forked from cheat-engine/cheat-engine
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmemscan.h
121 lines (101 loc) · 3.01 KB
/
memscan.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
#include <windef.h>
#ifdef AMD64
#define PAGETABLEBASE 0xfffff68000000000ULL
//win10 1607 it's random
#else
#define PAGETABLEBASE 0xc0000000
#endif
typedef struct _ADDRESSENTRY {
DWORD Address;
BYTE size;
BOOLEAN frozen;
PVOID frozendata;
} ADDRESSENTRY;
typedef struct _MEMREGION //only holds regions that are allowed
{
DWORD BaseAddress;
DWORD Size;
} MEMREGION;
typedef struct _MEMSCANOPTIONS
{
BYTE ShowAsSigned; //obsolete (clientside now)
BYTE BinariesAsDecimal; //obsolete (clientside now)
WORD max;
DWORD buffersize;
BYTE skip_page_no_cache; //hmmmm
BYTE UseDebugRegs;
BYTE UseDBKQueryMemoryRegion; //always true
BYTE UseDBKReadWriteMemory; //always true
BYTE UseDBKOpenProcess; //always true
} MEMSCANOPTIONS;
MEMSCANOPTIONS MemscanOptions;
typedef struct _SCANDATA {
PEPROCESS process;
DWORD Start;
DWORD Stop;
BYTE Vartype;
BYTE Scantype;
BYTE ScanOptions;
BYTE scanvaluelength;
char *scanvalue;
BOOLEAN scanning;
BOOLEAN ThreadActive;
} SCANDATA;
SCANDATA CurrentScan;
typedef struct
{
UINT64 StartAddress;
UINT64 EndAddress;
} PRANGE, *PPRANGE;
typedef struct
{
PRANGE Range;
void *Next;
} PENTRY, *PPENTRY;
#ifdef CETC
BOOLEAN FirstScan(PEPROCESS ActivePEPROCESS, DWORD start,DWORD stop,BYTE vartype,BYTE scantype,BYTE scanvaluesize,char *scanvalue,BYTE ScanOptions);
#endif
NTSTATUS ReadPhysicalMemory(char *startaddress, UINT_PTR bytestoread, void *output);
BOOLEAN ReadProcessMemory(DWORD PID,PEPROCESS PEProcess,PVOID Address,DWORD Size, PVOID Buffer);
BOOLEAN WriteProcessMemory(DWORD PID,PEPROCESS PEProcess,PVOID Address,DWORD Size, PVOID Buffer);
BOOLEAN IsAddressSafe(UINT_PTR StartAddress);
BOOLEAN GetMemoryRegionData(DWORD PID,PEPROCESS PEProcess, PVOID mempointer,ULONG *regiontype, UINT_PTR *memorysize,UINT_PTR *baseaddress);
NTSTATUS markAllPagesAsNeverAccessed(PEPROCESS PEProcess);
int enumAllAccessedPages(PEPROCESS PEProcess);
int getAccessedPageList(PPRANGE List, int ListSizeInBytes);
UINT_PTR getPageTableBase();
UINT_PTR getPEThread(UINT_PTR threadid);
ADDRESSENTRY *AddressList;
unsigned int AddressListSize;
unsigned int AddressListEntries;
KSPIN_LOCK AddressListSpinlock;
PVOID FrozenData; //holds the buffer of all frozen data records
int FrozenDataSize;
LARGE_INTEGER FreezeInterval;
HANDLE addressfile;
HANDLE valuefile;
BOOLEAN HiddenDriver;
//scanoptions
#define SO_FASTSCAN (0x1)
#define SO_HEXADECIMAL (0x2)
#define SO_READONLY (0x4)
#define SO_FINDONLYONE (0x8)
#define SO_ISBINARY (0x10)
#define SO_UNICODE (0x20)
//scantype
#define ST_Exact_value 0
#define ST_Increased_value 1
#define ST_Increased_value_by 2
#define ST_Decreased_value 3
#define ST_Decreased_value_by 4
#define ST_Changed_value 5
#define ST_Unchanged_value 6
#define ST_Advanced_Scan 7
#define ST_String_Scan 8
#define ST_SmallerThan 9
#define ST_BiggerThan 10
#define ST_Userdefined 11
//scanerrors
#define SE_IncorrectType -1
#define SE_NotSupported -2
#define SE_NoMemoryFound -3