How to find the memory address of a variable (File handle)?

Question

5.00/5 (2 votes)

See more:

In an attempt to reopen a file with a different share option, I have injected a DLL into the process, and attempt to write to a specific memory address which I thought was the address where a file hook was stored... But it ended up crashing the application.

I had been using TSearch to look for the numerical representation of the handle in 4 bytes, and originally I had found 7 memory addresses that changed with the file handle I could find by intercepting CreateFile. I attempted to create a new file handle using ReOpenFile, and overwrote those 7 memory addresses with the new file handle, but that caused the application to crash However after the application crashed, I can no longer find a memory address that consistently shows the file handle.

This is the method I used to overwrite the old handle.... But even if it is correct I can't find where to overwrite....

C#

IntPtr[] memAddr = { new IntPtr(0x18971C), new IntPtr(0x617B9AAC), new IntPtr(0x645106DC), new IntPtr(0x660CC0EC), new IntPtr(0x6F861728), new IntPtr(0x74E300BC), new IntPtr(0x7500011C) };
foreach (IntPtr iter in memAddr)
{
    IntPtr iinn = Marshal.ReadIntPtr(iter, Marshal.SizeOf(typeof(IntPtr)));
    IntPtr outt = ReOpenFile(iinn, 0x00000001, 0x00000001, 0x00000000);
    Marshal.WriteIntPtr(iter, Marshal.SizeOf(typeof(IntPtr)), outt);
}
Queue.Push(memAddr.Length + " memory addresses patched!");

Posted 9-Nov-11 16:10pm

KairuByte

Updated 17-Nov-11 15:56pm

v9

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

BobJanova · Answer 1 · 2011-11-10T06:14:00

Solution 1

This is into pretty deep hackery now, but I think you need to something like suspend execution, get one of those debug tools that will allow you to see what file handles are owned by what process, find the value of the file handle and search the memory space for it. That's if decompiling the bit of the code you think it must be set in (which I guess you tried first) doesn't help locate the variable.

The easiest way would be to work with the game's author, of course :P

Posted 10-Nov-11 6:14am

BobJanova

Comments

KairuByte 10-Nov-11 12:33pm

Hrm...

Well, for the most part I will be starting the processes in suspended state when I can, but there is a possibility that my program will be run after the game is already running, which is why I am trying to find a way to reopen the file.

I have no idea how to search memory space for a variable in C#....

BobJanova 10-Nov-11 12:53pm

To be honest, nor do I. You are beyond my depth on this type of issue now, I'm afraid.

KairuByte 10-Nov-11 13:03pm

Lol, no worries, it's beyond my depth of knowledge as well.

I'm actually way past my comfort zone on this one, but I started it and now I need to finish it. Plus it would be something cool to learn....

I don't even know where to start looking though, that's the one issue at the moment... Hopefully someone will have some ideas.