Hooking to process memory - where to start?
-
Many debuggers can hook to a program and read its memory. Even if it's protected/private. I'm thinking about writing a simple debugging tool, but I don't know how to read process memory. Should I use SetWindowsHookEx? Some advice would be greatly appreciated.
Regards, Griffith
Everything you say will be misquoted, ripped out of context and used against you.
-
Try ReadProcessMemory() Dave
-
I've been doing a fair amount of work on something pretty similar. I've been interested in debuggers and how programs work at the lowest levels for a while now after starting off as a bit of a coding idiot :) The best place I can recommend to start is, if you can afford it, to buy John Robbins' "Debugging Windows Applications" because he truly is the king of all things debugger. His Bugslayer articles in MSDN give good ideas too and there are a couple of articles here on CP that can help; search for APIHijack because that gives a good idea of how to get started. John Robbins really is the king though, just had to say that again :)
-
Thanks for the suggestion, but this is what I read on MSDN:
"ReadProcessMemory copies the data in the specified address range from the address space of the specified process into the specified buffer of the current process. Any process that has a handle with PROCESS_VM_READ access can call the function. The process whose address space is read is typically, but not necessarily, being debugged. The entire area to be read must be accessible. If it is not, the function fails as noted previously."
Regular processes don't have PROCESS_VM_READ... I doubt Windows has a simple API that allows one process to read and modify the memory of another one. (What would be the use of protected memory then?) Or is there a way to make ReadProcessMemory work?
Kind regards, Griffith
Everything you say will be misquoted, ripped out of context and used against you.
-
Thanks carrie. The book looks promising, but it's 45 bucks on Amazon :( APIHijack's nice, I'll check out its source code.
Kind regards, Griffith
Everything you say will be misquoted, ripped out of context and used against you.
-
Easy way out: u gotta create the process u wanna read urself, then open it using PROCESS_ALL_ACCESS, then read the memory.
Papa
while (TRUE) Papa.WillLove ( Bebe ) ;
Exactly like that: if you use CreateProcess and supply the flag to show that the program you're writing is debugging the one you are wanting to debug, you can get access to read into its memory space. Just forked out for that book myself about a month ago, it's full of amazing code so I'm more than happy to have paid so much for it. Can't live without it now :)
-
Okay, I'll try that then. I know for sure it's possible to read the memory of existing processes though. Thanks a lot, guys.
Griffith
Everything you say will be misquoted, ripped out of context and used against you.
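The access check discussed in this thread, as an added example that is not part of any post: the handle is opened with only the rights ReadProcessMemory and VirtualQueryEx need, and the target region is checked before the read. The names read_remote and self_pid are hypothetical, the demo reads the program's own memory, and the non-Windows branch is only a placeholder so the file compiles elsewhere.

```c
#include <stdio.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
/* Copy len bytes from addr in process pid into out.
   Returns the byte count, or a negated Win32 error code. */
long read_remote(unsigned long pid, const void *addr, void *out, size_t len)
{
    MEMORY_BASIC_INFORMATION mbi;
    SIZE_T got = 0;
    long rc;
    /* Ask only for what is needed: PROCESS_VM_READ for ReadProcessMemory,
       PROCESS_QUERY_INFORMATION for VirtualQueryEx. The request is checked
       against the target's security descriptor, so ERROR_ACCESS_DENIED
       shows up here for processes the caller is not allowed to open. */
    HANDLE h = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,
                           FALSE, (DWORD)pid);
    if (h == NULL)
        return -(long)GetLastError();

    /* "The entire area to be read must be accessible": reject addresses
       that are not committed or are no-access/guard pages before reading. */
    if (VirtualQueryEx(h, addr, &mbi, sizeof mbi) == 0)
        rc = -(long)GetLastError();
    else if (mbi.State != MEM_COMMIT ||
             (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)))
        rc = -(long)ERROR_NOACCESS;
    else if (!ReadProcessMemory(h, addr, out, len, &got))
        rc = -(long)GetLastError();   /* e.g. ERROR_PARTIAL_COPY */
    else
        rc = (long)got;
    CloseHandle(h);
    return rc;
}
unsigned long self_pid(void) { return GetCurrentProcessId(); }
#else
/* Not Windows: the API does not exist here, so report "unsupported". */
long read_remote(unsigned long pid, const void *addr, void *out, size_t len)
{ (void)pid; (void)addr; (void)out; (void)len; return -1; }
unsigned long self_pid(void) { return 0; }
#endif

int main(void)
{
    int secret = 0x1234, copy = 0;   /* constructed sample data */
    long rc = read_remote(self_pid(), &secret, &copy, sizeof copy);
    printf("rc=%ld copy=0x%x\n", rc, (unsigned)copy);
    return rc < 0;
}
```

A negative return of -5 (ERROR_ACCESS_DENIED) from the OpenProcess step means the caller's token was refused the requested rights on that process.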