Anyone good with messing with system memory?

[SpriggsySpriggs]

If anyone on here knows a good amount about messing with system memory then please lend me a hand. I'm writing a program that reads a string found in memory and then is supposed to write a replacement string to that memory location. I have no problem finding the first location referencing the string and the WriteProcessMemory function does not fail (in the sense that it actually claims to have written the bytes to memory) but I never see anything change because I'm only finding the first reference rather than the one I need. Here is my code so far which uses the PeekPoke library attached. Note: The program can run out of memory depending on the program you are targeting. I've found that notepad++ works fine (in the sense that it doesn't run out of memory finding the first occurence of the string in its memory) so give that a try if you have it installed.

Code: QB64: [Select]

1. OPTION _EXPLICIT
2. $CONSOLE:ONLY
3. _DEST _CONSOLE
4.  
5. CONST PROCESS_VM_READ = &H0010
6. CONST PROCESS_QUERY_INFORMATION = &H0400
7. CONST PROCESS_VM_WRITE = &H0020
8. CONST PROCESS_VM_OPERATION = &H0008
9.  
10. CONST TRUE = -1
11. CONST FALSE = 0
12.  
13. TYPE SYSTEM_INFO
14.     wProcessorArchitecture AS INTEGER
15.     wReserved AS INTEGER
16.     dwPageSize AS LONG
17.     lpMinimumApplicationAddress AS _OFFSET
18.     lpMaximumApplicationAddress AS _OFFSET
19.     dwActiveProcessorMask AS _OFFSET
20.     dwNumberOfProcessors AS LONG
21.     dwProcessorType AS LONG
22.     dwAllocationGranularity AS LONG
23.     wProcessorLevel AS INTEGER
24.     wProcessorRevision AS INTEGER
25. END TYPE
26.  
27. $IF 64BIT THEN
28.     TYPE MEMORY_BASIC_INFORMATION
29.         BaseAddress AS _UNSIGNED _INTEGER64
30.         AllocationBase AS _UNSIGNED _INTEGER64
31.         AllocationProtect AS LONG
32.         alignment1 AS LONG
33.         RegionSize AS _UNSIGNED _INTEGER64
34.         State AS LONG
35.         Protect AS LONG
36.         Type AS LONG
37.         alignment2 AS LONG
38.     END TYPE
39. $ELSE
40.     TYPE MEMORY_BASIC_INFORMATION
41.     BaseAddress AS LONG
42.     AllocationBase AS LONG
43.     AllocationProtect AS LONG
44.     RegionSize AS LONG
45.     State AS LONG
46.     Protect AS LONG
47.     Type AS LONG
48.     END TYPE
49. $END IF
50.  
51. DECLARE DYNAMIC LIBRARY "Kernel32"
52.     FUNCTION OpenProcess& (BYVAL dwDesiredAccess AS LONG, BYVAL bInheritHandle AS _BYTE, BYVAL dwProcessID AS LONG)
53.     SUB GetSystemInfo (BYVAL lpSystemInfo AS _OFFSET)
54.     FUNCTION VirtualQueryEx& (BYVAL hProcess AS LONG, BYVAL lpAddress AS _OFFSET, BYVAL lpBuffer AS _OFFSET, BYVAL dwLength AS LONG)
55.     FUNCTION ReadProcessMemory%% (BYVAL hProcess AS LONG, BYVAL lpBaseAddress AS _OFFSET, BYVAL lpBuffer AS _OFFSET, BYVAL nSize AS LONG, BYVAL lpNumberOfBytesRead AS _OFFSET)
56.     FUNCTION WriteProcessMemory%% (BYVAL hProcess AS LONG, BYVAL lpBaseAddress AS _OFFSET, BYVAL lpBuffer AS _OFFSET, BYVAL nSize AS LONG, BYVAL lpNumberOfBytesWritten AS _OFFSET)
57.     FUNCTION GetCurrentProcessId& ()
58.     FUNCTION GetLastError& ()
59. END DECLARE
60.  
61. DECLARE CUSTOMTYPE LIBRARY "peekpoke"
62.     FUNCTION peekb~%% (BYVAL p AS _UNSIGNED _OFFSET) 'Byte
63.     'SUB pokeb (BYVAL p AS _UNSIGNED _OFFSET, BYVAL n AS _UNSIGNED _BYTE)
64. END DECLARE
65.  
66. DECLARE CUSTOMTYPE LIBRARY
67.     FUNCTION strlen& (BYVAL ptr AS _UNSIGNED _OFFSET)
68. END DECLARE
69.  
70. 'RelaunchAsAdmin 'if uncommented, will make the program launch as administrator (if not already running as administrator)
71.  
72. DIM someData AS STRING
73. someData = "Basic options" + CHR$(0) 'Whatever string you are searching for
74.  
75. DIM pid AS LONG
76. 'pid = GetCurrentProcessId
77. pid = 14264 'Whatever PID for program you want to change
78.  
79. DIM ret AS _OFFSET
80. ret = GetAddressOfData(pid, someData, LEN(someData), "hello!") 'replace "hello!" with whatever you want to attempt
81.  
82. IF ret THEN
83.     PRINT "Found at:"; ret
84.     PRINT PointerToString(ret)
85.     PRINT "Length of pointer string:"; PointerLen(ret)
86. ELSE
87.     PRINT "Not found"
88. END IF
89.  
90. SLEEP
91.  
92. FUNCTION GetAddressOfData%& (pid AS LONG, pdata AS STRING, plen AS LONG, change AS STRING)
93.     DIM process AS LONG
94.     process = OpenProcess(PROCESS_VM_READ OR PROCESS_QUERY_INFORMATION OR PROCESS_VM_WRITE OR PROCESS_VM_OPERATION, FALSE, pid)
95.     IF process THEN
96.         DIM si AS SYSTEM_INFO
97.         GetSystemInfo (_OFFSET(si))
98.         DIM info AS MEMORY_BASIC_INFORMATION
99.         DIM p AS _OFFSET
100.         DO
101.             IF VirtualQueryEx(process, p, _OFFSET(info), LEN(info)) = LEN(info) THEN
102.                 p = info.BaseAddress
103.                 REDIM chunk(info.RegionSize) AS STRING * 32
104.                 DIM bytesRead AS _UNSIGNED _INTEGER64
105.                 DIM processmemory AS LONG
106.                 IF ReadProcessMemory(process, p, _OFFSET(chunk(0)), info.RegionSize, _OFFSET(bytesRead)) THEN
107.                     PRINT "Bytes Read:"; bytesRead
108.                     DIM i AS LONG
109.                     FOR i = 0 TO bytesRead - plen
110.                         IF pdata = PointerToString(p + i) THEN
111.                             GetAddressOfData = p + i
112.                             DIM writes AS LONG
113.                             DIM bytesWritten AS LONG
114.                             writes = WriteProcessMemory(process, p + i, _OFFSET(change), LEN(change), _OFFSET(bytesWritten))
115.                             PRINT bytesWritten
116.                             EXIT FUNCTION
117.                         ELSE
118.                             chunk(i) = "" 'I don't know if this helps. I just figured it "might" free memory?
119.                         END IF
120.                     NEXT
121.                 END IF
122.                 p = p + info.RegionSize
123.             ELSE
124.                 PRINT "0X" + HEX$(GetLastError)
125.                 EXIT FUNCTION
126.             END IF
127.         LOOP WHILE p < si.lpMaximumApplicationAddress
128.     END IF
129. END FUNCTION
130.  
131. FUNCTION PointerToString$ (value AS _OFFSET)
132.     DIM x AS _UNSIGNED INTEGER
133.     DIM offtostring AS STRING
134.     FOR x = 0 TO PointerLen(value)
135.         offtostring = offtostring + CHR$(peekb(value + x))
136.     NEXT
137.     PointerToString = offtostring
138. END FUNCTION
139.  
140. FUNCTION PointerLen& (value AS _OFFSET)
141.     PointerLen = strlen(value)
142. END FUNCTION
143.  
144. SUB RelaunchAsAdmin
145.     DIM adminCheck AS LONG
146.     adminCheck = _SHELLHIDE(">nul 2>&1 " + CHR$(34) + "%SYSTEMROOT%\system32\cacls.exe" + CHR$(34) + " " + CHR$(34) + "%SYSTEMROOT%\system32\config\system" + CHR$(34))
147.     IF adminCheck = 5 THEN 'Not running as administrator
148.         SHELL _HIDE _DONTWAIT "PowerShell Start-Process " + "'" + CHR$(34) + COMMAND$(0) + CHR$(34) + "'" + " -Verb runAs"
149.         SYSTEM
150.     ELSE
151.         EXIT SUB
152.     END IF
153. END SUB

[SpriggsySpriggs]

Never mind! Got it figured out! Going to eventually post a tutorial on making trainers in QB64! Painstaking process, but fun!

Code requires use of threadstack.exe which I have conveniently attached. (not tested in 32 bit compilations as of yet)

Current source (for Hitman Blood Money (retail) Infinite Ammo hack):

Code: QB64: [Select]

1. OPTION _EXPLICIT
2.  
3. $IF 64BIT THEN
4.     TYPE PROCESSENTRY32
5.         dwSize AS LONG
6.         cntUsage AS LONG
7.         th32ProcessID AS _INTEGER64
8.         th32DefaultHeapID AS _UNSIGNED _INTEGER64
9.         th32ModuleID AS LONG
10.         cntThreads AS LONG
11.         th32ParentProcessID AS LONG
12.         pcPriClassBase AS LONG
13.         dwFlags AS LONG
14.         szExeFile AS STRING * 260
15.     END TYPE
16. $ELSE
17.     TYPE PROCESSENTRY32
18.     dwSize AS LONG
19.     cntUsage AS LONG
20.     th32ProcessID AS LONG
21.     th32DefaultHeapID AS _UNSIGNED LONG
22.     th32ModuleID AS LONG
23.     cntThreads AS LONG
24.     th32ParentProcessID AS LONG
25.     pcPriClassBase AS LONG
26.     dwFlags AS LONG
27.     szExeFile AS STRING * 260
28.     END TYPE
29. $END IF
30.  
31. CONST PROCESS_VM_READ = &H0010
32. CONST PROCESS_QUERY_INFORMATION = &H0400
33. CONST PROCESS_VM_WRITE = &H0020
34. CONST PROCESS_VM_OPERATION = &H0008
35.  
36. CONST TRUE = -1
37. CONST FALSE = 0
38.  
39. CONST TH32CS_INHERIT = &H80000000
40. CONST TH32CS_SNAPHEAPLIST = &H00000001
41. CONST TH32CS_SNAPMODULE = &H00000008
42. CONST TH32CS_SNAPMODULE32 = &H00000010
43. CONST TH32CS_SNAPPROCESS = &H00000002
44. CONST TH32CS_SNAPTHREAD = &H00000004
45. CONST TH32CS_SNAPALL = TH32CS_SNAPHEAPLIST OR TH32CS_SNAPMODULE OR TH32CS_SNAPPROCESS OR TH32CS_SNAPTHREAD
46.  
47. CONST STANDARD_RIGHTS_REQUIRED = &H000F0000
48. CONST SYNCHRONIZE = &H00100000
49. CONST PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED OR SYNCHRONIZE OR &HFFFF
50.  
51. DECLARE DYNAMIC LIBRARY "Kernel32"
52.     FUNCTION CreateToolhelp32Snapshot& (BYVAL dwFlags AS LONG, BYVAL th32ProcessID AS LONG)
53.     FUNCTION Process32First%% (BYVAL hSnapshot AS LONG, BYVAL lppe AS _OFFSET)
54.     FUNCTION Process32Next%% (BYVAL hSnapshot AS LONG, BYVAL lppe AS _OFFSET)
55.     FUNCTION OpenProcess& (BYVAL dwDesiredAccess AS LONG, BYVAL bInheritHandle AS _BYTE, BYVAL dwProcessId AS LONG)
56.     FUNCTION ReadProcessMemory%% (BYVAL hProcess AS LONG, BYVAL lpBaseAddress AS _OFFSET, BYVAL lpBuffer AS _OFFSET, BYVAL nSize AS LONG, BYVAL lpNumberOfBytesRead AS _OFFSET)
57.     FUNCTION WriteProcessMemory%% (BYVAL hProcess AS LONG, BYVAL lpBaseAddress AS _OFFSET, BYVAL lpBuffer AS _OFFSET, BYVAL nSize AS LONG, BYVAL lpNumberOfBytesWritten AS _OFFSET)
58.     FUNCTION CloseHandle%% (BYVAL hObject AS LONG)
59. END DECLARE
60.  
61. DECLARE DYNAMIC LIBRARY "User32"
62.     FUNCTION GetKeyState% (BYVAL nVirtKey AS LONG) 'reads Windows key presses independently
63.     FUNCTION MessageBeep%% (BYVAL uType AS _UNSIGNED INTEGER)
64. END DECLARE
65.  
66. DIM hProcessSnap AS LONG
67. DIM SHARED hProcess AS LONG
68. DIM pe32 AS PROCESSENTRY32
69.  
70. DIM SHARED doInfAmmo AS _BYTE
71. DIM ammolevel AS INTEGER
72. doInfAmmo = FALSE
73. DIM SHARED InfiniteAmmoAddress AS _OFFSET
74. DIM SHARED startaddress AS _OFFSET
75. startaddress = &H00000DD8
76. DIM SHARED ammo_offsets(7) AS LONG
77.  
78. ammo_offsets(1) = &HB4
79. ammo_offsets(2) = &H10
80. ammo_offsets(3) = &H4
81. ammo_offsets(4) = &H10
82. ammo_offsets(5) = &H24
83. ammo_offsets(6) = &HB0
84. ammo_offsets(7) = &H94
85.  
86. hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
87. pe32.dwSize = LEN(pe32)
88.  
89. IF Process32First(hProcessSnap, _OFFSET(pe32)) THEN
90.     WHILE Process32Next(hProcessSnap, _OFFSET(pe32))
91.         IF _STRCMP(LEFT$(pe32.szExeFile, INSTR(pe32.szExeFile, ".exe" + CHR$(0)) + 3), "HitmanBloodMoney.exe") = 0 THEN
92.             hProcess = OpenProcess(PROCESS_VM_READ OR PROCESS_QUERY_INFORMATION OR PROCESS_VM_WRITE OR PROCESS_VM_OPERATION, FALSE, pe32.th32ProcessID)
93.             DIM SHARED threadaddress AS LONG
94.             threadaddress = GetThread0Address(pe32.th32ProcessID)
95.             InfiniteAmmoAddress = threadaddress - startaddress
96.  
97.             DIM memo AS _BYTE
98.             DIM result AS _UNSIGNED LONG
99.             memo = ReadProcessMemory(hProcess, InfiniteAmmoAddress, _OFFSET(result), 4, 0)
100.             PRINT HEX$(result)
101.             InfiniteAmmoAddress = result
102.             DIM x AS INTEGER
103.             FOR x = 1 TO 6
104.                 result = 0
105.                 memo = ReadProcessMemory(hProcess, InfiniteAmmoAddress + ammo_offsets(x), _OFFSET(result), 4, 0)
106.                 InfiniteAmmoAddress = result
107.             NEXT
108.             InfiniteAmmoAddress = InfiniteAmmoAddress + ammo_offsets(7)
109.             EXIT WHILE
110.         END IF
111.     WEND
112.     DIM closeh AS LONG
113.     closeh = CloseHandle(hProcessSnap)
114.     IF hProcess = 0 THEN
115.         PRINT "Hitman Blood Money not found"
116.     ELSE
117.         TrainerScreen
118.         WHILE INKEY$ <> CHR$(27)
119.             IF GetKeyState(113) < 0 THEN
120.                 doInfAmmo = NOT doInfAmmo
121.                 DIM procmemory AS _BYTE
122.                 procmemory = ReadProcessMemory(hProcess, InfiniteAmmoAddress, _OFFSET(ammolevel), 4, 0)
123.                 TrainerScreen
124.                 BEEP
125.             END IF
126.             IF doInfAmmo THEN
127.                 ammolevel = 999
128.                 procmemory = WriteProcessMemory(hProcess, InfiniteAmmoAddress, _OFFSET(ammolevel), 4, 0)
129.             END IF
130.         WEND
131.         closeh = CloseHandle(hProcess)
132.     END IF
133. END IF
134.  
135. SUB TrainerScreen
136.     CLS
137.     PRINT HEX$(InfiniteAmmoAddress)
138.     IF doInfAmmo THEN PRINT "[F2] - INFINITE AMMO [ENABLED]" ELSE PRINT "[F2] - INFINITE AMMO [DISABLED]"
139.     _DISPLAY
140. END SUB
141.  
142. FUNCTION GetThread0Address& (PID AS LONG)
143.     SHELL _HIDE "cmd /c threadstack " + _TRIM$(STR$(PID)) + " > " + "threadstack"
144.     OPEN "threadstack" FOR BINARY AS #1
145.     DIM threadline AS STRING
146.     DO
147.         IF NOT EOF(1) THEN
148.             LINE INPUT #1, threadline
149.         END IF
150.     LOOP UNTIL INSTR(threadline, "THREADSTACK 0 BASE ADDRESS: ") OR EOF(1)
151.     threadline = RIGHT$(threadline, LEN(threadline) - INSTR(threadline, "THREADSTACK 0 BASE ADDRESS: ") - LEN("THREADSTACK 0 BASE ADDRESS: ") - 1)
152.     KILL "threadstack"
153.     GetThread0Address = VAL("&H" + threadline)
154. END FUNCTION

Video showing me using the code: