views:

182

answers:

4

Hi,

I want to read all of the memory associated with a particular process. I am aware of ReadProcessMemory, but as I have little experience of using it, I am fearful that I will just get a load of rubbish out (rubbish in...).

a) How do I work out (from the base pointer to the end) the total region that I can read?
b) What is the best/safest way to iterate over this area of memory and print it?
c) How do I print it, given that I don't know what values it will contain, so that I can look at it?

I would also like to be able to include the actual location of each piece of data from within memory in my output.

Thanks R.

+1  A: 

Memory is accessible in units of pages (typically 4096 bytes). If you read each page individually, you can know that if the read fails, that page is not readable and you can skip it.

#include <windows.h>

#define PAGESIZE 4096

// Probe the target's address space one page at a time; a failed read means
// the page is not readable and is simply skipped. 'handle' must have been
// opened with PROCESS_VM_READ. Walking every page this way is only practical
// for a 32-bit address space (about a million iterations).
void DumpPages(HANDLE handle)
{
    char buffer[PAGESIZE];
    SIZE_T bytesRead;
    char *base = (char *)0;
    do {
        if (ReadProcessMemory(handle, base, buffer, PAGESIZE, &bytesRead) != 0)
        {
            // buffer holds one readable page of the target process

            // the address of buffer[X] in the target is base+X
        }

        base += PAGESIZE;

    // keep looping until the address wraps back around to 0
    } while (base != 0);
}
R Samuel Klatchko
+2  A: 

Start with VirtualQueryEx to determine what parts of the process's address space have pages backing them up, then once you know what is where, you can use ReadProcessMemory to look at the actual data.

John Knoeller
+1  A: 

There are a couple of things you generally need (or at least want) to use to make much use of ReadProcessMemory. For your first question, finding blocks of memory that can be read, you can use VirtualQueryEx to find the regions of memory in a process, and how the virtual memory manager has marked each region.

To find things like locations of individual variables, you normally need to use the debugging API -- specifically the Symbol part -- SymInitialize, SymGetSymFromName, and possibly SymEnumerateSymbols should get you a decent start. There are quite a few more though...

Jerry Coffin
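Putting the two VirtualQueryEx answers above together, here is an added example (my code, not code from either answer) that walks the target's address space region by region with VirtualQueryEx, reads each committed, non-guard, non-PAGE_NOACCESS region with ReadProcessMemory and prints it as a hex dump in which every line carries the address the bytes have in the target process, which also covers part (c) of the question. The PID comes from the command line (an assumption of this example). The readability test and the line formatter are portable C and compile anywhere; the Win32 enumeration and main() are compiled only under _WIN32. A region that VirtualQueryEx reports as readable can still fail to read (its protection can change between the query and the read), so a failed ReadProcessMemory is logged and the region skipped rather than treated as fatal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Documented Win32 constant values, defined here only so the portable
 * helpers below compile and can be exercised off-Windows. */
#define MEM_COMMIT     0x1000
#define PAGE_NOACCESS  0x01
#define PAGE_GUARD     0x100
#endif

/* A region is worth passing to ReadProcessMemory only if it is committed,
 * is not a guard page and is not PAGE_NOACCESS. The low byte of Protect
 * holds the access type; the high bits hold modifiers such as PAGE_GUARD. */
int IsReadableRegion(uint32_t state, uint32_t protect)
{
    if (state != MEM_COMMIT)               return 0;
    if (protect & PAGE_GUARD)              return 0;
    if ((protect & 0xFF) == PAGE_NOACCESS) return 0;
    return 1;
}

/* Format one hex-dump line: the remote address, up to 16 bytes as hex, then
 * the same bytes as ASCII with non-printables shown as '.'. 'out' must hold
 * at least 80 bytes. Returns the number of input bytes consumed. */
size_t FormatHexLine(uint64_t addr, const unsigned char *data, size_t len,
                     char *out, size_t outsz)
{
    size_t n = len < 16 ? len : 16;
    size_t pos = (size_t)snprintf(out, outsz, "%016llx  ", (unsigned long long)addr);
    for (size_t i = 0; i < 16; i++) {
        if (i < n)
            pos += (size_t)snprintf(out + pos, outsz - pos, "%02x ", data[i]);
        else
            pos += (size_t)snprintf(out + pos, outsz - pos, "   ");
    }
    pos += (size_t)snprintf(out + pos, outsz - pos, " |");
    for (size_t i = 0; i < n; i++) {
        unsigned char c = data[i];
        pos += (size_t)snprintf(out + pos, outsz - pos, "%c",
                                (c >= 0x20 && c < 0x7f) ? c : '.');
    }
    snprintf(out + pos, outsz - pos, "|");
    return n;
}

#ifdef _WIN32
/* Walk the target's address space one region at a time and dump what is readable. */
int DumpProcessMemory(DWORD pid)
{
    HANDLE h = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!h) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }

    unsigned char *addr = NULL;
    MEMORY_BASIC_INFORMATION mbi;
    char line[96];
    /* VirtualQueryEx returns sizeof(mbi) on success and 0 once we are past
     * the end of the user address range. */
    while (VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (IsReadableRegion(mbi.State, mbi.Protect)) {
            unsigned char *buf = malloc(mbi.RegionSize);
            SIZE_T got = 0;
            /* ReadProcessMemory fails outright (not partially) if any byte of
             * the range is inaccessible, so a failure skips the whole region. */
            if (buf && ReadProcessMemory(h, mbi.BaseAddress, buf, mbi.RegionSize, &got)) {
                for (SIZE_T off = 0; off < got; ) {
                    off += FormatHexLine((uint64_t)(uintptr_t)mbi.BaseAddress + off,
                                         buf + off, got - off, line, sizeof line);
                    puts(line);
                }
            } else {
                fprintf(stderr, "skipping %p (+%zu bytes): error %lu\n",
                        mbi.BaseAddress, (size_t)mbi.RegionSize, GetLastError());
            }
            free(buf);
        }
        /* Advance to the next region; stop if the address would wrap. */
        unsigned char *next = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) break;
        addr = next;
    }
    CloseHandle(h);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    return DumpProcessMemory((DWORD)strtoul(argv[1], NULL, 10));
}
#endif
```

Build it as a process of the same bitness as the target (a 32-bit reader cannot see a 64-bit target's full address space), and run it with enough privilege to open the target; redirect stdout to a file, since even a small process produces megabytes of dump.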
A: 

What types of memory are you wanting? The mapped .exe and .dlls? Stack? Heap? etc. What really are you trying to do?

steelbytes