01-26-2007, 13:05
Ghandi2006
ReadProcessMemory

The ReadProcessMemory API isn't limited to small chunks of memory.

You just need to ensure that:

The buffer you are passing to the call is large enough to receive the data.
You are asking for it to read from a valid address.
The region(s) you are attempting to read from have the correct permissions.

To ensure the permissions are correct, use VirtualProtectEx (not available in Win 9x) and set them to PAGE_READWRITE before calling ReadProcessMemory, then restore the original permissions afterward.

Some easy ways to find the SizeOfImage (which is what you want for allocating the correct buffer size and also for reading the correct amount of bytes) are:

1. Using the DWORD value we can find in the PE Header, aptly named 'SizeOfImage'.

2. Using the CreateToolhelp32Snapshot API, then Module32First to get information about the process. We can also use Module32Next to build a complete list of modules (DLLs and such) loaded & use it for import rebuilding.

3. Use the DWORD value from the PE Header, called 'ImageBase', as a base address & use VirtualQueryEx (not available in Win 9x) to build a 'map' of the process's memory. (You'll need to handle the logic that decides where the process memory ends if this won't return the complete image size though.)

4. Use the VirtualAddress & VirtualSize values from the last section header found in the Section Table, add them together and there's your image size. If you want, you can pay attention to the alignment and round it up, but be careful that you don't overestimate, otherwise ReadProcessMemory may fail with an ERROR_PARTIAL_COPY result.

About TerminateProcess, what do you mean 'if I am careful'?

If you are referring to the way the process doesn't appear to die after calling TerminateProcess, are you detaching from the process at all?

I found that if I launched a process from within my own debug loaders, it wouldn't disappear from the running processes list until I had either exited the debugger also, or (after getting frustrated so many times & experimenting) called DebugActiveProcessStop (not available on Win 9x) before calling TerminateProcess. Once I learned of this API, no more termination problems...

Ghandi

Last edited by Ghandi2006; 01-26-2007 at 13:09.
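As an added example (not code from the post or its author), here are two of the header-based methods above, the SizeOfImage field from the optional header and the end of the last section (VirtualAddress + VirtualSize) rounded up to SectionAlignment, implemented in portable C over a constructed PE32 header. It assumes the image headers have already been copied out of the target into a local buffer (which is what the first ReadProcessMemory call at ImageBase gives you) and makes no Win32 calls, so it compiles on any host. The sample bytes, the 0x4000 size, and the two section layouts are constructed for the demonstration; every offset is bounds-checked so a truncated or hostile header read is rejected instead of being trusted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PE fields are little-endian on disk and in memory, whatever the host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Find the optional header and section table in a buffer holding the start of a
 * mapped image (the bytes obtained by reading the headers at ImageBase).
 * Every offset is checked against len so a short or hostile buffer returns -1. */
static int pe_locate(const uint8_t *img, size_t len, size_t *opt, size_t *sec, uint16_t *nsec)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 4 + 20) return -1;      /* "PE\0\0" + COFF header */
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + e_lfanew + 4;
    uint16_t n = rd16(coff + 2);                                    /* NumberOfSections */
    uint16_t opt_size = rd16(coff + 16);                            /* SizeOfOptionalHeader */
    size_t opt_off = e_lfanew + 4 + 20;
    if (opt_size < 60 || len - opt_off < opt_size) return -1;       /* need up to SizeOfImage (+56) */
    uint16_t magic = rd16(img + opt_off);
    if (magic != 0x10b && magic != 0x20b) return -1;                /* PE32 or PE32+ only */
    size_t sec_off = opt_off + opt_size;
    if ((len - sec_off) / 40 < n) return -1;                        /* whole section table present? */
    *opt = opt_off; *sec = sec_off; *nsec = n;
    return 0;
}

/* Method 1 from the post: the linker's own SizeOfImage field. 0 means "could not parse". */
uint32_t pe_size_of_image_field(const uint8_t *img, size_t len)
{
    size_t opt, sec; uint16_t n;
    if (pe_locate(img, len, &opt, &sec, &n) != 0) return 0;
    return rd32(img + opt + 56);                                    /* same offset in PE32 and PE32+ */
}

/* Method 4 from the post: end of the highest section (VirtualAddress + VirtualSize),
 * optionally rounded up to SectionAlignment, which is the extent the loader maps. */
uint32_t pe_size_from_sections(const uint8_t *img, size_t len, int round_to_alignment)
{
    size_t opt, sec; uint16_t n;
    if (pe_locate(img, len, &opt, &sec, &n) != 0) return 0;
    uint64_t end = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *sh = img + sec + (size_t)i * 40;
        uint64_t e = (uint64_t)rd32(sh + 12) + rd32(sh + 8);       /* VirtualAddress + VirtualSize */
        if (e > end) end = e;             /* sections are normally ascending; take the max regardless */
    }
    uint32_t align = rd32(img + opt + 32);                          /* SectionAlignment */
    if (round_to_alignment && align && (align & (align - 1)) == 0)  /* only round to a power of two */
        end = (end + align - 1) & ~(uint64_t)(align - 1);
    return end > UINT32_MAX ? 0 : (uint32_t)end;
}

/* Constructed sample (hypothetical, not a real executable): a PE32 header with
 * two sections and no code, just enough to exercise the parsers above. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t need = 0x40 + 4 + 20 + 0xE0 + 2 * 40;   /* DOS hdr + sig + COFF + opt hdr + 2 sections */
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                               /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *coff = buf + 0x44;
    wr16(coff + 0, 0x014c);                               /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 2, 2);                                    /* NumberOfSections */
    wr16(coff + 16, 0xE0);                                /* SizeOfOptionalHeader for PE32 */
    uint8_t *opt = buf + 0x58;
    wr16(opt + 0, 0x10b);                                 /* PE32 magic */
    wr32(opt + 28, 0x00400000);                           /* ImageBase */
    wr32(opt + 32, 0x1000);                               /* SectionAlignment */
    wr32(opt + 36, 0x200);                                /* FileAlignment */
    wr32(opt + 56, 0x4000);                               /* SizeOfImage as the linker stored it */
    uint8_t *sh = opt + 0xE0;
    memcpy(sh, ".text", 5); wr32(sh + 8, 0x1234); wr32(sh + 12, 0x1000);   /* VirtualSize, VirtualAddress */
    sh += 40;
    memcpy(sh, ".data", 5); wr32(sh + 8, 0x0500); wr32(sh + 12, 0x3000);
    return need;
}

int main(void)
{
    uint8_t buf[512];
    size_t len = build_sample_image(buf, sizeof buf);
    printf("SizeOfImage field      : 0x%x\n", pe_size_of_image_field(buf, len));
    printf("last section, unrounded: 0x%x\n", pe_size_from_sections(buf, len, 0));
    printf("last section, rounded  : 0x%x\n", pe_size_from_sections(buf, len, 1));
    printf("truncated headers      : 0x%x\n", pe_size_of_image_field(buf, 0x50));
    return 0;
}
```

On the sample, the unrounded section end is 0x3500 while both the SizeOfImage field and the alignment-rounded value are 0x4000; that rounded figure is the extent the loader actually maps, so it is the right buffer size for the dump. Reading past it leaves the image mapping, which is where the ERROR_PARTIAL_COPY result mentioned in the post comes from, and a header read that comes back short (the 0x50-byte case) yields 0 rather than a bogus size.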