I'm trying to read the process memory of a console program using the ReadProcessMemory() API function.

Updated Code:

    HWND hWnd = FindWindow(NULL, "Read Memory Window");
    DWORD ProcessId = 0;
    // GetWindowThreadProcessId() fills in the ID of the process that owns the window
    // (GetProcessId() takes a process HANDLE, not an HWND, so that call is dropped)
    GetWindowThreadProcessId(hWnd, &ProcessId);
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, ProcessId);

    SIZE_T NumberOfBytesRead;
    CHAR Buffer[128] = {0};
    DWORD dwAddr = 0x0012FD6C; // address of array to get
    BOOL sucess = ReadProcessMemory(hProcess, &dwAddr, &Buffer, 128, &NumberOfBytesRead);

I get null and garbage values when I run the program along with the program to read the array.

+2  A: 

You're using a fixed address, which is generally a very bad idea, even more so now that Windows Vista and Windows 7 use ASLR, making it unsafe even for fixed based modules (even without ASLR it's unsafe, because the image can be reallocated for various reasons).

Also, that address looks very dodgy. How did you derive that address? And is it adjusted correctly as a virtual address and not a relative address?

Finally and most importantly, you shouldn't be passing the address and buffer as you do; it should be passed like so:

    BOOL sucess = ReadProcessMemory(hProcess, (LPVOID)dwAddr, &Buffer[0], 128, &NumberOfBytesRead);

or

    BOOL sucess = ReadProcessMemory(hProcess, (LPVOID)dwAddr, Buffer, 128, &NumberOfBytesRead);
Necrolis
Using the LPVOID to cast the DWORD dwAddr helps. Actually, when I was trying to read the data from the process, I tried to change the array to an integer type, int Buffer[128], so there I made a mistake: in the fourth level of ReadProcessMemory() the number of bytes to read should be 128*4 = 512 bytes.
Dave18
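The points from the answer and the comment above (pass the target address by value, pass the buffer itself, size the read in bytes, and check both the return value and the byte count), as an added example that is not part of the original thread. `read_fn`, `win_read`, `fake_proc`, `fake_read` and `read_remote_ints` are hypothetical names, and the fake target process is constructed so the logic can run off Windows.

```c
/* Added example, not from the original post. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Backend: copy n bytes from address addr in the target; nonzero on success. */
typedef int (*read_fn)(void *ctx, uintptr_t addr, void *dst, size_t n, size_t *got);

#ifdef _WIN32
#include <windows.h>
/* ctx is a HANDLE opened with PROCESS_VM_READ. */
static int win_read(void *ctx, uintptr_t addr, void *dst, size_t n, size_t *got) {
    SIZE_T done = 0;
    /* The address goes in by value, cast to a pointer (not &addr); dst is the buffer itself. */
    BOOL ok = ReadProcessMemory((HANDLE)ctx, (LPCVOID)addr, dst, n, &done);
    *got = done;
    return ok != 0;
}
#endif

/* Constructed stand-in for a target process: room for 4 ints at `base`. */
struct fake_proc { uintptr_t base; unsigned char mem[4 * sizeof(int)]; };

static int fake_read(void *ctx, uintptr_t addr, void *dst, size_t n, size_t *got) {
    struct fake_proc *p = ctx;
    *got = 0;
    if (addr < p->base || addr - p->base >= sizeof p->mem) return 0; /* unmapped */
    size_t avail = sizeof p->mem - (addr - p->base);
    *got = n < avail ? n : avail;
    memcpy(dst, p->mem + (addr - p->base), *got);
    return *got == n; /* a short copy counts as failure */
}

/* Read `count` ints. Returns 0 on success, -1 if nothing was read, -2 on a short read. */
int read_remote_ints(read_fn rd, void *ctx, uintptr_t addr, int *out, size_t count) {
    size_t want = count * sizeof *out, got = 0; /* size is in bytes, not elements */
    if (!rd(ctx, addr, out, want, &got)) return got ? -2 : -1;
    return got == want ? 0 : -2;
}

int main(void) {
    struct fake_proc p = { 0x0012FD6C, {0} }; /* constructed sample target */
    int src[4] = { 10, 20, 30, 40 }, buf[4] = { 0 };
    memcpy(p.mem, src, sizeof src);
    int rc = read_remote_ints(fake_read, &p, p.base, buf, 4);
    printf("rc=%d first=%d last=%d\n", rc, buf[0], buf[3]);
    return rc;
}
```

On Windows, call `read_remote_ints(win_read, hProcess, addr, buf, count)` with the handle returned by `OpenProcess`.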