19

If you could help me with this dilemma I have. Now, I know C \ C++, I know asm, I know about dll injection, I know about virtual memory addressing, but I just can't figure out how software like CheatEngine, and others, manage to change a variable's value in another process.

For those who don't know, 3rd party cheat engine tools can scan for values in the memory space of a program and identify the location of a variable with a given value and change it.

My question is, how do they do it?

Given an address, if I were to write C code, how could I change the value at that address belonging to another process without getting an invalid addressing error?

Thanks.

florin.bunau

4 Answers

13

I'm fairly certain those programs are pretending to be debuggers. On Windows, I would start with DebugActiveProcess() and go from there.

Oh, and the very useful looking ReadProcessMemory() function (and WriteProcessMemory()).

i_am_jorf
  • Thanks, this is what I was looking for, works great. (For others reading this solution, be sure to use DebugActiveProcessStop when done) – florin.bunau Jun 06 '09 at 17:16
  • Be sure to call DebugSetProcessKillOnExit() if you don't want the process you're debugging to die after you're done debugging it. – mrduclaw Jul 17 '09 at 22:10
5

On unix: ptrace()

Thomas
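The ptrace() route named in this answer, as an added example that is not part of the original answer: a Linux program forks its own child, which consents with PTRACE_TRACEME, then reads and overwrites one variable in the child's address space. The names `score` and `poke_child_score` are hypothetical; tracing a process that is not your own child needs PTRACE_ATTACH instead and is subject to the kernel's ptrace permission checks.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample variable. After fork() the child holds its own copy
 * at the same virtual address, in a separate address space. */
static volatile long score = 100;

/* Forks a child, traces it, and overwrites `score` in the child's memory.
 * Stores the child's previous value in *old_value and returns the value the
 * child reports through its exit status, or -1 on error. */
int poke_child_score(long new_value, long *old_value)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: consent to tracing by the parent, then stop and wait. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(255);
        raise(SIGSTOP);
        _exit((int)(score & 0x7f)); /* report what the child now sees */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        goto fail;
    errno = 0; /* PEEKDATA returns the word itself, so -1 may be valid data */
    *old_value = ptrace(PTRACE_PEEKDATA, pid, (void *)&score, NULL);
    if (*old_value == -1 && errno != 0)
        goto fail;
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&score, (void *)new_value) == -1)
        goto fail;
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1) /* resume, no signal */
        goto fail;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
fail:
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return -1;
}

int main(void)
{
    long old = 0;
    printf("child saw %d\n", poke_child_score(42, &old));
    return 0;
}
```

The parent's own `score` stays at 100 throughout: the write goes through the kernel into the child's address space, which is why a plain pointer dereference from another process cannot do the same thing.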
3

You can't do this with Standard C or C++ - you have to use operating system specific features. So you need to tell us which OS you are interested in.

  • Sorry, I did not specify. I am interested in Windows, but Linux would be great too; I am curious to try it there also – florin.bunau Jun 06 '09 at 16:12
2

You may also be interested in Detours:

Software packaged for detouring Win32 and application APIs.

none
  • Thanks, read about detouring http://www.codingthewheel.com/archives/how-i-built-a-working-online-poker-bot-7. Fun experiment ASCII \ graffiti bomb. Too bad it's not freely \ easily available for 64 bit – florin.bunau Jun 06 '09 at 17:21