::ReadProcessMemory fails with ERROR_PARTIAL_COPY
-
Hey everybody. I wrote (according to articles I found on the net) the following code, in order to get the command line of another process (it is not the "full code", just until it fails):

    HANDLE hproc = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if(!hproc)
    {
        printf("OpenProcess() failed: 0x%x", ::GetLastError());
        return _T("");
    }
    _NtQueryInformationProcess NtQueryInformationProcess = (_NtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationProcess");
    PROCESS_BASIC_INFORMATION pbi;
    DWORD size_written;
    NTSTATUS nt = NtQueryInformationProcess(hproc, ProcessBasicInformation, (void*)&pbi, sizeof(PROCESS_BASIC_INFORMATION), &size_written); // get pbi
    if(nt)
    {
        printf("NtQueryInformationProcess() failed: 0x%x", nt);
        return _T("");
    }
    PEB* peb = pbi.PebBaseAddress;
    ULONG session_id = peb->SessionId;
    SIZE_T read_size;
    RTL_USER_PROCESS_PARAMETERS* proc_params = NULL;
    DWORD old_protection;
    if(!::VirtualProtectEx(hproc, peb->ProcessParameters, sizeof(RTL_USER_PROCESS_PARAMETERS*), PAGE_EXECUTE_READWRITE, &old_protection))
    {
        printf("VirtualProtectEx() failed: 0x%x", ::GetLastError());
        return _T("");
    }
    // ************ FAILS HERE !!!! ***************
    if(!::ReadProcessMemory(hproc, peb->ProcessParameters, (RTL_USER_PROCESS_PARAMETERS*)proc_params, sizeof(RTL_USER_PROCESS_PARAMETERS*), &read_size))
    {
        printf("ReadProcessMemory() failed: 0x%x", ::GetLastError());
        return _T("");
    }
    if(!::VirtualProtectEx(hproc, peb->ProcessParameters, sizeof(RTL_USER_PROCESS_PARAMETERS*), old_protection, NULL))
    {
        printf("VirtualProtectEx() failed: 0x%x", ::GetLastError());
        return _T("");
    }

The output is that ReadProcessMemory() fails with ERROR_PARTIAL_COPY. The code works in XP for processes in the same session. Currently I am trying to make it work in Windows 7, for a process in the same session. ANY IDEAS anyone ???? :confused: Thanks!
-
Are you running the application with elevated privileges (Run as administrator)?
«_Superman_»
I love work. It gives me something to do between weekends.
-
Yes. :-)
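
The lookup the question is after, as an added example that is not the poster's code: PebBaseAddress, ProcessParameters and CommandLine.Buffer are addresses in the target process, so each hop is copied into a local variable through a reader and never dereferenced locally. The target's memory here is a constructed buffer so the block runs offline; remote_read, read_command_line and build_sample are hypothetical names, and the offsets are those of a 64-bit target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* x64 offsets: PEB+0x20 = ProcessParameters; parameters+0x70 = CommandLine, a
   UNICODE_STRING { USHORT Length (bytes); USHORT MaximumLength; PWSTR Buffer at +8 }. */
enum { PEB_PARAMS_OFF = 0x20, PARAMS_CMDLINE_OFF = 0x70 };
/* Constructed stand-in for the target's address space (one mapped region). On Windows
   remote_read would wrap ReadProcessMemory(hproc, (LPCVOID)addr, dst, len, &got). */
#define REGION_BASE 0x7ff000000000ULL
static uint8_t region[0x400];

static int remote_read(uint64_t addr, void *dst, size_t len) {
    if (addr < REGION_BASE || len > sizeof region || addr - REGION_BASE > sizeof region - len)
        return 0;                 /* range not fully mapped: the partial-copy case */
    memcpy(dst, region + (addr - REGION_BASE), len);
    return 1;
}

/* PEB -> ProcessParameters -> CommandLine.Buffer; every hop copies target memory
   into a local variable. Returns UTF-16 code units read, or -1 on failure. */
static int read_command_line(uint64_t peb_addr, uint16_t *out, size_t out_units) {
    uint64_t params, buf;
    uint16_t len_bytes;
    if (!remote_read(peb_addr + PEB_PARAMS_OFF, &params, sizeof params)) return -1;
    if (!remote_read(params + PARAMS_CMDLINE_OFF, &len_bytes, sizeof len_bytes)) return -1;
    if (!remote_read(params + PARAMS_CMDLINE_OFF + 8, &buf, sizeof buf)) return -1;
    if (len_bytes % 2 || len_bytes / 2u > out_units) return -1; /* length is target-controlled */
    if (!remote_read(buf, out, len_bytes)) return -1;
    return len_bytes / 2;
}

/* Constructed image: PEB at +0, parameters at +0x100, command line at +0x200. */
static uint64_t build_sample(void) {
    static const uint16_t cmd[] = { 'a', '.', 'e', 'x', 'e', ' ', '-', 'v' };
    uint64_t params = REGION_BASE + 0x100, buf = REGION_BASE + 0x200;
    uint16_t len = sizeof cmd;
    memcpy(region + PEB_PARAMS_OFF, &params, sizeof params);
    memcpy(region + 0x100 + PARAMS_CMDLINE_OFF, &len, sizeof len);
    memcpy(region + 0x100 + PARAMS_CMDLINE_OFF + 8, &buf, sizeof buf);
    memcpy(region + 0x200, cmd, sizeof cmd);
    return REGION_BASE;           /* plays the role of pbi.PebBaseAddress */
}

int main(void) {
    uint16_t out[64];
    int n = read_command_line(build_sample(), out, 64);
    for (int i = 0; i < n; i++) putchar(out[i]);  /* sample text is ASCII-only */
    return n < 0;
}
```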