Development environment: VC++ 6.0
1. Obtain the process window handle
The Windows API provides powerful memory-manipulation functions. To modify another process's memory, the first step is to locate that process.
FindWindow is used to obtain the window handle (HWND) of the process. It takes two parameters.
The first is the class name of the window. We generally do not know the class name of another process's window, so it is usually NULL.
The second is the window title. This is easy to read straight off the screen, so TEXT("title name") is generally used.
HWND hWnd = ::FindWindow(NULL, lpName);   // lpName: the window title string, e.g. TEXT("window title"); NULL if no such window
This obtains the window handle of the process.
Problems with this part:
1. Some window titles contain many Chinese and special characters, so the title cannot be typed correctly and the window handle cannot be obtained.
What I would like for this part:
1. List the running processes and let the user pick the one to attach to directly.
Solution:
1. Attach directly with OpenProcess using the process's PID.
2. Obtain the process PID
The easiest way to get a process's PID is to read it straight out of Task Manager.
However, the average user does not know how to find the PID; all they can find is the title of the process's window. So obtaining the PID has to be done by the program. We already have the process's window handle, and from it we can get the PID.
First define DWORD pid;
GetWindowThreadProcessId(hWnd, &pid);   // returns the thread ID; writes the process ID into pid
Now pid holds the PID.
Problems with this part:
1. As above, some window titles contain many Chinese and special characters and cannot be typed correctly.
The process can then only be attached to via its PID, so the many users who never look at Task Manager will not be able to attach to it.
Expected:
1. As in the previous section, let the user pick the process from a process list for ease of use.
3. Obtain the process handle
Now we have the PID. Haha, now this process is yours.
HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);   // NULL on failure (insufficient rights); GetLastError() gives the reason
PROCESS_ALL_ACCESS requests every access right the process object supports.
FALSE: the returned handle cannot be inherited by new processes created by the current process (confused? So am I. The original English reads: specifies whether the returned handle can be inherited by a new process created by the current process. If TRUE, the handle is inheritable. Hey.. my English is not good..)
pid.. of course, the process ID.
Now the attach step is complete. The following describes how to read from a process's memory addresses.
4. Read data from an address in virtual memory
LPVOID lpBaseAddress = (LPVOID)0x1f2e;
DWORD dwValue;
ReadProcessMemory(hProcess, lpBaseAddress, (void *)&dwValue, sizeof(DWORD), 0);   // returns FALSE if the address is not readable; last argument is an optional bytes-read count
The above stores the value at virtual address 0x1f2e in the process hProcess into dwValue.
I don't know how to use it.
5. Write data to an address in virtual memory
LPVOID lpBaseAddress = (LPVOID)0x1f2e;
DWORD dwValue = 999;
WriteProcessMemory(hProcess, lpBaseAddress, (void *)&dwValue, sizeof(DWORD), 0);   // returns FALSE if the address is not writable; last argument is an optional bytes-written count
The above writes dwValue to virtual address 0x1f2e in the process hProcess.
6. Search memory and modify it
We use ReadProcessMemory to find the memory address that holds the value we are looking for.
How do we find this address? Obviously by brute force: enumerate every possible memory address.
Obviously many addresses will hold the same value, so, as with any game trainer, we have to search at least twice.
On the first search I save every address that matches into a linked list.
That is, in the implementation: if the linked list is empty, all possible memory addresses are enumerated;
if the linked list is not empty, only the addresses saved in the list are read again, and those whose value matches the new search value stay in the list (find a way to change the value to be modified in the game, then search again).
Continue until a single memory address meets the conditions.
Now WriteProcessMemory can change the value at that virtual address to anything you want (haha.. my evil smile, my proud smile).
Problems with this part:
1. Since it is this easy to modify the value at a memory address, isn't it very dangerous for a program to keep its data in the client's virtual memory???
There must be many ways to avoid this problem. I guess the virtual memory could be made unsearchable (who knows).
But one countermeasure I did confirm is what I found when I tried to modify Diablo....
Diablo is abnormal!!! It manages a piece of sensitive data through five virtual addresses, but in the end that has no effect at all (it depends on luck; with bad luck the game errors out). Maybe you need to modify all five at the same time.... That doesn't seem very useful either.. Haha...
Of course... even though it uses N addresses to manage one piece of sensitive data, it can still be modified...
For example, the most convenient Diablo memory (save) editor is built specifically for Diablo... and modifies sensitive data in an evil way.... So managing the data through many addresses is useless --
2. In this search I searched the full 4G address space. Of course I did not have to sit there: I went to the toilet, ate ice cream, ate an apple, played a game, took a nap....
.... and still no result!! A painful wait..
Of course, this problem is easy to solve. How?
7. Search optimization
Actually, the range of virtual memory addresses an operating system lets a process use is not the full 4 GB.
SYSTEM_INFO sysInfo;
GetSystemInfo(&sysInfo);
This fills a SYSTEM_INFO structure. Its
lpMinimumApplicationAddress and lpMaximumApplicationAddress
fields are the lowest and highest virtual memory addresses the operating system allows for applications.
However, searching that whole range is still a huge job.
A virtual memory page can be in one of three states (free, reserved or committed),
and only pages whose state is committed are virtual memory actually in use by the process.
VirtualQueryEx(
    HANDLE hProcess,
    LPCVOID lpAddress,
    PMEMORY_BASIC_INFORMATION lpBuffer,
    DWORD dwLength
);
returns the status of a page. (The four-argument form that takes a process handle is VirtualQueryEx; plain VirtualQuery only queries the calling process.)
The State field of the MEMORY_BASIC_INFORMATION structure is the page's status: if it is MEM_COMMIT, the page is committed and needs to be scanned.
The SYSTEM_INFO structure also has a dwPageSize field, the size of a page on the current system.
In this way we can enumerate all pages and search only those that are committed.
Problems encountered in this section:
1. The RegionSize field of the MEMORY_BASIC_INFORMATION structure gives the size of the run of pages, starting at BaseAddress, that share the same attributes.
I think using this field could narrow the search range and improve efficiency.
This field may well be used in the next version.
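The candidate-narrowing search of section 6 together with the committed-page filter and RegionSize stepping of section 7, as an added, runnable example; it is not the post's own VC++ code. It is written in portable C so it runs anywhere: a constructed table of regions stands in for what VirtualQueryEx reports (BaseAddress, RegionSize, State), read_target and write_target stand in for ReadProcessMemory and WriteProcessMemory over constructed backing buffers, and every address and value in the fixture is made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a target's address space. Each entry mirrors the
 * MEMORY_BASIC_INFORMATION fields the post relies on: BaseAddress, RegionSize
 * and State. Only committed regions have backing storage. */
#define PAGE_BYTES 4096u

typedef struct {
    uintptr_t base;       /* BaseAddress */
    size_t    size;       /* RegionSize: run of pages sharing one state */
    int       committed;  /* 1 = MEM_COMMIT, 0 = free or reserved */
    uint8_t  *backing;    /* storage for committed regions only */
} Region;

#define NREGIONS 3
static uint8_t region0[2 * PAGE_BYTES];   /* constructed backing memory */
static uint8_t region2[1 * PAGE_BYTES];
static Region space[NREGIONS] = {
    { 0x00010000u, 2 * PAGE_BYTES, 1, region0 },
    { 0x00012000u, 8 * PAGE_BYTES, 0, NULL    },   /* reserved: never scanned */
    { 0x0001A000u, 1 * PAGE_BYTES, 1, region2 },
};

/* Analogue of ReadProcessMemory: returns 0 (like FALSE) when the address
 * does not lie inside a committed region. */
static int read_target(uintptr_t addr, void *out, size_t len) {
    for (int i = 0; i < NREGIONS; i++) {
        Region *r = &space[i];
        if (addr >= r->base && addr + len <= r->base + r->size) {
            if (!r->committed) return 0;
            memcpy(out, r->backing + (addr - r->base), len);
            return 1;
        }
    }
    return 0;
}

/* Analogue of WriteProcessMemory; used here only to stage the fixture and to
 * simulate the game changing its own value between two searches. */
static int write_target(uintptr_t addr, const void *in, size_t len) {
    for (int i = 0; i < NREGIONS; i++) {
        Region *r = &space[i];
        if (addr >= r->base && addr + len <= r->base + r->size) {
            if (!r->committed) return 0;
            memcpy(r->backing + (addr - r->base), in, len);
            return 1;
        }
    }
    return 0;
}

/* Candidate list. The post uses a linked list; a growable array does the same job. */
typedef struct { uintptr_t *addr; size_t count, cap; } Candidates;

static void cand_push(Candidates *c, uintptr_t a) {
    if (c->count == c->cap) {
        c->cap = c->cap ? c->cap * 2 : 64;
        c->addr = realloc(c->addr, c->cap * sizeof *c->addr);
        if (!c->addr) { perror("realloc"); exit(1); }
    }
    c->addr[c->count++] = a;
}

/* First search (list empty): walk every committed region one DWORD at a time,
 * skipping whole non-committed regions in one RegionSize step. */
static void scan_first(Candidates *c, uint32_t value) {
    c->count = 0;
    for (int i = 0; i < NREGIONS; i++) {
        Region *r = &space[i];
        if (!r->committed) continue;                 /* State != MEM_COMMIT */
        for (size_t off = 0; off + sizeof(uint32_t) <= r->size; off += sizeof(uint32_t)) {
            uint32_t v;
            if (read_target(r->base + off, &v, sizeof v) && v == value)
                cand_push(c, r->base + off);
        }
    }
}

/* Follow-up search (list non-empty): re-read only the saved addresses and
 * keep those that now hold the new value. */
static void scan_narrow(Candidates *c, uint32_t value) {
    size_t kept = 0;
    for (size_t i = 0; i < c->count; i++) {
        uint32_t v;
        if (read_target(c->addr[i], &v, sizeof v) && v == value)
            c->addr[kept++] = c->addr[i];
    }
    c->count = kept;
}

/* Stage the fixture: the address we want plus two decoys holding the same value. */
static void fixture_init(void) {
    uint32_t hp = 100, decoy = 100, junk = 7;
    memset(region0, 0, sizeof region0);
    memset(region2, 0, sizeof region2);
    write_target(0x00010020u, &decoy, sizeof decoy);
    write_target(0x00011FFCu, &decoy, sizeof decoy);
    write_target(0x0001A040u, &hp,    sizeof hp);    /* the real one */
    write_target(0x0001A100u, &junk,  sizeof junk);
}

static size_t g_first_count, g_second_count;   /* pass sizes, for inspection */

/* One full round: search for 100, let the "game" change it to 95, search
 * again. Returns the single surviving address, or 0 if more than one remains. */
static uintptr_t run_demo(void) {
    Candidates c = {0};
    uint32_t newhp = 95;
    fixture_init();
    scan_first(&c, 100);
    g_first_count = c.count;                           /* 3 candidates */
    write_target(0x0001A040u, &newhp, sizeof newhp);   /* value changes in the game */
    scan_narrow(&c, 95);
    g_second_count = c.count;                          /* 1 candidate */
    uintptr_t hit = (c.count == 1) ? c.addr[0] : 0;
    free(c.addr);
    return hit;
}

int main(void) {
    uintptr_t hit = run_demo();
    printf("first pass: %zu candidates, second pass: %zu, hit at 0x%lx\n",
           g_first_count, g_second_count, (unsigned long)hit);
    return hit ? 0 : 1;
}
```

Build with any C compiler and run: the first pass finds three copies of 100 (two decoys and the real one), the value at the real address changes to 95, and the second pass keeps only the address that followed the change. Skipping the reserved region is what saves most of the time the post complains about; the remaining cost is proportional to committed memory, not to the 4 GB address space. From a defender's point of view, the same procedure is the reason values held in client memory cannot be trusted: spreading one value over several addresses, as the post observes with Diablo, only lengthens this loop, whereas keeping the authoritative value outside the client (or detecting that it changed) removes the target.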
Summary:
Still unsolved:
1. A single variable managed through multiple addresses cannot be controlled.
2. Efficiency is still very low. Kingsoft Ranger shows its results instantly, while I have to wait 1 or 2 minutes.
Is there a way to narrow the search range further, or should I use a lower-level language???
3. The interface is unfriendly. This will be improved in the next version.