[RELEASE] Memory monitor - check for activity on addresses
Memory Monitor XL, the code cave's buddy
A Chuck E attempt
In brief: Tool will monitor an area of memory while you play to see if any of the addresses are in use.
Source files and executable included!
In something bigger than brief:
Hi peeps, whilst searching the addresses of a game with the intention of creating a code cave, I thought it would be nice to have a tool that monitored an area of memory to see if it was used by the game/program. Now, there more than likely are tools out there that can do this, but I thought, hell, I'm gonna make my own.
And here it is:
All you need to do is:
1) Select the process you wish to attach to (game or whatever)
2) Hit the connect button
3) Enter the start and end addresses (can be the same) of the area you wish to have monitored.
4) Hit the Start button (changes to Stop button)
5) Go in game and play till you think you've done enough to prove that the addresses are in use or not
THE CONTROLS (button, combobox, textbox etc)
The controls will be deactivated until you need to use them. E.g. all controls are deactivated at the start except for the select process one.
Output area - Bottom area of the GUI
The addresses are displayed here.
- Green address = address has not been used
- Red address = address has been used
You can Copy and Paste the addresses into Open Office, and it will retain the colours.
The Start button, when active, will act as both Stop and Start of the address monitoring. Text of the button will switch between Stop and Start.
Start will always start the monitoring afresh. So if needed, make sure you copy the addresses to Open Office (colours are retained).
The number of addresses
Best not to use too many, but if it is more than a couple of thousand then best to disable displaying of the addresses. This tool is ideally for monitoring a small area where you would like to put your code cave.
GOOD LUCK TO ALL WHO TRY THIS OUT
Visual Studio 2012
C# and WPF
MS Windows 7
MSDN (https://msdn.microsoft.com/) <-- my main hangout it seems these days!
Min Zhu - for the code for locating text in a RichTextBox <--- see, freaking awesome!!!!
Fleep and the https://guidedhacking.com/ peeps
DOWNLOAD THE GOODIES HERE
The executable - download it anywhere and run, job done
The VS 2012 project files - download to wherever, and open up the solution (must have Visual Studio)
Virus Total scan for MemoryMonitor.zip (executable)
Virusscan Jotti for MemoryMonitor.zip (executable)
Virus Total scan for MemoryMonitor VS project files.zip
Virusscan Jotti for MemoryMonitor VS project files.zip
Last edited by Chuck E; 10-19-2013 at 11:14 AM.
Good job, Chuck E-san!
You sir, are getting there!
Arigatō, Agent Smith-san
Took me long enough! About 2 seconds to sort out the memory stuff and 2 days to get RichTextBox to do what I wanted!!!! Me no like WPF RichTextBox!
Last edited by Chuck E; 10-19-2013 at 11:13 AM.
So I could monitor changes in my player structure e.g. and then see what happens if I walk etc.?
Yes you can. I forgot to say you can do things like that <--- WRONG
Originally Posted by till0sch97
Actually, it does not show the contents, but I could make it show the contents.
It also highlights the last address accessed.
I need to sort out the entering of the addresses. Right now you have to leave the input boxes before it tests the contents. A bit of a pain really.
Last edited by Chuck E; 10-19-2013 at 01:55 PM.
I made this initially for locating a good place for a code cave, but it might be an idea to expand its use and allow the viewing of the address contents.
Do something like: 2 radio buttons - address monitor / contents monitor
If contents monitor, then have it use a bigger display area.
I'll do this tomorrow. It'll only require the addition of the radio buttons and to have it increase the size of the GUI and RichTextBox. (famous last words!)... 3 weeks later.... &^%*£ RichTextBox $%£$% WPF ^&&* hate *&% MOTH^& F%$^&% BUTT HOLE!
Last edited by Chuck E; 10-19-2013 at 02:07 PM.
Sweet release chuck
Nonetheless, easiest way to find a codecave is to find a bunch of 0xCC breakpoints between functions. Or just overwrite a few db functions. Monitoring memory isn't that efficient because you might have to do a lot of testing to be sure nothing accesses the memory, otherwise under some rare conditions you'll crash.
Sure thing, good luck
Originally Posted by Chuck E
I never deal with code caves myself though, just hook what I want. Dealing with code caves is just unnecessary overhead in my opinion.
That shows a level of understanding I have not reached yet.
Originally Posted by c5
I think this must be how the Buddy bots work (DemonBuddy, HonorBuddy, etc), as they say they do not inject (one less way their bots can get found out). Hmm, interesting.
I need to work on this hooking thing