Tuts 4 You

Sniffing Unicode Text?


ChupaChu


Posted (edited)

I have played around with Anorganix's sources for the serial sniffer from eZine #2

DL it here h!!p://arteam.accessroot.com/ezine/dl.php?id=2 (look in chapter 8, sources are included).

Sniffer Source goes like this:

function SniffSerial(PI: PROCESS_INFORMATION; Ctx: _Context): string;
var
  X: Cardinal;
  Buff: PChar;
begin
  // allocate some memory and zero it so the buffer always ends in a terminator
  GetMem(Buff, 50);
  ZeroMemory(Buff, 50);
  // suspend the program and get the context
  SuspendThread(PI.hThread);
  Ctx.ContextFlags := CONTEXT_FULL; // GetThreadContext only fills the parts asked for
  GetThreadContext(PI.hThread, Ctx);
  // read the value that [EAX] holds (the good serial); keep the last byte as 00
  ReadProcessMemory(PI.hProcess, Pointer(Ctx.Eax), Buff, 49, X);
  // set the result and free the buffer (a PChar string ends at the first 00 byte)
  Result := Trim(Buff);
  FreeMem(Buff);
end;

Data I'm trying to read looks like this: 31 00 31 00 32 00 33 00 00 ( '1123' unicode string)

What I get with the SniffSerial function is just 31 --> or '1', as 00 is interpreted as the end of the string..

My question is how to Read UNICODE strings as well? (to get '1123' and not just '1')

p.s. Example Sources would be great!

TIA, ChupaChu!

*edit: changed title not to be confusing..

Edited by ChupaChu
Posted (edited)

What a stupid question. There is no ReadProcessMemory Unicode, due to its function being to read data, not strings; you just read 2x more for Unicode than the length of the string and later handle this as Unicode.

If you wanna play, then look: Buff is a pointer to char, so it can't hold words, only bytes; and look in the Trim function at what it does.

Edited by human
Posted (edited)

I've got it.. if anyone gets stuck on the same thing: the solution is to change the Buff type to PWideChar :)

function PWideToString(pw: PWideChar): string;
var
  p: PChar;
  iLen, iBytes: Integer;
begin
  {Length in wide chars, including the terminating null}
  iLen := lstrlenw(pw) + 1;
  {A multibyte (CP_ACP) char can take up to 2 bytes per wide char,
   so allocate that much and tell WideCharToMultiByte the real buffer size}
  iBytes := iLen * 2;
  GetMem(p, iBytes);
  {Convert a unicode (PWideChar) to a string; the null is converted too}
  WideCharToMultiByte(CP_ACP, 0, pw, iLen, p, iBytes, nil, nil);
  Result := p;
  FreeMem(p);
end;

function SniffSerial(PI: PROCESS_INFORMATION; Ctx: _Context): string;
const
  BUFF_SIZE = 256; {bytes: 127 wide chars plus a 00 00 terminator}
var
  X: DWORD;
  Buff: PWideChar;
begin
  {Zero the buffer so the wide string is terminated even if the read fills it}
  GetMem(Buff, BUFF_SIZE);
  ZeroMemory(Buff, BUFF_SIZE);
  SuspendThread(PI.hThread);
  Ctx.ContextFlags := CONTEXT_FULL; {ask GetThreadContext for the integer registers}
  GetThreadContext(PI.hThread, Ctx);
  {Read the wide string EDX points to, leaving the last two bytes as 00 00}
  ReadProcessMemory(PI.hProcess, Pointer(Ctx.Edx), Buff, BUFF_SIZE - 2, X); //@
  Result := PWideToString(Buff);
  FreeMem(Buff);
end;

Simple as that :)

BR, ChupaChu!

Edited by ChupaChu
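The byte-level reason behind the first post's '1' result and the fix in the last post, as an added example that is not code from this thread or from Anorganix's eZine sources. The "remote process memory" is a constructed byte string standing in for what ReadProcessMemory would copy out, so the script runs anywhere; the decoding logic is the general one and also handles a buffer with no terminator and an odd-length read (the 255-byte read above), which the thread's code did not.

```python
# Added example: why a byte-oriented (PChar) read truncates a UTF-16LE
# string, and how a wide-char (PWideChar) read decodes it correctly.

# Constructed stand-in for the remote process memory: the UTF-16LE string
# '1123', its two-byte terminator, then some unrelated bytes.
REMOTE_MEMORY = bytes.fromhex("31003100320033000000") + b"\xde\xad\xbe\xef"


def read_process_memory(base: int, size: int) -> bytes:
    """Mock of ReadProcessMemory (assumption: a plain slice of the constructed
    memory image). Returns fewer bytes if the image ends early."""
    return REMOTE_MEMORY[base:base + size]


def as_c_string(buf: bytes) -> str:
    """What the original SniffSerial did: treat the buffer as an ANSI (PChar)
    string, i.e. stop at the first single 00 byte."""
    end = buf.find(b"\x00")
    if end == -1:
        end = len(buf)
    return buf[:end].decode("latin-1")


def as_wide_string(buf: bytes) -> str:
    """Treat the buffer as a null-terminated UTF-16LE (PWideChar) string:
    look for a 00 00 terminator on an even, code-unit aligned offset and
    drop an unpaired trailing byte, so a buffer without any terminator or
    with an odd length still decodes cleanly."""
    usable = len(buf) - (len(buf) % 2)      # ignore an unpaired last byte
    for off in range(0, usable, 2):
        if buf[off] == 0 and buf[off + 1] == 0:
            usable = off                     # terminator found: cut here
            break
    return buf[:usable].decode("utf-16-le", errors="replace")


def sniff(base: int = 0, size: int = 50) -> dict:
    """Read `size` bytes at `base` and decode them both ways."""
    raw = read_process_memory(base, size)
    return {"ansi": as_c_string(raw), "wide": as_wide_string(raw)}


if __name__ == "__main__":
    result = sniff()
    print("byte-wise PChar read :", repr(result["ansi"]))   # '1'
    print("UTF-16LE PWideChar   :", repr(result["wide"]))   # '1123'
```

The aligned scan matters: searching for `00 00` at any offset would stop early on a string such as 'A' followed by a character whose low byte is 00, so the terminator must be checked only at even offsets.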
