-
Notifications
You must be signed in to change notification settings - Fork 72
/
Copy pathclassMemory_AHK2_64bit.ahk
1520 lines (1357 loc) · 81.8 KB
/
classMemory_AHK2_64bit.ahk
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
;v1.0 for AutoHotkey v2
;#include classMemory_AHK2.ahk
/*
A basic memory class by RHCP:
This is a wrapper for commonly used read and write memory functions.
It also contains a variety of pattern scan functions.
This class allows scripts to read/write integers and strings of various types.
Pointer addresses can easily be read/written by passing the base address and offsets to the various read/write functions.
Process handles are kept open between reads. This increases speed.
However, if a program closes/restarts then the process handle will become invalid
and you will need to re-open another handle (blank/destroy the object and recreate it)
isHandleValid() can be used to check if a handle is still active/valid.
read(), readString(), write(), and writeString() can be used to read and write memory addresses respectively.
readRaw() can be used to dump large chunks of memory, this is considerably faster when
reading data from a large structure compared to repeated calls to read().
For example, reading a single UInt takes approximately the same amount of time as reading 1000 bytes via readRaw().
Although, most people wouldn't notice the performance difference. This does however require you
to retrieve the values using AHK's numget()/strGet() from the dumped memory.
In a similar fashion writeRaw() allows a buffer to be be written in a single operation.
When the new operator is used this class returns an object which can be used to read that process's
memory space.To read another process simply create another object.
Process handles are automatically closed when the script exits/restarts or when you free the object.
**Notes:
This was initially written for 32 bit target processes, however the various read/write functions
should now completely support pointers in 64 bit target applications. The only caveat is that the AHK exe must also be 64 bit.
If AHK is 32 bit and the target application is 64 bit you can still read, write, and use pointers, so long as the addresses
fit inside a 4 byte pointer, i.e. The maximum address is limited to the 32 bit range.
The various pattern scan functions are intended to be used on 32 bit target applications, however:
- A 32 bit AHK script can perform pattern scans on a 32 bit target application.
- A 32 bit AHK script may be able to perform pattern scans on a 64 bit process, providing the addresses fall within the 32 bit range.
- A 64 bit AHK script should be able to perform pattern scans on a 32 or 64 bit target application without issue.
If the target process has admin privileges, then the AHK script will also require admin privileges.
AHK doesn't support unsigned 64bit ints, you can however read them as Int64 and interpret negative values as large numbers.
Commonly used methods:
read()
readString()
readRaw()
write()
writeString()
writeRaw()
isHandleValid()
getModuleBaseAddress()
Less commonly used methods:
hexStringToPattern()
stringToPattern()
modulePatternScan()
processPatternScan()
addressPatternScan()
rawPatternScan()
numberOfBytesRead()
numberOfBytesWritten()
suspend()
resume()
Internal methods: (some may be useful when directly called)
getAddressFromOffsets() ; This will return the final memory address of a pointer. This is useful if the pointed address only changes on startup or map/level change and you want to eliminate the overhead associated with pointers.
isTargetProcess64Bit()
pointer()
GetModuleInformation()
getNeedleFromAOBPattern()
virtualQueryEx()
patternScan()
bufferScanForMaskedPattern()
openProcess()
closeHandle()
Useful properties: (Do not modify the values of these properties - they are set automatically)
baseAddress ; The base address of the target process
hProcess ; The handle to the target process
PID ; The PID of the target process
currentProgram ; The string the user used to identify the target process e.g. "ahk_exe calc.exe"
isTarget64bit ; True if target process is 64 bit, otherwise false
readStringLastError ; Used to check for success/failure when reading a string
Useful editable properties:
insertNullTerminator ; Determines if a null terminator is inserted when writing strings.
Usage:
; **Note: If you wish to try this calc example, consider using the 32 bit version of calc.exe -
; which is in C:\Windows\SysWOW64\calc.exe on win7 64 bit systems.
; The contents of this file can be copied directly into your script. Alternately, you can copy the classMemory.ahk file into your library folder,
; in which case you will need to use the #include directive in your script i.e.
#Include <classMemory>
; You can use this code to check if you have installed the class correctly.
if (_ClassMemory.__Class != "_ClassMemory")
{
msgbox class memory not correctly installed. Or the (global class) variable "_ClassMemory" has been overwritten
ExitApp
}
; Open a process with sufficient access to read and write memory addresses (this is required before you can use the other functions)
; You only need to do this once. But if the process closes/restarts, then you will need to perform this step again. Refer to the notes section below.
; Also, if the target process is running as admin, then the script will also require admin rights!
; Note: The program identifier can be any AHK windowTitle i.e.ahk_exe, ahk_class, ahk_pid, or simply the window title.
; hProcessCopy is an optional variable in which the opened handled is stored.
calc := new _ClassMemory("ahk_exe calc.exe", "", hProcessCopy)
; Check if the above method was successful.
if !isObject(calc)
{
msgbox failed to open a handle
if (hProcessCopy = 0)
msgbox The program isn't running (not found) or you passed an incorrect program identifier parameter. In some cases _ClassMemory.setSeDebugPrivilege() may be required.
else if (hProcessCopy = "")
msgbox OpenProcess failed. If the target process has admin rights, then the script also needs to be ran as admin. _ClassMemory.setSeDebugPrivilege() may also be required. Consult A_LastError for more information.
ExitApp
}
; Get the process's base address.
; When using the new operator this property is automatically set to the result of getModuleBaseAddress();
; the specific method used depends on the bitness of the target application and AHK.
; If the returned address is incorrect and the target application is 64 bit, but AHK is 32 bit, try using the 64 bit version of AHK.
msgbox % calc.BaseAddress
; Get the base address of a specific module.
msgbox % calc.getModuleBaseAddress("GDI32.dll")
; The rest of these examples are just for illustration (the addresses specified are probably not valid).
; You can use cheat engine to find real addresses to read and write for testing purposes.
; Write 1234 as a UInt at address 0x0016CB60.
calc.write(0x0016CB60, 1234, "UInt")
; Read a UInt.
value := calc.read(0x0016CB60, "UInt")
; Read a pointer with offsets 0x20 and 0x15C which points to a UChar.
value := calc.read(pointerBase, "UChar", 0x20, 0x15C)
; Note: read(), readString(), readRaw(), write(), writeString(), and writeRaw() all support pointers/offsets.
; An array of pointers can be passed directly, i.e.
arrayPointerOffsets := [0x20, 0x15C]
value := calc.read(pointerBase, "UChar", arrayPointerOffsets*)
; Or they can be entered manually.
value := calc.read(pointerBase, "UChar", 0x20, 0x15C)
; You can also pass all the parameters directly, i.e.
aMyPointer := [pointerBase, "UChar", 0x20, 0x15C]
value := calc.read(aMyPointer*)
; Read a utf-16 null terminated string of unknown size at address 0x1234556 - the function will read until the null terminator is found or something goes wrong.
string := calc.readString(0x1234556, length := 0, encoding := "utf-16")
; Read a utf-8 encoded string which is 12 bytes long at address 0x1234556.
string := calc.readString(0x1234556, 12)
; By default a null terminator is included at the end of written strings for writeString().
; The nullterminator property can be used to change this.
_ClassMemory.insertNullTerminator := False ; This will change the property for all processes
calc.insertNullTerminator := False ; Changes the property for just this process
Notes:
If the target process exits and then starts again (or restarts) you will need to free the derived object and then use the new operator to create a new object i.e.
calc := [] ; or calc := "" ; free the object. This is actually optional if using the line below, as the line below would free the previous derived object calc prior to initialising the new copy.
calc := new _ClassMemory("ahk_exe calc.exe") ; Create a new derived object to read calc's memory.
isHandleValid() can be used to check if a target process has closed or restarted.
*/
class _ClassMemory
{
; List of useful accessible values. Some of these inherited values (the non objects) are set when the new operator is used.
static baseAddress, hProcess, PID, currentProgram
, insertNullTerminator := True
, readStringLastError := False
, isTarget64bit := False
, ptrType := "UInt"
, aTypeSize := { "UChar": 1, "Char": 1
, "UShort": 2, "Short": 2
, "UInt": 4, "Int": 4
, "UFloat": 4, "Float": 4
, "Int64": 8, "Double": 8}
, aRights := { "PROCESS_ALL_ACCESS": 0x001F0FFF
, "PROCESS_CREATE_PROCESS": 0x0080
, "PROCESS_CREATE_THREAD": 0x0002
, "PROCESS_DUP_HANDLE": 0x0040
, "PROCESS_QUERY_INFORMATION": 0x0400
, "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000
, "PROCESS_SET_INFORMATION": 0x0200
, "PROCESS_SET_QUOTA": 0x0100
, "PROCESS_SUSPEND_RESUME": 0x0800
, "PROCESS_TERMINATE": 0x0001
, "PROCESS_VM_OPERATION": 0x0008
, "PROCESS_VM_READ": 0x0010
, "PROCESS_VM_WRITE": 0x0020
, "SYNCHRONIZE": 0x00100000}
/*
Method: __new(program, dwDesiredAccess := "", byRef handle := "", windowMatchMode := 3)
Example: derivedObject := new _ClassMemory("ahk_exe calc.exe")
This is the first method which should be called when trying to access a program's memory.
If the process is successfully opened, an object is returned which can be used to read that processes memory space.
[derivedObject].hProcess stores the opened handle.
If the target process closes and re-opens, simply free the derived object and use the new operator again to open a new handle.
Parameters:
program The program to be opened. This can be any AHK windowTitle identifier, such as
ahk_exe, ahk_class, ahk_pid, or simply the window title. e.g. "ahk_exe calc.exe" or "Calculator".
It's safer not to use the window title, as some things can have the same window title e.g. an open folder called "Starcraft II"
would have the same window title as the game itself.
*'DetectHiddenWindows, On' is required for hidden windows*
dwDesiredAccess The access rights requested when opening the process.
If this parameter is null the process will be opened with the following rights
PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, & SYNCHRONIZE
This access level is sufficient to allow all of the methods in this class to work.
Specific process access rights are listed here:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx
handle (Output) Optional variable in which a copy of the opened processes handle will be stored.
Values:
Null OpenProcess failed. The script may need to be run with admin rights admin,
and/or with the use of _ClassMemory.setSeDebugPrivilege(). Consult A_LastError for more information.
0 The program isn't running (not found) or you passed an incorrect program identifier parameter.
In some cases _ClassMemory.setSeDebugPrivilege() may be required.
Positive Integer A handle to the process. (Success)
windowMatchMode - Determines the matching mode used when finding the program (windowTitle).
The default value is 3 i.e. an exact match. Refer to AHK's setTitleMathMode for more information.
Return Values:
Object On success an object is returned which can be used to read the processes memory.
Null Failure. A_LastError and the optional handle parameter can be consulted for more information.
*/
__new(program, childName := "", dwDesiredAccess := "", byRef handle := "", windowMatchMode := 3)
{
if A_PtrSize != 8 || A_AhkVersion < 2 {
MsgBox("classMemory_AHK2_64bit.ahk requires AutoHotkey v2 64 bit")
return
}
if this.PID := handle := this.findPID(program, windowMatchMode) ; set handle to 0 if program not found
{
if childName
for process in ComObjGet("winmgmts:").ExecQuery("SELECT * FROM Win32_Process WHERE Name = '" childName "'")
if process.ParentProcessID == this.PID {
this.PID:= process.ProcessID
this.parentPID := process.ParentProcessID
}
; This default access level is sufficient to read and write memory addresses, and to perform pattern scans.
; if the program is run using admin privileges, then this script will also need admin privileges
if !(dwDesiredAccess is "integer")
dwDesiredAccess := this.aRights.PROCESS_QUERY_INFORMATION | this.aRights.PROCESS_VM_OPERATION | this.aRights.PROCESS_VM_READ | this.aRights.PROCESS_VM_WRITE
dwDesiredAccess |= this.aRights.SYNCHRONIZE ; add SYNCHRONIZE to all handles to allow isHandleValid() to work
dwDesiredAccess |= this.aRights.PROCESS_SUSPEND_RESUME ; so we can suspend/resume
if this.hProcess := handle := this.OpenProcess(this.PID, dwDesiredAccess) ; NULL/Blank if failed to open process for some reason
{
this.pNumberOfBytesRead := DllCall("GlobalAlloc", "UInt", 0x0040, "Ptr", A_PtrSize, "Ptr") ; 0x0040 initialise to 0
this.pNumberOfBytesWritten := DllCall("GlobalAlloc", "UInt", 0x0040, "Ptr", A_PtrSize, "Ptr") ; initialise to 0
this.readStringLastError := False
this.currentProgram := program
if this.isTarget64bit := this.isTargetProcess64Bit(this.PID, this.hProcess, dwDesiredAccess)
this.ptrType := "Int64"
else this.ptrType := "UInt" ; If false or Null (fails) assume 32bit
this.BaseAddress := this.getModuleList()
this.GetThreadInfo()
return this
}
}
return
}
__delete()
{
this.closeHandle(this.hProcess)
if this.pNumberOfBytesRead
DllCall("GlobalFree", "Ptr", this.pNumberOfBytesRead)
if this.pNumberOfBytesWritten
DllCall("GlobalFree", "Ptr", this.pNumberOfBytesWritten)
return
}
/* This function retrieves Thread Basic Information and the StackBase and StackLimit of each thread.
On 64bit targets, NT_TIB struct is found at TebBaseAddress. For 32bit targets, a pointer that points
to the struct is found at that address instead. Alternatively, use TebBaseAddress + 0x2000 to go directly
to NT_TIB struct. (see 4th link)
https://forum.cheatengine.org/viewtopic.php?p=5487976#5487976
https://forum.cheatengine.org/viewtopic.php?p=5602055
https://github.com/makemek/cheatengine-threadstack-finder/blob/thread-base-addr/main.cpp
https://stackoverflow.com/questions/34736009/get-32bit-peb-of-another-process-from-a-x64-process
The snapshot code and the thread32first, thread32next codes are taken from autohotkey forum, by jNizM.
https://autohotkey.com/boards/viewtopic.php?t=15943
*/
GetThreadInfo() {
if this.isTarget64bit {
tarPtrType := "Int64"
tarPtrSize := 8
} else {
tarPtrType := "UInt"
tarPtrSize := 4
}
TH32CS_SNAPTHREAD := 0x4
hModule := DllCall( "LoadLibrary"
, "str", "ntdll.dll"
, "uptr")
;https://docs.microsoft.com/en-us/windows/desktop/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot
hSnapshot := DllCall( "CreateToolhelp32Snapshot"
, "uint", TH32CS_SNAPTHREAD
, "uint", this.PID )
/*
typedef struct tagTHREADENTRY32 {
DWORD dwSize;
DWORD cntUsage;
DWORD th32ThreadID; +0x8
DWORD th32OwnerProcessID; +0x12
LONG tpBasePri;
LONG tpDeltaPri;
DWORD dwFlags;
} THREADENTRY32;
Must initialize dwSize to sizeof(THREADENTRY32) or call will fail:
https://docs.microsoft.com/en-us/windows/desktop/api/tlhelp32/ns-tlhelp32-tagthreadentry32
*/
sizeOfTHREADENTRY32 := 28
VarSetCapacity(THREADENTRY32, sizeOfTHREADENTRY32, 0)
NumPut(sizeOfTHREADENTRY32, THREADENTRY32, "uint") ;initialize dwSize to sizeOfTHREADENTRY32
DllCall("Thread32First", "ptr", hSnapshot, "ptr", &THREADENTRY32)
this.Thread := Thread := [], i := 1
while (DllCall( "Thread32Next"
, "ptr", hSnapshot
, "ptr", &THREADENTRY32)) {
if (NumGet(THREADENTRY32, 12, "uint") = this.PID) { ;check if owner is our process
hThread := DllCall( "OpenThread" ;get thread handle
, "uint", 0x0040
, "int", 0
, "uint", NumGet(THREADENTRY32, 8, "uint")
, "ptr")
/* NtQueryInformationThread : THREAD_BASIC_INFORMATION struct
Type Name Offset Size
---- ---- ------ ----
NTSTATUS ExitStatus; 0 4
Padding 4 4
PVOID TebBaseAddress; 8 8
CLIENT_ID ClientId; 16 16
KAFFINITY AffinityMask; 32 8
KPRIORITY Priority; 40 4
KPRIORITY BasePriority; 44 4
https://stackoverflow.com/questions/17152735/getting-the-teb-of-a-64bit-process-on-windows
*/
THREAD_BASIC_INFORMATION := 0x0
sizeOfThreadBasicInfo := 48
VarSetCapacity(ThreadBasicInfo, 48, 0)
DllCall( "ntdll\NtQueryInformationThread"
, "ptr", hThread
, "uint", THREAD_BASIC_INFORMATION
, "ptr", &ThreadBasicInfo
, "uint", 48
, "uint", _)
Thread[i] := {}
Thread[i].TebBaseAddress := NumGet(ThreadBasicInfo, 8, "Int64")
THREAD_QUERY_SET_WIN32_START_ADDRESS := 0x9
DllCall( "ntdll\NtQueryInformationThread"
, "ptr", hThread
, "uint", THREAD_QUERY_SET_WIN32_START_ADDRESS
, "ptr*", ThreadStartAddr
, "uint", A_PtrSize, "uint*", 0)
Thread[i].StartAddr := ThreadStartAddr
Thread[i].ThreadID := NumGet(THREADENTRY32, 8, "UInt")
/* from: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-a-stack-overflow
typedef struct _TEB {
NT_TIB NtTib; <===== TebBaseAddress points to this
PVOID EnvironmentPointer;
CLIENT_ID ClientId;
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PPEB ProcessEnvironmentBlock;
ULONG LastErrorValue;
.....
PVOID DeallocationStack;
.....
} TEB;
typedef struct _NT_TIB {
struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList;
PVOID StackBase; <==== +0x4 if target is 32 bit, +0x8 if 64 bit
PVOID StackLimit; <==== +0x8 if target is 32 bit, +0x16 if 64 bit
.....
} NT_TIB;
*/
if this.isTarget64bit
NT_TIB_base := Thread[i].TebBaseAddress
else
NT_TIB_base := this.read(Thread[i].TebBaseAddress, tarPtrType)
Thread[i].NT_TIB := {}
Thread[i].NT_TIB.StackBase := this.read(NT_TIB_base + tarPtrSize, tarPtrType)
Thread[i].NT_TIB.StackLimit := this.read(NT_TIB_base + tarPtrSize * 2, tarPtrType)
DllCall("CloseHandle", "ptr", hThread)
i++
}
}
DllCall("CloseHandle", "ptr", hSnapshot)
DllCall("FreeLibrary", "ptr", hModule)
this.getThreadStacks(Thread)
}
/* This allows results from patternScan to be fed back into itself -
Turns 0x00007FFF066D3034 into an array := ["0x34", "0x30", "0x6D", "0x06", "0xFF", "0x7F", "0x00", "0x00"]
Useless for now since I am using static addresses
for kernel32.dll's exit functions (32bit and 64bit). See function getThreadStacks(Thread).
*/
hexToAOB(hex) {
hex := StrReplace(hex, "0x")
len := StrLen(hex)
AOB := []
loop len//2
AOB[A_Index] := "0x" . SubStr(hex, len - 2 * A_Index + 1, 2)
return AOB
}
/* Finds and returns CheatEngine's ThreadStack[0], ThreadStack[1], ThreadStack[2] ... etc
*/
getThreadStacks(Thread) {
if this.isTarget64bit
h:=Format("{:016x}", this.modulePatternScan("KERNEL32.DLL", 0x8b, 0xc8, 0xff, 0x15 ,0x5c, 0x62, 0x06, 0x00, 0xcc, 0xff, 0x15, 0x7d, 0x64, 0x06, 0x00, 0xa8, 0x10, 0x74, 0x09, 0xe8, 0x0c, 0x00, 0x00, 0x00))
else
h:=Format("{:08x}", this.modulePatternScan("KERNEL32.DLL", 0x8b, 0xff, 0x55, 0x8b ,0xec, 0x51, 0xa1, 0x50, 0x01, 0x36, 0x75, 0x33, 0xc5, 0x89, 0x45, 0xfc, 0x56, 0x8b, 0xf2, 0x85, 0xc9, 0x75, 0x14, 0xff))
pattern := this.hexToAOB(h)
this.ThreadStack := []
;pattern := this.isTarget64bit ? [0x34, 0x30, 0x6d, 0x06, 0xff, 0x7f, 0x00, 0x00] : [0x60, 0x84, 0xF5, 0x73]
/* Use this script to get these addresses:
#include print.ahk
h := DllCall("GetModuleHandle", str, "kernel32", "ptr")
r := DllCall("GetProcAddress", "Ptr", h, "AStr", "BaseThreadInitThunk" , "ptr")
hprint(r), eprint(DllCall("GetLastError"))
;the procedure name is "BaseThreadInitThunk", and the bit-ness of AHK executable determines the address
;to get 32 bit version you have to run this with 32bit AHK
;the returned address, r, are 0x73f58460 and 0x7fff066d3020
;for 32bit, you can use it as is; for 64 bit you have to add 0x14 to it.
*/
loop Thread.Length() {
i := A_Index
address := Thread[i].NT_TIB.StackLimit
result := this.processPatternScan(address, Thread[i].NT_TIB.StackBase, pattern*)
while result {
this.ThreadStack[i - 1] := result
address := result + 1
result := this.processPatternScan(address, Thread[i].NT_TIB.StackBase, pattern*)
}
}
}
findPID(program, windowMatchMode := "3")
{
; If user passes an AHK_PID, don't bother searching. There are cases where searching windows for PIDs
; wont work - console apps
if RegExMatch(program, "i)\s*AHK_PID\s+(0x[[:xdigit:]]+|\d+)", pid)
return pid.value[1]
if windowMatchMode
{
; This is a string and will not contain the 0x prefix
mode := A_TitleMatchMode
; remove hex prefix as SetTitleMatchMode will throw a run time error. This will occur if integer mode is set to hex and user passed an int (unquoted)
windowMatchMode := StrReplace(windowMatchMode, "0x")
SetTitleMatchMode windowMatchMode
}
pid := WinGetPID(program)
if windowMatchMode
SetTitleMatchMode mode ; In case executed in autoexec
; If use 'ahk_exe test.exe' and winget fails (which can happen when setSeDebugPrivilege is required),
; try using the process command. When it fails due to setSeDebugPrivilege, setSeDebugPrivilege will still be required to openProcess
; This should also work for apps without windows.
if (!pid && RegExMatch(program, "i)\bAHK_EXE\b\s*(.*)", fileName))
{
; remove any trailing AHK_XXX arguments
filename := RegExReplace(filename.value[1], "i)\bahk_(class|id|pid|group)\b.*", "")
filename := trim(filename) ; extra spaces will make process command fail
; AHK_EXE can be the full path, so just get filename
SplitPath(fileName , fileName)
if (fileName) ; if filename blank, scripts own pid is returned
pid := ProcessExist(fileName)
}
return pid ? pid : 0 ; PID is null on fail, return 0
}
/*
Method: isHandleValid()
This method provides a means to check if the internal process handle is still valid
or in other words, the specific target application instance (which you have been reading from)
has closed or restarted.
For example, if the target application closes or restarts the handle will become invalid
and subsequent calls to this method will return false.
Return Values:
True The handle is valid.
False The handle is not valid.
Notes:
This operation requires a handle with SYNCHRONIZE access rights.
All handles, even user specified ones are opened with the SYNCHRONIZE access right.
*/
isHandleValid()
{
return 0x102 = DllCall("WaitForSingleObject", "Ptr", this.hProcess, "UInt", 0)
; WaitForSingleObject return values
; -1 if called with null hProcess (sets lastError to 6 - invalid handle)
; 258 / 0x102 WAIT_TIMEOUT - if handle is valid (process still running)
; 0 WAIT_OBJECT_0 - if process has terminated
}
/*
Method: openProcess(PID, dwDesiredAccess)
***Note: This is an internal method which shouldn't be called directly unless you absolutely know what you are doing.
This is because the new operator, in addition to calling this method also sets other values
which are required for the other methods to work correctly.
Parameters:
PID The Process ID of the target process.
dwDesiredAccess The access rights requested when opening the process.
Specific process access rights are listed here:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684880(v=vs.85).aspx
Return Values:
Null/blank OpenProcess failed. If the target process has admin rights, then the script also needs to be ran as admin.
_ClassMemory.setSeDebugPrivilege() may also be required.
Positive integer A handle to the process.
*/
openProcess(PID, dwDesiredAccess)
{
r := DllCall("OpenProcess", "UInt", dwDesiredAccess, "Int", False, "UInt", PID, "Ptr")
; if it fails with 0x5 ERROR_ACCESS_DENIED, try enabling privilege ... lots of users never try this.
; there may be other errors which also require DebugPrivilege....
if (!r && A_LastError = 5)
{
this.setSeDebugPrivilege(true) ; no harm in enabling it if it is already enabled by user
if (r2 := DllCall("OpenProcess", "UInt", dwDesiredAccess, "Int", False, "UInt", PID, "Ptr"))
return r2
DllCall("SetLastError", "UInt", 5) ; restore original error if it doesnt work
}
; If fails with 0x5 ERROR_ACCESS_DENIED (when setSeDebugPrivilege() is req.), the func. returns 0 rather than null!! Set it to null.
; If fails for another reason, then it is null.
return r ? r : ""
}
/*
Method: closeHandle(hProcess)
Note: This is an internal method which is automatically called when the script exits or the derived object is freed/destroyed.
There is no need to call this method directly. If you wish to close the handle simply free the derived object.
i.e. derivedObject := [] ; or derivedObject := ""
Parameters:
hProcess The handle to the process, as returned by openProcess().
Return Values:
Non-Zero Success
0 Failure
*/
closeHandle(hProcess)
{
return DllCall("CloseHandle", "Ptr", hProcess)
}
/*
Methods: numberOfBytesRead() / numberOfBytesWritten()
Returns the number of bytes read or written by the last ReadProcessMemory or WriteProcessMemory operation.
Return Values:
zero or positive value Number of bytes read/written
-1 Failure. Shouldn't occur
*/
numberOfBytesRead()
{
return !this.pNumberOfBytesRead ? -1 : NumGet(this.pNumberOfBytesRead+0, "Ptr")
}
numberOfBytesWritten()
{
return !this.pNumberOfBytesWritten ? -1 : NumGet(this.pNumberOfBytesWritten+0, "Ptr")
}
/*
Method: read(address, type := "UInt", aOffsets*)
Reads various integer type values
Parameters:
address - The memory address of the value or if using the offset parameter,
the base address of the pointer.
type - The integer type.
Valid types are UChar, Char, UShort, Short, UInt, Int, Float, Int64 and Double.
Note: Types must not contain spaces i.e. " UInt" or "UInt " will not work.
When an invalid type is passed the method returns NULL and sets ErrorLevel to -2
aOffsets* - A variadic list of offsets. When using offsets the address parameter should equal the base address of the pointer.
The address (base address) and offsets should point to the memory address which holds the integer.
Return Values:
integer - Indicates success.
Null - Indicates failure. Check ErrorLevel and A_LastError for more information.
Note: Since the returned integer value may be 0, to check for success/failure compare the result
against null i.e. if (result = "") then an error has occurred.
When reading doubles, adjusting "SetFormat, float, totalWidth.DecimalPlaces"
may be required depending on your requirements.
*/
read(address, type := "UInt", aOffsets*)
{
; If invalid type RPM() returns success (as bytes to read resolves to null in dllCall())
; so set errorlevel to invalid parameter for DLLCall() i.e. -2
if !this.aTypeSize.hasKey(type)
{
ErrorLevel := -2
return ""
}
if DllCall("ReadProcessMemory", "Ptr", this.hProcess, "Ptr", aOffsets.maxIndex() ? this.getAddressFromOffsets(address, aOffsets*) : address, type "*", result, "Ptr", this.aTypeSize[type], "Ptr", this.pNumberOfBytesRead)
return result
return
}
/*
Method: readRaw(address, byRef buffer, bytes := 4, aOffsets*)
Reads an area of the processes memory and stores it in the buffer variable
Parameters:
address - The memory address of the area to read or if using the offsets parameter
the base address of the pointer which points to the memory region.
buffer - The unquoted variable name for the buffer. This variable will receive the contents from the address space.
This method calls varsetCapcity() to ensure the variable has an adequate size to perform the operation.
If the variable already has a larger capacity (from a previous call to varsetcapcity()), then it will not be shrunk.
Therefore it is the callers responsibility to ensure that any subsequent actions performed on the buffer variable
do not exceed the bytes which have been read - as these remaining bytes could contain anything.
bytes - The number of bytes to be read.
aOffsets* - A variadic list of offsets. When using offsets the address parameter should equal the base address of the pointer.
The address (base address) and offsets should point to the memory address which is to be read
Return Values:
Non Zero - Indicates success.
Zero - Indicates failure. Check errorLevel and A_LastError for more information
Notes: The contents of the buffer may then be retrieved using AHK's NumGet() and StrGet() functions.
This method offers significant (~30% and up) performance boost when reading large areas of memory.
As calling ReadProcessMemory for four bytes takes a similar amount of time as it does for 1,000 bytes.
*/
readRaw(address, byRef buffer, bytes := 4, aOffsets*)
{
VarSetCapacity(buffer, bytes)
return DllCall("ReadProcessMemory", "Ptr", this.hProcess, "Ptr", aOffsets.maxIndex() ? this.getAddressFromOffsets(address, aOffsets*) : address, "Ptr", &buffer, "Ptr", bytes, "Ptr", this.pNumberOfBytesRead)
}
/*
Method: readString(address, sizeBytes := 0, encoding := "utf-8", aOffsets*)
Reads string values of various encoding types
Parameters:
address - The memory address of the value or if using the offset parameter,
the base address of the pointer.
sizeBytes - The size (in bytes) of the string to be read.
If zero is passed, then the function will read each character until a null terminator is found
and then returns the entire string.
encoding - This refers to how the string is stored in the program's memory.
UTF-8 and UTF-16 are common. Refer to the AHK manual for other encoding types.
aOffsets* - A variadic list of offsets. When using offsets the address parameter should equal the base address of the pointer.
The address (base address) and offsets should point to the memory address which holds the string.
Return Values:
String - On failure an empty (null) string is always returned. Since it's possible for the actual string
being read to be null (empty), then a null return value should not be used to determine failure of the method.
Instead the property [derivedObject].ReadStringLastError can be used to check for success/failure.
This property is set to 0 on success and 1 on failure. On failure ErrorLevel and A_LastError should be consulted
for more information.
Notes:
For best performance use the sizeBytes parameter to specify the exact size of the string.
If the exact size is not known and the string is null terminated, then specifying the maximum
possible size of the string will yield the same performance.
If neither the actual or maximum size is known and the string is null terminated, then specifying
zero for the sizeBytes parameter is fine. Generally speaking for all intents and purposes the performance difference is
inconsequential.
*/
readString(address, sizeBytes := 0, encoding := "UTF-8", aOffsets*)
{
bufferSize := VarSetCapacity(buffer, sizeBytes ? sizeBytes : 100, 0)
this.ReadStringLastError := False
if aOffsets.maxIndex()
address := this.getAddressFromOffsets(address, aOffsets*)
if !sizeBytes ; read until null terminator is found or something goes wrong
{
; Even if there are multi-byte-characters (bigger than the encodingSize i.e. surrogates) in the string, when reading in encodingSize byte chunks they will never register as null (as they will have bits set on those bytes)
if (encoding = "utf-16" || encoding = "cp1200")
encodingSize := 2, charType := "UShort", loopCount := 2
else encodingSize := 1, charType := "Char", loopCount := 4
Loop
{ ; Lets save a few reads by reading in 4 byte chunks
if !DllCall("ReadProcessMemory", "Ptr", this.hProcess, "Ptr", address + ((outterIndex := A_index) - 1) * 4, "Ptr", &buffer, "Ptr", 4, "Ptr", this.pNumberOfBytesRead) || ErrorLevel
{
this.ReadStringLastError := True
return ""
}
else loop loopCount
{
if NumGet(buffer, (A_Index - 1) * encodingSize, charType) = 0 ; NULL terminator
{
if (bufferSize < sizeBytes := outterIndex * 4 - (4 - A_Index * encodingSize))
VarSetCapacity(buffer, sizeBytes)
break 2
}
}
}
}
if DllCall("ReadProcessMemory", "Ptr", this.hProcess, "Ptr", address, "Ptr", &buffer, "Ptr", sizeBytes, "Ptr", this.pNumberOfBytesRead)
return StrGet(&buffer,, encoding)
{
this.ReadStringLastError := True
return ""
}
}
/*
Method: writeString(address, string, encoding := "utf-8", aOffsets*)
Encodes and then writes a string to the process.
Parameters:
address - The memory address to which data will be written or if using the offset parameter,
the base address of the pointer.
string - The string to be written.
encoding - This refers to how the string is to be stored in the program's memory.
UTF-8 and UTF-16 are common. Refer to the AHK manual for other encoding types.
aOffsets* - A variadic list of offsets. When using offsets the address parameter should equal the base address of the pointer.
The address (base address) and offsets should point to the memory address which is to be written to.
Return Values:
Non Zero - Indicates success.
Zero - Indicates failure. Check errorLevel and A_LastError for more information
Notes:
By default a null terminator is included at the end of written strings.
This behaviour is determined by the property [derivedObject].insertNullTerminator
If this property is true, then a null terminator will be included.
*/
writeString(address, string, encoding := "utf-8", aOffsets*)
{
encodingSize := (encoding = "utf-16" || encoding = "cp1200") ? 2 : 1
requiredSize := StrPut(string, encoding) * encodingSize - (this.insertNullTerminator ? 0 : encodingSize)
VarSetCapacity(buffer, requiredSize)
StrPut(string, &buffer, StrLen(string) + (this.insertNullTerminator ? 1 : 0), encoding)
return DllCall("WriteProcessMemory", "Ptr", this.hProcess, "Ptr", aOffsets.maxIndex() ? this.getAddressFromOffsets(address, aOffsets*) : address, "Ptr", &buffer, "Ptr", requiredSize, "Ptr", this.pNumberOfBytesWritten)
}
/*
Method: write(address, value, type := "Uint", aOffsets*)
Writes various integer type values to the process.
Parameters:
address - The memory address to which data will be written or if using the offset parameter,
the base address of the pointer.
type - The integer type.
Valid types are UChar, Char, UShort, Short, UInt, Int, Float, Int64 and Double.
Note: Types must not contain spaces i.e. " UInt" or "UInt " will not work.
When an invalid type is passed the method returns NULL and sets ErrorLevel to -2
aOffsets* - A variadic list of offsets. When using offsets the address parameter should equal the base address of the pointer.
The address (base address) and offsets should point to the memory address which is to be written to.
Return Values:
Non Zero - Indicates success.
Zero - Indicates failure. Check errorLevel and A_LastError for more information
Null - An invalid type was passed. Errorlevel is set to -2
*/
write(address, value, type := "Uint", aOffsets*)
{
if !this.aTypeSize.hasKey(type)
{
ErrorLevel := -2
return ""
}
return DllCall("WriteProcessMemory", "Ptr", this.hProcess, "Ptr", aOffsets.maxIndex() ? this.getAddressFromOffsets(address, aOffsets*) : address, type "*", value, "Ptr", this.aTypeSize[type], "Ptr", this.pNumberOfBytesWritten)
}
/*
Method: writeRaw(address, pBuffer, sizeBytes, aOffsets*)
Writes a buffer to the process.
Parameters:
address - The memory address to which the contents of the buffer will be written
or if using the offset parameter, the base address of the pointer.
pBuffer - A pointer to the buffer which is to be written.
This does not necessarily have to be the beginning of the buffer itself e.g. pBuffer := &buffer + offset
sizeBytes - The number of bytes which are to be written from the buffer.
aOffsets* - A variadic list of offsets. When using offsets the address parameter should equal the base address of the pointer.
The address (base address) and offsets should point to the memory address which is to be written to.
Return Values:
Non Zero - Indicates success.
Zero - Indicates failure. Check errorLevel and A_LastError for more information
*/
writeRaw(address, pBuffer, sizeBytes, aOffsets*)
{
return DllCall("WriteProcessMemory", "Ptr", this.hProcess, "Ptr", aOffsets.maxIndex() ? this.getAddressFromOffsets(address, aOffsets*) : address, "Ptr", pBuffer, "Ptr", sizeBytes, "Ptr", this.pNumberOfBytesWritten)
}
/*
Method: pointer(address, finalType := "UInt", offsets*)
This is an internal method. Since the other various methods all offer this functionality, they should be used instead.
This will read integer values of both pointers and non-pointers (i.e. a single memory address)
Parameters:
address - The base address of the pointer or the memory address for a non-pointer.
finalType - The type of integer stored at the final address.
Valid types are UChar, Char, UShort, Short, UInt, Int, Float, Int64 and Double.
Note: Types must not contain spaces i.e. " UInt" or "UInt " will not work.
When an invalid type is passed the method returns NULL and sets ErrorLevel to -2
aOffsets* - A variadic list of offsets used to calculate the pointers final address.
Return Values: (The same as the read() method)
integer - Indicates success.
Null - Indicates failure. Check ErrorLevel and A_LastError for more information.
Note: Since the returned integer value may be 0, to check for success/failure compare the result
against null i.e. if (result = "") then an error has occurred.
If the target application is 64bit the pointers are read as an 8 byte Int64 (this.PtrType)
*/
pointer(address, finalType := "UInt", offsets*)
{
For index, offset in offsets
address := this.Read(address, this.ptrType) + offset
Return this.Read(address, finalType)
}
/*
Method: getAddressFromOffsets(address, aOffsets*)
Returns the final address of a pointer.
This is an internal method used by various methods however, this method may be useful if you are
looking to eliminate the overhead overhead associated with reading pointers which only change
on startup or map/level change. In other words you can cache the final address and
read from this address directly.
Parameters:
address The base address of the pointer.
aOffsets* A variadic list of offsets used to calculate the pointers final address.
At least one offset must be present.
Return Values:
Positive integer The final memory address pointed to by the pointer.
Negative integer Failure
Null Failure
Note: If the target application is 64bit the pointers are read as an 8 byte Int64 (this.PtrType)
*/
getAddressFromOffsets(address, aOffsets*)
{
return aOffsets.Pop() + this.pointer(address, this.ptrType, aOffsets*) ; remove the highest key so can use pointer() to find final memory address (minus the last offset)
}
/*
Interesting note:
Although handles are 64-bit pointers, only the less significant 32 bits are employed in them for the purpose
of better compatibility (for example, to enable 32-bit and 64-bit processes interact with each other)
Here are examples of such types: HANDLE, HWND, HMENU, HPALETTE, HBITMAP, etc.
http://www.viva64.com/en/k/0005/
*/
/*
http://stackoverflow.com/questions/3801517/how-to-enum-modules-in-a-64bit-process-from-a-32bit-wow-process
Method: getModuleBaseAddress(module := "", byRef aModuleInfo := "")
Parameters:
moduleName - The file name of the module/dll to find e.g. "calc.exe", "GDI32.dll", "Bass.dll" etc
If no module (null) is specified, the address of the base module - main()/process will be returned
e.g. for calc.exe the following two method calls are equivalent getModuleBaseAddress() and getModuleBaseAddress("calc.exe")
aModuleInfo - (Optional) A module Info object is returned in this variable. If method fails this variable is made blank.
This object contains the keys: name, fileName, lpBaseOfDll, SizeOfImage, and EntryPoint
Return Values:
Positive integer - The module's base/load address (success).
-1 - Module not found
This method requires PROCESS_QUERY_INFORMATION + PROCESS_VM_READ access rights. These are included by default with this class.
*/
getModuleBaseAddress(moduleName := "", byRef aModuleInfo := "")
{
if (moduleName = "") {
aModuleInfo := this.aModule[1]
return this.aModule[1].lpBaseOfDll
}
if !this.aModule.HasKey(moduleName)
return -1
else
{
aModuleInfo := this.aModule[moduleName]
return this.aModule[moduleName].lpBaseOfDll
}
; no longer returns -5 for failed to get module info
}
/*
Method: getModuleFromAddress(address, byRef aModuleInfo)
Finds the module in which the address resides.
Parameters:
address The address of interest.
aModuleInfo (Optional) An unquoted variable name. If the module associated with the address is found,
a moduleInfo object will be stored in this variable. This object has the
following keys: name, fileName, lpBaseOfDll, SizeOfImage, and EntryPoint.
If the address is not found to reside inside a module, the passed variable is
made blank/null.
offsetFromModuleBase (Optional) Stores the relative offset from the module base address
to the specified address. If the method fails then the passed variable is set to blank/empty.
Return Values:
1 Success - The address is contained within a module.
-1 The specified address does not reside within a loaded module.
*/
getModuleFromAddress(address, byRef aModuleInfo, byRef offsetFromModuleBase := "")
{
module := this.aModule
loop module.count
{
if (address >= module.lpBaseOfDll && address < module.lpBaseOfDll + module.SizeOfImage) {
aModuleInfo := module, offsetFromModuleBase := address - module.lpBaseOfDll
return 1
}
}
return -1
}
getEndAddressOfLastModule()
{
return this.aModule[this.aModule.count].lpBaseOfDll + this.aModule[this.aModule.count].SizeOfImage
}
GetModuleInformation(hModule, byRef aModuleInfo)
{
VarSetCapacity(MODULEINFO, A_PtrSize * 3), aModuleInfo := []
r := DllCall("psapi\GetModuleInformation"
, "Ptr", this.hProcess
, "Ptr", hModule
, "Ptr", &MODULEINFO
, "UInt", A_PtrSize * 3)
aModuleInfo := { lpBaseOfDll: hModule
, SizeOfImage: numget(MODULEINFO, A_PtrSize, "UInt")
, EntryPoint: numget(MODULEINFO, A_PtrSize * 2, "Ptr") }
return r
}
/* Must use EnumProcessModuleEx so we can "see" 32bit process from 64bit AHK
*/
getModuleList() {
h_msvcrt := DllCall("LoadLibrary", "str", "msvcrt.dll") ; Preload dll
h_psapi := DllCall("LoadLibrary", "str", "psapi.dll") ; Preload dll
hm_list_size := 1024*8 ;make this larger than necessary
LIST_MODULES_ALL := 0x03
VarSetCapacity( hm_list, hm_list_size, 0 )
VarSetCapacity( hm_list_actual, A_PtrSize )
DllCall("psapi.dll\EnumProcessModulesEx", "Ptr", this.hprocess, "Ptr", &hm_list, "Ptr", hm_list_size, "Ptr*", hm_list_actual, "UInt", LIST_MODULES_ALL)
i := 0
while i < hm_list_actual//A_PtrSize {
hwnd:=NumGet(&hm_list + A_PtrSize*i, "Ptr")
VarSetCapacity(name, 512)
DllCall("psapi.dll\GetModuleBaseName", "Ptr", this.hprocess, "Ptr", hwnd, "Str", name, "UInt", 1024)
this.GetModuleInformation(hwnd, aModuleInfo)
aModuleInfo.name := name
this.aModule[name] := this.aModule[++i] := aModuleInfo
}
this.aModule.count := i
return this.aModule[1].lpBaseOfDll
}
/*
Method: isTargetProcess64Bit(PID, hProcess := "", currentHandleAccess := "")
Determines if a process is 64 bit.
Parameters:
PID The Process ID of the target process. If required this is used to open a temporary process handle.
hProcess (Optional) A handle to the process, as returned by openProcess() i.e. [derivedObject].hProcess
currentHandleAccess (Optional) The dwDesiredAccess value used when opening the process handle which has been
passed as the hProcess parameter. If specifying hProcess, you should also specify this value.
Return Values:
True The target application is 64 bit.
False The target application is 32 bit.
Null The method failed.
Notes:
This is an internal method which is called when the new operator is used.
It is used to set the pointer type for 32/64 bit applications so the pointer methods will work.
This operation requires a handle with PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access rights.
If the currentHandleAccess parameter does not contain these rights (or not passed) or if the hProcess (process handle) is invalid (or not passed)
a temporary handle is opened to perform this operation. Otherwise if hProcess and currentHandleAccess appear valid
the passed hProcess is used to perform the operation.
*/
isTargetProcess64Bit(PID, hProcess := "", currentHandleAccess := "")
{
; If insufficient rights, open a temporary handle
if !hProcess || !(currentHandleAccess & (this.aRights.PROCESS_QUERY_INFORMATION | this.aRights.PROCESS_QUERY_LIMITED_INFORMATION))
closeHandle := hProcess := this.openProcess(PID, this.aRights.PROCESS_QUERY_INFORMATION)
if (hProcess && DllCall("IsWow64Process", "Ptr", hProcess, "Int*", Wow64Process))