Looking for strings in RAM?

authenticgeek

Junior Member
Apr 3, 2004
1
0
0
Essentially, I'd like to find a string from an application that's open in my RAM and it's location. Hopefully I can grab this from another application in C# but that's another question altogether...

Does anyone know a good way to do this? Either an application that will let me search the contents of my RAM for strings or a debugger for an open app that will let me do the same. Clearly, I've never done this before so I'm open to suggestions.
 

DaveSimmons

Elite Member
Aug 12, 2001
40,730
670
126
Might be possible in 98/ME but 2000/XP should prevent one user process from inspecting the memory of another.

A debugger running with kernel privileges (maybe a device driver debugger) could possibly do this.

If you aren't trying to hack someone else's program (break copy protection, etc.) there are many ways for two running applications to intentionally share data.
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
I once used a program called Cheat-o-Matic. I believe it had that functionality.

I used it to isolate values for cheating in games. I was using an NES emulator (RockNES) and I used Cheat-o-Matic to enhance Zelda with unlimited lives, bombs, rupees, etc...
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
The other application needs to cooperate, meaning it needs to setup shared memory so that other processes can read it. The only thing that can access other processes VM space is the kernel, so you would need to write a driver to do what you want.
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
Afaik you can access other processes' memory if you're superuser ('strings /dev/mem' should accomplish this on linux), but I don't know about on windows.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: Barnaby W. Füi
Afaik you can access other processes' memory if you're superuser ('strings /dev/mem' should accomplish this on linux), but I don't know about on windows.

/dev/mem and /dev/kmem work because there's a driver doing the magic for you, I don't know if Windows has something similar.
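
The Linux side of what the two posts above describe, as an added example that is not from the thread: instead of `strings /dev/mem` (root only, and it sweeps physical memory for the whole machine) you walk one process's `/proc/<pid>/maps` and read its readable mappings through `/proc/<pid>/mem`. The kernel applies the ptrace access check on that file, so a normal user can do this to their own processes (same uid, ptrace_scope permitting) and root can do it to any; that check is the "driver doing the magic". Assumptions: Linux with procfs and Python 3.9+. For orientation only, the Windows NT-line equivalent is OpenProcess with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, VirtualQueryEx to walk the regions and ReadProcessMemory to read them, with the same kind of access check done by the kernel.

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


@dataclass
class Region:
    start: int
    end: int
    perms: str   # e.g. "rw-p"
    path: str    # "" for anonymous mappings


def parse_maps_line(line: str) -> Region:
    m = MAPS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised maps line: {line!r}")
    return Region(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4))


def readable_regions(pid: int) -> List[Region]:
    """Mappings the kernel marked readable; [vvar]/[vsyscall] are skipped because
    reading them through /proc/<pid>/mem fails even for the owner."""
    with open(f"/proc/{pid}/maps") as f:
        regions = [parse_maps_line(line) for line in f]
    return [r for r in regions if r.perms[0] == "r" and r.path not in ("[vvar]", "[vsyscall]")]


def read_region(pid: int, region: Region) -> bytes:
    """Read one mapping via /proc/<pid>/mem. The kernel applies the ptrace access
    check here; a denied or partially unmapped region comes back empty."""
    try:
        with open(f"/proc/{pid}/mem", "rb", buffering=0) as f:
            f.seek(region.start)
            return f.read(region.end - region.start) or b""
    except OSError:
        return b""


def find_string(chunks: Iterable[Tuple[int, bytes]], needle: str) -> List[Tuple[int, str]]:
    """Search (base address, bytes) chunks for needle as UTF-8 and as UTF-16LE
    (Windows programs keep most user-visible text in UTF-16). Returns sorted
    (absolute address, encoding) pairs, one per occurrence."""
    patterns = [("utf-8", needle.encode("utf-8")), ("utf-16le", needle.encode("utf-16-le"))]
    hits = []
    for base, data in chunks:
        for enc, pat in patterns:
            pos = data.find(pat)
            while pos != -1:
                hits.append((base + pos, enc))
                pos = data.find(pat, pos + 1)
    return sorted(hits)


def scan_process(pid: int, needle: str) -> List[Tuple[int, str]]:
    """Address of every occurrence of needle in a live process (Linux only)."""
    return find_string(((r.start, read_region(pid, r)) for r in readable_regions(pid)), needle)


if __name__ == "__main__":
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    text = sys.argv[2] if len(sys.argv) > 2 else "PATH="   # "PATH=" lives in every environ block
    for addr, enc in scan_process(target, text):
        print(f"{addr:#018x}  {enc}")
```

Run it as `python3 scan.py <pid> "some text"`; with no arguments it scans itself for "PATH=" and prints the address of its own environment block. If the target belongs to another user you get an empty result rather than an error, because every read of `/proc/<pid>/mem` fails the access check and returns nothing.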
 

CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
I've used a program that did this on XP... I was tracking the location of the game's score in a program, for obvious reasons ;). I don't remember what it was called, but it listed all the memory areas and whether it could read/write to them. Obviously you could only mess with writeable pages. I wondered why it wasn't all read-only for anti-cheating purposes.
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
That's how game console cheat devices (game shark et al) work. In fact that's probably the first computerey-ish hacking/programming/fiddling-type stuff I ever did - screwing around with a game shark. They had a game shark pro that let you analyze memory and watch for certain values and then check later and see if they changed in a certain way, so you could narrow things down and find where, say, your health is located, and then you could make a code that would always write the maximum value to it. It was kinda flaky though.
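
The narrowing search described in the post above, as an added example (not the thread's code and not any cheat device's): take a snapshot, keep the addresses holding the number shown on screen (or every address if you don't know it), then after the value changes in the game re-read the candidates and keep only those that moved the same way, until one is left; then write the maximum there. Assumed inputs are (base address, bytes) chunks such as the 2 KB of NES work RAM an emulator exposes or regions read with ReadProcessMemory; values are little-endian unsigned integers of 1, 2 or 4 bytes. The 16-byte "RAM" in the usage section is constructed.

```python
import struct
from typing import Callable, Dict, List, Optional, Tuple

Snapshot = List[Tuple[int, bytes]]   # (base address, raw bytes) chunks from one moment
Candidates = Dict[int, int]          # address -> value it held at the last snapshot
FMT = {1: "<B", 2: "<H", 4: "<I"}    # little-endian unsigned, as on x86 and the NES


def value_at(snapshot: Snapshot, addr: int, width: int = 1) -> Optional[int]:
    """Decode the integer at addr, or None if that address is not in the snapshot."""
    for base, data in snapshot:
        if base <= addr <= base + len(data) - width:
            return struct.unpack_from(FMT[width], data, addr - base)[0]
    return None


def start_search(snapshot: Snapshot, known_value: Optional[int] = None, width: int = 1) -> Candidates:
    """Pass 1. With a known value (lives shown as 3) keep only addresses holding it;
    with an unknown value keep every address and let later passes filter."""
    fmt = FMT[width]
    cands = {}
    for base, data in snapshot:
        for off in range(len(data) - width + 1):          # unaligned too: games pack bytes
            v = struct.unpack_from(fmt, data, off)[0]
            if known_value is None or v == known_value:
                cands[base + off] = v
    return cands


def refine(cands: Candidates, snapshot: Snapshot,
           test: Callable[[int, int], bool], width: int = 1) -> Candidates:
    """Pass N. Re-read each candidate in a newer snapshot and keep it if test(old, new) holds."""
    kept = {}
    for addr, old in cands.items():
        new = value_at(snapshot, addr, width)
        if new is not None and test(old, new):
            kept[addr] = new
    return kept


# The comparisons a between-passes search offers.
def equals(v: int) -> Callable[[int, int], bool]:
    return lambda old, new: new == v

def decreased(old: int, new: int) -> bool:
    return new < old

def increased(old: int, new: int) -> bool:
    return new > old

def unchanged(old: int, new: int) -> bool:
    return new == old


def patch(snapshot: Snapshot, addr: int, value: int, width: int = 1) -> Snapshot:
    """The 'always write the maximum' cheat, applied to a copy of the snapshot.
    On a live target this is the same write done through WriteProcessMemory or
    /proc/<pid>/mem, repeated every frame because the game keeps overwriting it."""
    out = []
    for base, data in snapshot:
        if base <= addr <= base + len(data) - width:
            buf = bytearray(data)
            struct.pack_into(FMT[width], buf, addr - base, value)
            data = bytes(buf)
        out.append((base, data))
    return out


if __name__ == "__main__":
    # Constructed 16-byte 'RAM' before and after losing a life: three bytes hold 3 at
    # first; only offset 5 goes 3 -> 2, offset 12 also changes but upward.
    before = [(0x0000, bytes([0, 0, 0, 0, 0, 3, 0, 0, 0, 3, 0, 0, 3, 0, 0, 0]))]
    after = [(0x0000, bytes([0, 0, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 7, 0, 0, 0]))]
    c = start_search(before, known_value=3)
    c = refine(c, after, decreased)
    print("lives counter at", sorted(c))                    # [5]
    print("after patch:", value_at(patch(after, 5, 9), 5))  # 9
```

The "flaky" part mentioned above is inherent: a value that happens to move the same way as the one you want survives every pass, which is why the unknown-value mode needs an `unchanged` pass or two between the `decreased` ones to throw out timers and frame counters.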
 

CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
Originally posted by: Nothinman
I wondered why it wasn't all read-only for anti-cheating purposes

Because you can't separate write and execute on x86.

We've been over this - you can, but that's not the point. Why should any process be able to read any other process's memory?
 

Barnaby W. Füi

Elite Member
Aug 14, 2001
12,343
0
0
Reverse engineering/hacking, snooping, satisfying curiosity. Can't really think of any better reasons right now. I think allowing it, but restricting it to root/admin is a sensible way to do it.
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
I see my brother accidentally posted as me in this thread so I'll chime in too...

Originally posted by: BingBongWongFooey
Reverse engineering/hacking, snooping, satisfying curiosity. Can't really think of any better reasons right now. I think allowing it, but restricting it to root/admin is a sensible way to do it.

How about fixing broken applications? For instance, you can put your PC in DMZ behind your router but KaZaa will continue reporting your IP address as 192.168.x.x and most connections will be impossible. KaNAT fixes this. Every time you switch nodes you have to tell KaNAT to refresh that location in memory again because KaZaa would re-write the incorrect IP address. Why people bother fixing and using such a junky application is beyond me.


BTW, I've done a lot of Gamesharking too.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: CZroe
How about fixing broken applications? For instance, you can put your PC in DMZ behind your router but KaZaa will continue reporting your IP address as 192.168.x.x and most connections will be impossible. KaNAT fixes this. Every time you switch nodes you have to tell KaNAT to refresh that location in memory again because KaZaa would re-write the incorrect IP address. Why people bother fixing and using such a junky application is beyond me.

Or you could have your NAT router do the fixing for you on the network, that's a lot more reliable and less intrusive.
 

CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
Originally posted by: Nothinman
How about fixing broken applications? For instance, you can put your PC in DMZ behind your router but KaZaa will continue reporting your IP address as 192.168.x.x and most connections will be impossible. KaNAT fixes this. Every time you switch nodes you have to tell KaNAT to refresh that location in memory again because KaZaa would re-write the incorrect IP address. Why people bother fixing and using such a junky application is beyond me

Or you could have your NAT router do the fixing for you on the network, that's a lot more reliable and less intrusive.

In some retarded protocols, the IP is sent as part of the data, and the NAT can't tell that it needs to edit the data.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: CTho9305
In some retarded protocols, the IP is sent as part of the data, and the NAT can't tell that it needs to edit the data.

Depends on the device doing the NAT. Even something like a Cisco PIX can fix some protocols like FTP PASV mode with the fixup protocol command, unless the data is encrypted you can fix the packet and there are a bunch of Linux netfilter modules that do that for things like FTP, quake, IRC, etc.
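
What a "fixup" or netfilter helper actually does to the payload, as an added example that is not from the thread, from Cisco or from the netfilter project: the NAT recognises one protocol's control channel, finds the inside address and port embedded in the data, rewrites it to the public address plus a port it will forward back, and remembers that mapping so the data connection is let through. FTP is used because RFC 959 fixes the encoding (h1,h2,h3,h4,p1,p2 in both the PORT command and the 227 reply to PASV). Assumptions: Python 3, an `allocate()` callback standing in for the NAT's port allocator, and the TCP sequence-number fix-up kept as a counter instead of being applied to packet headers. The sample lines in `__main__` are constructed.

```python
import re
from ipaddress import ip_address
from typing import Callable, Dict, Tuple

# RFC 959 encodes address+port as h1,h2,h3,h4,p1,p2 in both the PORT command
# (client -> server) and the 227 reply to PASV (server -> client).
PORT_RE = re.compile(rb"^(PORT\s+)(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\r\n)$")
PASV_RE = re.compile(rb"^(227 [^(]*\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\)[^\r\n]*\r\n)$")


def encode_hostport(ip: str, port: int) -> bytes:
    return (ip.replace(".", ",") + f",{port >> 8},{port & 0xFF}").encode()


class FtpAlg:
    """Rewrites one direction of an FTP control connection as it leaves a NAT.

    private_ip/public_ip: the inside host and the address the NAT uses for it.
    allocate: given the inside data port, returns the external port the NAT will
    forward back to it (the 'expectation' a netfilter helper installs for the
    data connection).
    """

    def __init__(self, private_ip: str, public_ip: str, allocate: Callable[[int], int]):
        self.private_ip, self.public_ip, self.allocate = private_ip, public_ip, allocate
        self.seq_delta = 0                                   # bytes added to this direction so far
        self.expectations: Dict[int, Tuple[str, int]] = {}  # ext port -> (inside ip, inside port)

    def rewrite_line(self, line: bytes) -> bytes:
        """Only lines the helper understands are touched; everything else passes as-is."""
        for rx in (PORT_RE, PASV_RE):
            m = rx.match(line)
            if not m:
                continue
            ip = ".".join(m.group(i).decode() for i in range(2, 6))
            p1, p2 = int(m.group(6)), int(m.group(7))
            try:
                ip_address(ip)
            except ValueError:
                return line                    # malformed octet: leave it, don't guess
            if ip != self.private_ip or p1 > 255 or p2 > 255:
                return line                    # not our inside host, nothing to fix
            inside_port = (p1 << 8) | p2
            ext_port = self.allocate(inside_port)
            self.expectations[ext_port] = (self.private_ip, inside_port)
            return m.group(1) + encode_hostport(self.public_ip, ext_port) + m.group(8)
        return line

    def process(self, payload: bytes) -> bytes:
        """Rewrite every complete line in a TCP segment's payload and record how much
        the stream grew; a real ALG adds seq_delta to later sequence numbers in this
        direction and subtracts it from the peer's ACKs."""
        out = b"".join(self.rewrite_line(l) for l in payload.splitlines(keepends=True))
        self.seq_delta += len(out) - len(payload)
        return out


if __name__ == "__main__":
    alg = FtpAlg("192.168.1.10", "203.0.113.7", allocate=lambda p: 50000 + (p % 10000))
    print(alg.process(b"USER anonymous\r\nPORT 192,168,1,10,4,1\r\n"))
    print("stream grew by", alg.seq_delta, "bytes; expectations:", alg.expectations)
```

This is also why the thread's two conditions hold: the device needs a helper written for each protocol (the PORT and 227 patterns here are FTP-specific, and a line it does not recognise is passed through untouched), and once the control channel is encrypted there is nothing for the helper to match, so the only remaining place to fix the address is inside the application's own memory, which is the niche something like KaNAT filled.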
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
Originally posted by: Nothinman
In some retarded protocols, the IP is sent as part of the data, and the NAT can't tell that it needs to edit the data.

Depends on the device doing the NAT. Even something like a Cisco PIX can fix some protocols like FTP PASV mode with the fixup protocol command, unless the data is encrypted you can fix the packet and there are a bunch of Linux netfilter modules that do that for things like FTP, quake, IRC, etc.

Well, I haven't seen someone dispute the need for KaNAT's existence. Couldn't modifying all outbound packets containing the raw IP address break some protocols the router doesn't understand? I mean, I'm sure it would understand unencrypted VPN but something LIKE that? Also, there's no way in hell my Linksys WRT54G is going to be able to do that without a serious Linux mod ;)
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: CZroe
Well, I haven't seen someone dispute the need for KaNAT's existence. Couldn't modifying all outbound packets containing the raw IP address break some protocols the router doesn't understand? I mean, I'm sure it would understand unencrypted VPN but something LIKE that? Also, there's no way in hell my Linksys WRT54G is going to be able to do that without a serious Linux mod

You don't modify all packets, the module is written to identify and only modify packets for the protocol it understands. As I said there are already modules for things like Quake, IRC, FTP, etc.

And IIRC a Linksys WRT54G is a Linux box.
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
Originally posted by: Nothinman
Well, I haven't seen someone dispute the need for KaNAT's existence. Couldn't modifying all outbound packets containing the raw IP address break some protocols the router doesn't understand? I mean, I'm sure it would understand unencrypted VPN but something LIKE that? Also, there's no way in hell my Linksys WRT54G is going to be able to do that without a serious Linux mod

You don't modify all packets, the module is written to identify and only modify packets for the protocol it understands. As I said there are already modules for things like Quake, IRC, FTP, etc.

And IIRC a Linksys WRT54G is a Linux box.

Yeah, I know it's Linux-based but they've removed the ping hack and you have to flash it with a totally custom firmware to log in to it and run your own applications. Also, are there any KaZaa modules (For curiosity's sake... Not that I'd ever install that crap again)?

This doesn't help Newnan Utilities customers any. Their cable Internet service is about 10x faster than Charter Pipeline Gold but you are using static non-routable IP addresses. You can use VPN to get an outside IP address for a price, but sloppy programs like KaZaa STILL report your non-routable IP address. If you set VPN to be the default TCP/IP connection, the login pops up and crashes many full-screen applications (Like Quake3 Arena).
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: CZroe
Also, are there any KaZaa modules (For curiosity's sake... Not that I'd ever install that crap again)?

Not that I know of, but I believe Kazaa uses HTTP-like syntax for its protocol so it shouldn't be too hard to fix.

Originally posted by: CZroe
This doesn't help Newnan Utilities customers any. Their cable Internet service is about 10x faster than Charter Pipeline Gold but you are using static non-routable IP addresses. You can use VPN to get an outside IP address for a price, but sloppy programs like KaZaa STILL report your non-routable IP address. If you set VPN to be the default TCP/IP connection, the login pops up and crashes many full-screen applications (Like Quake3 Arena).

And that's probably why it's so fast...