Code:#include <windows.h> #include <stdio.h> #include <tlhelp32.h> unsigned long _GetProcessId( char* szProcName ) { PROCESSENTRY32 pe32; HANDLE hHandle; hHandle = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); pe32.dwSize = sizeof( PROCESSENTRY32 ); if( !Process32First( hHandle, &pe32 ) ) return 0; while( Process32Next( hHandle, &pe32 ) ) { if( strcmp( szProcName, pe32.szExeFile ) == 0 ) { CloseHandle( hHandle ); return pe32.th32ProcessID; } } CloseHandle( hHandle ); return 0; } unsigned long _ScanForBytes( char* szProcess, char* szBytes ) { HANDLE hHandle; SYSTEM_INFO sysInfo; MEMORY_BASIC_INFORMATION mbi; unsigned long dwMemAddr; unsigned long x; hHandle = OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_VM_OPERATION|PROCESS_VM_READ, FALSE, _GetProcessId( szProcess ) ); if( hHandle == INVALID_HANDLE_VALUE || hHandle == NULL ) return 0; GetSystemInfo( &sysInfo ); dwMemAddr = (unsigned long)sysInfo.lpMinimumApplicationAddress; while( dwMemAddr < (unsigned long)sysInfo.lpMaximumApplicationAddress ) { if( VirtualQueryEx( hHandle, (unsigned long*)dwMemAddr, &mbi, sizeof(mbi) ) == sizeof(mbi) ) { if( (mbi.Protect != PAGE_NOACCESS) && (mbi.State == MEM_COMMIT) ) { char* szMemDump = (char*)malloc(mbi.RegionSize+1); ReadProcessMemory( hHandle, (unsigned long*)dwMemAddr, szMemDump, mbi.RegionSize, NULL ); for( x=0; x<mbi.RegionSize; x++ ) { if( memcmp( (void*)(szMemDump+x), (void*)szBytes, strlen( szBytes ) ) == 0 ) { free( szMemDump ); return (unsigned long)( dwMemAddr + x ); } } free( szMemDump ); } } dwMemAddr = (unsigned long)mbi.BaseAddress + mbi.RegionSize; } CloseHandle( hHandle ); return 0; }