How to read the RAM at the address?

A

aab1372019-02-19 11:16:34

Python

aab137, 2019-02-19 11:16:34

An address is given, such as 02FB690C. It is necessary to read what is in the RAM under this address.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

S

Sergey Gornostaev, 2019-02-19
@aab137

Something like this

import sys
import ctypes
import ctypes.wintypes as wintypes


PROCESS_VM_READ = 0x0010
BUF_SIZE = 64

kernel32 = ctypes.windll.kernel32

kernel32.OpenProcess.restype = wintypes.HANDLE
kernel32.OpenProcess.argtypes = [
    wintypes.DWORD,
    wintypes.BOOL,
    wintypes.DWORD
]

kernel32.CloseHandle.restype = wintypes.BOOL
kernel32.CloseHandle.argtypes = [ wintypes.HANDLE ]

kernel32.ReadProcessMemory.restype = wintypes.BOOL
kernel32.ReadProcessMemory.argtypes = [ 
    wintypes.HANDLE,
    wintypes.LPCVOID,
    wintypes.LPVOID,
    ctypes.c_size_t,
    ctypes.POINTER(ctypes.c_size_t)
]

pid = int(sys.argv[1])
addr = int(sys.argv[2], 16)

buf = ctypes.create_string_buffer(BUF_SIZE)
read = ctypes.c_size_t()

ph = kernel32.OpenProcess(PROCESS_VM_READ, False, pid)
r = kernel32.ReadProcessMemory(ph, addr, ctypes.byref(buf), BUF_SIZE, ctypes.byref(read))
kernel32.CloseHandle(ph)

print(buf.value)

Naturally, it is better to add error handling.