwStartAddress == NULL)

{

dwStartAddress = (DWORD*)0x00400000;

}

byte buffer[sizeof(signature)];

for(unsigned int i = 0; i < length; i++)

{

ReadProcessMemory(hProcess, (LPVOID)dwStartAddress, buffer, sizeof(signature), NULL);

if(CompareBytes(buffer, signature, sizeof(signature)))

{

cout << "Match Found";

return (DWORD*)(dwStartAddress + i);

}

}

return 0;

}

BOOL CompareBytes(byte* buffer1, byte* buffer2, unsigned int length)

{

for(unsigned int i = 0; i < length; i++)

{

if(buffer1[i] != buffer2[i])

{

return false;

}

}

return true;

}

valikac

You need to consider the value read from the last parameter of ReadProcessMemory().

valikac

Frawley

I thought that only tells me how many bytes were read I dont understand how.

valikac

Pass in the returned value as the last parameter of the comparison function. Advance the start address as you traverse.

valikac

Frawley

That helped, but didn't work. I think the problem is "signature". When I breakpoint it, signature always has a zero length array. (It just comes out as a single byte). I can't understand why this happens. Even if I set the size of the byte array to 10 it stills reverts to 0.

Aleksandr Tokarev

Your code will not work.

You read the same adress in the memory in cycle.

dwStartAddress - never changed.

for(unsigned int i = 0; i < length; i++)

{

ReadProcessMemory(hProcess, (LPVOID)dwStartAddress, buffer, sizeof(signature), NULL);

if(CompareBytes(buffer, signature, sizeof(signature)))

{

cout << "Match Found";

return (DWORD*)(dwStartAddress + i);

}

}

byte buffer[sizeof(signature)]; // sizeof(signature) == 4 always.

So, it equals

byte buffer[4];

if(CompareBytes(buffer, signature, 4))

compares only for bytes.

Thus, you read and compare first 4 byte in cycle, so you never find anything.

And the last memory in Windows allocated by pages, some pages there can be a gap, thus scaning through all memory is not good idea.

Frawley

Wow, I fell like an idiot. How can I find the number of bytes that are in signature since sizeof() always returns 4 in this case.

Help with memory functions etc

Re: Visual C++ General Help with memory functions etc

Re: Visual C++ General Help with memory functions etc

Re: Visual C++ General Help with memory functions etc

Re: Visual C++ General Help with memory functions etc

Re: Visual C++ General Help with memory functions etc

Re: Visual C++ General Help with memory functions etc