[Delphi] Readprocessmemory and openprocess.

l3m0n asked
Last Modified: 2012-05-11
Hi, what is wrong with my code?
ReadProcessMemory:
library dll;

uses
  SysUtils,
  Classes,
  windows;

var
    DblWord: DWORD;
    hHandle: THandle;

procedure DllMain(reason: integer) ;
begin 
   case reason of
      DLL_PROCESS_ATTACH:
      begin 
         hHandle:=LoadLibrary('Kernel32.dll');
         DblWord:=DWORD(GetProcAddress(hHandle,'ReadProcessMemory'))+5;
      end; 
      DLL_PROCESS_DETACH:
      begin
         FreeLibrary(hHandle); 
      end;
   end; 
end;

function myReadProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesRead: DWORD): BOOL;
begin
 asm
      mov edi,edi
      push ebp
      mov esp,ebp
      jmp [DblWord]
   end;
end;

exports myReadProcessMemory;

begin 
   DllProc := @DllMain; 
   DllProc(DLL_PROCESS_ATTACH) ; 
end.


OpenProcess:
library open;

uses
  SysUtils,
  Classes,
  windows;

var
    DblWord: DWORD;
    hHandle: THandle;

procedure DllMain(reason: integer) ;
begin 
   case reason of
      DLL_PROCESS_ATTACH:
      begin 
         hHandle:=LoadLibrary('Kernel32.dll');
         DblWord:=DWORD(GetProcAddress(hHandle,'OpenProcess'))+5;
      end; 
      DLL_PROCESS_DETACH:
      begin
         FreeLibrary(hHandle); 
      end;
   end; 
end;

function myOpenProcess(dwDesiredAccess: DWORD; bInheritHandle: Boolean; dwProcessId: DWORD): DWORD;
begin
   asm
      mov edi,edi 
      push ebp 
      mov esp,ebp 
      jmp [DblWord]
   end; 
end;

exports myOpenProcess;

begin 
   DllProc := @DllMain; 
   DllProc(DLL_PROCESS_ATTACH) ; 
end.


Using:
function myReadProcessMemory(hProcess: THandle; const lpBaseAddress: Pointer; lpBuffer: Pointer; nSize: DWORD; var lpNumberOfBytesRead: DWORD): BOOL; stdcall external 'Read.dll' name 'myReadProcessMemory';
function myOpenProcess(dwDesiredAccess: DWORD; bInheritHandle: Boolean; dwProcessId: DWORD): DWORD; stdcall external 'Open.dll' name 'myOpenProcess';


myReadProcessMemory is working fine, but myOpenProcess gives an AV when I try to use it.
AV message:
Project Peeper.exe raised exception class EAccessViolation with message 'Access violation at address 00000000. Read of address 00000000'. Process stopped. Use Step or Run to continue.

What is wrong? Please help

Commented:
What application are you making? From all your previous posts that I see until now are open, I think you're building an anti-virus.

Getting function names used by an application or a library? // possible using asm, but your test is wrong. Why? Because you're testing your own application.
Getting application signatures from memory? // possible with Delphi alone.

I doubt you are making an AV, or if not, you're making some malicious code.

Please explain what application you're trying to make.

Author

Commented:
I need to open a game written by my friend in C++. It is a multiplayer game, but for now he is only testing it. I told him that he must "block" functions like "ReadProcessMemory" etc. He did it, but I saw that I can read something from memory using this code, but I have a problem with doing OpenProcess and I don't know why. Could you help me? When I have done it, maybe I can help with the protection.

Commented:
jimyX, Ewangoya, Thommy and Geert are the most active users here in the Delphi zone, as I noticed, and you can view it on the overall Delphi zone experts.

So, I think they are the ones who are capable of helping you in depth.

Commented:
The library's functions are declared without the stdcall indicator, but the using code has "stdcall".

Author

Commented:
It doesn't make a difference.

Author

Commented:
It is working, thanks.