[help] small problem with my memory scanner menu

  1. #1
    anon145236 (Private)

    EDIT: Removed
    Last edited by anon145236; 02-22-2012 at 09:51 AM. Reason: EDIT: Removed

  2. #2
    namreeb (Legendary)
    Originally Posted by anon145236
    hi folks,

    i wrote a memory scanner for wow which searches for a uint32 value (searchValue). i placed exactly 1589 searchValues in wow's memory and then scanned for it. instead of 1589 pointers, my scanner delivers 1590 pointers. when i scan with cheatengine i receive the correct amount. so why does my scanner have one result too many?

    i already tried to store my results as key values in a dictionary and .. i got no exception, which means that all found pointers are unique keys ?!... so there shouldn't be any redundant pointers within my result list ... but that would mean that my scanner finds more searchValues in memory than cheatEngine does ... and guess what ... i believe the error lies in my source


    Code:
    public List<IntPtr> Int32Scanner(uint searchValue, Int32 startAddress, Int32 endAddress)
    {
        int bytesRead;
        int bufferSize = 20480;
        Int32 currentAddress = startAddress;
        List<IntPtr> results = new List<IntPtr>();
        int searchAreaSize = endAddress - startAddress;

        if (searchAreaSize >= bufferSize)
        {
            int numberOfLoops = searchAreaSize / bufferSize;

            for (int i = 0; i < numberOfLoops; i++)
            {
                var buffer = ReadMemoryAtAddress((IntPtr)currentAddress, (uint)bufferSize, out bytesRead);

                if (bytesRead > 0)
                {
                    for (int j = 0; j < buffer.Length; j = j + 8)
                    {
                        if (BitConverter.ToUInt32(buffer, j).Equals(searchValue))
                        {
                            results.Add((IntPtr)(currentAddress + j));
                        }
                    }
                }
                currentAddress += bufferSize;
            }
        }

        // remaining bytes after the last full buffer
        if (endAddress - currentAddress >= 0x4)
        {
            var buffer = ReadMemoryAtAddress((IntPtr)currentAddress, (uint)(endAddress - currentAddress), out bytesRead);
            if (bytesRead > 0)
            {
                for (int i = 0; i < buffer.Length; i = i + 8)
                {
                    if (BitConverter.ToUInt32(buffer, i).Equals(searchValue))
                        results.Add((IntPtr)(currentAddress + i));
                }
            }
        }

        MessageBox.Show(results.Count.ToString());  // returns:  1590

        return results;
    }
    hope you can help
    A couple of thoughts after a quick glance here. Firstly, I am surprised you are getting a result close to what you expect. You are stepping your search address by 8, instead of 4. Unless I'm crazy, this means you're skipping at least half of the possible locations. Secondly, I think that second if should be an else if. It looks as though you may be counting the same things twice. If it were me, I would redesign the first loop to work for all cases. It will run much faster if you locally buffer the data you're searching through.

  3. #3
    anon145236 (Private)
    EDIT: Removed
    Last edited by anon145236; 02-22-2012 at 09:49 AM. Reason: EDIT: Removed

  4. #4
    Bananenbrot (Contributor)
    Ok...

    1.) That's nonsense... even if you count in alignment, a struct with 3 pointers would be 16 bytes at max, and there would be pointers at j+4.

    2.) it's performance-wise perfectly possible, you can either load all bytes at once (just give it a try, if you have enough ram to spare this is the best solution)
    or you do it like
    Code:
    while (currentAddress < endAddress)
    {
        int memoryRange = endAddress - currentAddress;
        int toRead = Math.Min(memoryRange, YourConstantBufferSize);
        byte[] buffer = ReadBytesAtAddress(currentAddress, toRead);
        // process buffer
        currentAddress += toRead;
    }
    Might be horrible mistakes in there, but you'll get it if you read it.
    For "stunning performance" you could even stackalloc that buffer, because your buffer size is already constant by definition.
    Last edited by Bananenbrot; 11-26-2011 at 05:39 AM.
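The buffered, single-loop scan that namreeb (post #2) and Bananenbrot (post #4) describe, as an added example in C; it is not code from this thread. It reads a constructed 64 KiB byte array through `read_memory`, a stand-in for ReadProcessMemory() (an assumption, as are MAGIC, the planted addresses and every other name here), scans it in fixed-size chunks with one loop that also covers the short tail, keeps the last three bytes of each chunk in front of the next so a value split across a chunk boundary is found exactly once, and takes the scan step as a parameter so the effect of stepping by 8 instead of 4 can be seen directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the target's address space: a flat 64 KiB array
   instead of a real process, so no ReadProcessMemory() is involved. */
#define TARGET_SIZE 0x10000
static uint8_t target[TARGET_SIZE];

/* Stand-in for ReadProcessMemory(): copies up to len bytes from addr into out
   and returns how many were actually read (0 on failure). */
static size_t read_memory(size_t addr, uint8_t *out, size_t len)
{
    if (addr >= TARGET_SIZE) return 0;
    if (len > TARGET_SIZE - addr) len = TARGET_SIZE - addr;
    memcpy(out, target + addr, len);
    return len;
}

/* Little-endian helpers, matching how a uint32 sits in x86 memory. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

#define CHUNK   4096   /* bytes per read; any size works, larger means fewer calls */
#define OVERLAP 3      /* a uint32 can hang over a chunk boundary by at most 3 bytes */

/* Scan [start, end) for value, reading CHUNK bytes at a time in a single loop
   that also handles the short tail. Only addresses that are a multiple of step
   (step >= 1) are examined: 4 is an aligned-only scan, 1 also finds unaligned
   copies. The last OVERLAP bytes of each chunk are kept in front of the next
   one; since the previous window only examined offsets whose 4 bytes ended at
   or before cur, every offset in the new window is new and nothing is counted
   twice. Matches go to hits (at most max_hits); the return value is the count. */
size_t scan_u32(size_t start, size_t end, uint32_t value, size_t step,
                size_t *hits, size_t max_hits)
{
    uint8_t buf[OVERLAP + CHUNK];
    size_t count = 0, carry = 0, cur = start;

    while (cur < end) {
        size_t want = end - cur;
        if (want > CHUNK) want = CHUNK;
        size_t got = read_memory(cur, buf + OVERLAP, want);
        if (got == 0) break;                      /* unreadable: stop here */

        /* window = carried bytes + fresh bytes, covering [cur - carry, cur + got) */
        uint8_t *win = buf + OVERLAP - carry;
        size_t win_len = carry + got, win_base = cur - carry;

        for (size_t p = 0; p + 4 <= win_len; p++) {
            size_t addr = win_base + p;
            if (addr % step != 0) continue;
            if (load_le32(win + p) == value) {
                if (count < max_hits) hits[count] = addr;
                count++;
            }
        }

        /* keep the tail of this window for the next iteration */
        size_t keep = win_len < OVERLAP ? win_len : OVERLAP;
        memmove(buf + OVERLAP - keep, win + win_len - keep, keep);
        carry = keep;
        cur += got;
    }
    return count;
}

/* Constructed layout: five copies of MAGIC, three 4-byte aligned and two
   straddling a CHUNK boundary (0x0ffe..0x1001 and 0x3ffd..0x4000). */
#define MAGIC 0xC0FFEE42u
static const size_t planted[] = { 0x0010, 0x0ffe, 0x2000, 0x3ffd, 0xfffc };
#define NPLANTED (sizeof planted / sizeof planted[0])

size_t plant_values(void)
{
    memset(target, 0, sizeof target);
    for (size_t i = 0; i < NPLANTED; i++) store_le32(target + planted[i], MAGIC);
    return NPLANTED;
}

int main(void)
{
    size_t hits[16];
    plant_values();
    printf("step 1: %zu hits\n", scan_u32(0, TARGET_SIZE, MAGIC, 1, hits, 16)); /* 5 */
    printf("step 4: %zu hits\n", scan_u32(0, TARGET_SIZE, MAGIC, 4, hits, 16)); /* 3 */
    printf("step 8: %zu hits\n", scan_u32(0, TARGET_SIZE, MAGIC, 8, hits, 16)); /* 2 */
    return 0;
}
```

With step 4 the scan finds the three aligned copies, which is what Cheat Engine's default aligned scan would report; step 1 also picks up the two boundary-straddling copies, and step 8 misses an aligned copy at 0xfffc because that address is not a multiple of 8.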

  5. #5
    anon145236 (Private)
    EDIT: Removed
    Last edited by anon145236; 02-22-2012 at 09:49 AM. Reason: EDIT: Removed

  6. #6
    _Mike (Contributor)
    Originally Posted by Bananenbrot
    2.) it's performance-wise perfectly possible, you can either load all bytes at once (just give it a try, if you have enough ram to spare this is the best solution)
    Copying memory is never good for performance. The best* way is to create a scanning thread within wow's address space. Or if you are willing/able to write a kernel driver**, map wow's address space in to your own.
    And before anyone claims the above to be overkill for a simple scanner.. Either you care about performance, and will do everything possible to maximize it. Or you don't care, and ReadProcessMemory()'ing 4 bytes at a time is acceptable. There is no middle ground imo

    *) best as in highest performance
    **) I don't think it's possible to do from user mode but I might be wrong

    Originally Posted by anon145236
    2.) i tried setting bufferSize to memoryRange( 0x7fffffff) and received a System.OutOfMemoryException even though i have 12 GB of RAM
    Even if you could allocate that big of a buffer ReadProcessMemory() would fail. You can't read pages that don't exist.
    And no, you don't need all that redundant code. Bananenbrot's way is perfectly fine.

    even though i would love to simplify my code too, i think i have to stick with my "20480 bufferSize"-solution
    Again, you can't read pages that don't exist. Either blindly read just 1 at a time or make sure you can read them all first.
    Last edited by _Mike; 11-26-2011 at 07:52 PM.

  7. #7
    sitnspinlock (Elite User)
    i take back what i said

    kestackattachprocess() too.

    though I don't know how else the second method you mention _mike would be possible, unless you were feeding the information back through an mj_read or an ioctl. nothing i know about at least
    Last edited by sitnspinlock; 11-26-2011 at 08:27 PM.

  8. #8
    _Mike (Contributor)
    Originally Posted by everdox
    i take back what i said

    kestackattachprocess() too.

    though I don't know how else the second method you mention _mike would be possible, unless you were feeding the information back through an mj_read or an ioctl. nothing i know about at least
    I was thinking along the line of reversing how the memory manager works, and manually remap wow's pages in to both processes at once. I have no idea how to actually implement it, but now I feel like trying just for the fun of it

    At first I thought of using KeStackAttachProcess, but I can't think of a way to use it without doing unnecessary data copies.

  9. #9
    sitnspinlock (Elite User)
    Originally Posted by _Mike
    I was thinking along the line of reversing how the memory manager works, and manually remap wow's pages in to both processes at once. I have no idea how to actually implement it, but now I feel like trying just for the fun of it

    At first I thought of using KeStackAttachProcess, but I can't think of a way to use it without doing unnecessary data copies.
    you ever read windows internals 5th edition? the more i thought about this last night, i think it might be possible by walking the eprocess VAD tree in the same way it is to hide virtual pages.

    dunno but this might become a little christmas break project for me :O
    Last edited by sitnspinlock; 11-27-2011 at 03:22 PM.

  10. #10
    anon145236 (Private)
    EDIT: Removed
    Last edited by anon145236; 02-22-2012 at 09:49 AM. Reason: EDIT: Removed

  11. #11
    _Mike (Contributor)
    I only read through the code quickly so there might be things I've missed, but
    Code:
    currentAddress += (uint)mbi.BaseAddress + (uint)mbi.RegionSize;
    Is definitely wrong.
    Either assign (Base + Size), or increment by Size. Don't do both at the same time
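A region walk in the VirtualQueryEx style that _Mike's posts #6 and #11 point at, as an added C example that is not from this thread. A constructed region table stands in for a 32-bit target's address space, `query_region` is a stand-in for VirtualQueryEx(), and `walk_readable` skips free, reserved and no-access regions (the pages ReadProcessMemory() would fail on) and advances with `cur = base + size`. A `buggy_advance` flag reproduces the `cur += base + size` mistake so its effect (skipped regions, undercounted bytes) is visible. The layout, sizes, the shortened user-space end and all names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed layout of a target's user address space in the shape
   VirtualQueryEx reports it: contiguous regions, no gaps. This is a mock
   table, not a real process; user space is cut short at 1 MiB to keep the
   numbers small. */
typedef struct {
    size_t base, size;
    int committed;   /* MEM_COMMIT: pages actually exist */
    int readable;    /* not PAGE_NOACCESS / PAGE_GUARD */
} region_t;

static const region_t regions[] = {
    { 0x00000000, 0x00010000, 0, 0 },   /* MEM_FREE: null page area */
    { 0x00010000, 0x00004000, 1, 1 },   /* committed, readable (heap-like) */
    { 0x00014000, 0x0000c000, 0, 0 },   /* MEM_RESERVE only: nothing to read */
    { 0x00020000, 0x00001000, 1, 0 },   /* committed but PAGE_NOACCESS (guard) */
    { 0x00021000, 0x0000f000, 1, 1 },   /* committed, readable */
    { 0x00030000, 0x000d0000, 0, 0 },   /* MEM_FREE up to the (mock) end */
};
#define NREGIONS (sizeof regions / sizeof regions[0])
#define USER_SPACE_END 0x100000u        /* mock; a real 32-bit process ends at 0x7FFFFFFF */

/* Stand-in for VirtualQueryEx(): describe the region containing addr.
   Returns 0 once addr lies past the end of user space, like the real call. */
static int query_region(size_t addr, region_t *out)
{
    for (size_t i = 0; i < NREGIONS; i++) {
        if (addr >= regions[i].base && addr < regions[i].base + regions[i].size) {
            *out = regions[i];
            return 1;
        }
    }
    return 0;
}

/* Walk [start, end) region by region, skipping anything ReadProcessMemory()
   would fail on. Returns the number of scannable bytes and, via visited, the
   number of regions stepped through. A real scanner would hand each readable
   [cur, hi) range to its chunked compare loop instead of just summing it.
   buggy_advance reproduces the thread's mistake: cur += base + size. */
size_t walk_readable(size_t start, size_t end, int buggy_advance, size_t *visited)
{
    size_t cur = start, total = 0;
    region_t r;
    *visited = 0;
    while (cur < end && query_region(cur, &r)) {
        (*visited)++;
        size_t hi = r.base + r.size;
        if (hi > end) hi = end;
        if (r.committed && r.readable)
            total += hi - cur;           /* cur may start inside the region */
        if (buggy_advance)
            cur += r.base + r.size;      /* overshoots and lands inside or past later regions */
        else
            cur = r.base + r.size;       /* correct: jump to the start of the next region */
    }
    return total;
}

int main(void)
{
    size_t v;
    size_t ok  = walk_readable(0, USER_SPACE_END, 0, &v);
    printf("correct advance: 0x%zx readable bytes over %zu regions\n", ok, v);  /* 0x13000, 6 */
    size_t bad = walk_readable(0, USER_SPACE_END, 1, &v);
    printf("buggy advance:   0x%zx readable bytes over %zu regions\n", bad, v); /* 0x10000, 4 */
    return 0;
}
```

The correct walk visits all six regions and reports the two readable ones in full (0x4000 + 0xf000 bytes); the `+=` variant jumps from the first readable region straight into the middle of the second, never sees the reserved and guard regions at all, and ends up with fewer bytes than actually exist.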

  12. #12
    anon145236 (Private)
    EDIT: Removed
    Last edited by anon145236; 02-22-2012 at 09:49 AM. Reason: EDIT: Removed
