64-bit memory reading

[crackdonalds]

Hello people,

 

I've been looking around the forum to find out whether it is possible to read the memory of 64-bit applications. I couldn't find a clear answer. I do see people having trouble with it though because the public UDF's seem to be 32-bit only.

 

1. Is it possible to read the memory of a 64-bit application in AutoIt
2. If so, does anyone have a working example?

 

Thanks for clearing things up.

[JLogan3o13]

@crackdonalds we tend, for obvious reasons, to tread very lightly when it comes to pulling information from memory, as you will see if you have done a search of the forum. With that in mind, can you please explain what, exactly, are you trying to pull from memory, and from what app?

[crackdonalds]

I would like to pull audio values in numbers instead of a graph from a tool called dirac.

[Bert]

7 hours ago, crackdonalds said:

I would like to pull audio values in numbers instead of a graph from a tool called dirac.

I'm looking at the website that puts the software out - I haven't downloaded it but I can see what you want to do. I'm wondering a few things:

1. The website for the software - http://www.dirac.com - you would think they have a support link or something. I see a "contact us" link that may be of help. ...wait...ok, this is what I was looking for: http://helpdesk.dirac.se/index.php?pg=request
    That should allow for you to ask them if the software has some method of extracting the values without having to resort to memory reading.
2. Is the desire to get a number because the software only will give you a graph reading and you want to have it report to you differently? Such as to give your customer a readout of what the room settings are?
3. Are you building a custom interface to see what you need?

[crackdonalds]

Thank you for your reply.

1. There is no method otherwise i wouldn't bother.

2. Almost. Not really for the reporting but more for the ease of optimizing the settings for different situations. Actually knowing the resulting number rather than just seeing a graph and having to guess the value that comes with it.

3. That's what i would like to do. I'm not getting started until my 2 questions are answered though.

I honestly don't see how these returning questions contribute to answering my question. I guess nobody really knows?

[Bert]

2 hours ago, crackdonalds said:

.....

I honestly don't see how these returning questions contribute to answering my question. I guess nobody really knows?

It actually helps a lot for we now know what you want to do. Think of it as high level requirements.

OK, I'm with you in that memory reading is the way to go seeing you can't get the data any other way. We could go the pixel reading route but that is horribly unreliable at best.

In looking around I found this but I may be incorrect on saying this is what you need or not.

I will be honest and say this is beyond my skillset for what you are asking for. I've never messed with memory reading for I never had the need. Saying that - I can tell you trancexx is quite skilled and she most likely could direct you. I'm not sure if she is still around or not. I apologize that I'm not more helpful.

[JLogan3o13]

4 hours ago, crackdonalds said:

I honestly don't see how these returning questions contribute to answering my question. I guess nobody really knows?

Not exactly the tack you want to take when someone is trying to get more information from you so they can assist you. You obviously don't know how to accomplish what you want to do, or you wouldn't be posting here. Then questioning those who volunteer their time to help doesn't really instill in them a desire to continue to assist.

[crackdonalds]

Bert's effort is appreciated. unfortunately not what i was hoping/looking for.

Logan, you know my question couldn't be more clear. i feel that i am being asked questions for commiting a crime called "reading memory" and i have to explain myself for that. i feel a bit impatient because of that.

[JLogan3o13]

And your impatience is going to keep people from helping you. Your thread is obviously not (yet) deemed inappropriate, because it is still open. But the attitude isn't helping you any; everyone answering questions on this forum is a volunteer. If someone is willing to assist you on your issue, I would think you would want to go out of your way to provide them any additional info you can. Just some friendly advice.

[crackdonalds]

I'll answer it myself:

1. Yes
2.

64-bit program:

Global $count = 76567589
while 1
   MsgBox(0,"", $count)
   $count = $count + 1
   WEnd

Read memory:

#include <KryMemory.au3>

$lovehandle = _Process_Open("test.exe")
$val = _Process_ReadMemory($lovehandle, 0x1F9B21FE110, "dword")
MsgBox(0,"", $val)

Since the above is useless: Read memory through pointer

#include <KryMemory.au3>

$lovehandle = _Process_Open("test.exe")
$val = (_Process_ReadMemory($lovehandle, "0x" & Hex(_Process_ReadMemory($lovehandle, "0x" & Hex(_Process_ReadMemory($lovehandle, 0x7FF6ABE142E0, "uint64") + 0x28), "uint64")), "dword"))
MsgBox(0,"", $val)

First I changed Nomadmemory UDF to work with 64-bit but then i figured that KryMemory actually works with 64-bit.

You just have to do things a bit differently...
The pointer calculation doesn't work. not sure why. you'll have to do it manually like i did or fix the function.

 

Maybe someone has a working ReadPointer function? Let me know if u do or if u know an easy way to change the code above into a easy to use function.

[AndyG]

I dont know what you mean with "working ReadPointer function"...

Everything works as it should:

compile and run 64Bit-Program "Test.exe"

#AutoIt3Wrapper_UseX64=y

$struct=dllstructcreate("dword")
dllstructsetdata($struct,1,0xDEADBEEF)
$ptr=dllstructgetptr($struct,1)
MsgBox(262144, 'Debug line ~' & @ScriptLineNumber, 'Selection:' & @CRLF & '$ptr' & @CRLF & @CRLF & 'Return:' & @CRLF & $ptr & @crlf & int($ptr)) ;### Debug MSGBOX

then run 

#include <KryMemory.au3>
#AutoIt3Wrapper_UseX64=y

Local $oProc = _Process_Open("test.exe")

$ptr = 7471840  ;here the ptr from the MsgBox (Test.exe)

$memread = _Process_ReadMemory($oProc, $ptr, "dword")
ConsoleWrite($ptr & "   " & $memread & "   " & Hex($memread,8) & @CRLF)

_Process_Close($oProc)

shows:

7471840   3735928559   DEADBEEF

//EDIT there is no "pointer to a pointer"

Edited October 16, 2016 by AndyG

[crackdonalds]

Thank you for your reply.

i was talking about the _Process_ReadMemoryPointer function in KryMemory. It doesn't work. Is that also what you meant with "there is no pointer to a pointer?

the pointer part works fine like this:

$val = (_Process_ReadMemory($lovehandle, "0x" & Hex(_Process_ReadMemory($lovehandle, "0x" & Hex(_Process_ReadMemory($lovehandle, 0x7FF6ABE142E0, "uint64") + 0x28), "uint64")), "dword"))

would be nice if we could use the _Process_ReadMemoryPointer function though (just to make things easier). Did you try that?

I was expecting it to work like this:

#include <KryMemory.au3>
#include <Array.au3>

$lovehandle = _Process_Open("test.exe")

Local $Offset[2]
$Offset[0] = 0
$Offset[1] = 0x28

$pointerrr = _Process_ReadMemoryPointer($lovehandle, 0x7FF6ABE142E0, $Offset, "uint64")
;MsgBox(0,"pointer", $pointerrr)
_ArrayDisplay($pointerrr)

 

No big deal if the function won't work anyway.

[AndyG]

On 14.10.2016 at 3:30 PM, crackdonalds said:

i feel that i am being asked questions for commiting a crime called "reading memory" and i have to explain myself for that.

And your questions/postings are giving reasons for that. 

_Process_ReadMemoryPointer works as expected! It gives back the "last" pointer/result of the "pointer of a pointer"-chain.

I think that you don´t know what´s going on with "ReadMemory" in general nor what these function(s) do.

If i would want to "ReadMemory" of a commercial software, i would ask other questions....

[crackdonalds]

I think you have no idea what you are talking about. If you think it works, come up with some evidence instead of assumptions.

[Melba23]

As this thread seems to be deteriorating rapidly, I suggest you continue the discussion by PM - and so....

<click> (c) Jos

M23