Getting the base address of a process in vb.net - vb.net

OK this is a weird one. I need to get the base address of a process in vb.net (not my application). To delve into the memory of the other process (to explore the values I needed before coding it into vb.net) I used Cheat Engine. Cheat Engine gives me an address like so:
Client.exe + 00BBD310
The issue here is that the Client.exe address changes whenever I re-run the program. I have a declaration of the process in my code already so I've tried this:
bAddress = handle_s.MainModule.BaseAddress
Where handle_s is the process in question. The issue here is that the value I get in bAddress isn't the value that is represented by Cheat Engine's "Client.exe". I can work backward to work out what Cheat Engine is referring to, as it tells me what the result of the above sum is; however, as the value changes each time, I need a method by which to simply get the value in vb.net.
Any advice/suggestions welcome.

MainModule.BaseAddress gives you the address where the module was loaded (source)
Therefore it's the absolute dynamic virtual address of the module. If 0x0BBD310 is a relative offset, then adding 0x0BBD310 to MainModule.BaseAddress will give you the address of your variable at run time.
If it's not matching up with what you're seeing in Cheat Engine then you're either attached to the wrong process or you're confused.

Related

.NET Reading windows security event log and expand replacement strings

Running on Windows 7 and Server 2012, I have a VB.NET app that uses the System.Diagnostics.EventLog collection of log entries. When I retrieve one particular Security event log entry's Message property I have a bunch of text that looks like "%%2048" instead of something like "Account Enabled". See the snippet below:
User Account Control:
%%2048
From what I have discovered, this may be a "replacement string" that is a kind of placeholder for another string. This is new to me and I would like to know how to translate these codes into their final value. When I use the Event Viewer application the final text ("Account Enabled") is visible instead of the numeric equivalent, so I know that the translation is possible.
I have seen some posts that talk about using a different class (EventLogRecord) but I have not seen enough that helps me. Can anyone provide an example of how to get a properly formatted event log entry message?
I wound up trying out the EventLogRecord class. Using the FormatDescription method gave me the properly formatted event message body I was hoping for. It just took quite a bit of trial and error to figure out how to use this class as well as how to format a very basic EventLogQuery string (I was trying to avoid using a query string). The only examples I saw of a query string were very complex (to me) and I just wanted a plain old select all records with no filtering. Fortunately, it only took a couple of tries to stumble upon the right brief syntax.
From what I can tell, the old method worked fine for Win XP and Server 2003 (the OSes that the application had been running on). I am now porting it to Windows 7/Server 2012 and apparently the OS has started using the placeholders in the message body in the newer OSes. The EventLogRecord is specifically for these newer OS versions and as such has the features you need to format the message properly.
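As an added example (not the asker's code or the page's), a minimal VB.NET console program that uses EventLogQuery, EventLogReader and FormatDescription the way the self-answer describes; the module name, the "newest first" ordering and the 10-record limit are my choices.

```vbnet
' Added example, not the asker's code: dump Security-log entries through the
' EventLogRecord API so that "%%2048"-style placeholders come back expanded.
' Needs a reference to System.Core and a process allowed to read the Security log.
Imports System
Imports System.Diagnostics.Eventing.Reader

Module SecurityLogDump
    ' "*" is the select-everything query the asker wanted; an XPath filter such as
    ' "*[System[EventID=4738]]" narrows the same query to a single event ID.
    Private Const SelectAll As String = "*"

    Sub Main()
        Dim query As New EventLogQuery("Security", PathType.LogName, SelectAll)
        ' ReverseDirection = True yields the newest entries first.
        query.ReverseDirection = True
        Using reader As New EventLogReader(query)
            Dim shown As Integer = 0
            Dim record As EventRecord = reader.ReadEvent()
            While record IsNot Nothing AndAlso shown < 10
                ' FormatDescription substitutes the provider's message resources, turning
                ' "%%2048" into its text; it returns Nothing if those resources are absent.
                Dim body As String = record.FormatDescription()
                If body Is Nothing Then body = "(message resource not available)"
                Console.WriteLine("[{0}] Event {1} from {2}", record.TimeCreated, record.Id, record.ProviderName)
                Console.WriteLine(body)
                Console.WriteLine()
                shown += 1
                record.Dispose()
                record = reader.ReadEvent()
            End While
        End Using
    End Sub
End Module
```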

Memory Address Range - F7FFF000 converted to what command line option?

First, appreciate you giving this a look. I have an ancient piece of software that writes old Linear PCMCIA cards. In my case, I want to use it in a specialized piece of gear called a Tech2. The software in question is called Memory Card Explorer. Now, I know for a fact it works in Windows XP with Native PCMCIA slots. However, I have a slot that is built on a Dual Systems adapter (basically an Expresscard to PCMCIA adapter).
The issue arises when following the instructions on installation issues, the program refuses to locate the Dual Adapter. Here's the example given in the manual:
"Use a similar address to the PCMCIA adapter. That address can be found using msinfo32.exe.
Eg: if the PCMCIA socket has a memory resource of F8000000 then use a MCE window command of F80D0000 using command line option of WF80D0."
So I get my adapter address which is F7FFF000 but have no idea where to add the "d" to the resource address then change it to a command. I've tried WF7FD0. Am I missing something simple in how these addresses are truncated for command line? Is there a calculator that does the conversion for you somewhere?
Thanks.
It looks like the pattern is to add 0x000D0000 to the address, take the five high nibbles of the address (which makes sense, since these sorts of addresses are typically page-aligned the bottom 3 nibbles will always be 0 on a system with 4KiB pages), and prepend 'W'. Try WF80CF.

vb.net 2010 - reading from registry doesn't work - win 7

I thought this would be dead simple however....
Right, so all I'm simply trying to do is read a value from my registry. I have been through several examples but can't get any of them to work. I've also tried running my application in Admin mode and still nothing. Can someone please help?
From all my examples that I've tried, I'll use the simplest one.
This works:
Dim val As String
val = Registry.LocalMachine.OpenSubKey("Hardware\Description\System\CentralProcessor\0").GetValue("Identifier").ToString()
MsgBox(val)
This (the one I want) doesn't:
Dim val As String
val = Registry.LocalMachine.OpenSubKey("SOFTWARE\PTSClient").GetValue("ConfigDB").ToString()
MsgBox(val)
The latter path and value are ones that I've manually created in the registry. I've checked the permissions between the two and they are the exact same. I've also tried running the app as administrator. I get a runtime error on the val= line, it says: Use the "new" keyword to create an object instance.
Any ideas? All the various online examples have failed and for the life of me, I can't figure out why...
Cheers,
J
Well, I have tried your code with a sample application compiled for x86 and, as expected, it fails with a null value exception.
I assume you are building an application for x86 mode and running in a 64bit environment.
Of course, if this is not the case, let me know and I will delete this answer.
In the situation outlined above, the calls to read/write in the LocalMachine.Software registry path will be automatically changed by the Operating System to read/write in the Software\Wow6432Node subkey and thus, your code is unable to find your manually inserted key ("SOFTWARE\PTSClient").
This code will give a null value as return from Registry.LocalMachine.OpenSubKey("SOFTWARE\PTSClient") leading to the failure to get the ConfigDB value.
You need to add your keys/values to the Software\Wow6432Node path or compile your application for AnyCPU mode or let your code write the value to the registry (it will be redirected to the Wow6432Node).
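As an added example (not the asker's or the answerer's code), a VB.NET read that opens HKLM under an explicit RegistryView (available from .NET 4.0, so VB.NET 2010 qualifies) and null-checks OpenSubKey before calling GetValue; the ReadValue helper and the module name are my own.

```vbnet
' Added example, not the asker's code: read HKLM\SOFTWARE\PTSClient\ConfigDB from
' an x86 build on 64-bit Windows without being silently redirected to Wow6432Node.
Imports System
Imports Microsoft.Win32

Module ReadConfigDb
    ' Opens HKLM under the requested view, so a 32-bit process can read the native
    ' 64-bit SOFTWARE hive (Registry64) or the redirected one (Registry32) on purpose.
    Function ReadValue(ByVal subKeyPath As String, ByVal valueName As String,
                       ByVal view As RegistryView) As String
        Using hklm As RegistryKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view)
            Using key As RegistryKey = hklm.OpenSubKey(subKeyPath, False)
                ' OpenSubKey returns Nothing for a missing key; the original code called
                ' .GetValue on that Nothing, which is the "Use the New keyword" error.
                If key Is Nothing Then Return Nothing
                Dim value As Object = key.GetValue(valueName)
                If value Is Nothing Then Return Nothing
                Return value.ToString()
            End Using
        End Using
    End Function

    Sub Main()
        ' A key created by hand in regedit on 64-bit Windows lives in the 64-bit view;
        ' checking both views shows which hive the value actually sits in.
        For Each view As RegistryView In {RegistryView.Registry64, RegistryView.Registry32}
            Dim configDb As String = ReadValue("SOFTWARE\PTSClient", "ConfigDB", view)
            Console.WriteLine("{0}: {1}", view, If(configDb, "(not found)"))
        Next
    End Sub
End Module
```

On 32-bit Windows both views resolve to the same hive, so the two lines print the same result.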

Using /ApplicationPublicName does not change AppName() output

I know it's a long shot that there might be any uniPaaS developers on here, but here goes:
Today for the first time I've gone to duplicate a system we have in uniPaaS 1.5.
In the uniPaaS broker, I added the flag /ApplicationPublicName to change the APPNAME that the application responds on.
However, the AppName() output that the application generates is still the original name of the application, not what I'm specifying as the ApplicationPublicName.
Our system relies heavily on AppName(). Is there any way to get AppName() to return the same value as /ApplicationPublicName?
The AppName() function returns the application name as it was defined in Settings, Application.
If you want AppName() to return something else, simply input that value in the Magic_Systems section of the ini file.
Better late than never to answer your own question I guess.
To work around this, we internally deprecated the use of the AppName() function, and instead replaced it with our own IntAppName(). Our new function does an INIGet('ApplicationPublicName') and returns that, as AppName() seems to always be fixed to the name of the application when it was compiled.
This was 4 years ago on 1.5 - perhaps v2.0 is different now, but we have continued to use our internal function without issue.

Can I display GUID in windbg?

I am trying to debug some COM components and want to track down CLSID and IIDs in calls to CoCreateInstance.
I am not sure how to display a GUID in windbg. Any pointers for that?
Use the "display type" command:
dt GUID [address-of-guid]
For more information see the documentation.
If it is in a local variable (local to the stack frame you're in), use dv /V to dump all local variables.
I don't know anything about COM, but if this is just a normal variable (even if it's a global one), then you can always do:
alt+2 to bring up the watch window and enter the name of the variable there, eg
blahblah.dll!guid
You'll need the symbols for that, and possibly need to be in source mode as well. This is slightly nicer than dv/dt in that you don't have to type it in constantly. You can enter the address as well, I think. Note that if you don't put blahblah! then it can occasionally cause windbg to stall for a few seconds as it searches every module for something called guid.