challenging one
-
Hello. What I'm attempting to do here is access the memory of a process which I have already created, for 'read' purposes. I feel that I'm close, but can't quite get it to work and it's challenging. After reading, I then want all the info from the memory read to be displayed and saved into a file. I need to have finished this by the end of the week, please assist. Part of the code is below:

int main(int argc, char **argv)
{
    PROCESS_INFORMATION pi;   /* filled in by CreateProcess */
    STARTUPINFO si;           /* startup info for the new process */
    HANDLE hProcess = pi.hProcess;
    BYTE buf[2000];
    DWORD bufsize = sizeof buf;
    DWORD baseaddr = 1;
    DWORD error = GetLastError();
    LPCVOID lpAddress;
    PMEMORY_BASIC_INFORMATION lpBuffer;
    DWORD dwLength;
    DWORD flNewProtect;
    PDWORD lpflOldProtect;
    DWORD dwSize = 0;
    LPCVOID lpBaseAddress;
    DWORD nSize;
    LPDWORD lpNumberOfBytesRead;

    printf("Process %d reporting for creation\n", GetCurrentProcessId());
    GetStartupInfo(&si);

    // Call CreateProcess, telling it to run an exe file
    CreateProcess(NULL,          /* lpApplicationName */
        "numbers.exe",           /* lpCommandLine, assumes the current process directory */
        NULL,                    /* lpsaProcess */
        NULL,                    /* lpsaThread */
        FALSE,                   /* bInheritHandles */
        CREATE_NEW_CONSOLE,      /* dwCreationFlags */
        NULL,                    /* lpEnvironment */
        NULL,                    /* lpCurDir */
        &si,                     /* lpStartupInfo */
        &pi                      /* lpProcInfo */
    );
    printf("New Process ID: %d ", pi.dwProcessId);
    printf("has started \n");
    //============================================
    OpenProcess(
        PROCESS_ALL_ACCESS,      // access flag
        0,                       // handle inheritance flag
        pi.dwProcessId           // process identifier
    );
    //===============================================
    GetModuleHandle(
        "numbers.exe"            // address of module name to return handle for
    );
    //============================================================
    // ImageNtHeader(
    //     1
    // );
    //============================================================
    VirtualQueryEx(
        hProcess,                // handle to process
        lpAddress,               // address of region
        lpBuffer,                // address of information buffer
        dwLength
This piece of code:

PROCESS_INFORMATION pi; /* filled in by CreateProcess */
STARTUPINFO si;         /* startup info for the new process */
HANDLE hProcess = pi.hProcess;

seems a bit buggy :-), you haven't invoked CreateProcess yet, so hProcess is set to whatever is at the memory location pi.hProcess. Why are there two calls to ReadProcessMemory? When you've invoked ReadProcessMemory, the second invocation :-), you could call GetLastError to let Windows tell you what went wrong. At the moment I guess it would say that hProcess is an invalid parameter :-D

"After all it's just text at the end of the day." - Colin Davies
"For example, when a VB programmer comes to my house, they may say 'does your pool need cleaning, sir?'" - Christian Graus
-
CreateProcess has been invoked; the missing part was the BOOL EnableDebugPrivNT(), which enables access to the specified memory. The ReadProcessMemory has been removed now. About pi.process, I thought the created process would be the one to read memory of... oam
mpapeo wrote:
About pi.process, I thought the created process would be the one to read memory of...

You tell me :-) What is wrong in the code, though, is that you declare the variable pi, which is to be filled by the function CreateProcess. However, before actually filling that struct, you assign the value of one of its members to the variable hProcess. I don't know about the rest of the code, but you have to switch the steps here from:

PROCESS_INFORMATION pi; /* filled in by CreateProcess */
HANDLE hProcess = pi.hProcess;

to

PROCESS_INFORMATION pi; /* filled in by CreateProcess */
HANDLE hProcess = NULL;
...
// Call CreateProcess, telling it to run an exe file
CreateProcess(NULL,          /* lpApplicationName */
    "numbers.exe",           /* lpCommandLine, assumes the current process directory */
    NULL,                    /* lpsaProcess */
    NULL,                    /* lpsaThread */
    FALSE,                   /* bInheritHandles */
    CREATE_NEW_CONSOLE,      /* dwCreationFlags */
    NULL,                    /* lpEnvironment */
    NULL,                    /* lpCurDir */
    &si,                     /* lpStartupInfo */
    &pi                      /* lpProcInfo */
);
hProcess = pi.hProcess;

That is of course assuming that CreateProcess succeeded. There is, in my opinion, a lack of result testing. This is of course essential to production code, but also when you are in a test phase it would help you a lot in finding the errors.

"After all it's just text at the end of the day." - Colin Davies
"For example, when a VB programmer comes to my house, they may say 'does your pool need cleaning, sir?'" - Christian Graus
-
Well, you have the idea, but now I found it crashing. I get this error: "The value of ESP was not properly saved across a function call ..." Well, how can I call ReadProcessMemory to return the size of memory the "CreateProcess()" has occupied, so that I can extract it? oam
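As an added example, not code from this thread or from any of its posters: ReadProcessMemory cannot tell you how much memory the child occupies, because it only copies the range you ask for. The size information comes from VirtualQueryEx, which describes one region at a time (base address, size, state, protection); you step from region to region and copy the committed, readable ones to the file. The program below does exactly that, checks every result as the second reply recommends, and takes hProcess from pi only after CreateProcess has returned TRUE. Assumptions: "numbers.exe" is the thread's own placeholder target, "numbers.dump" is an output file name chosen here, and the self-test backend with its three constructed regions is a stand-in so the same dump loop can be run on a non-Windows machine; the Windows backend is compiled only on Windows.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef struct { uintptr_t base; size_t size; int readable; } region_t;

/* Backend the dump loop reads through: query() describes the region holding addr and
 * returns 0 once addr is past the end of the address space; read() copies up to len
 * bytes from addr and returns how many it actually got. */
typedef struct {
    void *ctx;
    int (*query)(void *ctx, uintptr_t addr, region_t *out);
    size_t (*read)(void *ctx, uintptr_t addr, void *out, size_t len);
} mem_source_t;

/* Walk the address space from 0 and write every readable region to fp.
 * Returns the bytes written, or (size_t)-1 if fwrite failed. */
size_t dump_readable_memory(const mem_source_t *src, FILE *fp)
{
    unsigned char buf[4096];
    region_t r;
    size_t total = 0, off, want, got = 0;
    uintptr_t addr = 0;
    while (src->query(src->ctx, addr, &r)) {
        for (off = 0; r.readable && off < r.size; off += got) {
            want = r.size - off < sizeof buf ? r.size - off : sizeof buf;
            got = src->read(src->ctx, r.base + off, buf, want);
            if (got == 0) break;                /* page unmapped or guarded since query: skip the rest */
            if (fwrite(buf, 1, got, fp) != got) return (size_t)-1;
            total += got;
        }
        if (r.base + r.size <= addr) break;     /* never spin on a region that does not advance (or wraps) */
        addr = r.base + r.size;
    }
    return total;
}

/* Constructed self-test backend, not a real process: free space below 0x10000, then
 * three regions over one buffer, the middle one unreadable (think PAGE_NOACCESS). */
#define FAKE_BASE 0x10000u
static unsigned char fake_mem[8192 + 4096 + 8192];
static const region_t fake_regions[] = { { 0, FAKE_BASE, 0 },
    { FAKE_BASE, 8192, 1 }, { FAKE_BASE + 8192, 4096, 0 }, { FAKE_BASE + 12288, 8192, 1 } };

static int fake_query(void *ctx, uintptr_t addr, region_t *out)
{
    size_t i;
    (void)ctx;
    for (i = 0; i < sizeof fake_regions / sizeof fake_regions[0]; i++)
        if (addr >= fake_regions[i].base && addr - fake_regions[i].base < fake_regions[i].size) {
            *out = fake_regions[i];
            return 1;
        }
    return 0;
}
static size_t fake_read(void *ctx, uintptr_t addr, void *out, size_t len)
{
    region_t r;
    if (!fake_query(ctx, addr, &r) || !r.readable) return 0;   /* like ReadProcessMemory on a bad page */
    memcpy(out, fake_mem + (addr - FAKE_BASE), len);
    return len;
}

/* Dump the fake space to a temp file; returns 1 if exactly the two readable regions
 * came out in order, byte for byte, with the hole between them skipped. */
int self_test(void)
{
    mem_source_t src = { NULL, fake_query, fake_read };
    static unsigned char got[16384];
    FILE *fp = tmpfile();
    size_t i, n;
    int ok;
    if (!fp) return 0;
    for (i = 0; i < sizeof fake_mem; i++) fake_mem[i] = (unsigned char)(i * 7);
    n = dump_readable_memory(&src, fp);
    rewind(fp);
    ok = n == sizeof got && fread(got, 1, sizeof got, fp) == sizeof got && fgetc(fp) == EOF
      && memcmp(got, fake_mem, 8192) == 0 && memcmp(got + 8192, fake_mem + 12288, 8192) == 0;
    fclose(fp);
    return ok;
}

#ifdef _WIN32
#include <windows.h>
static int win_query(void *ctx, uintptr_t addr, region_t *out)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQueryEx((HANDLE)ctx, (LPCVOID)addr, &mbi, sizeof mbi) == 0) return 0;
    out->base = (uintptr_t)mbi.BaseAddress;
    out->size = mbi.RegionSize;
    out->readable = mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD));
    return 1;
}
static size_t win_read(void *ctx, uintptr_t addr, void *out, size_t len)
{
    SIZE_T got = 0;   /* on ERROR_PARTIAL_COPY this still holds the bytes that were copied */
    ReadProcessMemory((HANDLE)ctx, (LPCVOID)addr, out, len, &got);
    return (size_t)got;
}
int main(void)
{
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    mem_source_t src = { NULL, win_query, win_read };
    char cmd[] = "numbers.exe";      /* writable buffer: CreateProcess may modify lpCommandLine */
    FILE *fp;
    size_t n;
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcess failed, error %lu\n", GetLastError());
        return 1;
    }
    CloseHandle(pi.hThread);
    src.ctx = pi.hProcess;           /* valid only now, and already full access: no OpenProcess needed */
    fp = fopen("numbers.dump", "wb");
    n = fp ? dump_readable_memory(&src, fp) : (size_t)-1;
    if (fp) fclose(fp);
    CloseHandle(pi.hProcess);
    if (n == (size_t)-1) { fprintf(stderr, "dump failed\n"); return 1; }
    printf("wrote %lu bytes to numbers.dump\n", (unsigned long)n);
    return 0;
}
#else
int main(void) { return self_test() ? 0 : 1; }
#endif
```

Built on Windows this starts numbers.exe and writes numbers.dump; elsewhere it only runs the self-test. Two points the thread touches on: the handle in pi.hProcess already carries full access, so the OpenProcess(PROCESS_ALL_ACCESS, ...) call in the original code is redundant for a child you created, and when you do open some other process, ask only for PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, which is all VirtualQueryEx and ReadProcessMemory need; SeDebugPrivilege (the EnableDebugPrivNT step) matters only for processes your token cannot otherwise open. The "ESP was not properly saved across a function call" message in the last reply is the MSVC run-time check for a prototype or calling-convention mismatch, typically an API called through a function pointer declared without WINAPI; calling the APIs through the <windows.h> prototypes, as above, avoids it.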