|
-
January 24th, 2009, 02:18 PM
#1
ReadProcessMemory questions
Hello. I am trying to understand how a process in memory is stuctured. To explore this I am trying to use ReadProcessMemory to write the memory of a process to a byte array, and I am then printing that array to a file. I believe I am using ReadProcessMemory incorrectly since it is only giving me a single page at a time and will not give me all of the pages when I offset the base address of the process.
1) Is sysinfo.lpMinimumApplicationAddress the correct second parameter for VirtualQueryEx?
2) Is offsetting the base address in ReadProcessMemory the correct way to access the next page?
Note: Before I call this function I will already have set the token priviledges to SE_DEBUG_NAME and and opened the process.
Thank you for your help.
Code:
//Serialization is a byte array manager
bool ReadMemory(HANDLE HProcess, Serialization &SProcessImage)
{
DWORD dwBytesRead;
MEMORY_BASIC_INFORMATION mbi;
SYSTEM_INFO sysinfo;
Serialization s;
Byte *b;
list<Serialization> pages;
GetSystemInfo(&sysinfo);
if(VirtualQueryEx(HProcess, sysinfo.lpMinimumApplicationAddress, &mbi, sizeof(mbi)) == 0)
{
cout << "Error with VirtualQueryEx!\n";
cout << "Error: " << GetLastError() << endl;
return 0;
}
s.SetSize(sysinfo.dwPageSize);
s.GiveOffset(&b, 0); //Set the byte pointer to the beginnning of the array
int n=1;
while(ReadProcessMemory(HProcess, (void*)((int)mbi.BaseAddress*n), b, sysinfo.dwPageSize, &dwBytesRead))
{
pages.push_back(s);
cout << "Page " << n << " read.\n";
n++;
}
//Compile the pages onto a continuous byte array
SProcessImage.SetSize((n-1)*sysinfo.dwPageSize);
n = 0;
for(list<Serialization>::iterator I=pages.begin();I!=pages.end();I++)
{
SProcessImage.PlaceObject(*I, n*sysinfo.dwPageSize);
n++;
}
cout << "SProcessImage size: " << SProcessImage.GiveSize() << endl;
//View the data
SProcessImage.GiveOffset(&b, 0);
ofstream out("out1.txt");
for(int i=0;i<SProcessImage.GiveSize();i++)
{
out << setw(4) << (int) b[i];
if((i+1)%100 == 0) out << endl;
}
out.close();
out.open("out2.txt");
for(i=0;i<SProcessImage.GiveSize();i++)
{
out << b[i] << " ";
}
out.close();
return 1;
}
-
January 28th, 2009, 09:18 PM
#2
Re: ReadProcessMemory questions
1) Is sysinfo.lpMinimumApplicationAddress the correct second parameter for VirtualQueryEx?
2) Is offsetting the base address in ReadProcessMemory the correct way to access the next page
Give the following a try...
Code:
void ListMem(HANDLE hProcess)
{
char *p = NULL;
DWORD dwStart = 0;
SIZE_T lpRead;
SYSTEM_INFO si;
GetSystemInfo(&si);
while(dwStart < (DWORD)si.lpMaximumApplicationAddress)
{
MEMORY_BASIC_INFORMATION mbi;
VirtualQueryEx( hProcess,
(void *)dwStart,
&mbi,
sizeof(MEMORY_BASIC_INFORMATION));
if( (mbi.State == MEM_COMMIT)
&&
(mbi.Protect != PAGE_READONLY)
&&
(mbi.Protect != PAGE_EXECUTE_READ)
&&
(mbi.Protect != PAGE_GUARD)
&&
(mbi.Protect != PAGE_NOACCESS)
)
{
printf("Memory at %02x, size %d\n",
mbi.BaseAddress,
mbi.RegionSize);
p = (char *)malloc(mbi.RegionSize);
if(!ReadProcessMemory( hProcess,
(void *)dwStart, p,
mbi.RegionSize, &lpRead))
{
printf("ReadProcessMemory failed %d\nRead %d",
GetLastError(), lpRead);
}
if(mbi.RegionSize != lpRead)
{
printf("Not enough bytes read %d != %d\n",
mbi.RegionSize,
lpRead);
}
}
if(dwStart + mbi.RegionSize < dwStart) break;
dwStart += mbi.RegionSize;
}
}
-
January 29th, 2009, 09:40 PM
#3
 Re: ReadProcessMemory questions
BobS0327, thanks a lot for your post. This makes a lot more sense now.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|
Reply With Quote
