Article: C++ Querying Process Modules

30 December 2016

Having spent a lot of time on external reversing, I developed a function to scan pages of memory within a specified module. In simple terms, we can scan for, say, a byte pattern in "Game.exe" or "Client.dll". To get started, all modules in the process are retrieved using EnumProcessModulesEx, which requires the PROCESS_QUERY_INFORMATION access flag. The next step is finding where our module is loaded in memory by iterating over all the modules and comparing their names against the constructor's "ModuleName". Once found, we have our starting point to work from.

At this point we begin looping over this module's pages in memory until we fall out of its region. This is possible by using VirtualQueryEx to collect a MEMORY_BASIC_INFORMATION structure, which describes those pages. Specifically, the AllocationBase must match the "StartAddress"; otherwise we are no longer scanning within that module. Here you can see that VirtualQueryEx is called successively, advancing by each region's size within the module. In this case I just continue the iteration when the memory protection is PAGE_NOACCESS, but with the process opened with PROCESS_VM_OPERATION you can reassign the protection, for example:

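DWORD dwOldProtect = 0; // receives the previous protection; VirtualProtectEx fails if this pointer is NULL
VirtualProtectEx(handle, (LPVOID)dwCurrent, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &dwOldProtect); // whole region, not sizeof() of the size field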
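The region walk described above, as an added example that is not the author's code: VirtualQueryEx is replaced by a callback so the loop's stop and skip conditions can be run against a constructed region table. `Region`, `QueryFn`, `WalkModule` and `SampleQuery` are hypothetical names, and skipping PAGE_GUARD regions is an addition to the article's PAGE_NOACCESS check.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

// The MEMORY_BASIC_INFORMATION fields the walk relies on.
struct Region {
    uintptr_t BaseAddress, AllocationBase;
    size_t    RegionSize;
    uint32_t  Protect;
};
constexpr uint32_t kNoAccess = 0x01;   // PAGE_NOACCESS
constexpr uint32_t kGuard    = 0x100;  // PAGE_GUARD (skipping it is an addition to the article)

// Stand-in for VirtualQueryEx: fills `out` for the region holding `addr`, false on failure.
using QueryFn = std::function<bool(uintptr_t addr, Region& out)>;

// Collects the accessible regions that belong to the module loaded at `start`.
std::vector<Region> WalkModule(uintptr_t start, const QueryFn& query) {
    std::vector<Region> found;
    Region r{};
    for (uintptr_t cur = start; query(cur, r);) {
        if (r.AllocationBase != start) break;       // walked out of the module
        uintptr_t next = r.BaseAddress + r.RegionSize;
        if (next <= cur) break;                     // zero size or wrap-around
        if (!(r.Protect & (kNoAccess | kGuard))) found.push_back(r);
        cur = next;
    }
    return found;
}

// Constructed layout: four regions of one module, then an unrelated allocation.
static const std::vector<Region> kSample = {
    {0x10000000, 0x10000000, 0x1000, 0x02},  // headers, PAGE_READONLY
    {0x10001000, 0x10000000, 0x5000, 0x20},  // code, PAGE_EXECUTE_READ
    {0x10006000, 0x10000000, 0x1000, 0x01},  // PAGE_NOACCESS, skipped
    {0x10007000, 0x10000000, 0x2000, 0x04},  // data, PAGE_READWRITE
    {0x10009000, 0x10009000, 0x3000, 0x04},  // different AllocationBase, ends the walk
};

bool SampleQuery(uintptr_t addr, Region& out) {
    for (const Region& r : kSample)
        if (addr >= r.BaseAddress && addr - r.BaseAddress < r.RegionSize) { out = r; return true; }
    return false;
}

int main() {
    for (const Region& r : WalkModule(0x10000000, SampleQuery))
        std::printf("%#zx +%#zx protect=%#x\n", (size_t)r.BaseAddress, r.RegionSize, (unsigned)r.Protect);
}
```

On Windows the callback would wrap VirtualQueryEx and copy the four fields out of MEMORY_BASIC_INFORMATION.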