ReadProcessMemory reads all 0s in a process memory

Question

I am trying to write a process memory scanner that scans for nonzero values in the memory:

MEMORY_BASIC_INFORMATION mbi;
char* addr = 0;
dtype readVal = 0;
while (VirtualQueryEx(hProc, addr, &mbi, sizeof(mbi))) {  // HANDLE hProc is defined earlier
  if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS) {
        for (int i = 0; i < mbi.RegionSize; i += sizeof(readVal)) {
            BOOL ret = ReadProcessMemory(hProc, (char*) mbi.BaseAddress + i, &readVal, sizeof(readVal), 0);
            printf("ReadProcessMemory returns %d\n", ret); // returns 5 (ERROR_ACCESS_DENIED)
            if (readVal != 0) {
                printf("Found a good value!");
                system("pause");
            }
        }
    }
    addr += mbi.RegionSize;
}

I tried it on chrome.exe and the scanner found a ton of nonzero values. But when I tried it on a game process that comes with an anticheat it fails to work, ReadProcessMemory returns ERROR_ACCESS_DENIED in each call of ReadProcessMemory. The handle hProc had no problem attaching to the game process and the correct PID was found. Why is that and how can we increase our privilege to bypass the anticheat?

Answer 1

A trimmed down version of your code does approximately this:

dtype readVal;
if (readVal != 0) {
    printf("Found a good value!");
    system("pause");
}

There's a (probably) uninitialized value (readVal), some code with a code path that doesn't alter the value, followed by a read access. Doing so has no specified behavior. Its behavior is thus implied to be undefined.

To fix your code you'll need to make two changes:

• readVal needs to be initialized, and reset in the innermost loop. Though without knowing what data type readVal is, it's impossible to know whether it is or isn't initialized. That's left as an exercise.
• ReadProcessMemory can fail. It reports failure by returning FALSE. You will need to check for failure, and optionally call GetLastError if you need extended error information.

---

Why is that and how can we bypass the anticheat?

We don't know, since you decided to keep vital information private (e.g. the specific name and version of the target). Bypassing software protection is designed to be difficult. Spend a decade in binary exploitation and you might be prepared to come up with a way. Not something Stack Overflow can help you with.

Answer 2

According to this thread, you need to enumerate all modules for a process to get a valid handle to the module you are interested in. Then you can use ReadProcessMemory like this running as an Administrator to read the multilevel pointer:

#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>
#include <tchar.h>

using namespace std;

DWORD_PTR dwGetModuleBaseAddress(DWORD dwProcID, TCHAR *szModuleName);
    
int main()
{
    HWND hwnd = FindWindowA(NULL, "Game");
    if (hwnd == NULL)
    {
        cout << "Cannot find window." << endl;
        Sleep(3000);
        exit(-1);
    }
    else
    {
        DWORD procID;
        GetWindowThreadProcessId(hwnd, &procID);
        HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
        DWORD_PTR ModuleBaseAddress = 0;
        ModuleBaseAddress = dwGetModuleBaseAddress(procID, _T("Game.exe"));

        if (procID == NULL)
        {
            cout << "Cannot find process.";
            Sleep(3000);
            exit(-1);
        }
        else {
            while (true)
            {
                DWORD temp;
                ReadProcessMemory(handle, (LPCVOID)(ModuleBaseAddress + 0x43021C), &temp, sizeof(temp), NULL);
                ReadProcessMemory(handle, (LPCVOID)(temp + 0xAC), &temp, sizeof(temp), NULL);
                int curhp;
                ReadProcessMemory(handle, (LPCVOID)(temp + 0x4C), &curhp, sizeof(curhp), NULL);
                cout << "Current HP: "  << curhp << endl;
                Sleep(100);
                system("CLS");
            }
        }
    }
    system("PAUSE");
}

DWORD_PTR dwGetModuleBaseAddress(DWORD dwProcID, TCHAR *szModuleName)
{
    DWORD_PTR dwModuleBaseAddress = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwProcID);
    if (hSnapshot != INVALID_HANDLE_VALUE)
    {
        MODULEENTRY32 ModuleEntry32;
        ModuleEntry32.dwSize = sizeof(MODULEENTRY32);
        if (Module32First(hSnapshot, &ModuleEntry32))
        {
            do
            {
                if (_tcsicmp(ModuleEntry32.szModule, szModuleName) == 0)
                {
                    dwModuleBaseAddress = (DWORD_PTR)ModuleEntry32.modBaseAddr;
                    break;
                }
            } while (Module32Next(hSnapshot, &ModuleEntry32));
        }
        CloseHandle(hSnapshot);
    }
    return dwModuleBaseAddress;
}

For more details, you may research from the internet.