[CELua] heaplist

Post by J1327 »

[Celua] Heaplist

I might share this here too, I'm not sure...
All this because CE's heaplist sometimes doesn't work on some applications -- I created something I can look at or...

Also, long/short writing, heap regions in some cases help find values quicker than usual.
Instead of using 0x0 and 0x7ffff... you can use the first process heap region and the last heap region, or the lowest heap region address and the highest heap region address.

I was collecting data, but it was scrapped, because usually the values I am looking for go beyond the process heap regions...

... but uhm, the more stuff I do, it seems some applications store important values in the process heap region...

(Tested: Cheat Engine Tutorial, a few UE games whose data results are mixed up)

Install: No. The code is meant to be executed directly through the Lua engine.

Full Code at (form)

NOTE: The process might crash while getting ALL or certain regions. This could be because a heap region was deallocated while getting heaps (heapwalk) (I didn't use HeapLock / HeapUnlock, to prevent a deadlock situation) or due to other stuff. Currently, when getting heaps, you can't stop the process.

If you want to get only the heap region addresses, then you can use this (from the code):

GetProcessHeaps = {}
GetProcessHeaps._ = {}

function GetProcessHeaps._:Count()
    return executeCodeEx(nil, nil, 'GetProcessHeaps', 0, 0)
end

function GetProcessHeaps._:GetProcessHeap()
    return executeCodeEx(nil, nil, 'GetProcessHeap')
end

function GetProcessHeaps.Update()
    local s = 0
    local c = GetProcessHeaps._:Count()

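    -- Size the buffer for c heap handles instead of requesting 1 byte;
    -- 8 bytes per handle covers both 32- and 64-bit targets.
    local AM = allocateMemory(c * 8)
    local a = AM
    -- The heap count can change between the two calls, so treat the list as a snapshot.
    executeCodeEx(nil, nil, 'GetProcessHeaps', c, a)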
    local low, high = s, s
    local d
    for i = 1, c do
        if targetIs64Bit() then
            d = readQword(a + s)
        else
            d = readInteger(a + s)
        end

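        -- Track the lowest and highest heap handle independently, so the
        -- first entry is also considered for `high`.
        if low == 0 or d < low then
            low = d
        end
        if d > high then
            high = d
        end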

        local o = string.format("%X", d)
        if o ~= GetProcessHeaps[i] then
            GetProcessHeaps[i] = o
        end
        -- Always advance to the next handle, even when the cached entry is
        -- unchanged; otherwise a second Update() keeps re-reading one slot.
        if targetIs64Bit() then
            s = s + 8
        else
            s = s + 4
        end
    end

    if GetProcessHeaps.First ~= GetProcessHeaps[1] or GetProcessHeaps.First == nil then
        GetProcessHeaps.First = GetProcessHeaps[1]
    end
    if GetProcessHeaps.Last ~= GetProcessHeaps[c] or GetProcessHeaps.Last == nil then
        GetProcessHeaps.Last = GetProcessHeaps[c]
    end
    if GetProcessHeaps.High == nil or high ~= tonumber(GetProcessHeaps.High, 16) then
        GetProcessHeaps.High = string.format("%X", high)
    end
    if GetProcessHeaps.Low == nil or low ~= tonumber(GetProcessHeaps.Low, 16) then
        GetProcessHeaps.Low = string.format("%X", low)
    end

    deAlloc(AM)

    -- Accessors, in case they are needed (don't repeat yourself)
    local _ = {

        getFirst = function(self)
            return GetProcessHeaps.First
        end,
        getLast = function(self)
            return GetProcessHeaps.Last
        end,
        getHigh = function(self)
            return GetProcessHeaps.High
        end,
        getLow = function(self)
            return GetProcessHeaps.Low
        end
    }

    return _

end

To use this, run GetProcessHeaps.Update(), and if the process didn't crash (it shouldn't from running this code), the addresses should be filled. Example:

GetProcessHeaps.Update()
return GetProcessHeaps.Low,GetProcessHeaps.High

Moved from Third Party Tools to Lua Snippets and Scripts on Sun Dec 01, 2024 2:35 am by Seneekikaant
