Looking for strings in RAM?

[authenticgeek]

Essentially, I'd like to find a string from an application that's open in my RAM and it's location. Hopefully I can grab this from another application in C# but that's another question altogether...

Does anyone know a good way to do this? Either an application that will let me search the contents of my RAM for strings or a debugger for an open app that will let me do the same. Clearly, I've never done this before so I'm open to suggestions.

 

[DaveSimmons]

Might be possible in 98/ME but 2000/XP should prevent one user process from inspecting the memory of another.

A debugger running with kernel privileges (maybe a device driver debugger) could possibly do this.

If you aren't trying to hack someone else's program (break copy protection, etc.) there are many ways for two running applications to intentionally share data.

 

[CZroe]

I once used a program called Cheat-o-Matic. I believe it had that functionality.

I used it to isolate values for cheating in games. I was using an NES emulator (RockNES) and I used Cheat-o-Matic to enhance Zelda with unlimited lives, bombs, rupees, etc...

 

[Nothinman]

The other application needs to cooperate, meaning it needs to setup shared memory so that other processes can read it. The only thing that can access other processes VM space is the kernel, so you would need to write a driver to do what you want.

 

[Barnaby W. Füi]

Afaik you can access other processes' memory if you're superuser ('strings /dev/mem' should accomplish this on linux), but I don't know about on windows.

 

[Nothinman]

Afaik you can access other processes' memory if you're superuser ('strings /dev/mem' should accomplish this on linux), but I don't know about on windows.

/dev/mem and /dev/kmem work because there's a driver doing the magic for you, I don't know if Windows has something similar.

 

[CTho9305]

I've used a program thta did this on XP... I was tracking the location of the game's score in a program, for obvious reasons . I don't remember what it was called, but it listed all the memory areas and whether it could read/write to them. Obviously you could only mess with writeable pages. I wondered why it wasn't all read-only for anti-cheating purposes.

 

[Nothinman]

I wondered why it wasn't all read-only for anti-cheating purposes

Because you can't seperate write and execute on x86.

 

[Barnaby W. Füi]

That's how game console cheat devices (game shark et al) work. In fact that's probably the first computerey-ish hacking/programming/fiddling-type stuff I ever did - screwing around with a game shark. They had a game shark pro that let you analyze memory and watch for certain values and then check later and see if they changed in a certain way, so you could narrow things down and find where, say, your health is located, and then you could make a code that would always write the maximum value to it. It was kinda flaky though.

 

[CTho9305]

Originally posted by: Nothinman

I wondered why it wasn't all read-only for anti-cheating purposes

Because you can't seperate write and execute on x86.

We've been over this - you can, but that's not the point. Why should any process be able to read any other process's memory?

 

[Barnaby W. Füi]

Reverse engineering/hacking, snooping, satisfying curiosity. Can't really think of any better reasons right now. I think allowing it, but restricting it to root/admin is a sensible way to do it.

 

[CZroe]

I see my brother accidentally posted as me in this thread so I'll chime in too...

Originally posted by: BingBongWongFooey
Reverse engineering/hacking, snooping, satisfying curiosity. Can't really think of any better reasons right now. I think allowing it, but restricting it to root/admin is a sensible way to do it.

How about fixing broken applications? For instance, you can put your PC in DMZ behind your router but KaZaa will continue reporting your IP address as 192.168.x.x and most connections will be impossible. KaNAT fixes this. Every time you switch nodes you have to tell KaNAT to refresh that location in memory again because KaZaa would re-write the incorrect IP address. Why people bother fixing and using such a junky application is beyond me

BTW, I've done a lot of Gamesharking too.

 

[Nothinman]

How about fixing broken applications? For instance, you can put your PC in DMZ behind your router but KaZaa will continue reporting your IP address as 192.168.x.x and most connections will be impossible. KaNAT fixes this. Every time you switch nodes you have to tell KaNAT to refresh that location in memory again because KaZaa would re-write the incorrect IP address. Why people bother fixing and using such a junky application is beyond me

Or you could have your NAT router do the fixing for you on the network, that's a lot more reliable and less intrusive.

 

[CTho9305]

Originally posted by: Nothinman

How about fixing broken applications? For instance, you can put your PC in DMZ behind your router but KaZaa will continue reporting your IP address as 192.168.x.x and most connections will be impossible. KaNAT fixes this. Every time you switch nodes you have to tell KaNAT to refresh that location in memory again because KaZaa would re-write the incorrect IP address. Why people bother fixing and using such a junky application is beyond me

Or you could have your NAT router do the fixing for you on the network, that's a lot more reliable and less intrusive.

In some retarded protocols, the IP is sent as part of the data, and the NAT can't tell that it needs to edit the data.

 

[Nothinman]

In some retarded protocols, the IP is sent as part of the data, and the NAT can't tell that it needs to edit the data.

Depends on the device doing the NAT. Even something like a Cisco PIX can fix some protocols like FTP PASV mode with the fixup protocol command, unless the data is encrypted you can fix the packet and there are a bunch of Linux netfilter modules that do that for things like FTP, quake, IRC, etc.

 

[CZroe]

Originally posted by: Nothinman

In some retarded protocols, the IP is sent as part of the data, and the NAT can't tell that it needs to edit the data.

Depends on the device doing the NAT. Even something like a Cisco PIX can fix some protocols like FTP PASV mode with the fixup protocol command, unless the data is encrypted you can fix the packet and there are a bunch of Linux netfilter modules that do that for things like FTP, quake, IRC, etc.

Well, I haven't seen someone dispute the need for KaNAT's existance. Couldn't modifying all outbound packets containg the raw IP address break some protocols the router doesn't understand? I mean, I'm sure it would understand unencrypted VPN but something LIKE that? Also, there's no way in hell my Linksys WRT54G is going to be able to do that without a serious Linux mod

 

[Nothinman]

Well, I haven't seen someone dispute the need for KaNAT's existance. Couldn't modifying all outbound packets containg the raw IP address break some protocols the router doesn't understand? I mean, I'm sure it would understand unencrypted VPN but something LIKE that? Also, there's no way in hell my Linksys WRT54G is going to be able to do that without a serious Linux mod

You don't modify all packets, the module is written to identify and only modify packets for the protocol it understands. As I said there already modules for things like Quake, IRC, FTP, etc.

And IIRC a Linksys WRT54G is a Linux box.

 

[CZroe]

Originally posted by: Nothinman

Well, I haven't seen someone dispute the need for KaNAT's existance. Couldn't modifying all outbound packets containg the raw IP address break some protocols the router doesn't understand? I mean, I'm sure it would understand unencrypted VPN but something LIKE that? Also, there's no way in hell my Linksys WRT54G is going to be able to do that without a serious Linux mod

You don't modify all packets, the module is written to identify and only modify packets for the protocol it understands. As I said there already modules for things like Quake, IRC, FTP, etc.

And IIRC a Linksys WRT54G is a Linux box.

Yeah, I know it's Linux-based but they've removed the ping hack and you have to flash it with a totally custom firmware to log in to it and run your own applications. Also, are there any KaZaa modules (For curiosity's sake... Not that I'd ever install that crap again)?

This doesn't help Newnan Utilities customers any. Their cable Internet service is about 10x faster than Charter Pipeline Gold but you are using static non-routable IP addresses. You can use VPN to get an outside IP address for a price, but sloppy programs like KaZaa STILL report your non routable IP address. If you set VPN to be the default TCP/IP connection, the login pops up and crashes many full-screen applications (Like Quake3 Arena).

 

[Nothinman]

Also, are there any KaZaa modules (For curiosity's sake... Not that I'd ever install that crap again)?

Not that I know of, but I believe Kazaa uses HTTP-like syntax for it's protocol so it shouldn't be too hard to fix.

This doesn't help Newnan Utilities customers any. Their cable Internet service is about 10x faster than Charter Pipeline Gold but you are using static non-routable IP addresses. You can use VPN to get an outside IP address for a price, but sloppy programs like KaZaa STILL report your non routable IP address. If you set VPN to be the default TCP/IP connection, the login pops up and crashes many full-screen applications (Like Quake3 Arena).

And that's probably why it's so fast...