Reputation: 52
Reading a process' memory
So i have this function iv'e written in C, it's supposed to scan a process' memory. I'm running it on notepad, but since it's failing iv'e tried a few more processes. It never works properly and the output is always as follows :
0x00010000
0x7FFE0000
0x7FFE1000
When i'm using windows 7 the function works just fine. Here it is :
int ScanProcess(int pid)
{
HANDLE hProc;
SYSTEM_INFO si;
MEMORY_BASIC_INFORMATION mbi;
LPVOID *minAddress, *maxAddress;
GetSystemInfo(&si);
minAddress = si.lpMinimumApplicationAddress;
maxAddress = si.lpMaximumApplicationAddress;
hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);
if (!hProc) {
printf("[-] OpenProcess() failed.\n");
return 0;}
while (minAddress < maxAddress)
{
printf("0x%08X\n", minAddress);
if(!VirtualQueryEx(hProc, minAddress, &mbi, sizeof(mbi))) printf("[-] VirtualQueryEx() failed. %d\n", GetLastError());
if (mbi.State == MEM_COMMIT && mbi.Protect == PAGE_READWRITE)
{
printf("MEM_COMMIT\n"); //When the scan would work i will read the memory and work with it.
}
minAddress = (LPVOID)((long)mbi.BaseAddress + mbi.RegionSize);
}
return 0;
}
Can someone figure out the problem? thanks :)
@Harry Johnston, this is what i got so far.
int ScanProcess(int pid)
{
HANDLE hProc;
SYSTEM_INFO si;
MEMORY_BASIC_INFORMATION mbi;
DWORD64 minAddress, maxAddress;
GetSystemInfo(&si);
minAddress = (DWORD64)si.lpMinimumApplicationAddress;
maxAddress = (DWORD64)si.lpMaximumApplicationAddress;
hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);
if (!hProc) {
printf("[-] OpenProcess() failed.\n");
return 0;}
while (minAddress < maxAddress)
{
printf("0x%08X\n", minAddress);
if(!VirtualQueryEx(hProc, (LPCVOID)minAddress, &mbi, sizeof(mbi))) printf("[-] VirtualQueryEx() failed. %d\n", GetLastError());
if (mbi.State == MEM_COMMIT && mbi.Protect == PAGE_READWRITE)
{
printf("MEM_COMMIT\n"); //When the scan would work i will read the memory and work with it.
}
minAddress = (DWORD64)mbi.BaseAddress + mbi.RegionSize;
}
return 0;
}
Upvotes: 0
Views: 1299
Answers (1)
Reputation: 37202
Try this version:
int ScanProcess(int pid)
{
HANDLE hProc;
SYSTEM_INFO si;
MEMORY_BASIC_INFORMATION mbi;
LPVOID minAddress, maxAddress;
GetSystemInfo(&si);
minAddress = si.lpMinimumApplicationAddress;
maxAddress = si.lpMaximumApplicationAddress;
hProc = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);
if (!hProc) {
printf("[-] OpenProcess() failed.\n");
return 0;}
while (minAddress < maxAddress)
{
printf("0x%p\n", minAddress);
if(!VirtualQueryEx(hProc, minAddress, &mbi, sizeof(mbi))) printf("[-] VirtualQueryEx() failed. %d\n", GetLastError());
if (mbi.State == MEM_COMMIT && mbi.Protect == PAGE_READWRITE)
{
printf("MEM_COMMIT\n"); //When the scan would work i will read the memory and work with it.
}
minAddress = (LPBYTE)mbi.BaseAddress + mbi.RegionSize;
}
return 0;
}
It uses LPVOID as a pointer type is fine for this application, the only real change is the pointer arithmetic is done using a cast to LPBYTE (since you can't add void pointers).
The other change is to use %p as the printf formatting string, since this will work correctly with a 64-bit pointer.
Upvotes: 3
Related Questions
- Get size of a process' readable memory?
- Read process memory of a process does not return everything
- Read process memory in C
- C++: reading memory of another process
- Reading a process memory
- How to find the memory used by a process from kernel mode in Windows
- Get process memory information
- Get allocated memory regions of running process
- Reading a process memory
- How to know what amount of memory I'm using in a process? win32 C++