ReadProcessMemory()

[mpapeo]

I need help guys and i have been going about this for weeks. I want to read a process's memory which i've created using the createdprocess function, but now i have some slight problems but i should think im close to the solution. Pliz help me, my code is below:


#include <windows.h>
#include <stdio.h>
#include <windef.h>
#include <winbase.h>
#include <imagehlp.h>
//Program that creates a process
//This program assumes that numbers.exe is in the PATH!

LPVOID lpMsgBuf;


typedef int BOOL;
int main(int argc, char **argv)
{

PROCESS_INFORMATION pi; /* filled in by CreateProcess */
STARTUPINFO si; /* startup info for the new process*/

HANDLE hProcess = NULL;
BYTE buf[2000];
DWORD bufsize = sizeof buf;
DWORD baseaddr = 1;
DWORD error = GetLastError();
LPCVOID lpAddress;
PMEMORY_BASIC_INFORMATION lpBuffer = 0;
DWORD dwLength;
DWORD flNewProtect;
PDWORD lpflOldProtect = 0;
DWORD dwSize =0;
LPCVOID lpBaseAddress;
DWORD nSize;
LPDWORD lpNumberOfBytesRead;


printf("Process %d reporting for creation\n",GetCurrentProcessId());//print out our process ID
GetStartupInfo(&si);

// Call CreateProcess, telling it to run an exe file
CreateProcess(NULL, /* lpApplicationName */
"numbers.exe", /* lpCommandLine assumes to use curent process directory*/
NULL, /* lpsaProcess */
NULL, /* lpsaThread */
FALSE, /* bInheritHandles */
CREATE_NEW_CONSOLE, /* dwCreationFlags */
NULL, /* lpEnvironment */
NULL, /* lpCurDir */
&si, /* lpStartupInfo */
&pi /* lpProcInfo */
);

// hProcess = pi.hProcess;

printf("New Process ID: %d ",pi.dwProcessId);
printf("has started \n");

BOOL EnableDebugPrivNT();
{
HANDLE hToken;
LUID DebugValue;
TOKEN_PRIVILEGES tkp;

//
// Retrieve a handle of the access token
//
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
return FALSE;
}

//
// Enable the SE_DEBUG_NAME privilege
//
if (!LookupPrivilegeValue((LPSTR) NULL,
SE_DEBUG_NAME,
&DebugValue))
{
return FALSE;
}

tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = DebugValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

AdjustTokenPrivileges(hToken,
FALSE,
&tkp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);

if (GetLastError() != ERROR_SUCCESS)
{
return FALSE;
}

return TRUE;
}




//============================================
// OpenProcess(
// PROCESS_ALL_ACCESS, // access flag
// 0, // handle inheritance flag
// pi.dwProcessId, // process identifier
// );
//===============================================

GetModuleHandle(
"numbers.exe" // address of module name to return handle
// for
);

// GetModuleInformation(
// hProcess, // handle to the process
// hModule, // handle to the module //HMODULE
// DWORD lpmodinfo, // structure that receives information//LPMODULEINFO
// cb // size of the structure//DWORD
// );


//============================================================

VirtualQueryEx(
hProcess, // handle to process
lpAddress, // address of region
lpBuffer,// address of information buffer
dwLength// size of buffer
// GetLastError()
);

//*to avoid crashing

VirtualProtectEx(
hProcess, // handle to process
lpAddress, // address of region of committed pages
dwSize, // size of region
flNewProtect, // desired access protection
lpflOldProtect // address of variable to get old protection
);

ZeroMemory(buf, sizeof(buf));
if( ReadProcessMemory( hProcess, &baseaddr, &buf, bufsize, NULL ) == FALSE )
{
printf("\nProcess memory read failed", GetLastError());
_exit(1);
}
else
{
printf("\nProcess memory read \n");
printf("\nProcess memory read: \n",buf);
}


return(0);
}

[Darka]

you should tell us what problems you are having if you want some help

[mpapeo]

I get this bug on compiling: E:\createprocess.c(56) : error C2275: 'BOOL' : illegal use of this type as an expression. when using declaring this function BOOL EnableDebugPrivNT();
Otherwise if BOOL is removed it doesn't link when
createprocess.obj : error LNK2001: unresolved external symbol _EnableDebugPrivNT

[NoHero]

Well ...

Code:

typedef int BOOL;

Remove this, BOOL is already defined in windows.h...

Code:

BOOL EnableDebugPrivNT();

And this is an invalid function implementation, because the semicolon at the end tells the compiler that this is only a declaration of the function. Not the implementation. So remove the semicolon:

Code:

BOOL EnableDebugPrivNT ( void )

And EnableDebugPrivNt will not be found by the main() function because, it is unknown at compile time, because it is defined after the call. So write:

Code:

BOOL EnableDebugPrivNT ( void );

Over your main function, to tell the compiler to expect the implementation of EnableDebugPrivNt() somewhere else (that means later in the source code in your case).

[Darka]

Have you missed a closing } after this line ?

Code:

 printf("has started \n");

[mpapeo]

No curly brackets because it goes under the main. But there are still some problems after removing BOOL
Errors
Linking...
createprocess.obj : error LNK2001: unresolved external symbol _EnableDebugPrivNT
Debug/createprocess.exe : fatal error LNK1120: 1 unresolved externals
Error executing link.exe.

[NoHero]

No curly brackets because it goes under the main. But there are still some problems after removing BOOL

Defining a function in a function is not legal. So you have to put a } (closing paranthesis) there.

[Darka]

In that case you are declaring a function within another function, you can't do that.

[NoHero]

In that case you are declaring a function within another function, you can't do that.

Dito. Use the closing paranthesis and suggestions above, and come back if you have other errors. But please, if you post code again: Use the code tags.

[mpapeo]

Well ...

Code:

typedef int BOOL;

Remove this, BOOL is already defined in windows.h...

Code:

BOOL EnableDebugPrivNT();

And this is an invalid function implementation, because the semicolon at the end tells the compiler that this is only a declaration of the function. Not the implementation. So remove the semicolon:

Code:

BOOL EnableDebugPrivNT ( void )

And EnableDebugPrivNt will not be found by the main() function because, it is unknown at compile time, because it is defined after the call. So write:

Code:

BOOL EnableDebugPrivNT ( void );

Over your main function, to tell the compiler to expect the implementation of EnableDebugPrivNt() somewhere else (that means later in the source code in your case).

But now why does it complain about missing function header when the function is on top of main

[Darka]

Please repost the modified code so that we can see the changes you have made.

regards,

[NoHero]

Post your current code again, with code tags!

[mpapeo]

Do you mean it can't be like this?

Code:

#include <windows.h>
#include <stdio.h>
#include <windef.h>
#include <winbase.h>
#include <imagehlp.h>
//Program that creates a process
//This program assumes that numbers.exe is in the PATH!
   
LPVOID lpMsgBuf;

 
//typedef int BOOL;


 BOOL EnableDebugPrivNT(void);
{
    HANDLE hToken;
    LUID DebugValue;
    TOKEN_PRIVILEGES tkp;

    //
    // Retrieve a handle of the access token
    //
    if (!OpenProcessToken(GetCurrentProcess(),
            TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
            &hToken)) 
	{
        return FALSE;
    }

    //
    // Enable the SE_DEBUG_NAME privilege
    //
    if (!LookupPrivilegeValue((LPSTR) NULL,
            SE_DEBUG_NAME,
            &DebugValue)) 
	{
        return FALSE;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = DebugValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    AdjustTokenPrivileges(hToken,
        FALSE,
        &tkp,
        sizeof(TOKEN_PRIVILEGES),
        (PTOKEN_PRIVILEGES) NULL,
        (PDWORD) NULL);

    if (GetLastError() != ERROR_SUCCESS) 
	{
        return FALSE;
    }

    return TRUE;
}


int main(int argc, char **argv) 
{

	PROCESS_INFORMATION pi;       /* filled in by CreateProcess */
	STARTUPINFO si;               /* startup info for the new process*/
	
	HANDLE hProcess = NULL; 
	BYTE buf[2000];							
	DWORD bufsize = sizeof buf;
	DWORD baseaddr = 1;
	DWORD error = GetLastError();
	LPCVOID lpAddress;
	PMEMORY_BASIC_INFORMATION lpBuffer = 0;
	DWORD dwLength;
	DWORD flNewProtect;
	PDWORD lpflOldProtect = 0;
	DWORD dwSize =0;
	LPCVOID lpBaseAddress;
	DWORD nSize;
	LPDWORD lpNumberOfBytesRead;


	printf("Process %d reporting for creation\n",GetCurrentProcessId());//print out our process ID
	GetStartupInfo(&si);

  // Call CreateProcess, telling it to run an exe file
		CreateProcess(NULL,		/* lpApplicationName */
        "numbers.exe",          /* lpCommandLine  assumes to use curent process directory*/
		NULL,					/* lpsaProcess */
		NULL,					/* lpsaThread */
		FALSE,					/* bInheritHandles */
        CREATE_NEW_CONSOLE,     /* dwCreationFlags */
		NULL,					/* lpEnvironment */
        NULL,					/* lpCurDir */
        &si,					/* lpStartupInfo */
		&pi						/* lpProcInfo */
		);

	//	hProcess = pi.hProcess;

  printf("New Process ID: %d ",pi.dwProcessId);
  printf("has started \n");





  

//============================================
//	OpenProcess(
//	PROCESS_ALL_ACCESS,	 // access flag
//	0,					 // handle inheritance flag
//	pi.dwProcessId,		 // process identifier
//	);
//===============================================

	GetModuleHandle(
	"numbers.exe"   // address of module name to return handle 
                         // for
	);



	VirtualQueryEx(
	hProcess,    // handle to process
	lpAddress,  // address of region
	lpBuffer,// address of information buffer
	dwLength// size of buffer
//	GetLastError()
	);

	//*to avoid crashing

	VirtualProtectEx(
	hProcess,     // handle to process
	lpAddress,    // address of region of committed pages
	dwSize,        // size of region
	flNewProtect,  // desired access protection
	lpflOldProtect // address of variable to get old protection
     );

	ZeroMemory(buf, sizeof(buf));
	if( ReadProcessMemory( hProcess, &baseaddr, &buf, bufsize, NULL ) == FALSE )
	{
		printf("\nProcess memory read failed", GetLastError());
		_exit(1);
	}
	else
	{
	printf("\nProcess memory read \n");
	printf("\nProcess memory read: \n",buf);
	}


  return(0);
}

From above code i removed semi colon infront of the first function and it compile but now it returns false not the buf size as i want. Remeber " number.exe "can be a any process like "Notepad.exe"

[NoHero]

Nice try, but code tags not quote tags

Code:

#include <windows.h>
#include <stdio.h>
#include <windef.h>
#include <winbase.h>
#include <imagehlp.h>
//Program that creates a process
//This program assumes that numbers.exe is in the PATH!

LPVOID lpMsgBuf;


//typedef int BOOL;


BOOL EnableDebugPrivNT(void) // Remove ; here
{
HANDLE hToken;
LUID DebugValue;
TOKEN_PRIVILEGES tkp;

//
// Retrieve a handle of the access token
//
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
return FALSE;
}

//
// Enable the SE_DEBUG_NAME privilege
//
if (!LookupPrivilegeValue((LPSTR) NULL,
SE_DEBUG_NAME,
&DebugValue))
{
return FALSE;
}

tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = DebugValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

AdjustTokenPrivileges(hToken,
FALSE,
&tkp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL);

if (GetLastError() != ERROR_SUCCESS)
{
return FALSE;
}

return TRUE;
}


int main(int argc, char **argv)
{

PROCESS_INFORMATION pi; /* filled in by CreateProcess */
STARTUPINFO si; /* startup info for the new process*/

HANDLE hProcess = NULL;
BYTE buf[2000];
DWORD bufsize = sizeof buf;
DWORD baseaddr = 1;
DWORD error = GetLastError();
LPCVOID lpAddress;
PMEMORY_BASIC_INFORMATION lpBuffer = 0;
DWORD dwLength;
DWORD flNewProtect;
PDWORD lpflOldProtect = 0;
DWORD dwSize =0;
LPCVOID lpBaseAddress;
DWORD nSize;
LPDWORD lpNumberOfBytesRead;


printf("Process %d reporting for creation\n",GetCurrentProcessId());//print out our process ID
GetStartupInfo(&si);

// Call CreateProcess, telling it to run an exe file
CreateProcess(NULL, /* lpApplicationName */
"numbers.exe", /* lpCommandLine assumes to use curent process directory*/
NULL, /* lpsaProcess */
NULL, /* lpsaThread */
FALSE, /* bInheritHandles */
CREATE_NEW_CONSOLE, /* dwCreationFlags */
NULL, /* lpEnvironment */
NULL, /* lpCurDir */
&si, /* lpStartupInfo */
&pi /* lpProcInfo */
);

// hProcess = pi.hProcess;

printf("New Process ID: %d ",pi.dwProcessId);
printf("has started \n");







//============================================
// OpenProcess(
// PROCESS_ALL_ACCESS, // access flag
// 0, // handle inheritance flag
// pi.dwProcessId, // process identifier
// );
//===============================================

GetModuleHandle(
"numbers.exe" // address of module name to return handle
// for
);



VirtualQueryEx(
hProcess, // handle to process
lpAddress, // address of region
lpBuffer,// address of information buffer
dwLength// size of buffer
// GetLastError()
);

//*to avoid crashing

VirtualProtectEx(
hProcess, // handle to process
lpAddress, // address of region of committed pages
dwSize, // size of region
flNewProtect, // desired access protection
lpflOldProtect // address of variable to get old protection
);

ZeroMemory(buf, sizeof(buf));
if( ReadProcessMemory( hProcess, &baseaddr, &buf, bufsize, NULL ) == FALSE )
{
printf("\nProcess memory read failed", GetLastError());
_exit(1);
}
else
{
printf("\nProcess memory read \n");
printf("\nProcess memory read: \n",buf);
}


return(0);
}

The ';' says the compiler that the function declaration is only a declaration, not an implementation. The declarations only shows the compiler how a function looks like (name, parameters und return value) and not how it "works". The implementation is used to define how it "works". This shows how to use functoin pre declarations:

Code:

int foo ( void ); // Only a declaration not implementation

int main ( int, char** )
{
    return foo(); // Call declarated function
}

int foo ( void ) // Do not use the ; here, cuz this is the implementation
{
   printf("Hello World\n");
   return 0;
}

[Darka]

looks better, does it compile ?

also, you really should use code tags.