0

I have injected my DLL into a process and I try to scan memory for addresses with the same value as mine, but it results in a crash after I get the 1st address; it should be 10 addresses.

for(DWORD i = MEM_START; i< MEM_END ;i++)
{
    VirtualQuery((void*)i,pMemInfo,sizeof(MEMORY_BASIC_INFORMATION));
    if(pMemInfo->AllocationProtect == PAGE_READONLY || PAGE_EXECUTE_WRITECOPY || PAGE_READWRITE || PAGE_WRITECOMBINE)
    {
        if(*(DWORD*)i==1337)
        {
           addresses.push_back(i);
        }
    } 
}

I believe my protection check is wrong but not quite sure.

user1892003
  • Can you explain the problem you're trying to solve where you think scanning memory will help? Memory scanning is inherently unreliable as an engineering technique, and accessing guard pages can crash the application. – Raymond Chen Jan 03 '13 at 16:50
  • Well, the application has multiple managers which all have a value of 0810312, and the pointers always change so I cannot use them to get the right addresses, and yes, these are the only addresses which have 0810312 as their int value – user1892003 Jan 03 '13 at 18:24

3 Answers

4

virtual memory scanner

MEMORY_BASIC_INFORMATION mbi = {0};
unsigned char *pAddress   = NULL,
              *pEndRegion = NULL;

DWORD   dwFindData          = 0xBAADF00D,
        dwProtectionMask    = PAGE_READONLY | PAGE_EXECUTE_WRITECOPY 
                              | PAGE_READWRITE | PAGE_WRITECOMBINE;

// VirtualQuery returns 0 once pEndRegion lies past the last region of user space
while( sizeof(mbi) == VirtualQuery(pEndRegion, &mbi, sizeof(mbi)) ){
    // walk the region actually reported: BaseAddress .. BaseAddress + RegionSize
    pAddress   = (unsigned char*)mbi.BaseAddress;
    pEndRegion = pAddress + mbi.RegionSize;
    // only committed pages are backed by memory; test the current Protect (AllocationProtect
    // is the protection at allocation time) and never touch a PAGE_GUARD page
    if ((mbi.State == MEM_COMMIT) && (mbi.Protect & dwProtectionMask) && !(mbi.Protect & PAGE_GUARD)){
         // stop sizeof(DWORD) early so the 4-byte read cannot run past the region end
         for (; pAddress + sizeof(DWORD) <= pEndRegion ; pAddress++){
             if (*(DWORD*)pAddress == dwFindData){
                 // dostaff  
             }
         }
    }
}
Serg
  • Still results in a crash as soon as I call it – user1892003 Jan 03 '13 at 12:33
  • The application I inject the DLL into is 32-bit, and the scan works on the 1st result, but after that it reaches unallocated or protected memory and then it crashes. I inserted break; when it finds the first address, but it seems that VirtualQuery is crashing it; in my original code, if I use break it will print out one address – user1892003 Jan 03 '13 at 12:50
1

Yes, several mistakes. You'll need to use the | operator instead of ||. The value of i is not meaningful, you must use MEMORY_BASIC_INFORMATION.AllocationBase to find where a region begins. And .RegionSize to know how big it is. The next value you pass to VirtualQuery should be .AllocationBase + .RegionSize to find the next region.

Hans Passant
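The region walk that Serg's code sketches and Hans describes (query a region, read only inside it, then query again at its end) written out in full, as an added example that is not code from the question or from any of the answers. The `RegionInfo` struct, the `k`-prefixed constants (values copied from winnt.h) and the `FakeSpace` stand-in for `VirtualQuery` are assumptions made so the walk can be built and run on any platform; `win32Query` is the only part that touches the real API and is compiled on Windows only. The point it demonstrates is the crash in the question: the only pages worth reading are committed, readable and not `PAGE_GUARD`, and the read must never straddle the end of a region.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <vector>

// Mirror of the MEMORY_BASIC_INFORMATION fields the scan needs (hypothetical portable layer).
struct RegionInfo {
    uintptr_t base;     // BaseAddress of the region VirtualQuery reported
    size_t    size;     // RegionSize
    uint32_t  state;    // MEM_COMMIT / MEM_RESERVE / MEM_FREE
    uint32_t  protect;  // current Protect (not AllocationProtect); may carry PAGE_GUARD
};

// Constants as defined in <winnt.h>, renamed so the file also builds without windows.h.
constexpr uint32_t kMemCommit = 0x1000, kMemReserve = 0x2000, kMemFree = 0x10000;
constexpr uint32_t kPageNoAccess = 0x01, kPageReadOnly = 0x02, kPageReadWrite = 0x04,
                   kPageWriteCopy = 0x08, kPageExecuteRead = 0x20, kPageExecuteReadWrite = 0x40,
                   kPageExecuteWriteCopy = 0x80, kPageGuard = 0x100;

// Behaves like VirtualQuery: describe the region containing addr; false once past the last region.
using QueryFn = std::function<bool(uintptr_t, RegionInfo&)>;

// A read is only safe in a committed, readable, non-guard region: reserved/free pages fault, and a
// PAGE_GUARD page raises STATUS_GUARD_PAGE_VIOLATION on first touch (the crash in the question).
static bool isReadable(const RegionInfo& r) {
    if (r.state != kMemCommit || (r.protect & kPageGuard)) return false;
    const uint32_t readable = kPageReadOnly | kPageReadWrite | kPageWriteCopy | kPageExecuteRead |
                              kPageExecuteReadWrite | kPageExecuteWriteCopy;
    return (r.protect & readable) != 0;  // excludes PAGE_NOACCESS and execute-only pages
}

// Walk [start, end) one region at a time and return every address holding `needle`.
std::vector<uintptr_t> scanForValue(uint32_t needle, uintptr_t start, uintptr_t end,
                                    const QueryFn& query) {
    std::vector<uintptr_t> hits;
    RegionInfo info{};
    uintptr_t cursor = start;
    while (cursor < end && query(cursor, info)) {
        const uintptr_t regionEnd = info.base + info.size;
        if (isReadable(info)) {
            const uintptr_t from = std::max(cursor, info.base);
            const uintptr_t to   = std::min(regionEnd, end);
            // p + 4 <= to: the 4-byte read never straddles into the (possibly unmapped) next region
            for (uintptr_t p = from; p + sizeof(needle) <= to; ++p) {
                uint32_t v;
                std::memcpy(&v, reinterpret_cast<const void*>(p), sizeof v);  // unaligned-safe read
                if (v == needle) hits.push_back(p);
            }
        }
        cursor = regionEnd;  // next query at BaseAddress + RegionSize, never at cursor + 1
    }
    return hits;
}

#ifdef _WIN32
#define NOMINMAX
#include <windows.h>
// Adapter for a live process: wraps VirtualQuery, which returns 0 when no region describes addr.
static bool win32Query(uintptr_t addr, RegionInfo& info) {
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(reinterpret_cast<LPCVOID>(addr), &mbi, sizeof mbi) != sizeof mbi) return false;
    info = {reinterpret_cast<uintptr_t>(mbi.BaseAddress), static_cast<size_t>(mbi.RegionSize),
            static_cast<uint32_t>(mbi.State), static_cast<uint32_t>(mbi.Protect)};
    return true;
}
#endif

// Constructed stand-in for VirtualQuery built from ordinary buffers; gaps between them are
// reported as MEM_FREE, just as real free address space is.
struct FakeSpace {
    std::vector<RegionInfo> regions;
    bool query(uintptr_t addr, RegionInfo& out) const {
        const RegionInfo* next = nullptr;
        for (const auto& r : regions) {
            if (addr >= r.base && addr < r.base + r.size) { out = r; return true; }
            if (r.base > addr && (!next || r.base < next->base)) next = &r;
        }
        if (!next) return false;  // past the last region
        out = {addr, static_cast<size_t>(next->base - addr), kMemFree, kPageNoAccess};
        return true;
    }
};

// Demo on constructed data: offsets of 1337 inside the read-write buffer. The copy in the guard
// page must be skipped, the reserved region never touched, and the last DWORD still found.
std::vector<size_t> demoScan() {
    uint32_t rw[64] = {0}, guarded[16] = {0}, reserved[16] = {0};
    rw[2] = 1337; rw[25] = 1337; rw[63] = 1337; guarded[3] = 1337;
    FakeSpace space;
    space.regions = {
        {reinterpret_cast<uintptr_t>(rw), sizeof rw, kMemCommit, kPageReadWrite},
        {reinterpret_cast<uintptr_t>(guarded), sizeof guarded, kMemCommit, kPageReadWrite | kPageGuard},
        {reinterpret_cast<uintptr_t>(reserved), sizeof reserved, kMemReserve, kPageNoAccess},
    };
    uintptr_t lo = UINTPTR_MAX, hi = 0;
    for (const auto& r : space.regions) { lo = std::min(lo, r.base); hi = std::max(hi, r.base + r.size); }
    std::vector<uintptr_t> hits = scanForValue(1337, lo, hi,
        [&](uintptr_t a, RegionInfo& o) { return space.query(a, o); });
    std::vector<size_t> offsets;
    for (uintptr_t h : hits) offsets.push_back(h - reinterpret_cast<uintptr_t>(rw));
    return offsets;  // {8, 100, 252} on a little-endian machine
}

int main() {
    for (size_t off : demoScan()) std::printf("1337 at rw+%zu\n", off);
    return 0;
}
```

On Windows the same scanner runs against the live process with `scanForValue(1337, 0, 0x7FFFFFFF, win32Query)`; everything the `FakeSpace` version exercises (skipping free, reserved and guard pages, bounding the read, advancing by `BaseAddress + RegionSize`) is exactly what keeps that call from faulting.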
0

That's not how the || operator works. You may find it more readable to use a switch statement instead.

for (DWORD i = MEM_START; i < MEM_END ;i++)
{
    VirtualQuery((void*)i, pMemInfo, sizeof(MEMORY_BASIC_INFORMATION));
    switch (pMemInfo->AllocationProtect)
    {
    case PAGE_READONLY:
    case PAGE_EXECUTE_WRITECOPY:
    case PAGE_READWRITE:
    case PAGE_WRITECOMBINE:
        if(*(DWORD*)i==1337)
        {
           addresses.push_back(i);
        }
    } 
}
Neil
  • @HansPassant That's a little over-simplifying in the other direction, although I agree it looks as if `|` should work for his use case. – Neil Jan 03 '13 at 00:35
  • Still no idea how to do this..., it always results in a crash – user1892003 Jan 03 '13 at 12:14