Reputation: 13000
I'm writing a program to read a game's memory as it runs. I want to avoid the game noticing me, however, since it might behave differently under observation. Is it possible for processes to detect the act of me inspecting its memory from another process?
This is the method I'm using to inspect it:
    #include <windows.h>
    #include <tlhelp32.h>
    #include <cstdint>
    #include <cwchar>

    // this is how I gain the target process's handle
    HANDLE findHandle(const wchar_t* exeFilename) {
        PROCESSENTRY32W entry;
        entry.dwSize = sizeof(PROCESSENTRY32W);
        HANDLE target = NULL;
        HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (snapshot == INVALID_HANDLE_VALUE)
            return NULL;
        if (Process32FirstW(snapshot, &entry)) {
            // do/while so the first entry in the snapshot is checked too
            do {
                if (wcscmp(entry.szExeFile, exeFilename) == 0) {
                    target = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
                    break;
                }
            } while (Process32NextW(snapshot, &entry));
        }
        CloseHandle(snapshot);
        return target;
    }

    // dst = destination buffer that the other process's memory is read into
    // src = source address from within the other process
    // hProcess = handle of the process we are inspecting
    // protectedAccess = this allows us around some obstacle, though I'm not sure what/how specifically?
    // returns the amount of memory read successfully
    size_t patchedRead(char* dst, char* src, uint32_t size, HANDLE hProcess, bool protectedAccess) {
        SIZE_T readTotal = 0;
        if (protectedAccess) {
            DWORD oldprotect;
            // temporarily change the page protection in the target, read, then restore it
            if (!VirtualProtectEx(hProcess, src, size, PAGE_EXECUTE_READWRITE, &oldprotect))
                return 0;
            ReadProcessMemory(hProcess, src, dst, size, &readTotal);
            if (!VirtualProtectEx(hProcess, src, size, oldprotect, &oldprotect))
                return 0;
        } else {
            ReadProcessMemory(hProcess, src, dst, size, &readTotal);
        }
        return size_t(readTotal);
    }
Upvotes: 1
Views: 1744
Reputation: 596397
> Is it possible for processes to detect the act of me inspecting its memory from another process?
No, it is not. Well, not without injecting code into every running process (such as with AppInit_DLLs or SetWindowsHookEx()) that then hooks/detours the ReadProcessMemory() function directly.
Upvotes: 2
Reputation: 15162
It's not possible to detect a ReadProcessMemory or WriteProcessMemory, but it is possible to detect the preceding OpenProcess that is needed to gain access.
Upvotes: 2
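What the last answer's point looks like from the monitoring side, as an added example that is not part of the original posts: the access mask granted by OpenProcess is what gets logged, and the memory rights in it are what a detector keys on. The `|`-separated record layout, paths and function names are constructed for illustration (the field names follow Sysmon's ProcessAccess event); the mask values are the Windows SDK constants.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Process access rights from winnt.h, repeated so this builds on any platform. */
#define PROCESS_VM_OPERATION 0x0008u /* needed by VirtualProtectEx   */
#define PROCESS_VM_READ      0x0010u /* needed by ReadProcessMemory  */
#define PROCESS_VM_WRITE     0x0020u /* needed by WriteProcessMemory */
#define MEMORY_RIGHTS (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE)

/* Constructed sample records: "SourceImage|TargetImage|GrantedAccess". */
static const char *SAMPLE_EVENTS[] = {
    "C:\\Tools\\reader.exe|C:\\Games\\game.exe|0x1FFFFF",   /* PROCESS_ALL_ACCESS */
    "C:\\Windows\\explorer.exe|C:\\Games\\game.exe|0x1000", /* query limited info */
    "C:\\Tools\\viewer.exe|C:\\Games\\game.exe|0x0410",     /* query info + VM_READ */
    "C:\\Tools\\reader.exe|C:\\Windows\\notepad.exe|0x0010",
};
#define SAMPLE_COUNT (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])

/* Parse the hex mask after the last '|'; returns 0 if there is no separator. */
uint32_t granted_access(const char *event) {
    const char *p = strrchr(event, '|');
    return p ? (uint32_t)strtoul(p + 1, NULL, 16) : 0;
}

/* Nonzero if the record is a handle open on `target` carrying memory rights. */
int is_memory_access(const char *event, const char *target) {
    const char *first = strchr(event, '|');
    const char *last = strrchr(event, '|');
    if (!first || first == last) return 0; /* fewer than three fields */
    size_t len = (size_t)(last - first - 1);
    if (strlen(target) != len || strncmp(first + 1, target, len) != 0) return 0;
    return (granted_access(event) & MEMORY_RIGHTS) != 0;
}

/* Print and count the sample records that open `target` with memory rights. */
int count_memory_access(const char *target) {
    int hits = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (is_memory_access(SAMPLE_EVENTS[i], target)) {
            printf("flag: %s\n", SAMPLE_EVENTS[i]);
            hits++;
        }
    return hits;
}

int main(void) {
    printf("%d opens with memory rights\n", count_memory_access("C:\\Games\\game.exe"));
    return 0;
}
```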