[Tutor] How do I scan memory for singles, doubles and so on?

Mats Wichmann mats at wichmann.us
Sat Oct 7 21:58:06 EDT 2017


It might help if you mention what you are trying to do. If it is forensics, there are a bunch of Python tools in that area. Your problem may already have solutions you could use.

On October 7, 2017 3:00:25 PM MDT, Michael C <mysecretrobotfactory at gmail.com> wrote:
>Hi all:
>
>I am working on a memory scanner, and the source code and output are as
>follows:
>
>Now, I know why my buffer from read process memory looks like values such
>as "67108864"; it's because I read into the buffer an entire chunk of memory
>at a time, because I fed read process memory this: "mbi.RegionSize"
>
>Now, how do I read for values such as doubles?
>I am guessing I need to use a for loop to scan for small bits of memory
>chunk at a time.
>
>Is there a way to do it?
>
>Thanks!
>
>
>
>
>>output starts
>
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(6385664)
>buffer is:  c_ulong(67108864)
>buffer is:  c_ulong(7761920)
>buffer is:  c_ulong(7798784)
>buffer is:  c_ulong(7872512)
>buffer is:  c_ulong(8007680)
>buffer is:  c_ulong(8044544)
>buffer is:  c_ulong(8069120)
>buffer is:  c_ulong(8216576)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(3976)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(1318755581)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>buffer is:  c_ulong(0)
>
>> code starts
>
>buffer = ctypes.c_uint()
>nread = SIZE_T()
>
>start = ctypes.c_void_p(mbi.BaseAddress)
>
>ReadProcessMemory = Kernel32.ReadProcessMemory
>
>MEM_COMMIT = 0x00001000
>PAGE_READWRITE = 0x04
>
>current_address = sysinfo.lpMinimumApplicationAddress
>end_address = sysinfo.lpMaximumApplicationAddress
>
># Walk the address space one memory region at a time
>while current_address < end_address:
>    Kernel32.VirtualQueryEx(Process, current_address,
>                            ctypes.byref(mbi), ctypes.sizeof(mbi))
>
>    # Only read committed, read-write regions
>    if mbi.Protect == PAGE_READWRITE and mbi.State == MEM_COMMIT:
>        if ReadProcessMemory(Process, current_address, ctypes.byref(buffer),
>                             ctypes.sizeof(buffer), ctypes.byref(nread)):
>            print('buffer is: ', buffer)
>        else:
>            raise ctypes.WinError(ctypes.get_last_error())
>
>    current_address += mbi.RegionSize

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
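
An added example, not part of the thread: one way to search a region's bytes for singles, doubles and integers using the standard `struct` module. It assumes the whole region has already been read into a bytes object (for example into a buffer of mbi.RegionSize bytes); `scan_region`, `build_sample_region` and the base address 0x10000 are hypothetical names and constructed values.

```python
import math
import struct

# struct format codes (little-endian) for the value kinds to search for
FORMATS = {"int32": "<i", "uint32": "<I", "single": "<f", "double": "<d"}


def scan_region(data, base_address, kind, target, rel_tol=1e-6, aligned=True):
    """Return the absolute addresses in `data` holding `target` as `kind`.

    `data` is the raw content of one memory region and `base_address` is
    where that region starts. Regions start on page boundaries, so an
    aligned offset in `data` is also an aligned address.
    """
    fmt = FORMATS[kind]
    size = struct.calcsize(fmt)
    step = size if aligned else 1      # unaligned scan tries every byte offset
    is_float = kind in ("single", "double")
    hits = []
    for offset in range(0, len(data) - size + 1, step):
        (value,) = struct.unpack_from(fmt, data, offset)
        if is_float:
            # Floats rarely compare equal bit for bit; NaN never matches here.
            if math.isclose(value, target, rel_tol=rel_tol):
                hits.append(base_address + offset)
        elif value == target:
            hits.append(base_address + offset)
    return hits


def build_sample_region():
    """Constructed 64-byte region standing in for bytes read from a process."""
    region = bytearray(64)
    struct.pack_into("<d", region, 8, 3.14159)    # aligned double
    struct.pack_into("<f", region, 24, 2.5)       # aligned single
    struct.pack_into("<I", region, 32, 67108864)  # aligned unsigned int
    struct.pack_into("<d", region, 43, 3.14159)   # unaligned double
    return bytes(region)


if __name__ == "__main__":
    data = build_sample_region()
    base = 0x10000  # constructed base address
    for kind, target in (("double", 3.14159), ("single", 2.5), ("uint32", 67108864)):
        found = scan_region(data, base, kind, target)
        print(kind, target, [hex(a) for a in found])
    print("unaligned doubles:",
          [hex(a) for a in scan_region(data, base, "double", 3.14159, aligned=False)])
```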

