RVA

[James]

My brain is fried haha. I know I'm doing something retarded, but I can't figure out what it is. Anything wrong with this bit?

Code:

            DWORD ProcessStuff; 
            GetWindowThreadProcessId( hWnd2, &ProcessStuff ); 
            HANDLE ProcessMe = GetModuleHandle("ShoreWareAgent.exe");
            DWORD  Memory       = (DWORD)ProcessMe + 0x00002630;

            DWORD ProcessID; 
            GetWindowThreadProcessId( hWnd2, &ProcessID ); 
            HANDLE Process = OpenProcess( PROCESS_VM_READ|PROCESS_VM_OPERATION, FALSE, ProcessID ); 

            BYTE data;
            DWORD datasize = sizeof(data);
            //Read the data from memory0x011A2630
            ReadProcessMemory(Process,((LPCVOID)Memory), &data, datasize, 0);

I'm trying to read the memory, but the address keeps changing. So I need to take the base + the last 4 of the offset (since this is the only static section).

I know the offset is correct. The app compiles fine, but this bit I posted above doesn't work.

Any ideas?

[hummingbird]

GetModuleHandle doesnt work on a remote process,
and if you are trying to get an address from a local process and use that to read in another process?

[James]

Hmm,
Yeah I'm trying to figure out how to get the PEB.

I'm reading I need to use NtQueryInformationProcess();

so I'm assuming I have this:

NtQueryInformationProcess(Process, ProcessBasicInformation, PROCESS_BASIC_INFORMATION, 4, 4);

[hummingbird]

Hmm,
Yeah I'm trying to figure out how to get the PEB.

I'm reading I need to use NtQueryInformationProcess();

so I'm assuming I have this:

NtQueryInformationProcess(Process, ProcessBasicInformation, PROCESS_BASIC_INFORMATION, 4, 4);

PEB in the local process is easy:

Code:

PPEB peb = (PPEB)__readfsdword(0x30);

remote process is a bit more work, but it should be smth like this:

Code:

HANDLE hProc = OpenProcess( xxx );
PROCESS_BASIC_INFORMATION pbi = { 0 };
DWORD dwRead = 0;
NTSTATUS ntRet = NtQueryInformationProcesss( hProc, ProcessBasicInformation, &pbi, sizeof(pbi), &dwRead );
PEB peb = {0};
dwRead = 0;
ReadProcessMemory( hProc,(LPCVOID)pbi.PebBaseAddress, &peb, sizeof(peb), &dwRead );

[James]

I can't tell you how much I appreciate your help with this. Maybe I was looking in the wrong places, but I couldn't find a legit source to look at for help anywhere. Thanks for this. I'll give it a go.

[James]

For some odd reason I'm having a problem with this line:

Code:

NTSTATUS ntRet = NtQueryInformationProcesss( hProc, ProcessBasicInformation, &pbi, sizeof(pbi), &dwRead );

Does it have to be global or local? I currently have everything declared locally.
My code is really ugly I admit, but it does work.

[hummingbird]

what is the return value?

[Razo[R]apiD]

Does it compile or throw errors?

You may need to import it from ntdll.dll or use additional headers.

[James]

Sorry for the delay, the holidays kept me a bit busier than I anticipated. I'm attaching the source code here. It compiles fine if I have it commented out, but then the app doesn't work right (it doesn't read from the offset like it should).

[James]

Err I completly rewrote the code and still nadda.

I used tsearch to get the offsets and here it is:

Code:

B22630
13B2630

As you can see the ending is always constant, but the beginning is dynamic and it's just such a pain in the ass. ERRRRR


Return Value:
---------------------------
Testing
---------------------------
Base Address: 00274F90 Value: 0
---------------------------
OK
---------------------------

Syntax

Set Globally:

Code:

typedef NTSTATUS (NTAPI *_NtQueryInformationProcess)
(
    HANDLE ProcessHandle,
    DWORD ProcessInformationClass,
    PVOID ProcessInformation,
    DWORD ProcessInformationLength,
    PDWORD ReturnLength
);

PVOID GetPebAddress(HANDLE Process)
{
    DWORD ProcessID; 
    GetWindowThreadProcessId( hWnd2, &ProcessID ); 
    Process = OpenProcess( PROCESS_VM_READ|PROCESS_VM_OPERATION, FALSE, ProcessID ); 

    _NtQueryInformationProcess NtQueryInformationProcess = (_NtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    PROCESS_BASIC_INFORMATION pbi;

    NtQueryInformationProcess(Process, 0, &pbi, sizeof(pbi), NULL);

    return pbi.PebBaseAddress;
}

And in LRESULT WINAPI myProc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
in a timer

Code:

if(hWnd1 && hWnd2)
            {
                
                DWORD ProcessID; 
                GetWindowThreadProcessId( hWnd2, &ProcessID ); 
                HANDLE ProcessX = OpenProcess( PROCESS_VM_READ|PROCESS_VM_OPERATION, FALSE, ProcessID ); 

                PROCESS_BASIC_INFORMATION pbi = { 0 };
                DWORD dwRead = 0;
                GetPebAddress(ProcessX);
                PEB peb = {0};
                dwRead = 0;

                BYTE data;
                DWORD datasize = sizeof(data);

                char buffer [512];
                
                ReadProcessMemory( ProcessX, (LPCVOID)pbi.PebBaseAddress, &peb, sizeof(peb), &dwRead );

                sprintf (buffer, "Base Address: %p Value: %i", GetPebAddress(ProcessX), peb);


                if(ProcessX)
                {
                    if((int)data == 1)
                    {
                        if(GetAsyncKeyState(VK_RBUTTON))
                        {
                            //MessageBox(0, "Value is 1", "Testing", MB_OK);
                            MessageBox(0, buffer, "Testing", MB_OK);
                        }
                    }
                    else if((int)data == 0)
                    {
                        if(GetAsyncKeyState(VK_RBUTTON))
                        {
                            //MessageBox(0, "Value is 0", "Testing", MB_OK);
                            MessageBox(0, buffer, "Testing", MB_OK);
                        }
                    }

                    CloseHandle(ProcessX);
                }

            }