VirtualQueryEx does not show AllocationBase

[T1ran1403]

And hello again to everyone! Has anyone by any chance encountered such a problem that AllocationBase shows 0 if you register an address equal to 0 in lpAddress?

Code: Select all

_MEMORY_BASIC_INFORMATION := Buffer(A_PtrSize = 8 ? 48 : 28, 0)
NumPut("UInt", _MEMORY_BASIC_INFORMATION.Size, _MEMORY_BASIC_INFORMATION, 0)

if (DllCall("VirtualQueryEx", "Ptr", ProcessHandle, "Ptr", 0, "Ptr", _MEMORY_BASIC_INFORMATION, "Ptr", _MEMORY_BASIC_INFORMATION.Size))
{
	AllocationBase := NumGet(_MEMORY_BASIC_INFORMATION, 8, "Ptr")
	MsgBox(Format("{:02X}", AllocationBase))
}

When I insert a ready-made address, AllocationBase works well. If anything, I have a 64bit AHK script, a 32bit test application. I would be grateful if someone knows what the problem is.

[swagfag]

why do u assume there is a problem? have u checked

The state of the pages in the region. This member can be one of the following values.
MEM_FREE
0x10000
Indicates free pages not accessible to the calling process and available to be allocated. For free pages, the information in the AllocationBase, AllocationProtect, Protect, and Type members is undefined.

?

[T1ran1403]

@swagfag
To be honest, I didn't quite figure out how VirtualQueryEx works. When I read memory using ReadProcessMemory I need to specify lpBaseAddress and nSize for the function to work correctly. But I don't specify the exact memory address as I want to find the exact address using my own AOBScan. Do you happen to know how to find out within what limits the address is, if I search for it by a pre-found array of bytes referring to the exact address, as does OllyDbg or Cheat Engine (it shows AllocationBase and Size)?

[swagfag]

well, then read the docs on MSDN. they explain more than thoroughly enough how VirtualQueryEx works. u specify a start address and it enumerates a sequence of all consecutive pages with identical attributes and access rights, until another page with different attributes/access rights is encountered. then it gives u some information about the sequence of pages u just enumerated. if u wont bother checking that information, why even call the function in the first place?

---

babbys first memory scanner:

• call VirtualQueryEx in a loop
• check if ure allowed to touch the memory (optionally if ure an advanced babby, unprotect the pages)
• RPM to copy the memory into ur own process's address space
• run whatever byte matching algorithm uve implemented on the copied memory (if there was a match, the address will be whatever address u passed to RPM + the byte offset at which the match was detect, which ur algorithm is supposed to keep track of)
• (if u were an advanced babby and care about it/not lazy, restore the protection back to what it originally was)
• repeat until uve matched something or VirtualQueryEx fails

[T1ran1403]

@swagfag
Thank you very much! It turns out I did everything right, I just thought if I specify 0 in lpAddress it will show me all the memory pages. It turns out that this had to be done in a loop, I just didn’t quite understand how VirtualQueryEx works! Now I have all the base addresses and page sizes in less than one second. Thanks again for giving a more detailed explanation about VirtualQueryEx!)

[T1ran1403]

@swagfag
Forgive me for distracting you again, I see you are well versed in DllCall. I have a question about the buffer. Do you happen to know how to load the entire contents of the buffer into a variable? At the moment, I'm using a loop and NumGet to load the contents into a variable. It works but unfortunately very slowly. As far as I understand, the buffer already stores everything I need, but I don't know how to load it into a variable in one move. Here is how I do it now:

Code: Select all

if (DllCall("ReadProcessMemory", "UInt", ProcessHandle, "UInt", base_address, "Ptr", bytes, "Ptr", scan_size, "UInt", 0))
{
	loop scan_size
	{
		search_byte := NumGet(bytes, A_Index - 1, "UChar")
		format_byte_to_hex := Format("{:02X}", search_byte)
		buff_mem .= format_byte_to_hex
	}
}

[swagfag]

Code: Select all

CRYPT_STRING_HEX := 0x00000004
CRYPT_STRING_NOCRLF := 0x40000000
if !DllCall("Crypt32\CryptBinaryToString", "Ptr", bytes, "UInt", scan_size, "UInt", dwFlags := CRYPT_STRING_HEX | CRYPT_STRING_NOCRLF, "Ptr", 0, "UInt*", cchNeeded := 0)
	throw

VarSetCapacity(buf, cchNeeded * (A_IsUnicode ? 2 : 1))
if !DllCall("Crypt32\CryptBinaryToString", "Ptr", bytes, "UInt", scan_size, "UInt", dwFlags, "Ptr", &buf, "UInt*", cchNeeded)
	throw

buff_mem := StrGet(&buf)