
I need to read a program's memory from a different application. I have the whole process and application 'connection' in place.

I have a function that searches for a pattern in the memory of the opened process and that, thanks to a signature, returns a valid entry point to the function I'm interested in.

Problem is, the assembly instruction that leads me to the data (which I can't find through an offset or signature) is the following:

```
H5Calc.exe+12DDC5B - E8 10F1FFFF           - call H5Calc.exe+12DCD70
```

I've searched around and found that this might serve my purpose:

```c
return (MainClass*) *(DWORD*) PatternPointer;
```

but the problem is that the line above would only work with 'injection', and I'm using ReadProcessMemory since I'm not allowed to do that.

So, can somebody help 'translating' the

```c
(MainClass*) *(DWORD*) PatternPointer;
```

pointer operation into a ReadProcessMemory call, considering the assembly instruction? Given that I'm opening it from another application, I don't have access to the H5Calc memory area except via ReadProcessMemory (which I can call regularly for other operations).

Any help appreciated.

Thanks.

  • `ReadProcessMemory(hProc, (void *)0x12DCD70, &data, sizeof data, NULL);`, maybe? (assuming that `data` is a `DWORD` or a pointer, of course.) –  Oct 29 '13 at 06:42
  • I agree that seems logical, but I can't figure out how to get `'12dcd70'` from the `'e8 10f1ffff'` nor from the `12ddc5b <= this one is the address I get to from the signature` :( – Alpha cockroach Oct 29 '13 at 06:50
  • it's on the right side of the code you posted... –  Oct 29 '13 at 07:02
  • Truly, but that's debug information from the debugger. While using my pattern-finding routine, that information is unknown and I only have access to the `e8 10f1ffff` byte sequence. – Alpha cockroach Oct 29 '13 at 07:13
  • In that case, [here's how you can do that](http://stackoverflow.com/questions/10376787/need-help-understanding-e8-asm-call-instruction-x86). –  Oct 29 '13 at 07:27
  • Please make an answer out of your comment so that I can accept it and close the question. – Alpha cockroach Oct 30 '13 at 03:44

2 Answers


You can calculate the actual address as described here, i.e., you take the address of the instruction following the jump, which is

0x12DDC5B + 5 = 0x12DDC60

then you take the offset which is a 32-bit little endian 2's complement signed integer, so

"0x10 0xF1 0xFF 0xFF" = 0xFFFFF110 - 0x100000000 = -0xEF0

Then you add the offset to the base address computed above to obtain

0x12DDC60 + (-0xEF0) = 0x12DCD70

In C, this would look something like:

```c
#include <windows.h>
#include <stdint.h>

unsigned char *jmp_ptr = (unsigned char *)0x12DDC5B;   /* address of the E8 opcode byte */
int32_t offset;                                        /* rel32 operand: 32-bit little-endian two's complement */
ReadProcessMemory(hProc, jmp_ptr + 1, &offset, sizeof offset, NULL);
unsigned char *target_ptr = jmp_ptr + 5 + offset;      /* next instruction (E8 + 4 bytes) plus the signed offset */
```

(apply stylistic mash-ups to obtain C++ code. Also check the return value of the function, etc.)

You can now feed the resulting address to another call to ReadProcessMemory() in order to obtain the pointer to the instance:

```c
MainClass *instance = NULL;
ReadProcessMemory(hProc, target_ptr, &instance, sizeof instance, NULL);
```
  • This works perfectly, however I now have what seems a similar issue: `H5Calc.exe+989E2A - 8B 0D 888C1D03 - mov ecx,[H5Calc.exe+2DD8C88]` By debugging memory, I think that should lead me to 002BC768, but the above logic doesn't seem to apply. (damn, can't we put line breaks in comments?) I realize the MOV instruction supports both values and addresses on the right side, yet I fail to understand how `888C1D03` is to be interpreted. – Alpha cockroach Nov 03 '13 at 11:19
  • @Alphacockroach I guess the `mov` instruction doesn't have the same binary encoding scheme that the `call` instruction has. –  Nov 03 '13 at 18:02
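The following is an added, self-contained example (not code from the answer or from the asker) that carries the accepted answer's arithmetic through in C for both instruction forms quoted in this thread: the `E8 rel32` call and the `8B 0D disp32` `mov ecx,[...]` from the follow-up comment. Because ReadProcessMemory is Windows-only and needs a live process, it is replaced here by a reader callback over a constructed byte image, so the decoding logic runs offline; the callback has the same "read n bytes at address" shape, so a real `ReadProcessMemory` wrapper drops in unchanged. Two assumptions to be aware of: the `H5Calc.exe+...` addresses shown by the debugger are module-relative, so a real read needs module base plus that value (the answer's snippet passes the relative value directly, which only works if the module is loaded at 0); and the module base of 0x00400000 used below is derived from the comment's own bytes (`88 8C 1D 03` = 0x031D8C88, minus the debugger's `H5Calc.exe+2DD8C88`). The bytes stored at the call target are a constructed placeholder. The `mov` decoding assumes 32-bit code, where ModRM `0D` means a plain absolute `disp32`; in 64-bit code the same encoding would be RIP-relative.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for ReadProcessMemory: copy n bytes at addr into buf; 1 = ok, 0 = unreadable. */
typedef int (*read_mem_fn)(void *ctx, uint32_t addr, void *buf, size_t n);

/* Constructed address-space image: a few byte regions at the addresses the thread quotes. */
typedef struct { uint32_t addr; const uint8_t *bytes; size_t len; } region_t;
typedef struct { const region_t *regions; size_t count; } fake_image_t;

static int fake_read(void *ctx, uint32_t addr, void *buf, size_t n) {
    const fake_image_t *img = ctx;
    for (size_t i = 0; i < img->count; i++) {
        const region_t *r = &img->regions[i];
        if (addr >= r->addr && addr + n <= r->addr + r->len) {
            memcpy(buf, r->bytes + (addr - r->addr), n);
            return 1;
        }
    }
    return 0;  /* the range is not mapped in our image, like a failed ReadProcessMemory */
}

/* Little-endian 32-bit load, independent of host byte order. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* E8 rel32: target = address of the next instruction (insn_addr + 5) + sign-extended rel32.
 * The cast to int32_t is the two's-complement sign extension the answer describes. */
int decode_call_rel32(uint32_t insn_addr, const uint8_t *b, size_t len, uint32_t *target) {
    if (len < 5 || b[0] != 0xE8) return 0;
    int32_t rel = (int32_t)le32(b + 1);
    *target = insn_addr + 5 + (uint32_t)rel;   /* wraps modulo 2^32, exactly as the CPU does */
    return 1;
}

/* 8B 0D disp32 = "mov ecx, [disp32]" in 32-bit code: the 4 bytes are an absolute address,
 * not an offset from the instruction, which is why the call arithmetic does not apply. */
int decode_mov_ecx_abs32(const uint8_t *b, size_t len, uint32_t *addr) {
    if (len < 6 || b[0] != 0x8B || b[1] != 0x0D) return 0;
    *addr = le32(b + 2);
    return 1;
}

/* The answer's two-step read: fetch the call at base+rva, decode its target, then read
 * the 4-byte value stored at that target. Every read is checked; 0 means failure. */
int resolve_call_and_deref(read_mem_fn rd, void *ctx, uint32_t base, uint32_t rva,
                           uint32_t *target, uint32_t *value) {
    uint8_t insn[5], v[4];
    if (!rd(ctx, base + rva, insn, sizeof insn)) return 0;
    if (!decode_call_rel32(base + rva, insn, sizeof insn, target)) return 0;
    if (!rd(ctx, *target, v, sizeof v)) return 0;
    *value = le32(v);
    return 1;
}

/* Constructed sample data, using the bytes quoted in the question and the comment. */
#define MODULE_BASE 0x00400000u  /* assumption derived above: 0x031D8C88 - 0x02DD8C88 */
static const uint8_t call_bytes[]   = { 0xE8, 0x10, 0xF1, 0xFF, 0xFF };        /* call H5Calc.exe+12DCD70 */
static const uint8_t mov_bytes[]    = { 0x8B, 0x0D, 0x88, 0x8C, 0x1D, 0x03 };  /* mov ecx,[H5Calc.exe+2DD8C88] */
static const uint8_t target_bytes[] = { 0x78, 0x56, 0x34, 0x12 };              /* placeholder value 0x12345678 */
static const region_t regions[] = {
    { MODULE_BASE + 0x12DDC5Bu, call_bytes,   sizeof call_bytes },
    { MODULE_BASE + 0x12DCD70u, target_bytes, sizeof target_bytes },
    { MODULE_BASE + 0x989E2Au,  mov_bytes,    sizeof mov_bytes },
};
static fake_image_t image = { regions, sizeof regions / sizeof regions[0] };

/* Run the thread's call example against the constructed image. */
int demo_call(uint32_t *target, uint32_t *value) {
    return resolve_call_and_deref(fake_read, &image, MODULE_BASE, 0x12DDC5Bu, target, value);
}

/* Run the comment's mov example: read 6 bytes at base+RVA and decode the absolute address. */
int demo_mov(uint32_t *addr) {
    uint8_t insn[6];
    if (!fake_read(&image, MODULE_BASE + 0x989E2Au, insn, sizeof insn)) return 0;
    return decode_mov_ecx_abs32(insn, sizeof insn, addr);
}

int main(void) {
    uint32_t t, v, a;
    if (demo_call(&t, &v))
        printf("call target = 0x%08X (module+0x%X), value there = 0x%08X\n", t, t - MODULE_BASE, v);
    if (demo_mov(&a))
        printf("mov reads from 0x%08X (module+0x%X)\n", a, a - MODULE_BASE);
    return 0;
}
```

With the base set to 0 the call decoder reproduces the answer's 0x12DCD70 exactly; with the derived base it yields module+0x12DCD70, which is what a real read needs. The mov case needs no arithmetic at all: the displacement is already the absolute address, which is the point the last comment hints at.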

You could use shared memory between processes. If you want to know how to do this I can post some code. The Windows API uses CreateFileMapping() and MapViewOfFile(). Then both processes can see the same memory.

resigned
  • Thanks, but I don't need actual communication between the processes right now. I just needed to understand how to interpret the ASM and be able to use ReadProcessMemory to perform the required operations. – Alpha cockroach Oct 30 '13 at 03:45