Rob-- / memoryjs

Read and write process memory in Node.js (Windows API functions exposed via Node bindings)
MIT License

Unable to search for patterns outside of modules #79

Closed Strikeeaglechase closed 2 years ago

Strikeeaglechase commented 3 years ago

Using a program like Cheat Engine I can clearly see the data I am searching for is there. I also manually printed out a 512-byte chunk around the memory location and sure enough, it was there; however, findPattern does not locate it. Cheat Engine also does not mention any module tied to the address (which is normal, it's just not a part of a module). How do I scan over the main process itself rather than just modules (in Cheat Engine this is equivalent to setting memory scan options to "All")?

omiinaya commented 3 years ago

+1, doesn't seem to be a way to scan outside of modules

gelonsoft commented 2 years ago

+1

gelonsoft commented 2 years ago

Bad workaround with performance and memory leak issues:

```javascript
const memoryjs = require('memoryjs')
const ffi = require('ffi-napi')

// Bind the two kernel32 calls directly so whole regions can be read and patched
const kernel32 = new ffi.Library('kernel32', {
    ReadProcessMemory: ['bool', ['long', 'int64', 'pointer', 'long', 'long']],
    WriteProcessMemory: ['bool', ['long', 'int64', 'pointer', 'long', 'long']],
});

const processObject = memoryjs.openProcess("someprogram.exe")
const searchValue1 = Buffer.from("0100A0", "hex")
const replaceValueBuffer = Buffer.from("0200A0", "hex")

// Walk every region of the process, not only the ones that belong to a module
const regions = memoryjs.getRegions(processObject.handle)
for (const x of regions) {
    // One buffer the size of the whole region (the source of the performance and memory cost)
    const buf = Buffer.alloc(x.RegionSize)
    const retB = kernel32.ReadProcessMemory(processObject.handle, x.BaseAddress, buf, buf.length, 0)
    if (!retB) continue // region could not be read; buf holds no process data
    // indexOf returns -1 when nothing is found; offset 0 is a valid match
    for (let index = buf.indexOf(searchValue1); index !== -1; index = buf.indexOf(searchValue1, index + 1)) {
        const address = x.BaseAddress + index
        console.log("Found1 " + x.BaseAddress.toString(16) + " " + address.toString(16))
        kernel32.WriteProcessMemory(processObject.handle, address, replaceValueBuffer, replaceValueBuffer.length, 0)
    }
}
```

xetrics commented 2 years ago

The base executable counts as a module itself. This is true for all programs. findModule("processname.exe", pid)

BasBuur commented 2 years ago

+1, This indeed is (still) a problem. Using the executable as the module name does not search in the main application. As @Strikeeaglechase mentioned, it's the same as CE's 'All' option. Selecting the executable name there also does not search in the main application.

Rob-- commented 2 years ago

Change a32ceee adds support for pattern matching outside of modules.

Closing this issue as #48 discusses this same problem and includes more details about the update to findPattern.

You can now pattern match outside of modules by specifying the region you want to pattern match in:

```javascript
const address = memoryjs.findPattern(handle, baseAddress, pattern, flags, patternOffset);
```

Usage of findPattern in this way will search for the module or region that the specified baseAddress lies inside, and will pattern match that module or region of memory.

You can also do a blanket search across all modules or regions by not specifying a module name or base address:

```javascript
const address = memoryjs.findPattern(handle, pattern, flags, patternOffset);
```

NB: you can fetch regions of memory by using memoryjs.getRegions, which will return a list of pages.
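
Added example, not part of the thread and not memoryjs code: a region-by-region signature scan that reads in bounded chunks instead of allocating one buffer per region, and still reports matches at offset 0 and across chunk boundaries. The `read` callback, the `"01 ? A0"` pattern syntax and the sample data are assumptions made for the example; only the `BaseAddress` and `RegionSize` field names come from the thread.

```javascript
// Added example (not memoryjs code). `read(address, size)` is a hypothetical
// callback returning a Buffer, or null when the range cannot be read.
function parsePattern(text) {
  // Assumed syntax: "01 ? A0" -> [0x01, null, 0xA0]; null matches any byte.
  return text.trim().split(/\s+/).map(t =>
    t === '?' ? null : (/^[0-9a-f]{2}$/i.test(t) ? parseInt(t, 16) : NaN));
}
function matchAt(buf, pos, pat) {
  for (let i = 0; i < pat.length; i++) {
    if (pat[i] !== null && buf[pos + i] !== pat[i]) return false;
  }
  return true;
}

function scanRegions(regions, read, patternText, chunkSize = 4096) {
  const pat = parsePattern(patternText);
  if (pat.some(Number.isNaN)) throw new Error('bad pattern: ' + patternText);
  const step = Math.max(chunkSize, pat.length);
  const hits = [];
  for (const r of regions) {
    for (let off = 0; off < r.RegionSize; off += step) {
      // Read pat.length - 1 bytes past the chunk so a match that straddles
      // two chunks is seen, and seen only once.
      const want = Math.min(step + pat.length - 1, r.RegionSize - off);
      const buf = read(r.BaseAddress + off, want);
      if (!buf) break; // unreadable region: move on to the next one
      const limit = Math.min(step, buf.length - pat.length + 1);
      for (let i = 0; i < limit; i++) { // i = 0 is a valid match position
        if (matchAt(buf, i, pat)) hits.push(r.BaseAddress + off + i);
      }
    }
  }
  return hits;
}
// Constructed sample "memory": two regions backed by local Buffers.
const sampleRegions = [{ BaseAddress: 0x1000, RegionSize: 64 },
                       { BaseAddress: 0x8000, RegionSize: 32 }];
const backing = new Map(sampleRegions.map(r => [r.BaseAddress, Buffer.alloc(r.RegionSize)]));
Buffer.from('0100A0', 'hex').copy(backing.get(0x1000), 0);  // offset 0 of a region
Buffer.from('01FFA0', 'hex').copy(backing.get(0x1000), 15); // straddles chunks at 16
Buffer.from('0100A0', 'hex').copy(backing.get(0x8000), 29); // last 3 bytes of a region
function sampleRead(address, size) {
  for (const [base, buf] of backing) {
    const start = address - base;
    if (start >= 0 && start + size <= buf.length) return buf.subarray(start, start + size);
  }
  return null;
}
console.log(scanRegions(sampleRegions, sampleRead, '01 ? A0', 16).map(a => a.toString(16)));
```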