01-19-2005, 09:06
FEARHQ
Reading process memory

While writing a tiny library to read/write process memory I came across a rather unusual problem. While I can write to the process memory without a hitch, I have discovered a weird bug that would crash the process of which you are reading the memory and I'm not sure why this happens. What I have actually done is use the ToolHelp32 library to traverse the module list and wait until a certain module is loaded (sleeping 10 milliseconds if not found), get its base address and base size and then proceed to read its memory with what I have written below. The problem is that the module fails in really odd manners after I try to read it with the code below. My write routine is very similar and produces no faults.

Code:
GetProcessMemory proc uses ecx dwProcessId:DWORD, lpAddress:DWORD, dwSize:DWORD, lpBuffer:DWORD
	LOCAL hProcess:DWORD
	LOCAL oldProt:DWORD
	LOCAL dummyProt:DWORD
	
	; Attempt to open the process for read operations
	invoke OpenProcess, PROCESS_VM_OPERATION + PROCESS_VM_READ, FALSE, dwProcessId
	.IF eax == 0
		ret
	.endif
	mov hProcess, eax
	
	; Set the page protection to allow read, write and execute status
	invoke VirtualProtectEx, hProcess, lpAddress, dwSize, PAGE_EXECUTE_READWRITE, addr oldProt
	or eax, eax
	jz Failed
	
	; Read the target process's memory
	invoke ReadProcessMemory, hProcess, lpAddress, lpBuffer, dwSize, NULL
	or eax, eax
	jz Failed
	
	; Restore the old page protection
	invoke VirtualProtectEx, hProcess, lpAddress, dwSize, oldProt, addr dummyProt
	or eax, eax
	jz Failed
	
	invoke CloseHandle, hProcess
	ret
	
Failed:
	invoke CloseHandle, hProcess
	xor eax, eax
	ret
GetProcessMemory endp
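An added example, not part of the original post: VirtualProtectEx is documented to return the previous protection of the first page of the range only, so the sketch below models what the posted call sequence does to a module whose sections have different protections, next to a per-region walk. It is a Python model rather than real Win32 calls so it runs anywhere; the module layout is constructed and the function names are hypothetical stand-ins for the API calls.

```python
# Model of Win32 page protections (values as in winnt.h); the layout is constructed.
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
READABLE = {PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}
PAGE = 0x1000

def make_module():
    """Constructed image: one protection value per 4 KiB page."""
    return ([PAGE_READONLY]            # PE headers
            + [PAGE_EXECUTE_READ] * 3  # .text
            + [PAGE_READONLY]          # .rdata
            + [PAGE_READWRITE] * 2)    # .data

def virtual_protect_ex(pages, offset, size, new_prot):
    """Set every page in the range; return the old protection of the FIRST page only."""
    first, last = offset // PAGE, (offset + size - 1) // PAGE
    old = pages[first]
    for i in range(first, last + 1):
        pages[i] = new_prot
    return old

def regions(pages):
    """VirtualQueryEx-style walk: (offset, size, protect) per run of equal protection."""
    start = 0
    for i in range(1, len(pages) + 1):
        if i == len(pages) or pages[i] != pages[start]:
            yield start * PAGE, (i - start) * PAGE, pages[start]
            start = i

def read_whole_range(pages):
    """The posted sequence: unprotect the whole module, read, restore one saved value."""
    size = len(pages) * PAGE
    old = virtual_protect_ex(pages, 0, size, PAGE_EXECUTE_READWRITE)
    # ... ReadProcessMemory over the whole range would run here ...
    virtual_protect_ex(pages, 0, size, old)
    return pages

def read_per_region(pages):
    """Per-region walk: leave readable regions alone, restore each region's own value."""
    for offset, size, prot in list(regions(pages)):
        if prot in READABLE:
            continue  # ... ReadProcessMemory works here without any protection change ...
        old = virtual_protect_ex(pages, offset, size, PAGE_READONLY)
        # ... ReadProcessMemory on this region only ...
        virtual_protect_ex(pages, offset, size, old)
    return pages

if __name__ == "__main__":
    for fn in (read_whole_range, read_per_region):
        print(fn.__name__, [hex(p) for p in fn(make_module())])
```

In the model, the whole-range sequence leaves every page, including `.text` and `.data`, with the header page's `PAGE_READONLY`, while the per-region walk leaves the layout unchanged.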