Working with DMA - PCIe Screamer

Hi guys. I have a PCIe Screamer and I am writing a program like Cheat Engine. So far I have implemented search and filtering, but already ran into some questions. I tried to google and figure it out myself, but it didn't give much results. I hope someone can give me a hint and help with a solution.
For example, I took the Terraria game, found a 4 byte number and then repeated it in my program. It took a lot longer, since I either searched all over my memory, or grabbed a lot of unnecessary things, I don't really know. Now in more detail:
I am using MemProcFS with Dokany. I find the game at "M:\name\Terraria.exe-*", there is a 256 TB memory.vmem file. There is a pte.txt file in the memmap folder where the address ranges are listed and I go through each one. Here is the content of this file:

Code:

   #    PID    Pages      Range Start-End              FLAGS   Description                                                     
--------------------------------------------------------------------------                                                     
0000   8564        1 00000000001c0000-00000000001c0fff -r-- 32 Terraria.exe
0001   8564        1 00000000001c2000-00000000001c2fff -r-- 32 Terraria.exe
***
0017   8564        1 00000000013c0000-00000000013c0fff -r--
0018   8564        8 00000000013e0000-00000000013e7fff -rw-
***                                                                
006c   8564        1 0000000003870000-0000000003870fff -r-- 32 _DATA-0x3870000.dll
006d   8564        5 0000000003872000-0000000003876fff -r-- 32 _DATA-0x3870000.dll
etc...

[Only registered and activated users can see links. Click Here To Register...]

I noticed that I can skip lines containing .dll in the Description as they are clearly not related to game memory. However, this is still a lot. For example, a Cheat Engine search for a 4 byte took 1 second and found 884 addresses, ranging from 01A79AD4 to 5923B7BC. My program scanned for 24 seconds (I admit that my methods are not as perfect as those of CE + I use only one thread), but I found 1408 addresses with a range from 001E72A3 to 76555294.
And here my first question is, how does CE find the beginning and end of the memory related to the game, or how does the CE skip everything unnecessary? Probably need to skip 1-2 page / -r-- / -rw- / -rwx ranges, but I'm not sure about that, and I don't want to accidentally skip the addresses I need.
Then I would like to know how to search for pointers to addresses in order to find the correct address after a restart. I think this is also related to my first question. I know how to do this in CE, but have not yet figured out how to implement it myself.
Perhaps someone has already asked similar questions somewhere on the forum, and I would be very grateful for a tip, or at least a hint where to look. I'm not as advanced as the guys on this forum, but I want to learn.
PS: not for sale, purely for my own use.

Quote:
Originally Posted by AcTiViSioN911
Hi guys. I have a PCIe Screamer and I am writing a program like Cheat Engine. So far I have implemented search and filtering, but already ran into some questions. I tried to google and figure it out myself, but it didn't give much results. I hope someone can give me a hint and help with a solution.
For example, I took the Terraria game, found a 4 byte number and then repeated it in my program. It took a lot longer, since I either searched all over my memory, or grabbed a lot of unnecessary things, I don't really know. Now in more detail:
I am using MemProcFS with Dokany. I find the game at "M:\name\Terraria.exe-*", there is a 256 TB memory.vmem file. There is a pte.txt file in the memmap folder where the address ranges are listed and I go through each one. Here is the content of this file:
Code:
   #    PID    Pages      Range Start-End              FLAGS   Description                                                     
--------------------------------------------------------------------------                                                     
0000   8564        1 00000000001c0000-00000000001c0fff -r-- 32 Terraria.exe
0001   8564        1 00000000001c2000-00000000001c2fff -r-- 32 Terraria.exe
***
0017   8564        1 00000000013c0000-00000000013c0fff -r--
0018   8564        8 00000000013e0000-00000000013e7fff -rw-
***                                                                
006c   8564        1 0000000003870000-0000000003870fff -r-- 32 _DATA-0x3870000.dll
006d   8564        5 0000000003872000-0000000003876fff -r-- 32 _DATA-0x3870000.dll
etc...
[Only registered and activated users can see links. Click Here To Register...]

I noticed that I can skip lines containing .dll in the Description as they are clearly not related to game memory. However, this is still a lot. For example, a Cheat Engine search for a 4 byte took 1 second and found 884 addresses, ranging from 01A79AD4 to 5923B7BC. My program scanned for 24 seconds (I admit that my methods are not as perfect as those of CE + I use only one thread), but I found 1408 addresses with a range from 001E72A3 to 76555294.
And here my first question is, how does CE find the beginning and end of the memory related to the game, or how does the CE skip everything unnecessary? Probably need to skip 1-2 page / -r-- / -rw- / -rwx ranges, but I'm not sure about that, and I don't want to accidentally skip the addresses I need.
Then I would like to know how to search for pointers to addresses in order to find the correct address after a restart. I think this is also related to my first question. I know how to do this in CE, but have not yet figured out how to implement it myself.
Perhaps someone has already asked similar questions somewhere on the forum, and I would be very grateful for a tip, or at least a hint where to look. I'm not as advanced as the guys on this forum, but I want to learn.
PS: not for sale, purely for my own use.

Cheat engine filter writable/readable memory regions to speed up the process and use multithreading for scans so its even faster.

Here is the logic it follows:

1) Query Mem regions and filter valid ones (store in a struct (baseAddress, size))
For each valid region increment totalMemorySize
2) Obtain scan block size (totalMemorySize / threadCount), last block will be a bit longer, so don't forget to append rest.
3) Make scan threads structs
3.a) Read process memory is super slow so don't call it on a loop for reading lets say (4 bytes), call it to read a fixed buffer size, (CE uses 1024*4 buffer size for dword scans i think) then perform your "mini scan" in that buffer.
3.b) Make scan functions that works for you, when searching for aligned memory you will skip a lot but scan speed is increased.
4) Start and wait for scan threads to end.

1)

Spoiler

Code:

  //VIRTUAL QUERY REGIONS
  while (Virtualqueryex(processhandle,pointer(currentBaseAddress),mbi,sizeof(mbi))<>0) and (currentBaseAddress<stopaddress) and ((currentBaseAddress+mbi.RegionSize)>currentBaseAddress) do  
  begin

    begin
      if PtrUint(mbi.BaseAddress)<startaddress then
      begin
        dec(mbi.RegionSize, startaddress-PtrUint(mbi.BaseAddress));
        mbi.BaseAddress:=pointer(startaddress);
      end;

      if PtrUint(mbi.BaseAddress)+mbi.RegionSize>=stopaddress then
        mbi.RegionSize:=stopaddress-PtrUint(mbi.BaseAddress);

      // FLAGS TO FILTER REGIONS
      validRegion:=(mbi.State=mem_commit);
      validRegion:=validregion and (PtrUint(mbi.BaseAddress)<stopaddress);
      validregion:=validregion and ((mbi.Protect and page_guard)=0);
      validregion:=validregion and ((mbi.protect and page_noaccess)=0);
      validRegion:=validRegion and (not (not scan_mem_private and (mbi._type=mem_private)));
      validRegion:=validregion and (not (not scan_mem_image and (mbi._type=mem_image)));
      validRegion:=validregion and (not (not scan_mem_mapped and (mbi._type=mem_mapped)));
      validRegion:=validregion and (not (Skip_PAGE_NOCACHE and ((mbi._type and PAGE_NOCACHE)>0)));
      validRegion:=validregion and (not (Skip_PAGE_WRITECOMBINE and ((mbi._type and PAGE_WRITECOMBINE)>0)));

      if validregion then
      begin
        //initial check passed, check the other protection flags to see if it should be scanned

        //fill in isWritable, isExecutable, isCopyOnWrite: boolean;
        isWritable:=((mbi.protect and PAGE_READWRITE)>0) or
                    ((mbi.protect and PAGE_WRITECOPY)>0) or //writecopy IS writable
                    ((mbi.protect and PAGE_EXECUTE_READWRITE)>0) or
                    ((mbi.protect and PAGE_EXECUTE_WRITECOPY)>0);

        isExecutable:=((mbi.protect and PAGE_EXECUTE)>0) or
                      ((mbi.protect and PAGE_EXECUTE_READ)>0) or
                      ((mbi.protect and PAGE_EXECUTE_READWRITE)>0) or
                      ((mbi.protect and PAGE_EXECUTE_WRITECOPY)>0);

        isCopyOnWrite:=((mbi.protect and PAGE_WRITECOPY)>0) or
                       ((mbi.protect and PAGE_EXECUTE_WRITECOPY)>0);

       
        isdirty:=(mbi.protect and PAGE_DIRTY)>0;


        // scan filter options
        case scanWritable of
          scanInclude: validregion:=validregion and isWritable;
          scanExclude: validregion:=validregion and (not isWritable);
        end;

        case scanExecutable of
          scanInclude: validregion:=validregion and isExecutable;
          scanExclude: validregion:=validregion and (not isExecutable);
        end;

        case scanCopyOnWrite of
          scanInclude: validregion:=validregion and isCopyOnWrite;
          scanExclude: validregion:=validregion and (not isCopyOnWrite);
        end;

        {$ifdef darwin}
        case scanDirty of
          scanInclude: validregion:=validregion and isDirty;
          scanExclude: validregion:=validregion and (not isDirty);
        end;
        {$endif}
      end;

      if not validregion then
      begin
        // ignore region 
        currentBaseAddress:=PtrUint(mbi.BaseAddress)+mbi.RegionSize;

        continue;
      end;


      //still here, so valid

        // store region data
        memRegion[memRegionPos].BaseAddress:=PtrUint(mbi.baseaddress);  //just remember this location
        memRegion[memRegionPos].MemorySize:=mbi.RegionSize;
        memRegion[memRegionPos].startaddress:=pointer(ptrUint(totalProcessMemorySize)); //starts from 0, for unknown scans

        inc(memRegionPos);
        if (memRegionPos mod 16)=0 then // reallocate if needed
          setlength(memRegion,length(memRegion)+16);
   
      inc(totalProcessMemorySize,mbi.RegionSize); //add this size to the total


    end;


    currentBaseAddress:=PtrUint(mbi.baseaddress)+mbi.RegionSize;

  end;

Spoiler

Code:

 scannersCS.Enter; //block access by the mainthread on the scanners object, could scanner[14] has not yet been created when doing a progress request
  try
    setlength(scanners,threadcount);
    j:=0; //start at memregion 0
    leftfromprevious:=0;
    offsetincurrentregion:=0;

    for i:=0 to threadcount-1 do
    begin
    //  OutputDebugString(format('Creating scanner %d',[i]));
      scanners[i]:=tscanner.Create(true, OwningMemScan.ScanresultFolder);
      scanners[i].scannernr:=i;
      scanners[i].OwningScanController:=self;


      scanners[i]._startregion:=j;
      scanners[i].startaddress:=memRegion[j].BaseAddress+offsetincurrentregion;

      //scanners[i].maxregionsize:=0; //Original Code, no longer needed
      currentblocksize:=0;
      inc(currentblocksize,memregion[j].MemorySize-offsetincurrentregion);
      scanners[i].maxregionsize:=currentblocksize;


      if i=(threadcount-1) then
      begin
        //if it's the last thread, just give it what's left
        scanners[i].stopaddress:=stopaddress;
        scanners[i]._stopregion:=memregionpos-1;

        //define maxregionsize , go from current till end (since it'll scan everything that's left)
        while j<memregionpos do
        begin
          if scanners[i].maxregionsize<memregion[j].MemorySize then
            scanners[i].maxregionsize:=memregion[j].MemorySize;

          inc(j);
        end;
      end
      else
      begin
        //not the last thread
        inc(j);

        while (currentblocksize<blocksize) and (j<memregionpos) do
        begin
          if scanOption<>soUnknownValue then //not a unknown initial value scan, so it doesn't need overlap
          begin
            if scanners[i].maxregionsize<memregion[j].MemorySize then
              scanners[i].maxregionsize:=memregion[j].MemorySize;
          end;

          inc(currentblocksize,memregion[j].MemorySize);
          inc(j);
        end;
        dec(j);

        if scanners[i].maxregionsize=0 then //(currentblocksize<blocksize)
          scanners[i].maxregionsize:=memregion[j].MemorySize;

        scanners[i]._stopregion:=j;
        scanners[i].stopaddress:=(memregion[j].BaseAddress+memregion[j].MemorySize);

        //take off the bytes that are too many for this block
        leftfromprevious:=currentblocksize-blocksize;
        dec(scanners[i].stopaddress,leftfromprevious);

        if leftfromprevious=0 then
        begin
          inc(j); //nothing left in this region
          offsetincurrentregion:=0;
        end else offsetincurrentregion:=memregion[j].MemorySize-leftfromprevious;


      end;
    //  OutputDebugString(format('startregion = %d',[scanners[i]._startregion]));
    //  OutputDebugString(format('stopregion = %d',[scanners[i]._stopregion]));
    //  OutputDebugString(format('startaddress = %x',[scanners[i].startaddress]));
    //  OutputDebugString(format('stopaddress = %x',[scanners[i].stopaddress]));

    //  OutputDebugString(format('j = %d',[j]));
    //  OutputDebugString(format('leftfromprevious = %x',[leftfromprevious]));
    //  OutputDebugString(format('offsetincurrentregion = %x',[offsetincurrentregion]));



      if scanners[i].maxregionsize>buffersize then
        scanners[i].maxregionsize:=buffersize;

   //   OutputDebug String(format('maxregionsize = %x',[scanners[i].maxregionsize]));
              

      //now configure the scanner thread with the same info this thread got, with some extra info
      scanners[i].compareToSavedScan:=compareToSavedScan;
      scanners[i].savedscanname:=savedscanname;
      scanners[i].scanType:=scanType; //stFirstScan obviously
      scanners[i].scanoption:=scanoption;
      scanners[i].variableType:=VariableType;
      scanners[i].customType:=CustomType;
      scanners[i].roundingtype:=roundingtype;
      scanners[i].scanValue1:=scanvalue1; //usual scanvalue
      scanners[i].scanValue2:=scanValue2; //2nd value for between scan
      scanners[i].unicode:=unicode;
      scanners[i].OnlyOne:=OnlyOne or isUnique;
      scanners[i].caseSensitive:=caseSensitive;
      scanners[i].percentage:=percentage;
      scanners[i].hexadecimal:=hexadecimal;
      scanners[i].binaryStringAsDecimal:=binaryStringAsDecimal;

      scanners[i].fastscanalignsize:=fastscanalignsize;
      scanners[i].fastscanmethod:=fastscanmethod;
      scanners[i].fastscandigitcount:=fastscandigitcount;
      scanners[i].variablesize:=variablesize;
      scanners[i].floatscanWithoutExponents:=floatscanWithoutExponents;
      scanners[i].inverseScan:=inverseScan;
      scanners[i].luaformula:=luaformula;
      scanners[i].newluastate:=newluastate;



      if i=0 then //first thread gets the header part
      begin
        if scanoption=soUnknownValue then
          datatype:='REGION'
        else
          datatype:='NORMAL';

        scanners[i].AddressFile.WriteBuffer(datatype,sizeof(datatype));

      end;

    end;
  finally
    scannersCS.Leave;
  end;

3.a)

Spoiler

3.b)

Spoiler

You can look at CE code its a bit messy but better than nothing
[Only registered and activated users can see links. Click Here To Register...]