L. Spiro
September 11th, 2005, 02:41
This is a plug-in for my software, Memory Hacking Software.
Although it is a separate release, it now comes bundled with Memory Hacking Software.
This plug-in allows you to monitor all file activity in the target process and break when it loads any part of a file you want to catch.
When it breaks, it tells you where the file portion is being stored in the process space of the target process, and allows you to set an “access” or a “read” breakpoint on that location.
When this breakpoint is hit, you will be taken directly to the code that actually parses the data loaded from the file.
What this means is that you will be able to follow the code that loads the file, allowing you to decompress/decrypt/decode any file format for any process you like.
The instructions are included in the ZIP file containing the plug-in (“FileWatcher.zip”).
Since my site flags some warnings for some people, the direct link to this plug-in included in the bundle is:
http://www.gwforum.ca/l-spiro/MemHack/MemHack%202.0.5.4.zip
I have also released the source to this plug-in, which you may feel free to modify to suit your own needs.
The code is documented and explains the essentials in creating plug-ins for Memory Hacking Software.
The source code:
http://www.gwforum.ca/l-spiro/MemHack/FileWatcher.rar
L. Spiro
The plug-in was updated to use a CreateFileW() hook instead of CreateFileA(). The only difference in performance is that it catches the names of more files being opened.