Download [RELEASE] Memory monitor - check for activity on addresses


Chuck E

Coder
Dank Tier Donator
Nobleman
Jan 2, 2013
122
588
1
Memory Monitor XL, the code cave's buddy
A Chuck E attempt

In brief: Tool will monitor an area of memory while you play to see if any of the addresses are in use.
Source files and executable included!


In something bigger than brief:

Hi peeps, whilst searching the addresses of a game with the intention of creating a code cave, I thought it would be nice to have a tool that monitored an area of memory to see if it was used by the game/program. Now, there more than likely are tools out there that can do this, but I thought, hell, I'm gonna make my own.

And here it is:

MemoryMonitorImage1.jpg

All you need to do is:

1) Select the process you wish to attach to (game or whatever)
2) Hit the connect button
3) Enter the start and end addresses (can be the same) of the area you wish to have monitored.
4) Hit the Start button (changes to Stop button)
5) Go in game and play till you think you've done enough to prove that the addresses are in use or not


THE CONTROLS (button, combobox, textbox etc)
The controls will be deactivated until you need to use them. E.g. all controls are deactivated at the start except for the select process one.


Output area - Bottom area of the GUI
The addresses are displayed here.
- Green address = address has not been used
- Red address = address has been used
You can Copy and Paste the addresses into Open Office, and it will retain the colours.


STOP/START
The Start button, when active, will act as both Stop and Start of the address monitoring. Text of the button will switch between Stop and Start.
Start will always start the monitoring afresh. So if needed, make sure you copy the addresses to Open Office (colours are retained).


The number of addresses
Best not to use too many, but if it is more than a couple of thousand then best to disable displaying of the addresses. This tool is ideally for monitoring a small area where you would like to put your code cave.


GOOD LUCK TO ALL WHO TRY THIS OUT :D


DEVELOPMENT:
Visual Studio 2012
C# and WPF
MS Windows 7


CREDITS:
MSDN (https://msdn.microsoft.com/) <-- my main hangout it seems these days!
Min Zhu - for the code for locating text in a RichTextBox <--- see, freaking awesome!!!!
https://social.msdn.microsoft.com/Forums/vstudio/cs-CZ/fc46affc-9dc9-4a8f-b845-89a024b263bc/how-to-find-and-replace-words-in-wpf-richtextbox?forum=wpf
Fleep and the
https://guidedhacking.com/ peeps

DOWNLOAD THE GOODIES HERE :D

2 downloads:
The executable - download it anywhere and run, job done :D
The VS 2012 project files - download to wherever, and open up the solution (must have Visual Studio)


Virus Total scan for MemoryMonitor.zip (executable)
https://www.virustotal.com/en/file/...e3974c5733f16e4a6b405d8d/analysis/1382195493/

Virusscan Jotti for MemoryMonitor.zip (executable)
https://virusscan.jotti.org/en/scanresult/309a2d32f53a5d84af16dc48685c965148d2a027

Virus Total scan for MemoryMonitor VS project files.zip
https://www.virustotal.com/en/file/...8554d837addbe9c7e50c6404/analysis/1382196826/

Virusscan Jotti for MemoryMonitor VS project files.zip
https://virusscan.jotti.org/en/scanresult/93a3cab9fc08435d899ec140c77aa8598e02673e
 


Rake

Cesspool Admin
Administrator
Jan 21, 2014
12,376
78,998
2,414
Good job, Chuck E-san!

You sir, are getting there! ;)
 

Chuck E

Arigatō, Agent Smith-san :D

Took me long enough! About 2 seconds to sort out the memory stuff and 2 days to get RichTextBox to do what I wanted !!!! Me no like WPF RichTextBox!
 

till0sch

Respected Hacker
Dank Tier VIP
Dank Tier Donator
Oct 14, 2012
1,104
12,593
51
So I could monitor changes in my player structure e.g. and then see what happens if I walk etc.?
 

Chuck E

So I could monitor changes in my player structure e.g. and then see what happens if I walk etc.?
Yes you can. I forgot to say you can do things like that :D <--- WRONG

Actually, it does not show the contents, but I could make it show the contents.

It also highlights the last address accessed.

I need to sort out the entering of the addresses. Right now you have to leave the input boxes before it tests the contents. A bit of a pain really.
 

Chuck E

I made this initially for locating a good place for a code cave, but it might be an idea to expand its use and allow the viewing of the address contents.

Do something like: 2 radio button - address monitor / contents monitor

If contents monitor, then have it use a bigger display area.

I'll do this tomorrow. It'll only require the addition of the radio buttons and to have it increase the size of the GUI and RichTextBox. (famous last words!)... 3 weeks later.... &^%*£ RichTextBox $%£$% WPF ^&&* hate *&% MOTH^& F%$^&% BUTT HOLE!
 

c5

Kim Kong Trasher
Dank Tier VIP
Dank Tier Donator
Jul 19, 2012
1,187
12,638
76
Sweet release chuck :)

Nonetheless, easiest way to find a codecave is to find a bunch of 0xCC breakpoints between functions. Or just overwrite a few db functions. Monitoring memory isn't that efficient because you might have to do a lot of testing to be sure nothing accesses the memory, otherwise under some rare conditions you'll crash.

So 0xCC ;)
 

Chuck E

Sweet release chuck :)

Nonetheless, easiest way to find a codecave is to find a bunch of 0xCC breakpoints between functions. Or just overwrite a few db functions. Monitoring memory isn't that efficient because you might have to do a lot of testing to be sure nothing accesses the memory, otherwise under some rare conditions you'll crash.

So 0xCC ;)
Thanks, c5 :D

Ah ha, 0xCC breakpoints and db functions. I'll remember that, thanks :D

I was going to ask you what to look for, when wanting to create a code cave, but I figured the answer you would give me would put an end to the tool creation, so I just went "what the hell" and made it, lol

I'll look for the 0xCC breakpoints and/or db functions tomorrow, then will create my first code cave :D
 

c5

Thanks, c5 :D

Ah ha, 0xCC breakpoints and db functions. I'll remember that, thanks :D

I was going to ask you what to look for, when wanting to create a code cave, but I figured the answer you would give me would put an end to the tool creation, so I just went "what the hell" and made it, lol

I'll look for the 0xCC breakpoints and/or db functions tomorrow, then will create my first code cave :D
Sure thing, good luck :)

I never deal with code caves myself though, just hook what I want. Dealing with code caves is just unnecessary overhead in my opinion.
 

Chuck E

Sure thing, good luck :)

I never deal with code caves myself though, just hook what I want. Dealing with code caves is just unnecessary overhead in my opinion.
That shows a level of understanding I have not reached yet.

I think this must be how the Buddy bots work (DemonBuddy, HonorBuddy, etc), as they say they do not inject (one less way their bots can get found out). Hmm, interesting.

I need to work on this hooking thing :D
 

c5

Doubt they hook if they don't inject, it's obviously possible but a bit more complex.

But if you understand how code caves work, hooking will be a lot easier to understand because essentially, it's the same thing
 

Fleep

Founder
Meme Tier VIP
May 20, 2012
572
11,023
6
Doubt they hook if they don't inject, it's obviously possible but a bit more complex.

But if you understand how code caves work, hooking will be a lot easier to understand because essentially, it's the same thing
I've been wanting to do this for a while, do you have any reference to the sort of hooking you're talking about?

Fleep
 

c5

I've been wanting to do this for a while, do you have any reference to the sort of hooking you're talking about?

Fleep
Did you mean hooking without injecting? If not, just general E9 jump in the beginning of the target function which will jump to your function and do your schnizzle; from there jump to a trampoline if you want to call the original function (so you can do the prolog you overwrote with the jump) and then jump back where you left off. Easiest to get CDetour or MS Detours and see how they work. Obviously there are a few more ways to hook, e.g. virtual table hooks (aka VMT hooks), or mid-function hooks on which I've created a thread here also.

If you had hooking without injecting in mind, you might need to get the hang of a runtime assembler for the sake of simplicity and then run a pipe between your program and injected code.

Edit: Maybe I'll create a thread on vtable hooking when I have time as well.
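
The E9 jump described in the post above overwrites the first five bytes of the target function, so it shows up when a function's in-memory prologue is compared with the bytes in the module file. The C below is an added example, not code from the thread or from the tool; `check_prologue`, the sample bytes and the addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { PROLOGUE_CLEAN, PROLOGUE_MODIFIED, PROLOGUE_JMP_HOOK } verdict_t;

typedef struct {
    verdict_t verdict;
    uint64_t  jmp_target;      /* meaningful only for PROLOGUE_JMP_HOOK */
    int       outside_module;  /* 1 if the jump leaves the owning module */
} hook_report;

/* live: prologue bytes read from the running process at func_va.
 * disk: the same bytes from the module file (assumed already relocated).
 * mod_base/mod_size: address range of the module that owns the function. */
hook_report check_prologue(const uint8_t *live, const uint8_t *disk, size_t len,
                           uint64_t func_va, uint64_t mod_base, uint64_t mod_size)
{
    hook_report r = { PROLOGUE_CLEAN, 0, 0 };
    if (memcmp(live, disk, len) == 0)
        return r;
    r.verdict = PROLOGUE_MODIFIED;
    if (len >= 5 && live[0] == 0xE9) {          /* E9 rel32: near relative jump */
        uint32_t raw = (uint32_t)live[1] | (uint32_t)live[2] << 8 |
                       (uint32_t)live[3] << 16 | (uint32_t)live[4] << 24;
        /* target = address of the next instruction + sign-extended rel32 */
        r.jmp_target = func_va + 5 + (uint64_t)(int64_t)(int32_t)raw;
        r.outside_module = r.jmp_target < mod_base ||
                           r.jmp_target >= mod_base + mod_size;
        r.verdict = PROLOGUE_JMP_HOOK;
    }
    return r;
}

/* Constructed samples: a 32-bit prologue (push ebp; mov ebp,esp; sub esp,10h),
 * a copy with an E9 jump written over it, and a copy with one operand changed. */
static const uint8_t DISK[6]    = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
static const uint8_t HOOKED[6]  = { 0xE9, 0xFB, 0xEF, 0x0F, 0x00, 0x90 };
static const uint8_t PATCHED[6] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20 };

int main(void)
{
    const uint8_t *cases[] = { DISK, HOOKED, PATCHED };
    for (int i = 0; i < 3; i++) {
        hook_report r = check_prologue(cases[i], DISK, sizeof DISK,
                                       0x401000, 0x400000, 0x10000);
        printf("case %d: verdict=%d target=0x%llx outside=%d\n", i, r.verdict,
               (unsigned long long)r.jmp_target, r.outside_module);
    }
    return 0;
}
```

A jump whose target falls outside the owning module is the stronger signal; a modified prologue that stays inside the module can also come from legitimate hot-patching.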
 

Chuck E

I have one of the Buddy team on Skype, but I have not chatted with him for some months. I'm sure they said they do not inject. I'd really like to know if they still hook.

Gonna ask him... probably think I am a spy, lol

Message sent... oo, responding...

[10:23:53] Chuck E: Hey
[10:24:13] Chuck E: I'm still working on my game hack studies... question
[10:24:47] Chuck E: I recall that Buddy bots don't use injection, do they use hooking ?
[10:26:03] superreeen: yeah they use "injection" but a way advanced form otherwise hooks won't work :)



You're right, c5 :D
 

Fleep

Did you mean hooking without injecting? If not, just general E9 jump in the beginning of the target function which will jump to your function and do your schnizzle; from there jump to a trampoline if you want to call the original function (so you can do the prolog you overwrote with the jump) and then jump back where you left off. Easiest to get CDetour or MS Detours and see how they work. Obviously there are a few more ways to hook, e.g. virtual table hooks (aka VMT hooks), or mid-function hooks on which I've created a thread here also.

If you had hooking without injecting in mind, you might need to get the hang of a runtime assembler for the sake of simplicity and then run a pipe between your program and injected code.

Edit: Maybe I'll create a thread on vtable hooking when I have time as well.
I see, I currently do a lot of codecaving by placing a jump to my own function and then running asm. (Similar to your previous tut)

I assume your method of hooking is not much different?

I'm sure many would appreciate that.

Fleep
 

c5

I see, I currently do a lot of codecaving by placing a jump to my own function and then running asm. (Similar to your previous tut)

I assume your method of hooking is not much different?

I'm sure many would appreciate that.

Fleep
Vtable (VMT) hooking is completely different indeed and you can't apply that everywhere. But with MS Detours (I prefer 1.5 version) and CDetours or w/e library, it's essentially the same thing as what you are doing right now, just automates the whole placing jump and restoring overwritten instructions. And you don't need to get the arguments manually with using asm or anything, you just guess the arguments and calling convention the target has and define your own function (i.e. instead of defining a naked function and using asm, you actually define your function the same way the target function is).

Also forgot to mention IAT/EAT hooking (import address table), where say a Windows API function is called, its address is looked up from IAT and you actually change the address with your function address.
 

till0sch

Sb in, I think gamedeception or unkn0wncheats, provided a routine with which it's possible to do a codecave (E9 jump) but then you can provide a function and the routine will transfer the bytes of the provided function and jump to there. That way you don't need to inject but still don't have to use asm... Maybe I'll find that thread.

EDIT: found it. This could maybe help:
https://gamedeception.net/index.php?threads/hooking-without-dll-injection.8819/
 

c5

Sb in, I think gamedeception or unkn0wncheats, provided a routine with which it's possible to do a codecave (E9 jump) but then you can provide a function and the routine will transfer the bytes of the provided function and jump to there. That way you don't need to inject but still don't have to use asm... Maybe I'll find that thread.

EDIT: found it. This could maybe help:
https://gamedeception.net/index.php?threads/hooking-without-dll-injection.8819/
Will only work with one function, otherwise you'll be pissing yourself cause you need to manually fix all the relocations :D
 