All geek questions in one place

In Ruby, how do I read memory values ​​from an external process?

So, all I just want to do is make a Ruby program that reads some values ​​from a known memory address into another process virtual memory. Thanks to my research and basic knowledge of hex editing a running x86 process in memory, I found the base address and offsets for the values ​​I want. I do not want to change them; I just want to read them. I asked the developer of the memory editor how to approach this abstract of the language and start the Windows platform. He said Win32API calls to OpenProcess, CreateProcess, ReadProcessMemory and WriteProcessMemory are a way to use C or C ++. I think the way is to simply use the Win32API class and map its two instances; One for OpenProcess or CreateProcess, depending on whether the user is already running in the process or not,and another instance will be mapped to ReadProcessMemory. I probably still need to find a function to get a list of running processes, so I know which running process is the one I want if it is already running.

It will take some work to put everything together, but I suppose it would not be so bad to code. This is just a new programming area for me, since I have never worked at this low level with a high level language (well, at a higher level than C anyways). I'm just wondering how to do this. I could just use a bunch of Win32API calls or calls, but that means having to deal with a set of strings and arrays and system-dependent unpacking. I want this work to become cross-platform, since the process I am reading is from (I know that the memory address changes from system to system. The idea is to have a flat file that contains all the memory mappings, therefore a Ruby program can simply match the current platform environment to map the appropriate memory.),but from the looks of things, I just have to make a class that wraps all the current function calls related to the shared memory library of the current platform.

, Ruby, , . , , , , , , , - Ruby , , - Ruby , . , , , - , , , , . Ruby C ++, . x86, ++, C, ANSI C, .

, ? , , , . , , ?

, Grg

PS: , Win32API kernel32.dll.

+3
2

win32utils. , , , , , . , C.

+2

Ruby-FFI:

C Win32 API, Ruby-FFI gem. Ruby-FFI C, Win32.

Win32 CreateFileMapping( ) MapViewOfFile( ).

# WINBASEAPI HANDLE WINAPI CreateFileMappingA(HANDLE,LPSECURITY_ATTRIBUTES,DWORD,DWORD,DWORD,LPCSTR);
# WINBASEAPI PVOID WINAPI MapViewOfFile(HANDLE,DWORD,DWORD,DWORD,DWORD);

0xFFFFFFFF CreateFileMapping, .

, . ( , , , , .)

Ruby:

require 'ffi'

module Win32
   extend FFI::Library
   ffi_lib 'kernel32'  # see winbase.h
   attach_function :CreateFileMapping, 
            :CreateFileMappingA,[ :uint, :pointer, :long, :long, :long, :pointer ], :pointer   
            # suffix A indicates the ASCII version
   attach_function :MapViewOfFile, 
            :MapViewOfFile,[ :pointer, :long, :long, :long, :long ], :pointer  
end

memoryName = "Share Memory Name"
sz_buf = 1000  # bytes  (250 ints, 4 bytes each)
num_ints = sz_buf / 4

# Windows constants
PAGE_READWRITE = 0x0004
FILE_MAP_WRITE = 2

# Get handle to shared memory
hMemory = Win32.CreateFileMapping(0xFFFFFFFF, nil, PAGE_READWRITE, 0, sz_buf, memoryName)

# Create pointer into shared memory in the reader memory space 
pMemory = FFI::MemoryPointer.new(:int, num_ints )
pMemory = Win32.MapViewOfFile(hMemory, FILE_MAP_WRITE, 0, 0, sz_buf)

# Read from shared memory buffer
puts pMemory.read_array_of_int(sz_buf).join(" ")

:

+2

Source: https://habr.com/ru/post/1745527/

More articles:


All Articles