Can VB Monitor Memory Changes
I'm trying to write a trainer creator for games using vb. In this, I need to pick a running process and be able to monitor changes it makes to memory locations.
Is this something VB can do, and if so, where do I start? Code examples would be of great help.
Thanks in advance
-Skip
Is this something VB can do, and if so, where do I start? Code examples would be of great help.
Thanks in advance
-Skip
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Bob, I'll check that out.
What I have:
Currently, I can list the running processes and select one.
I found code online that will allow me to write to a specific memory address (i.e. &HC847BC) but I'm not at that point yet
What I don't have yet:
hwnd = FindWindow(vbNullString, WinName) doesn't return a value even for a valid open window
From there I would like to search that processes memory space for a specific value, and store those values.
Then search within those values for the new value.
Once identified, I'd like to store that memory space into another list that I can modify in the future.
Also, I'd like it to save that information so i can come back to it another day.
What I have:
Currently, I can list the running processes and select one.
I found code online that will allow me to write to a specific memory address (i.e. &HC847BC) but I'm not at that point yet
What I don't have yet:
hwnd = FindWindow(vbNullString, WinName) doesn't return a value even for a valid open window
From there I would like to search that processes memory space for a specific value, and store those values.
Then search within those values for the new value.
Once identified, I'd like to store that memory space into another list that I can modify in the future.
Also, I'd like it to save that information so i can come back to it another day.
ASKER
iHadi,
the one solution you provided is very close. I just need to identify which memory location the specific process is using. I don't want to have to crawl the entire memory.
How would I know where the memory starts and ends for a process (Start at address &x end at address &x)?
the one solution you provided is very close. I just need to identify which memory location the specific process is using. I don't want to have to crawl the entire memory.
How would I know where the memory starts and ends for a process (Start at address &x end at address &x)?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The second url is a link to a vb program that enums processes and scans a process memory only not the entire memory looking for a value to replace. It lists the addresses all the found instances of the value relative to the process memory (with an offset to the main memory).
To demonstrate whats happening open notepad and past the text: I AM A STRING then choose the notepad from the program list and press start search button. When it finds it remember the address
Open another notepad instance and dont write anything in it. Select it from the program list after rerunning the program to refresh the windows list, enter an address before the previous found one and start search and you'll see that it doesn't find anything at the same address. Stop search and select the other notepad and do the same for the begining address and search, and you'll find the the text at the memory address.
What we conclude is that the code is scanning the process address not the entire address using tha api ReadProcessMemory and the bellow is a description of this api and I doubt you'll find it in allapi.net:
**************************
The ReadProcessMemory function reads memory in a specified process. The entire area to be read must be accessible, or the operation fails.
BOOL ReadProcessMemory(
HANDLE hProcess, // handle of the process whose memory is read
LPCVOID lpBaseAddress, // address to start reading
LPVOID lpBuffer, // address of buffer to place read data
DWORD nSize, // number of bytes to read
LPDWORD lpNumberOfBytesRead // address of number of bytes read
);
Parameters
hProcess
Identifies an open handle of a process whose memory is read. The handle must have PROCESS_VM_READ access to the process.
lpBaseAddress
Points to the base address in the specified process to be read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access. If this is the case, the function proceeds; otherwise, the function fails.
lpBuffer
Points to a buffer that receives the contents from the address space of the specified process.
nSize
Specifies the requested number of bytes to read from the specified process.
lpNumberOfBytesRead
Points to the actual number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.
Return Values
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
The function fails if the requested read operation crosses into an area of the process that is inaccessible.
Remarks
ReadProcessMemory copies the data in the specified address range from the address space of the specified process into the specified buffer of the current process. Any process that has a handle with PROCESS_VM_READ access can call the function. The process whose address space is read is typically, but not necessarily, being debugged.
The entire area to be read must be accessible. If it is not, the function fails as noted previously.
**************************
To demonstrate whats happening open notepad and past the text: I AM A STRING then choose the notepad from the program list and press start search button. When it finds it remember the address
Open another notepad instance and dont write anything in it. Select it from the program list after rerunning the program to refresh the windows list, enter an address before the previous found one and start search and you'll see that it doesn't find anything at the same address. Stop search and select the other notepad and do the same for the begining address and search, and you'll find the the text at the memory address.
What we conclude is that the code is scanning the process address not the entire address using tha api ReadProcessMemory and the bellow is a description of this api and I doubt you'll find it in allapi.net:
**************************
The ReadProcessMemory function reads memory in a specified process. The entire area to be read must be accessible, or the operation fails.
BOOL ReadProcessMemory(
HANDLE hProcess, // handle of the process whose memory is read
LPCVOID lpBaseAddress, // address to start reading
LPVOID lpBuffer, // address of buffer to place read data
DWORD nSize, // number of bytes to read
LPDWORD lpNumberOfBytesRead // address of number of bytes read
);
Parameters
hProcess
Identifies an open handle of a process whose memory is read. The handle must have PROCESS_VM_READ access to the process.
lpBaseAddress
Points to the base address in the specified process to be read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access. If this is the case, the function proceeds; otherwise, the function fails.
lpBuffer
Points to a buffer that receives the contents from the address space of the specified process.
nSize
Specifies the requested number of bytes to read from the specified process.
lpNumberOfBytesRead
Points to the actual number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.
Return Values
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error information, call GetLastError.
The function fails if the requested read operation crosses into an area of the process that is inaccessible.
Remarks
ReadProcessMemory copies the data in the specified address range from the address space of the specified process into the specified buffer of the current process. Any process that has a handle with PROCESS_VM_READ access can call the function. The process whose address space is read is typically, but not necessarily, being debugged.
The entire area to be read must be accessible. If it is not, the function fails as noted previously.
**************************
>>>the one solution you provided is very close. I just need to identify which memory location the specific process is using. I don't want to have to crawl the entire memory.
You have no choice by walk the memory and look for changes when your Money, Lives", etc change.
You have no choice by walk the memory and look for changes when your Money, Lives", etc change.
ASKER
BrianGEFF719,
How'd you find the memory location addresses? Do you have a prog that will do that?
-Skip
How'd you find the memory location addresses? Do you have a prog that will do that?
-Skip
http://www.allapi.net/ has some good info on using the WIN API will allow you to work with memory locations.