1

Topic: How to search the address space of a process?

I need to find a certain sequence of bytes in the address space. Usually this sequence sits in a loaded DLL, but here is the trouble: this DLL cannot be found this way, though, for example, Scylla from x64dbg does find this DLL...

    #include <windows.h>
    #include <psapi.h>   // EnumProcessModules(Ex), GetModuleFileNameExA; link with psapi.lib

    void MyEnumProcessModules()
    {
        DWORD processID = GetCurrentProcessId();
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID);
        if (hProcess == NULL)
            return;
        DWORD dwSize = sizeof(HMODULE) * 256; // 256 - magic number for simplicity
        HMODULE* phModules = (HMODULE*)GlobalAlloc(GPTR, dwSize);
        // Get a list of process modules (fall back to EnumProcessModules where the Ex variant is unavailable).
        if (EnumProcessModulesEx == NULL
            || !EnumProcessModulesEx(hProcess, phModules, dwSize, &dwSize, LIST_MODULES_ALL))
        {
            dwSize = sizeof(HMODULE) * 256;
            if (!EnumProcessModules(hProcess, phModules, dwSize, &dwSize))
                dwSize = 0;
        }
        // dwSize now holds the number of bytes *needed*, which may exceed the 256-entry buffer
        DWORD dwCount = dwSize ? dwSize / sizeof(HMODULE) : 0;
        if (dwCount > 256)
            dwCount = 256;
        for (DWORD i = 0; i < dwCount; i++)
        {
            char moduleName[MAX_PATH];
            ZeroMemory(moduleName, sizeof(moduleName));
            if (::GetModuleFileNameExA(hProcess, phModules[i], moduleName, MAX_PATH))
            {
                // and here the DLL I need never shows up
            }
        }
        GlobalFree(phModules);
        CloseHandle(hProcess);
    }

2

Re: How to search the address space of a process?

Hello, ksd, you wrote:

ksd> I need to find a certain sequence of bytes in the address space. Usually this sequence sits in a loaded DLL, but here is the trouble: this DLL cannot be found this way, though, for example, Scylla from x64dbg does find this DLL...

Your code will work only if this DLL is in the process's list of loaded modules. A DLL will be there only if it was loaded by "legal" means, through LoadLibrary. A DLL can be injected into a process, or loaded into it manually, through the […]. In that case the DLL will not be in the module list, although it can work perfectly normally. You should walk not the modules but the whole memory of the process, from address 0x00000000 to 0xFFFFFFFF in steps of 0x10000, first checking through Query Memory that the memory is allocated and readable. If that condition holds, read that memory out of the process and scan it.

3

Re: How to search the address space of a process?

Hello, ksd, you wrote:

ksd> I need to find a certain sequence of bytes in the address space. Usually this sequence sits in a loaded DLL, but here is the trouble: this DLL cannot be found this way, though, for example, Scylla from x64dbg does find this DLL...

Try looking at how ProcessHacker does it. It is open source. As far as I remember, it walks the process's pages (the VAD) through NtQueryVirtualMemory(MemoryBasicInformation), then tries to read the data through NtReadVirtualMemory(). It is also possible, by means of NtQueryVirtualMemory(MemoryMappedFilenameInformation), to find out which module (in your case a DLL) the page at a given address belongs to. Here are the definitions that will be needed:

    typedef enum _MEMORY_INFORMATION_CLASS
    {
        MemoryBasicInformation,
        MemoryWorkingSetInformation,
        MemoryMappedFilenameInformation
    } MEMORY_INFORMATION_CLASS;

    typedef struct _MEMORY_BASIC_INFORMATION32
    {
        PVOID BaseAddress;
        PVOID AllocationBase;
        ULONG AllocationProtect;
        ULONG RegionSize;
        ULONG State;
        ULONG Protect;
        ULONG Type;
    } MEMORY_BASIC_INFORMATION32, *PMEMORY_BASIC_INFORMATION32;

    typedef struct DECLSPEC_ALIGN(16) _MEMORY_BASIC_INFORMATION64
    {
        ULONGLONG BaseAddress;
        ULONGLONG AllocationBase;
        ULONG AllocationProtect;
        ULONG __alignment1;
        ULONGLONG RegionSize;
        ULONG State;
        ULONG Protect;
        ULONG Type;
        ULONG __alignment2;
    } MEMORY_BASIC_INFORMATION64, *PMEMORY_BASIC_INFORMATION64;

    #define _MAX_OBJECT_NAME (1024 / sizeof(WCHAR))

    typedef struct _MEMORY_MAPPED_FILE_NAME_INFORMATION
    {
        UNICODE_STRING Name;
        WCHAR Buffer[_MAX_OBJECT_NAME];
    } MEMORY_MAPPED_FILE_NAME_INFORMATION, *PMEMORY_MAPPED_FILE_NAME_INFORMATION;

Though, regarding reading another process's address space through NtReadVirtualMemory(), I am not completely sure. ProcessHacker implements its own mechanism for reading process memory in its driver. But it seems that before using it, it first tries NtReadVirtualMemory(). Anyway, look there...
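Added example, not code from any post in this thread: the region walk suggested in posts 2 and 3, written with the documented Win32 equivalents VirtualQueryEx / ReadProcessMemory / GetMappedFileNameA instead of the Nt* calls, and advancing by RegionSize rather than a fixed 0x10000 step. The platform-independent pattern search is kept separate so it can be checked on a constructed buffer; the function names, the sample region and the MZ-like pattern are my own for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Portable part: scan a copy of one region for a byte pattern; returns first match address or 0. */
static uintptr_t find_pattern(uintptr_t base, const unsigned char *buf, size_t len,
                              const unsigned char *pat, size_t patlen)
{
    if (patlen == 0 || len < patlen) return 0;
    for (size_t i = 0; i + patlen <= len; i++)
        if (memcmp(buf + i, pat, patlen) == 0) return base + i;
    return 0;
}
/* Constructed sample region (not real process memory) pretending to sit at 0x10000;
 * the pattern starts at offset 4, so the expected answer is 0x10004. */
static uintptr_t demo(void)
{
    static const unsigned char region[] = { 'a','b','c','d', 0x4D,0x5A,0x90,0x00, 'e','f' };
    static const unsigned char pat[] = { 0x4D, 0x5A, 0x90, 0x00 };
    return find_pattern(0x10000, region, sizeof region, pat, sizeof pat);
}
#ifdef _WIN32
#include <windows.h>
#include <psapi.h> /* GetMappedFileNameA; link with psapi.lib */
/* Walk the address space region by region with VirtualQueryEx, copy out each committed
 * readable region and scan it. Unlike EnumProcessModules this also covers memory that is
 * not a "legally" loaded module (e.g. a manually mapped DLL). Patterns straddling two regions are missed. */
static uintptr_t scan_process(HANDLE hProcess, const unsigned char *pat, size_t patlen)
{
    MEMORY_BASIC_INFORMATION mbi; uintptr_t addr = 0, hit = 0;
    while (!hit && VirtualQueryEx(hProcess, (LPCVOID)addr, &mbi, sizeof mbi) == sizeof mbi) {
        uintptr_t next = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) break; /* wrapped around: top of the address space reached */
        if (mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))) {
            unsigned char *buf = (unsigned char *)malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (buf && ReadProcessMemory(hProcess, mbi.BaseAddress, buf, mbi.RegionSize, &got))
                hit = find_pattern((uintptr_t)mbi.BaseAddress, buf, got, pat, patlen);
            free(buf);
        }
        if (hit) { /* report which mapped file (DLL image) backs the page, if any */
            char name[MAX_PATH] = "";
            GetMappedFileNameA(hProcess, (LPVOID)hit, name, MAX_PATH);
            printf("match at %p in %s\n", (void *)hit, name[0] ? name : "<no mapped file>");
        }
        addr = next;
    }
    return hit;
}
#endif
```

The handle passed to scan_process needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, the same rights as in the original question.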

4

Re: How to search the address space of a process?

Hello, ksd, you wrote:

ksd> I need to find a certain sequence of bytes in the address space. Usually this sequence sits in a loaded DLL, but here is the trouble: this DLL cannot be found this way, though, for example, Scylla from x64dbg does find this DLL...

Richter has example 14, VMMap.exe; you can download the sources and have a look. It walks the process's memory regions, and arranging a search for the data you need inside them is a matter of a couple of minutes. A long time ago I also built a search for something in process memory on the basis of this example; it worked perfectly.