Reading process memory
While writing a tiny library to read/write process memory I came across a rather unusual problem. While I can write to the process memory without a hitch, I have discovered a weird bug that would crash the process of which you are reading the memory and I'm not sure why this happens. What I have actually done is use the ToolHelp32 library to traverse the module list and wait until a certain module is loaded (sleeping 10 milliseconds if not found), get its base address and base size and then proceed to read its memory with what I have written below. The problem is that the module fails in really odd manners after I try to read it with the code below. My write routine is very similar and produces no faults.
Code:
|
Hmmm. I would suggest using OllyDbg on your program to see where the problem is. Watch the registers as you step through your code. Pay attention to the LastErr flag. My guess is one of your invoke statements is producing an error. Use Olly to find which one and troubleshoot.
|
You must have read access to the entire area that you are trying to read.
That means if a byte is straddling onto another page, then you need read access to both pages. Use IsBadReadPtr() and also intersperse your calls with GetLastError(), or set an SEH handler to trap failures; that way you can easily pinpoint the failures to certain areas rather than looking from scratch. |
Umm, but isn't he setting read access on the entire area of pages covered by the buf?!
|
Here's a code snippet from a tool I'm writing. It's in C++ but might help.
The concept is to wrap the real ReadProcessMemory and use the new one. The code I wrote in C++ is useful because for classes derived from the one attached here there's nothing to change, and you might write the code as before. I hope it helps: although you are programming in ASM, the concepts are the same and the code structure doesn't change that much. AccessMemory.h Code:
#include <windows.h> Code:
CAccessMemory::CAccessMemory() |
Thanks for all the replies guys :)
My function does succeed in reading the entire block and copying it, that's not really the problem. The problem is the module not playing so nicely with me afterwards :/ I did set the protection to read/write/execute in any case to allow all access... Perhaps this is deadly when code is actually executing in there, heh.

Shub-Nigurrath, I love the idea to use IsBadReadPtr/IsBadWritePtr to check the memory range for desired access, but wouldn't this simply give you the access rights for YOUR process's pages in that range? I don't see those functions taking in a handle to the target process, but then again I never used them before.

Innocent: Olly is MY debugger of choice, for all debugging and 'other' tasks. There is no direct problem with my code, but apparently the target code doesn't like to be read, or have its protections changed (haven't really looked at that). The point is that this generic write routine fails by all means with my current target, and so would Shub-Nigurrath's. My workaround was to map the target file to memory and get whatever info I need from there.

On a side note, is there any way to pause execution of the target process? I would probably need to stop all of its threads, then later resume them... Best would be to save the thread's run state (some may be paused and if they were, they should be paused when I'm done) |
To FEARHQ:
Not really: using those permissions you can gain access rights for any process, even external processes. I used it for a loader which launches an external program and everything works fine. |
Hi Shub-Nigurrath !
Sorry first if I have a wrong idea. I think IsBadReadPtr and IsBadWritePtr cannot be used to check memory access rights for a memory range of another process. In your code, you really call them to check read/write rights for a memory range in your own process's virtual memory whose address value is the same as lpAddress (of the process being loaded). FEARHQ, if one of the calls to ReadProcessMemory fails, the protection flags of those memory pages will not be restored to the original flags (je Failed). Some coders/programs use PAGE_NOACCESS to allocate memory when needed. Regards, TQN |
Humm. You are right: I got the wrong point because until now I have used it for loaders, so the target process, even if external, is launched by my loader, a "child"; it works also for protected memory sections of the target... but a process of this type is different from an external, already running process.
Effectively, for opened processes it doesn't work, or better, the reading works but not the writing: it returns a casual value (negative also) and does not write anything. |
TQN, so if IsBadReadPtr() won't work for processes opened by OpenProcess,
then what do we use? Is it VirtualQuery()? How does one ascertain if one really has access to that process for read, write, etc. without getting the code in a debugger and looking at every return value? |
Hi JuneMouse !
Sorry if I am wrong. In my experience, the safe way is to call VirtualQueryEx to detect the read/write rights of a virtual memory page of an external process. Call GetSystemInfo to get the page size, and scan one page at a time. |
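The VirtualQueryEx check suggested in the last reply, as an added example that is not part of the thread: it decides whether a whole range in another process is readable without changing any page protection. It goes slightly beyond page-by-page scanning by stepping over each region VirtualQueryEx reports (a run of pages with identical attributes). `region_t`, `query_fn`, `range_readable`, `query_process`, `query_sample` and the `sample` layout are names and data constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else /* winnt.h values, repeated only so the walk also builds off Windows */
#define MEM_COMMIT 0x1000
#define PAGE_GUARD 0x100
#endif
#define READABLE 0xEE /* PAGE_READONLY|READWRITE|WRITECOPY|EXECUTE_READ|EXECUTE_READWRITE|EXECUTE_WRITECOPY */
typedef struct { uintptr_t base; size_t size; uint32_t state, protect; } region_t;
/* Hypothetical callback: describe the region containing addr; return 0 on failure. */
typedef int (*query_fn)(void *ctx, uintptr_t addr, region_t *out);

/* Returns 1 if all of [addr, addr+len) is readable; else 0 with *bad = first failing address. */
int range_readable(query_fn q, void *ctx, uintptr_t addr, size_t len, uintptr_t *bad) {
    uintptr_t end = addr + len;
    if (end < addr) { *bad = addr; return 0; }          /* range wraps around */
    while (addr < end) {
        region_t r;
        *bad = addr;
        if (!q(ctx, addr, &r) || r.base + r.size <= addr) return 0;
        if (r.state != MEM_COMMIT || !(r.protect & READABLE) || (r.protect & PAGE_GUARD)) return 0;
        addr = r.base + r.size;                         /* continue at the next region */
    }
    return 1;
}
#ifdef _WIN32
/* Live query: ctx is a process HANDLE opened with PROCESS_QUERY_INFORMATION. */
int query_process(void *ctx, uintptr_t addr, region_t *out) {
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQueryEx((HANDLE)ctx, (LPCVOID)addr, &mbi, sizeof mbi) == 0) return 0;
    *out = (region_t){ (uintptr_t)mbi.BaseAddress, mbi.RegionSize, mbi.State, mbi.Protect };
    return 1;
}
#endif
/* Constructed layout standing in for a target: RX, RW, NOACCESS, guarded RW. */
static const region_t sample[] = {
    {0x10000, 0x2000, MEM_COMMIT, 0x20}, {0x12000, 0x1000, MEM_COMMIT, 0x04},
    {0x13000, 0x1000, MEM_COMMIT, 0x01}, {0x14000, 0x1000, MEM_COMMIT, 0x104} };
int query_sample(void *ctx, uintptr_t addr, region_t *out) {
    (void)ctx;
    for (size_t i = 0; i < sizeof sample / sizeof *sample; i++)
        if (addr >= sample[i].base && addr - sample[i].base < sample[i].size) { *out = sample[i]; return 1; }
    return 0;
}

int main(void) { /* 16 bytes straddling the RW/NOACCESS boundary */
    uintptr_t bad = 0; int ok = range_readable(query_sample, NULL, 0x12ff8, 16, &bad);
    printf("ok=%d first_bad=%#llx\n", ok, (unsigned long long)bad); return 0; }
```

The answer is a snapshot: the target can change protections between the query and the read, so the return value of ReadProcessMemory still has to be checked.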