tags:
views: 117
answers: 3

With my basic knowledge of C++, I've managed to whip together a simple program that reads some data from a program (using ReadProcessMemory) and sends it to my web server every five minutes, so I can see the status of said program while I'm not at home.

I found the memory addresses to read from using a program designed to hack games called "Memory Hacking Software." The problem is, the addresses change whenever I move the program to another machine.

My question is: is there a way to find a 'permanent' address that is the same on any machine? Or is this simply impossible? Excuse me if this is a dumb question, but I don't know a whole lot on the subject. Or perhaps there is another means to access information from a running program.

Thanks for any and all help!

A: 

What you are asking for is impossible by design. ASLR is designed specifically to prevent this kind of snooping.

What kind of information are you getting from the remote process?

Billy ONeal
Is not. It's designed to protect against cases where the randomization cannot be determined, e.g. as part of a code injection attack. See `http://pax.grsecurity.net/docs/vmmirror.txt`, where the ASLR examples given openly show such snooping, as a means to explain how Pax does ASLR.
MSalters
@MSalters: Being completely outside the target process makes it slightly difficult to determine the location of the memory you want. Of course if you have the randomization bases (i.e. you "own" the current process) then ASLR is not designed to prevent you seeing your own memory!
Billy ONeal
+2  A: 

There are ways to do it such as being able to recognise memory patterns around the thing you're looking for. Crackers can use this to find memory locations to patch even with software that "moves around", so to speak (as with operating systems that provide randomisation of address spaces).

For example, if you know that there are fixed character strings always located X bytes beyond the area of interest, you can scan the whole address space to find them, then calculate the area of interest from that.

However, it's not always as reliable as you might think.

I would instead be thinking of another way to achieve your ends, one that doesn't involve battling the features that are protecting such software from malicious behaviour.

Think of questions like:

  • Why exactly do you need access to the address space at all?
  • Does the program itself provide status information in a more workable manner?
  • If the program is yours, can you modify it to provide that information?
  • If you only need to know if the program is doing its job, can you simply "ping" the program (e.g., for a web page, send an HTML request and ensure you get a valid response)?
  • As a last resort, can you convince the OS to load your program without address space randomisation then continue using your (somewhat dubious) method?

Given your comment that:

I use the program on four machines and I have to "re-find" the addresses (8 of them) on all of them every time they update the program.

I would simply opt for automating this process. This is what some cracking software does. It scans files or in-memory code and data looking for markers that it can use for locating an area of interest.

If you can do it manually, you should be able to write a program that can do it. Have that program locate the areas of interest (by reading the process address space) and, once they're found, just read your required information from there. If the methods of finding them changes with each release (instead of just the actual locations), you'll probably need to update your locator routines with each release of their software but, unfortunately, that's the price you pay for the chosen method.

It's unlikely the program you're trying to read will be as secure as some - I've seen some move their areas of interest around as the program is running, to try and confuse crackers.

paxdiablo
The program isn't mine, and it has no API or other means to interface with. The company is Chinese, so I have no idea how to get in contact with them and request such an interface either. I'm graphing the data using PHP when it gets sent to the server, so simply knowing if the program is running isn't enough. Regardless, I was just looking for a means to simplify the process. I use the program on four machines and I have to "re-find" the addresses (8 of them) on all of them every time they update the program. --Thanks
Blake
Well, if you're "re-finding" the addresses on each machine, all you need to do is automate that process. If you can reliably find the areas of interest using manual methods, then you should be able to write a program to do it as well.
paxdiablo
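The marker-and-offset scan described in the answer above, as an added example that is not part of paxdiablo's answer or the OP's program. It runs over a constructed byte buffer standing in for a ReadProcessMemory snapshot; the marker bytes, the field offset and the region base address are assumptions, and it refuses to locate the field when the marker is missing or ambiguous, which is the "not always reliable" case.

```cpp
// Added example, not from the original answers: masked byte-pattern scan over a
// memory snapshot, then the "fixed offset from a marker" step. Sample data is constructed.
#include <cstddef>
#include <cstdint>
#include <vector>

// A pattern byte of -1 is a wildcard that matches anything (e.g. a version byte).
using Pattern = std::vector<int>;

// Returns the offset of every full match of `pat` inside `mem`.
std::vector<std::size_t> scan_pattern(const std::vector<std::uint8_t>& mem, const Pattern& pat) {
    std::vector<std::size_t> hits;
    if (pat.empty() || pat.size() > mem.size()) return hits;
    for (std::size_t i = 0; i + pat.size() <= mem.size(); ++i) {
        std::size_t j = 0;
        for (; j < pat.size(); ++j)
            if (pat[j] != -1 && static_cast<std::uint8_t>(pat[j]) != mem[i + j]) break;
        if (j == pat.size()) hits.push_back(i);
    }
    return hits;
}

// Absolute address of the field that sits `delta` bytes after the marker, or 0 when the
// marker is absent, matches more than once (ambiguous), or the field would fall outside
// the snapshot. Requiring exactly one hit is what keeps the read from silently going wrong.
std::uintptr_t locate_field(std::uintptr_t region_base, const std::vector<std::uint8_t>& mem,
                            const Pattern& marker, std::ptrdiff_t delta) {
    std::vector<std::size_t> hits = scan_pattern(mem, marker);
    if (hits.size() != 1) return 0;
    std::ptrdiff_t off = static_cast<std::ptrdiff_t>(hits[0]) + delta;
    if (off < 0 || static_cast<std::size_t>(off) + 4 > mem.size()) return 0;
    return region_base + static_cast<std::uintptr_t>(off);
}

// Little-endian 32-bit read from the snapshot at an absolute address returned above.
std::uint32_t read_u32(std::uintptr_t region_base, const std::vector<std::uint8_t>& mem,
                       std::uintptr_t addr) {
    std::size_t off = static_cast<std::size_t>(addr - region_base);
    return mem[off] | (mem[off + 1] << 8) | (mem[off + 2] << 16)
         | (static_cast<std::uint32_t>(mem[off + 3]) << 24);
}

// Constructed snapshot: junk, marker "STAT", one version byte, then the 4-byte status value 42.
const std::vector<std::uint8_t> kSample = {
    0x00, 0x11, 'S', 'T', 'A', 'T', 0x07, 0x2A, 0x00, 0x00, 0x00, 0xFF };
const Pattern kMarker = {'S', 'T', 'A', 'T', -1};   // assumed marker; the 5th byte is a wildcard
const std::uintptr_t kBase = 0x10000;               // assumed base of the region that was read
```

With the sample above, `locate_field(kBase, kSample, kMarker, 5)` returns `kBase + 7` and `read_u32` at that address yields 42; a marker that also matches elsewhere in the region makes `locate_field` return 0 instead of a guess.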
A: 

Sorry, this isn't possible. The memory layout of processes isn't going to be reliably consistent.

You can achieve your goal in a number of ways:

  • Add a client/server protocol that you can connect to and ask "what's your status?" (this also lends itself nicely to asking for more info).
  • Have the process periodically touch a file; the "monitor" can check the modification time of that file to see if the process is dead.
Stephen
He already has a handle to the process to do ReadProcessMemory, which is a 110% reliable way to tell if the process crashed. Tracking by Process ID is unnecessary.
Billy ONeal
@Billy : Good to know, I'm not familiar with that function - don't develop on Windows. I suppose, given that you have that handle, just checking for "is alive" isn't sufficient for what the OP wants.
Stephen