How MHS performs pointer search?

PostPosted: Tue Jun 28, 2011 2:19 pm
by Dimple
I had never really thought of it before, but MHS seems to have a super effective way to perform a pointer search (this probably applies to all the other searches, too). I tried to implement the simplest pointer search ever but using it takes forever. MHS does the same in less than a second.

I need to search through the memory for references to a static string to beat the DMA, but the method I'm using right now is just way too slow. So, how does MHS search through the memory so fast? I'm examining the source code right now but it would help if I got a general explanation of what's the idea behind the code. I can't use L. Spiro script because the search will need to be integrated into a program. Implementing it in C++ is the only option.

Thanks in advance.

Re: How MHS performs pointer search?

PostPosted: Tue Jun 28, 2011 6:25 pm
by L. Spiro
The largest amount of overhead induced by Pointer Search comes from dereferencing them to determine if they actually point to a valid block of RAM.
We want to avoid this at all costs, so we have to determine that the value is not a pointer as quickly as possible.

The functions that return pointers are supposed to follow some basic rules that we can exploit to quickly weed them out before dereferencing them.
#1: The C/C++ standard requires pointers returned by ::malloc()/new to point to a location that is aligned properly for the largest primitive data type. That means 8 bytes.
The standard C library ignores this in Windows and returns pointers that point to addresses aligned to 4-bytes.
Thus if the value we are testing to be a pointer fails to meet (VALUE & 0x3) it is discarded as not being a pointer.

#2: Pointers may not point above and below certain addresses.
Use ::GetSystemInfo() to determine this range and discard values that point too low or too high.

#3: Pointers themselves are always aligned on 4-byte addresses on x86 and 8-byte addresses on x64. Only check these addresses in your scan.

These 3 checks will help you eliminate many values before you are required to do the last check.
#4: Pointers must point to a valid location in memory. Use VirtualQueryEx() to check the properties of the address where the value points.
If the page is not valid, the value is not a pointer.


L. Spiro

Re: How MHS performs pointer search?

PostPosted: Mon Jul 11, 2011 4:10 pm
by Dimple
Thanks a lot. :)

Btw. does MHS use VirtualQueryEx to "walk" through the memory to find the areas that are committed?

Re: How MHS performs pointer search?

PostPosted: Tue Jul 12, 2011 7:52 am
by L. Spiro
It does.

One common mistake is to walk and scan at the same time.
Build a table of the addresses you are going to scan (and the chunk sizes) and then scan them.
This is not only more organized, it allows you to easily break a chunk into multiple chunks. This is required for searching emulators etc., which have ROM images stored in 512-megabyte chunks, which will probably fail to be allocated for your local scan buffer.


L. Spiro
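Added example (not MHS code and not posted by either participant): a small C++ scanner that applies the four checks from the earlier reply in cost order and scans from a prebuilt chunk table as described in this one. The Win32 calls are stood in for by constructed data: the region table is what a VirtualQueryEx walk plus ReadProcessMemory would produce, and the address limits (0x10000 to 0x7FFEFFFF, typical of a 32-bit Windows process) are assumed values that GetSystemInfo would normally supply. The snapshot, region bases, and the string "player" are all made up for the demonstration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// One committed, readable region of the target, as a VirtualQueryEx walk would
// report it. `bytes` is the copy a scanner would pull with ReadProcessMemory;
// in this example it is constructed inline (see makeSampleTarget).
struct Region {
    uint64_t base;
    std::vector<uint8_t> bytes;
    uint64_t end() const { return base + bytes.size(); }
};

// Limits a user-mode pointer may fall in. On Windows these come from
// GetSystemInfo (lpMinimumApplicationAddress / lpMaximumApplicationAddress).
struct AddressRange { uint64_t lo, hi; };

// A unit of scan work: a slice of one region no larger than the local buffer.
// The whole table is built before any scanning happens, so a huge mapping can
// be split instead of read in one piece.
struct Chunk { const Region* region; uint64_t offset; uint64_t size; };

// maxChunk must be a multiple of the pointer size so chunk boundaries never
// cut an aligned slot in half (regions start page-aligned, so slots never straddle).
std::vector<Chunk> buildScanTable(const std::vector<Region>& regions, uint64_t maxChunk) {
    std::vector<Chunk> table;
    for (const Region& r : regions)
        for (uint64_t off = 0; off < r.bytes.size(); off += maxChunk)
            table.push_back({&r, off, std::min<uint64_t>(maxChunk, r.bytes.size() - off)});
    return table;
}

// Checks #1 and #2: cheap rejections that need no lookup at all.
// alignMask is 0x3 because the Windows CRT hands out 4-byte aligned blocks.
bool quickReject(uint64_t value, const AddressRange& range, uint64_t alignMask) {
    if (value & alignMask) return true;                    // #1: misaligned
    if (value < range.lo || value > range.hi) return true; // #2: outside user space
    return false;
}

// Check #4: the value must land inside a committed region. `regions` is sorted
// by base, so a binary search replaces a VirtualQueryEx call per candidate.
const Region* findRegion(uint64_t addr, const std::vector<Region>& regions) {
    auto it = std::upper_bound(regions.begin(), regions.end(), addr,
        [](uint64_t a, const Region& r) { return a < r.base; });
    if (it == regions.begin()) return nullptr;
    --it;
    return (addr >= it->base && addr < it->end()) ? &*it : nullptr;
}

struct Hit { uint64_t where; uint64_t value; }; // slot address, and what it holds

// Scan one chunk at pointer-aligned offsets only (#3). ptrSize is 4 for an
// x86 target, 8 for x64; values are read little-endian as on both.
std::vector<Hit> scanChunk(const Chunk& c, size_t ptrSize, const AddressRange& range,
                           const std::vector<Region>& regions) {
    std::vector<Hit> hits;
    const uint8_t* data = c.region->bytes.data() + c.offset;
    for (uint64_t off = 0; off + ptrSize <= c.size; off += ptrSize) {
        uint64_t value = 0;
        for (size_t i = 0; i < ptrSize; ++i) value |= uint64_t(data[off + i]) << (8 * i);
        if (quickReject(value, range, 0x3)) continue;
        if (!findRegion(value, regions)) continue;       // #4, the expensive check, last
        hits.push_back({c.region->base + c.offset + off, value});
    }
    return hits;
}

// The pointer search proper: every valid slot whose value equals `target`.
std::vector<uint64_t> findReferencesTo(uint64_t target, const std::vector<Region>& regions,
                                       size_t ptrSize, const AddressRange& range, uint64_t maxChunk) {
    std::vector<uint64_t> refs;
    for (const Chunk& c : buildScanTable(regions, maxChunk))
        for (const Hit& h : scanChunk(c, ptrSize, range, regions))
            if (h.value == target) refs.push_back(h.where);
    return refs;
}

// Constructed snapshot of an imaginary 32-bit target: a data region at
// 0x00400000 and a heap region at 0x10000000 holding the string at 0x10000010.
std::vector<Region> makeSampleTarget() {
    Region data{0x00400000, std::vector<uint8_t>(0x100, 0)};
    Region heap{0x10000000, std::vector<uint8_t>(0x100, 0)};
    auto put32 = [](Region& r, uint64_t off, uint32_t v) {
        for (int i = 0; i < 4; ++i) r.bytes[off + i] = uint8_t(v >> (8 * i));
    };
    std::memcpy(&heap.bytes[0x10], "player", 7); // the static string being referenced
    put32(data, 0x20, 0x10000010); // genuine pointer to the string
    put32(data, 0x24, 0x10000011); // misaligned: rejected by #1
    put32(data, 0x28, 0x00000004); // below the minimum address: rejected by #2
    put32(data, 0x2C, 0x20000000); // aligned and in range, no committed page: rejected by #4
    put32(data, 0x31, 0x10000010); // same value at an unaligned slot: never read, per #3
    put32(heap, 0x40, 0x10000010); // a second genuine reference, inside the heap itself
    return {data, heap};
}

int main() {
    std::vector<Region> regions = makeSampleTarget();
    for (uint64_t ref : findReferencesTo(0x10000010, regions, 4, {0x10000, 0x7FFEFFFF}, 0x80))
        std::printf("reference at 0x%08llx\n", (unsigned long long)ref);
    return 0;
}
```

Note that the ASCII of "player" itself (0x79616c70, read at heap offset 0x10) is 4-byte aligned and inside the user range, so it survives #1 and #2 and is only thrown out by the region lookup; text and other plain data are the main reason #4 can never be skipped, which is why it is applied last, to as few values as possible.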

Re: How MHS performs pointer search?

PostPosted: Tue Jul 12, 2011 11:46 pm
by Dimple
Thanks for the tip, I guess I should rewrite my memory scanner. :P