C# .NET reading all of of a process troubles

Question

I'm messing around with a scanning engine I'm working on and I'm trying to read the memory of a process. My code is below (it's a little messy) but for some reason if I read the memory of an application in different states, or after it has a lot of things loaded into memory, I get the same memory size no matter what. Are my entry point addresses and length incorrect?

If I use a memory editor I don't get the same results I do with this.

        Process process = Process.GetProcessesByName(processName)[0];
        List moduleMemory = new List();

        byte[] temp;

            //MessageBox.Show(pm.FileName);
            temp = new byte[pm.ModuleMemorySize];
            int read;

            if (ReadProcessMemory(process.Handle, pm.BaseAddress, temp, temp.Length, out read)) {
                moduleMemory.Add(temp);
            }
        }
        //string d = Encoding.Default.GetString(moduleMemory[0]);
        MessageBox.Show("Size: " + moduleMemory[0].Length);

Ňuf · Accepted Answer

Your problem is probaly caused by the fact, that Process class caches values:

The process component obtains information about a group of properties all at once. After the Process component has obtained information about one member of any group, it will cache the values for the other properties in that group and not obtain new information about the other members of the group until you call the Refresh method. Therefore, a property value is not guaranteed to be any newer than the last call to the Refresh method. The group breakdowns are operating-system dependent.

Therefore after target process loads some additional modules, process instance will still return old values. Calling process.Refresh() should update all cached values and fix the issue.

C# .NET reading all of of a process troubles

Answers (2)

Related Questions