Very weird kernel32 memory reading results.
-
I'm making a memory reading application, but after some programming I noticed I actually get the same result for no matter which process. :wtf: I'll give a very clear example of my problem. This piece of code opens three processes, and reads their memory at position 0x0000FFFF. The processes can be whatever I want (as long as they're running, obviously), but for this example I took Firefox, TeaTimer (background process of Spybot) and Nexcal (a calculator program).
public static void Test() { IntPtr bytesRead = new IntPtr(); // firefox IntPtr firefox = OpenProcess(PROCESS_ALL_ACCESS, 0, (uint)Process.GetProcessesByName("firefox")[0].Id); byte[] firefoxBuffer = new byte[3]; Trace.WriteLine("Firefox reading success: " + ReadProcessMemory(firefox, new IntPtr(65536), firefoxBuffer, (uint)3, out bytesRead)); foreach (byte b in firefoxBuffer) { Trace.WriteLine(b.ToString()); } CloseHandle(firefox); // teatimer IntPtr tea = OpenProcess(PROCESS_ALL_ACCESS, 0, (uint)Process.GetProcessesByName("TeaTimer")[0].Id); byte[] teaBuffer = new byte[3]; Trace.WriteLine("TeaTimer reading success: " + ReadProcessMemory(tea, new IntPtr(65536), teaBuffer, (uint)3, out bytesRead)); foreach (byte b in teaBuffer) { Trace.WriteLine(b.ToString()); } CloseHandle(tea); // nexcal IntPtr nex = OpenProcess(PROCESS_ALL_ACCESS, 0, (uint)Process.GetProcessesByName("Nexcal")[0].Id); byte[] nexBuffer = new byte[3]; Trace.WriteLine("Nexcal reading success: " + ReadProcessMemory(nex, new IntPtr(65536), nexBuffer, (uint)3, out bytesRead)); foreach (byte b in nexBuffer) { Trace.WriteLine(b.ToString()); } CloseHandle(nex); }Now here's the output of this code: Firefox reading success: 1 61 0 58 TeaTimer reading success: 1 61 0 58 Nexcal reading success: 1 61 0 58 I even used different buffers just so I won't make a mistake with accidentally just printing the previous result again. Anyways, it explicitly says it succeeded reading that certain process at that certain position of their memory, but it still returns exactly the same result for the three processes. Now I was thinking this might be an absolute memory location -
I'm making a memory reading application, but after some programming I noticed I actually get the same result for no matter which process. :wtf: I'll give a very clear example of my problem. This piece of code opens three processes, and reads their memory at position 0x0000FFFF. The processes can be whatever I want (as long as they're running, obviously), but for this example I took Firefox, TeaTimer (background process of Spybot) and Nexcal (a calculator program).
public static void Test() { IntPtr bytesRead = new IntPtr(); // firefox IntPtr firefox = OpenProcess(PROCESS_ALL_ACCESS, 0, (uint)Process.GetProcessesByName("firefox")[0].Id); byte[] firefoxBuffer = new byte[3]; Trace.WriteLine("Firefox reading success: " + ReadProcessMemory(firefox, new IntPtr(65536), firefoxBuffer, (uint)3, out bytesRead)); foreach (byte b in firefoxBuffer) { Trace.WriteLine(b.ToString()); } CloseHandle(firefox); // teatimer IntPtr tea = OpenProcess(PROCESS_ALL_ACCESS, 0, (uint)Process.GetProcessesByName("TeaTimer")[0].Id); byte[] teaBuffer = new byte[3]; Trace.WriteLine("TeaTimer reading success: " + ReadProcessMemory(tea, new IntPtr(65536), teaBuffer, (uint)3, out bytesRead)); foreach (byte b in teaBuffer) { Trace.WriteLine(b.ToString()); } CloseHandle(tea); // nexcal IntPtr nex = OpenProcess(PROCESS_ALL_ACCESS, 0, (uint)Process.GetProcessesByName("Nexcal")[0].Id); byte[] nexBuffer = new byte[3]; Trace.WriteLine("Nexcal reading success: " + ReadProcessMemory(nex, new IntPtr(65536), nexBuffer, (uint)3, out bytesRead)); foreach (byte b in nexBuffer) { Trace.WriteLine(b.ToString()); } CloseHandle(nex); }Now here's the output of this code: Firefox reading success: 1 61 0 58 TeaTimer reading success: 1 61 0 58 Nexcal reading success: 1 61 0 58 I even used different buffers just so I won't make a mistake with accidentally just printing the previous result again. Anyways, it explicitly says it succeeded reading that certain process at that certain position of their memory, but it still returns exactly the same result for the three processes. Now I was thinking this might be an absolute memory locationlook here: http://www.codeproject.com/KB/trace/minememoryreader.aspx[^]
Silence is the voice of complicity. Strange women lying in ponds distributing swords is no basis for a system of government. -- monty python Might I suggest that the universe was always the size of the cosmos. It is just that at one point the cosmos was the size of a marble. -- Colin Angus Mackay
-
look here: http://www.codeproject.com/KB/trace/minememoryreader.aspx[^]
Silence is the voice of complicity. Strange women lying in ponds distributing swords is no basis for a system of government. -- monty python Might I suggest that the universe was always the size of the cosmos. It is just that at one point the cosmos was the size of a marble. -- Colin Angus Mackay
I tried the example you gave, and it gives exactly the same result as my code. Hehehe, it seems my code was just totally perfect. Apparently many processes in Windows have certain pieces of their allocated memory identically. Is it some Windows-header or so? Anyway, I tried some other more unusual processes, like winlogon.exe (some Windows process), and he just gives something else. And I also tried some other memory positions alot further than 0xFFFF, like 0x20083, and that gives results different from process to process. Just got unlucky to try the wrong processes at the wrong places. Edit: I suddenly notice I actually succeeded reading the memory of a windows process (winlogon.exe), it didn't work after I tried it again... :wtf: