dcsimg
CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 3 of 3

Thread: ReadProcessMemory questions

  1. #1
    Join Date
    Mar 2005
    Posts
    23

    ReadProcessMemory questions

    Hello. I am trying to understand how a process in memory is stuctured. To explore this I am trying to use ReadProcessMemory to write the memory of a process to a byte array, and I am then printing that array to a file. I believe I am using ReadProcessMemory incorrectly since it is only giving me a single page at a time and will not give me all of the pages when I offset the base address of the process.

    1) Is sysinfo.lpMinimumApplicationAddress the correct second parameter for VirtualQueryEx?

    2) Is offsetting the base address in ReadProcessMemory the correct way to access the next page?

    Note: Before I call this function I will already have set the token priviledges to SE_DEBUG_NAME and and opened the process.

    Thank you for your help.

    Code:
    //Serialization is a byte array manager
    
    bool ReadMemory(HANDLE HProcess, Serialization &SProcessImage)
    {
    	DWORD dwBytesRead;
    	MEMORY_BASIC_INFORMATION mbi;
    	SYSTEM_INFO sysinfo;
    
    	Serialization s;
    	Byte *b;
    	list<Serialization> pages;
    
    	GetSystemInfo(&sysinfo);
    	if(VirtualQueryEx(HProcess, sysinfo.lpMinimumApplicationAddress, &mbi, sizeof(mbi)) == 0)
    	{
    		cout << "Error with VirtualQueryEx!\n";
    		cout << "Error: " << GetLastError() << endl;
    		return 0;
    	}
    	
    	s.SetSize(sysinfo.dwPageSize);
    	s.GiveOffset(&b, 0); //Set the byte pointer to the beginnning  of the array
    	int n=1;
    
    	while(ReadProcessMemory(HProcess, (void*)((int)mbi.BaseAddress*n), b, sysinfo.dwPageSize, &dwBytesRead))
    	{
    		pages.push_back(s);
    		cout << "Page " << n << " read.\n";
    		n++;
    	}
    
    	//Compile the pages onto a continuous byte array
    	SProcessImage.SetSize((n-1)*sysinfo.dwPageSize);
    	n = 0;
    	for(list<Serialization>::iterator I=pages.begin();I!=pages.end();I++)
    	{
    		SProcessImage.PlaceObject(*I,  n*sysinfo.dwPageSize);
    		n++;
    	}
    	cout << "SProcessImage size: " << SProcessImage.GiveSize() << endl;
    
    	//View the data
    	SProcessImage.GiveOffset(&b, 0);
    	ofstream out("out1.txt");
    	for(int i=0;i<SProcessImage.GiveSize();i++)
    	{
    		out << setw(4) << (int) b[i];
    		if((i+1)%100 == 0) out << endl;
    	}
    	out.close();
    	out.open("out2.txt");
    	for(i=0;i<SProcessImage.GiveSize();i++)
    	{
    		out << b[i] << " ";
    	}
    	out.close();
    	return 1;
    }

  2. #2
    Join Date
    Apr 2004
    Posts
    102

    Re: ReadProcessMemory questions

    1) Is sysinfo.lpMinimumApplicationAddress the correct second parameter for VirtualQueryEx?

    2) Is offsetting the base address in ReadProcessMemory the correct way to access the next page
    Give the following a try...

    Code:
    void ListMem(HANDLE hProcess)
    {
    char *p = NULL;
        DWORD dwStart = 0;
        SIZE_T lpRead;
        SYSTEM_INFO si;
    
    	GetSystemInfo(&si);
    	while(dwStart < (DWORD)si.lpMaximumApplicationAddress)
        {
            MEMORY_BASIC_INFORMATION mbi;
            VirtualQueryEx( hProcess,
                            (void *)dwStart,
                            &mbi,
                            sizeof(MEMORY_BASIC_INFORMATION));
    
            if(    (mbi.State == MEM_COMMIT)
                    &&
                    (mbi.Protect != PAGE_READONLY)
                    &&
                    (mbi.Protect != PAGE_EXECUTE_READ)
                    &&
                    (mbi.Protect != PAGE_GUARD)
                    &&
                    (mbi.Protect != PAGE_NOACCESS)
                    )
            {
               printf("Memory at %02x, size %d\n",
                       mbi.BaseAddress,
                       mbi.RegionSize);
    
                p = (char *)malloc(mbi.RegionSize);
                if(!ReadProcessMemory( hProcess,
                                       (void *)dwStart, p,
                                       mbi.RegionSize, &lpRead))
                {
                       printf("ReadProcessMemory failed %d\nRead %d",
                       GetLastError(), lpRead);
                }
    	        if(mbi.RegionSize != lpRead)
                {
                       printf("Not enough bytes read %d != %d\n",
                       mbi.RegionSize,
                       lpRead);
                }
            }
            if(dwStart + mbi.RegionSize < dwStart) break;
            dwStart += mbi.RegionSize;
        }
    }

  3. #3
    Join Date
    Mar 2005
    Posts
    23

    Thumbs up Re: ReadProcessMemory questions

    BobS0327, thanks a lot for your post. This makes a lot more sense now.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Windows Mobile Development Center


Click Here to Expand Forum to Full Width




On-Demand Webinars (sponsored)