I am trying to explore win32 for a bit, and trying to find a string of a variable or something in memory of another process.
I have started notepad, written "hello", and cant find it in its memory dumb, also did the same with python interperter, saving a variable.
Im not sure whats even the issue here, tbh, as it seems like i went through the API allrigh...
my code:
from pymem.ressources.structure import MEMORY_BASIC_INFORMATION, SYSTEM_INFO
from ctypes import windll, wintypes as w, POINTER, c_size_t
from pymem import Pymem
from ctypes import byref, sizeof, c_ulonglong, create_string_buffer
import win32security, win32api
VIRTUALQUERYEX = windll.kernel32.VirtualQueryEx
VIRTUALQUERYEX.argtypes = w.HANDLE, w.LPCVOID, POINTER(MEMORY_BASIC_INFORMATION), c_size_t
GETSYSTEMINFO = windll.kernel32.GetSystemInfo
READPROCESSMEMORY = windll.kernel32.ReadProcessMemory
READPROCESSMEMORY.argtypes = w.HANDLE, w.LPCVOID, w.LPVOID, c_size_t, POINTER(c_size_t)
READPROCESSMEMORY.restype = w.BOOL
MEM_COMMIT = 0x1000
MEM_IMAGE_TYPE = 0x1000000
MEM_MAPPED_TYPE = 0x40000
MEM_PRIVATE_TYPE = 0x20000
def get_system_info():
system_info = SYSTEM_INFO()
GETSYSTEMINFO(byref(system_info))
return system_info
def AdjustPrivilege(priv):
flags = win32security.TOKEN_ADJUST_PRIVILEGES | win32security.TOKEN_QUERY
htoken = win32security.OpenProcessToken(win32api.GetCurrentProcess(), flags)
id = win32security.LookupPrivilegeValue(None, priv)
newPrivileges = [(id, win32security.SE_PRIVILEGE_ENABLED)]
val = win32security.AdjustTokenPrivileges(htoken, 0, newPrivileges)
print(val)
print(win32api.GetLastError())
process_handle = Pymem()
process_handle.open_process_from_id(41616)
AdjustPrivilege("seDebugPrivilege")
system_info = get_system_info()
min_addr = system_info.lpMinimumApplicationAddress
max_addr = system_info.lpMaximumApplicationAddress
page_size = system_info.dwPageSize
memory_offset = min_addr
hello = b"\x68\x65\x6C\x6C\x6F"
while memory_offset < max_addr:
memory_basic_information = MEMORY_BASIC_INFORMATION()
count = c_ulonglong(0)
if VIRTUALQUERYEX(
process_handle.process_handle,
memory_offset,
byref(memory_basic_information),
sizeof(memory_basic_information)
) == sizeof(memory_basic_information):
memory_offset = memory_basic_information.BaseAddress
memory_commit_region = memory_basic_information.State & MEM_COMMIT
memory_type_mapped = memory_basic_information.Type & (MEM_MAPPED_TYPE | MEM_IMAGE_TYPE | MEM_PRIVATE_TYPE)
if memory_commit_region and memory_type_mapped:
buffer = create_string_buffer(memory_basic_information.RegionSize)
if READPROCESSMEMORY(
process_handle.process_handle,
memory_offset,
buffer,
memory_basic_information.RegionSize,
byref(count)
):
print(hello in buffer.raw)
if hello in buffer:
break
print(buffer.raw)
memory_offset += memory_basic_information.RegionSize
else:
memory_offset += page_size
The code is a bit long, so a short summary...
i am setting seDebugPrivilege privileges to my current process, looking through the GetSystemInfo Function to get the process memory boundries and page size, and then looping through mapped memory pages and looking for the hex value of "hello".
Am i doing anything wrong?
Thanks in advance.