With my basic knowledge of C++, I’ve managed to whip together a simple program that reads some data from a program (using ReadProcessMemory) and sends it to my web server every five minutes, so I can see the status of said program while I’m not at home.
I found the memory addresses to read from using a program designed to hack games called “Memory Hacking Software.” The problem is, the addresses change whenever I move the program to another machine.
My question is: is there a way to find a ‘permanent’ address that is the same on any machine? Or is this simply impossible? Excuse me if this is a dumb question, but I don’t know a whole lot on the subject. Or perhaps there is another means to access information from a running program.
Thanks for any and all help!
There are ways to do it such as being able to recognise memory patterns around the thing you’re looking for. Crackers can use this to find memory locations to patch even with software that “moves around”, so to speak (as with operating systems that provide randomisation of address spaces).
For example, if you know that there are fixed character strings always located X bytes beyond the area of interest, you can scan the whole address space to find them, then calculate the area of interest from that. However, it’s not always as reliable as you might think.
I would instead be thinking of another way to achieve your ends, one that doesn’t involve battling the features that are protecting such software from malicious behaviour.
Think of questions like:
Why exactly do you need access to the address space at all?
Does the program itself provide status information in a more workable manner?
If the program is yours, can you modify it to provide that information?
If you only need to know if the program is doing its job, can you simply “ping” the program (e.g., for a web page, send an HTML request and ensure you get a valid response)?
As a last resort, can you convince the OS to load your program without address space randomisation then continue using your (somewhat dubious) method?
Given your comment that:
I would simply opt for automating this process. This is what some cracking software does. It scans files or in-memory code and data looking for markers that it can use for locating an area of interest.
If you can do it manually, you should be able to write a program that can do it. Have that program locate the areas of interest (by reading the process address space) and, once they’re found, just read your required information from there. If the methods of finding them change with each release (instead of just the actual locations), you’ll probably need to update your locator routines with each release of their software but, unfortunately, that’s the price you pay for the chosen method.
It’s unlikely the program you’re trying to read will be as secure as some – I’ve seen some move their areas of interest around as the program is running, to try and confuse crackers.
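The following is an added example, not code from the question or the answer above, showing the locator routine the answer describes in both places: scan a snapshot of the target's memory for a fixed byte signature (with wildcards for bytes that vary), then compute the area of interest at a fixed distance from the match. To keep it portable and runnable offline it works on a byte buffer rather than calling ReadProcessMemory; the buffer `kSnapshot`, the marker string "StatusBlock", the IDA-style pattern syntax and the 8-byte distance between the status value and the marker are all constructed assumptions standing in for whatever the real target contains. In practice you would fill such a buffer region by region from ReadProcessMemory (walking the address space with VirtualQueryEx) and expect to re-derive the signature whenever a new release changes the surrounding bytes.

```cpp
// Added example (not from the original post): a portable byte-signature scanner.
// Assumption: kSnapshot is a constructed buffer standing in for bytes read from
// the target with ReadProcessMemory; the marker, pattern and distance are made up.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

struct PatternByte {
    uint8_t value;
    bool wildcard;  // true for "??" entries that are allowed to differ
};

// Parse an IDA-style pattern such as "48 8B ?? ?? C0" into bytes plus wildcards.
std::vector<PatternByte> parsePattern(const std::string& text) {
    std::vector<PatternByte> out;
    size_t i = 0;
    while (i < text.size()) {
        if (text[i] == ' ') { ++i; continue; }
        if (text[i] == '?') {
            out.push_back({0, true});
            while (i < text.size() && text[i] == '?') ++i;  // accept "?" or "??"
        } else {
            auto byte = static_cast<uint8_t>(std::stoul(text.substr(i, 2), nullptr, 16));
            out.push_back({byte, false});
            i += 2;
        }
    }
    return out;
}

// Linear scan for the first position where every non-wildcard byte matches.
std::optional<size_t> findPattern(const std::vector<uint8_t>& mem,
                                  const std::vector<PatternByte>& pat) {
    if (pat.empty() || mem.size() < pat.size()) return std::nullopt;
    for (size_t base = 0; base + pat.size() <= mem.size(); ++base) {
        bool hit = true;
        for (size_t j = 0; j < pat.size(); ++j) {
            if (!pat[j].wildcard && mem[base + j] != pat[j].value) { hit = false; break; }
        }
        if (hit) return base;
    }
    return std::nullopt;
}

// Constructed memory snapshot (assumption): 16 filler bytes, a 4-byte little-endian
// status value (42), 4 bytes of padding, then the marker string "StatusBlock\0".
const std::vector<uint8_t> kSnapshot = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
    0x2A, 0x00, 0x00, 0x00,                           // status = 42
    0x00, 0x00, 0x00, 0x00,                           // padding
    'S', 't', 'a', 't', 'u', 's', 'B', 'l', 'o', 'c', 'k', 0x00,
};

// "StatusBlock" with the 7th byte wildcarded, to show the marker can be matched
// even if one byte of it varies between builds. (Assumed signature.)
const char* kMarkerPattern = "53 74 61 74 75 73 ?? 6C 6F 63 6B";

// Assumed layout: the status value sits 8 bytes before the marker string.
const size_t kDistanceBeforeMarker = 8;

// Locate the status value: find the marker, then step back a fixed distance.
std::optional<size_t> locateStatus(const std::vector<uint8_t>& mem) {
    auto marker = findPattern(mem, parsePattern(kMarkerPattern));
    if (!marker || *marker < kDistanceBeforeMarker) return std::nullopt;
    return *marker - kDistanceBeforeMarker;
}

// Read the 4-byte little-endian status at the located offset, if it exists.
std::optional<uint32_t> readStatus(const std::vector<uint8_t>& mem) {
    auto off = locateStatus(mem);
    if (!off || *off + 4 > mem.size()) return std::nullopt;
    uint32_t v = 0;
    for (size_t k = 0; k < 4; ++k) v |= static_cast<uint32_t>(mem[*off + k]) << (8 * k);
    return v;
}

int main() {
    if (auto s = readStatus(kSnapshot)) {
        std::printf("status found at offset %zu: %u\n", *locateStatus(kSnapshot), *s);
    } else {
        std::printf("signature not found; the build may have changed\n");
    }
    return 0;
}
```

Because the locator searches for the marker rather than hard-coding an address, the same routine works on any machine where the layout around the status value is unchanged, and it fails closed (returns nothing) rather than reading garbage when the signature is not present.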