How do I find all variables that an exe file uses?
I mean, is it possible to find a variable's address, type or name?
I have an exe file that do not know by what language is written.
But when you run it, a process will begin working and variables will be initialized in RAM memory.
I know how to read memory
I know variable's (address,type,name) are in memory too.
But I do not know what bytes are for what variable.
Here is how I read the memory of a process.

What I have tried:

using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

public class ProcessMemoryReader
{
    const int PROCESS_VM_READ = 0x0010;        // access right required by ReadProcessMemory
    const int PROCESS_ALL_ACCESS = 0x1F0FFF;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    // Handles, addresses and the returned byte count are pointer-sized, so they are
    // declared as IntPtr rather than int or long; that keeps the signatures correct
    // in both 32-bit and 64-bit processes.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesWritten);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    public Process process;
    public IntPtr processHandle;

    void Read()
    {
        process = Process.GetProcessesByName("ProcessesName")[0];
        processHandle = OpenProcess(PROCESS_VM_READ, false, process.Id);
        if (processHandle == IntPtr.Zero)
            throw new Win32Exception();   // wraps the last Win32 error

        // Dump the main module's image: from its base address for its size in memory.
        // The base address is used as an IntPtr directly; parsing it into an int
        // overflows for 64-bit addresses.
        IntPtr start = process.MainModule.BaseAddress;
        int totalBytes = process.MainModule.ModuleMemorySize;
        byte[] buffer = new byte[totalBytes];
        IntPtr bytesRead;

        try
        {
            if (!ReadProcessMemory(processHandle, start, buffer, buffer.Length, out bytesRead))
                throw new Win32Exception();
        }
        finally
        {
            CloseHandle(processHandle);   // release the process handle
        }

        string result = ByteArrayToHexString(buffer);
        File.WriteAllText("C:\\result.txt", result);
    }

    public static string ByteArrayToHexString(byte[] bytes)
    {
        StringBuilder hex = new StringBuilder(bytes.Length * 2);
        // Emit the bytes in memory order (lowest address first), two hex digits each.
        for (int i = 0; i < bytes.Length; i++)
        {
            hex.AppendFormat("{0:x2}", bytes[i]);
        }

        return hex.ToString();
    }
}

Thank you in advance.
Updated 11-Jan-21 0:16am
Comments
johannesnestler 15-Oct-18 7:27am
   
"I have an exe file that do not know by what language is written"... [- yes and you won't find out (maybe guessable though with a lot of knowledge) - https://en.wikipedia.org/wiki/.exe ]
"I know variable's (address,type,name) are in memory too." … [ no they are not - it's just an address]
These sentences show me you should learn a lot before you can hack processes or reverse engineer them.
Maybe you tell us your ultimate goal - there may be a better way to reach it?

This is not a question that can be answered generally, since if you don't know the compiler used then you can't effectively do what you want.

This is a reverse engineering question which is out of the scope of this forum and requires specialized knowledge which people will not share.
   
You can't.
There are three types of variables in modern programs:
1) Local variables - these are stack based and only exist while the containing method is actually executing. Once the method returns, they are destroyed. The address of these depends on the thread they are executing on, and the order in which the method is called.
2) Class based variables - these are heap based, but are local to the instance of the class that is in use at the time: if you have three instances, then you have three different locations for the variable, one for each instance. (Think of it like a glove box - each car has a separate one, so the location of a glove box depends on the physical location of the car it is part of.) The location of the class instance in memory is not necessarily fixed relative to anything and in modern frameworks may not even stay the same for the lifetime of the app - they can be moved in memory to free up space and compact memory usage.
3) Global (or static) variables. The address of these is fixed when the app starts, but they are not that common in modern apps.

Of all these, the only ones you stand a chance of finding a valid and fixed address for are the last - and they are less used than they used to be.

There's the added complication that unless you are part of the app, the address is pretty much meaningless, as you can't use it to access the other process memory without quite a lot of fudging.

I suspect that whatever it is you are trying to do, you aren't going to find it at all simple - if it's possible. If you are trying to hack games for example, you will probably not find this works at all ...
   
You don't have any method of "finding" these things for you. You just have to be really good at using WinDbg and analyzing the code that is running to determine where the values you're trying to find are stored in the process' address space.

There's nothing that's going to do that for you automatically.

Oh, and when the code is compiled into an .EXE or .DLL and running, there is no such thing as a "variable". It's just values in memory somewhere.
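The points made in the answers above (stack, heap and global storage; only values, never names or types, in memory), as an added C example that is not part of any of the posts. `struct car`, `g_car` and the helper names are constructed for illustration, and the code assumes 4-byte IEEE-754 floats.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample type: the field names exist only in the source code. */
struct car { int32_t glove_box; float speed; };
static struct car g_car = { 7, 1.5f };  /* global/static: one slot, placed at load time */

/* Offset of the first occurrence of a byte pattern in a dump, or -1 if absent. */
static long find_bytes(const uint8_t *mem, size_t n, const void *pat, size_t pn) {
    for (size_t i = 0; pn > 0 && i + pn <= n; i++)
        if (memcmp(mem + i, pat, pn) == 0) return (long)i;
    return -1;
}

/* The same 4 bytes read as two types: the dump does not say which one is meant. */
static int32_t as_i32(const uint8_t *mem, size_t off) { int32_t v; memcpy(&v, mem + off, 4); return v; }
static float as_f32(const uint8_t *mem, size_t off) { float v; memcpy(&v, mem + off, 4); return v; }

/* Record the address of a local at each call depth while its frame is live. */
static void local_addrs(int depth, uintptr_t *out) {
    volatile int local = depth;
    out[depth] = (uintptr_t)&local;
    if (depth > 0) local_addrs(depth - 1, out);
    (void)local;  /* read after the call, so both frames exist at the same time */
}

/* 1 if the same field of two live heap instances sits at two different addresses. */
static int heap_fields_differ(void) {
    struct car *a = malloc(sizeof *a), *b = malloc(sizeof *b);
    int differ = a && b && (uintptr_t)&a->glove_box != (uintptr_t)&b->glove_box;
    free(a); free(b);
    return differ;
}

int main(void) {
    uint8_t dump[sizeof g_car];
    uintptr_t locals[2];
    memcpy(dump, &g_car, sizeof dump);  /* the raw bytes a memory read would return */
    local_addrs(1, locals);
    printf("field name in dump: %ld\n", find_bytes(dump, sizeof dump, "speed", 5));
    printf("speed bytes as float %.1f, as int32 0x%08x\n",
           as_f32(dump, offsetof(struct car, speed)),
           (unsigned)as_i32(dump, offsetof(struct car, speed)));
    printf("locals differ: %d, heap fields differ: %d, global at %p\n",
           locals[0] != locals[1], heap_fields_differ(), (void *)&g_car);
    return 0;
}
```

The field name is not in the dump, and the bytes of `speed` decode equally well as a float or as an integer; which reading is right is knowledge held by the compiled code, not by the memory.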
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



