
Using Cheat Engine I find an array of bytes at address 0x10456554. I want to find the array of bytes in C#, so I open the game process with permissions 0x1F0FFF (all access) first, then I do a ReadProcessMemory() from 0x00000000 - 0x7FFFFFFF (entire process) and that section of bytes (0x10000000, etc.) is all empty.

So I tried stepping through every module and dumping the data to individual dump files. However, that address section (0x10000000) was never dumped, almost like it got skipped over. Even Cheat Engine says that section of memory doesn't belong to a specific module. So I have no idea where it's coming from.

```csharp
public IntPtr pHandle = OpenProcess(0x1F0FFF, 1, id);
public Process procs = Process.GetProcessById(id);

//dump main module first
byte[] test = new byte[procs.MainModule.ModuleMemorySize];
ReadProcessMemory(pHandle, (UIntPtr)((int)procs.MainModule.BaseAddress), test, (UIntPtr)procs.MainModule.ModuleMemorySize, IntPtr.Zero);
File.WriteAllBytes(procs.MainModule.BaseAddress.ToString("x8") + " " + procs.MainModule.ModuleName + ".dmp", test);

//now dump all other modules
foreach (ProcessModule p in procs.Modules)
{
    byte[] test2 = new byte[p.ModuleMemorySize];
    ReadProcessMemory(pHandle, (UIntPtr)((int)p.BaseAddress), test2, (UIntPtr)p.ModuleMemorySize, IntPtr.Zero);
    File.WriteAllBytes(p.BaseAddress.ToString("x8") + " " + p.ModuleName + ".dmp", test2);
}
```
Jacob Fliss
  • If it doesn't belong to any module then it is allocated at runtime by `VirtualAlloc` for example. You don't even read those dynamic regions in your code. Why do you think that the memory around 0x10000000 is zeroes? I don't see where you read/write it – Tamas Hegedus Aug 02 '17 at 13:03
  • When I dump from 0x00000000 - 0x7FFFFFFF to a dump file and read with a hex reader section 0x10000000 is all 0's. – Jacob Fliss Aug 02 '17 at 13:43
  • Because you cannot read unallocated pages, the whole read will fail. If you check the output, not only 0x1000000 is zeroes but the whole array after. You can ensure if a read succeeded by checking the bytesReadCount out parameter – Tamas Hegedus Aug 03 '17 at 06:57

1 Answer

Thank you @Tamas Hegedus for answering. I found a good solution by using VirtualQueryEx with MEMORY_BASIC_INFORMATION.

I found this code at https://www.codeproject.com/Articles/716227/Csharp-How-to-Scan-a-Process-Memory

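```csharp
long proc_min_address_l = (long)procs.MainModule.BaseAddress;
long proc_max_address_l = (long)procs.VirtualMemorySize64;
// The loop queries through an IntPtr cursor, so declare it before first use.
IntPtr proc_min_address = new IntPtr(proc_min_address_l);

MEMORY_BASIC_INFORMATION mem_basic_info = new MEMORY_BASIC_INFORMATION();
while (proc_min_address_l < proc_max_address_l)
{
    // Describe the region that starts at the current cursor.
    VirtualQueryEx(pHandle, proc_min_address, out mem_basic_info, Marshal.SizeOf(mem_basic_info));
    // A zero size means the query failed; stop instead of looping forever.
    if ((int)mem_basic_info.RegionSize == 0) break;

    byte[] buffer = new byte[(int)mem_basic_info.RegionSize];
    UIntPtr test = (UIntPtr)((int)mem_basic_info.RegionSize);
    UIntPtr test2 = (UIntPtr)((int)mem_basic_info.BaseAddress);

    ReadProcessMemory(pHandle, test2, buffer, test, IntPtr.Zero);
    // Advance to the start of the next region.
    proc_min_address_l += (int)mem_basic_info.RegionSize;
    proc_min_address = new IntPtr(proc_min_address_l);
}
```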
Jacob Fliss
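The region walk this answer and the comments arrive at, written out as an added example that is not part of the original posts: query each region with VirtualQueryEx, read only committed and accessible ones, and check the bytes-read count instead of discarding it. It goes beyond the 32-bit case in the question by using pointer-sized fields, and it makes these assumptions: it reads the current process, and the class name, the 64 MB size cap and the output format are illustrative.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
static class RegionWalk // hypothetical name, added example
{
    const uint MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;
    const long MaxRegion = 64L << 20; // assumption: skip regions above 64 MB

    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize; // pointer-sized, so the layout fits x86 and x64
        public uint State, Protect, Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern UIntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, UIntPtr dwLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, UIntPtr nSize, out UIntPtr lpNumberOfBytesRead);

    static void Main()
    {
        // Assumption: walk our own process so the example needs no extra rights.
        IntPtr h = Process.GetCurrentProcess().Handle;
        UIntPtr mbiSize = (UIntPtr)(uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
        long addr = 0, end = IntPtr.Size == 4 ? 0x7FFFFFFFL : 0x7FFFFFFFFFFFL;
        while (addr < end)
        {
            MEMORY_BASIC_INFORMATION mbi;
            if (VirtualQueryEx(h, new IntPtr(addr), out mbi, mbiSize) == UIntPtr.Zero)
                break; // query failed: past the last user-mode address
            long size = mbi.RegionSize.ToInt64();
            // Free, reserved, no-access and guard pages cannot be read.
            bool readable = mbi.State == MEM_COMMIT
                && (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0;
            if (readable && size <= MaxRegion)
            {
                byte[] buf = new byte[size];
                UIntPtr got; // a short or failed read shows up here, not as silent zeroes
                bool ok = ReadProcessMemory(h, mbi.BaseAddress, buf, (UIntPtr)(ulong)size, out got);
                Console.WriteLine("{0:x8} size={1:x} ok={2} read={3:x}", addr, size, ok, got.ToUInt64());
            }
            addr = mbi.BaseAddress.ToInt64() + size; // next region
        }
    }
}
```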