Exetools  

01-05-2007, 08:02
Sarge
 
ReadProcessMemory etc in VB6

Ok, gang, need some help here. I want to make ProgramA take a memory snapshot of ProgramB after it is loaded into memory,
and before it runs. I am doing this in VB6.

To do this, I have determined I should probably use CreateProcess(?). Two of the parameters for CreateProcess include
STARTUPINFO and PROCESSINFORMATION. I have them properly TYPEd and DIMmed; the CreateProcess call seems to work, as
the target program launches, and the STARTUPINFO and PROCESSINFORMATION structures have data in them.

I also think I need to use ReadProcessMemory(?). This function requires a handle to the target program and the starting
address to read from, among others. I believe one of the items in PROCESSINFORMATION, called HProcess, will do for the
handle(?). But I am not sure what starting address to use. Isn't it true that, while a program has a preferred load address,
it may be relocated by Windows? So, I need to determine where the real starting address of the target program is. I don't
see any item in either STARTUPINFO or PROCESSINFORMATION that would seem to indicate that.

So, I think I may need to use VirtualQueryEx before ReadProcessMemory(?). VirtualQueryEx requires MEMORYBASICINFORMATION
as a parameter. I have that properly TYPEd and DIMmed. It requires a handle to the target program, and again I am using
HProcess. It also requires an address. But what address? This cannot be the load address of the target program, as I don't know it yet. The definition of this parameter is "A pointer to the base address of the region
of pages to be queried". I'm not sure this is what I want (Jeez, I'm not even sure what it means). But if it's not, what do I need to do to get the real starting address of my target program? Or is this the wrong path? (I know the function works using a dummy address, as the return value is
correct and the MEMORYBASICINFORMATION structure has data in it.)

I have Googled a lot (a lot!) of C and C++ code that seem to do this, but apparently I'm not knowledgeable enough to
translate it well. And, little of the sample code in MSDN is in VB. Even most of the posts on ReadProcessMemory here on
this board are C/C++ based.

I know that I have to close/terminate the target when I'm done.

So, to recap:
1. CreateProcess
2. VirtualQueryEx
3. ReadProcessMemory
4. Terminate.

Here's my code snippet. Assume that the declarations, structures, etc, are correct.

'Start the target program
y = CreateProcess(Nil, "C:\Documents and Settings\Owner\Desktop\Project1.exe", ByVal 0&, ByVal 0&, 1&, NORMAL_PRIORITY_CLASS, ByVal 0&, Nil, SUInfo, ProcInfo)

'Get the load address
y = VirtualQueryEx(ProcInfo.hProcess, &h0, MBI, Len(MBI))

'Make a buffer; MySize is known to be the correct length of the target program
buffer = String(MySize, 0)

'Read the target program memory
y = ReadProcessMemory(ProcInfo.hProcess, ByVal MBI.BaseAddress, buffer, MySize, count)

'End the target program
y = TerminateProcess(ProcInfo.hProcess, 0&)
y = CloseHandle(ProcInfo.hThread)
y = CloseHandle(ProcInfo.hProcess)

I think/hope I'm close, and am just missing something small.

Thanks all.

Sarge
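
Added example, not part of the post above or of any code from this thread: one way to carry out steps 2 and 3 of the recap in VB6, walking the target's regions with VirtualQueryEx from address 0 until the first image mapping is found, then copying that mapping region by region with ReadProcessMemory. `SnapshotFirstImage` and its variable names are hypothetical; the code assumes a 32-bit target below 2 GB, a process handle with query and read access, and that the first MEM_IMAGE allocation is the EXE.

```vb
Option Explicit
' Added example: every name here other than the Win32 APIs is hypothetical.
Private Const MEM_COMMIT As Long = &H1000
Private Const MEM_IMAGE As Long = &H1000000

Private Type MEMORY_BASIC_INFORMATION
    BaseAddress As Long
    AllocationBase As Long
    AllocationProtect As Long
    RegionSize As Long
    State As Long
    Protect As Long
    lType As Long
End Type

Private Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long

' Walks the target's regions from address 0 and copies the first MEM_IMAGE
' allocation into buf(). Returns its base address, or 0 if none was found.
' Assumption: that first image mapping is the EXE (not guaranteed under ASLR).
Public Function SnapshotFirstImage(ByVal hProcess As Long, buf() As Byte) As Long
    Dim mbi As MEMORY_BASIC_INFORMATION
    Dim addr As Long, imgBase As Long, total As Long, got As Long

    Erase buf
    Do While VirtualQueryEx(hProcess, addr, mbi, Len(mbi)) = Len(mbi)
        If imgBase = 0 Then
            If mbi.lType = MEM_IMAGE Then imgBase = mbi.AllocationBase
        ElseIf mbi.AllocationBase <> imgBase Then
            Exit Do                          ' walked past the end of the image
        End If
        If imgBase <> 0 Then
            ' Grow the buffer to cover this region; new bytes start as zero.
            total = mbi.BaseAddress - imgBase + mbi.RegionSize
            ReDim Preserve buf(0 To total - 1)
            ' Read region by region: one large read fails if any page is unreadable.
            If mbi.State = MEM_COMMIT Then
                ReadProcessMemory hProcess, mbi.BaseAddress, buf(mbi.BaseAddress - imgBase), mbi.RegionSize, got
            End If
        End If
        ' VB6 Long is signed: stop before the address addition overflows.
        If mbi.RegionSize > &H7FFFFFFF - mbi.BaseAddress Then Exit Do
        addr = mbi.BaseAddress + mbi.RegionSize
    Loop
    SnapshotFirstImage = imgBase
End Function
```

For a snapshot taken before the target runs, CreateProcess accepts the CREATE_SUSPENDED creation flag, which leaves the primary thread suspended until ResumeThread is called. The buffer ends up as large as the mapped image, which is usually not the same as the size of the file on disk.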