1

I am trying to explore win32 for a bit, and trying to find a string of a variable or something in memory of another process.

I have started notepad, written "hello", and cant find it in its memory dumb, also did the same with python interperter, saving a variable.

Im not sure whats even the issue here, tbh, as it seems like i went through the API allrigh...

my code:

from pymem.ressources.structure import MEMORY_BASIC_INFORMATION, SYSTEM_INFO
from ctypes import windll, wintypes as w, POINTER, c_size_t
from pymem import Pymem
from ctypes import byref, sizeof, c_ulonglong, create_string_buffer
import win32security, win32api

VIRTUALQUERYEX = windll.kernel32.VirtualQueryEx
VIRTUALQUERYEX.argtypes = w.HANDLE, w.LPCVOID, POINTER(MEMORY_BASIC_INFORMATION), c_size_t
GETSYSTEMINFO = windll.kernel32.GetSystemInfo
READPROCESSMEMORY = windll.kernel32.ReadProcessMemory
READPROCESSMEMORY.argtypes = w.HANDLE, w.LPCVOID, w.LPVOID, c_size_t, POINTER(c_size_t)
READPROCESSMEMORY.restype = w.BOOL

MEM_COMMIT = 0x1000

MEM_IMAGE_TYPE = 0x1000000
MEM_MAPPED_TYPE = 0x40000
MEM_PRIVATE_TYPE = 0x20000


def get_system_info():
    system_info = SYSTEM_INFO()
    GETSYSTEMINFO(byref(system_info))
    return system_info


def AdjustPrivilege(priv):
    flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY
    htoken = win32security.OpenProcessToken(win32api.GetCurrentProcess(), flags)
    id = win32security.LookupPrivilegeValue(None, priv)
    newPrivileges = [(id, win32security.SE_PRIVILEGE_ENABLED)]
    val = win32security.AdjustTokenPrivileges(htoken, 0, newPrivileges)
    print(val)
    print(win32api.GetLastError())

process_handle = Pymem()
process_handle.open_process_from_id(41616)
AdjustPrivilege("seDebugPrivilege")
system_info = get_system_info()
min_addr = system_info.lpMinimumApplicationAddress
max_addr = system_info.lpMaximumApplicationAddress
page_size = system_info.dwPageSize
memory_offset = min_addr
hello = b"\x68\x65\x6C\x6C\x6F"


while memory_offset < max_addr:
    memory_basic_information = MEMORY_BASIC_INFORMATION()
    count = c_ulonglong(0)
    if VIRTUALQUERYEX(
            process_handle.process_handle,
            memory_offset,
            byref(memory_basic_information),
            sizeof(memory_basic_information)
    ) == sizeof(memory_basic_information):
        memory_offset = memory_basic_information.BaseAddress

        memory_commit_region = memory_basic_information.State & MEM_COMMIT
        memory_type_mapped = memory_basic_information.Type & (MEM_MAPPED_TYPE | MEM_IMAGE_TYPE | MEM_PRIVATE_TYPE)
        if memory_commit_region and memory_type_mapped:
            buffer = create_string_buffer(memory_basic_information.RegionSize)
            if READPROCESSMEMORY(
                process_handle.process_handle,
                memory_offset,
                buffer,
                memory_basic_information.RegionSize,
                byref(count)
            ):
                print(hello in buffer.raw)
                if hello in buffer:
                    break
                print(buffer.raw)
            memory_offset += memory_basic_information.RegionSize
        else:
            memory_offset += page_size

The code is a bit long, so a short summary...

i am setting seDebugPrivilege privileges to my current process, looking through the GetSystemInfo Function to get the process memory boundries and page size, and then looping through mapped memory pages and looking for the hex value of "hello".

Am i doing anything wrong?

Thanks in advance.

Improve this question
5
  • 2
    Windows is Unicode-based, so as Notepad, so as almost everything in Windows, so you might want to change your hello variable definition. Commented Jul 27, 2022 at 15:14
  • @SimonMourier thanks for the fast comment, isnt all strings in python3 are unicode based as well? also, i tried to encode it to unicode on some websites online, and it seems to be the same hex bytes Commented Jul 27, 2022 at 15:28
  • 1
    I don't know much about python. Maybe you can try simply hello = "hello" and use create_unicode_buffer instead of create_string_buffer over raw memory, or something like that Commented Jul 27, 2022 at 15:30
  • 3
    Unicode consists of two parts: 1 A database that maps numeric values (code points) to character(-like) entities, and 2 several ways to encode code points into sequences of octets. The former is fixed while the latter allows clients to make choices. Windows settled on UTF-16LE, so you would need to add a \0x00 after each ASCII character in your code to transform your ASCII encoding (which happens to be UTF-8) into UTF-16LE. Commented Jul 27, 2022 at 16:29
  • @IInspectable it still doesnt seem to work, but i did find some other (hard coded words) of some dll and stuff that way, so that means the encoding is now correct. i guess i will try to do that in c++ to check if its the matter or anything, tbh at this point i dont even know what to look for.. Commented Jul 28, 2022 at 13:12
Related questions
1
ReadProcessMemory keeps returning 0
17
How can I read the memory of another process in Python in Windows?
5
Read process memory of a process does not return everything
Load 7 more related questions Show fewer related questions

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.