flat assembler
Message board for the users of flat assembler.
Windows > HELP HELP HELP
AsmGuru62 28 Aug 2013, 20:07
What is PID = 2844?
What process are you trying to read? P.S. Just noticed: "Post #1024" Epic!
labron 28 Aug 2013, 20:39
I put the PID correctly
labron 28 Aug 2013, 20:39
ReadProcessMemory returns 0
AsmGuru62 28 Aug 2013, 21:47
So, how did you know the PID?
Did you open Task Manager and see it there? Because, I think that the PID will be different next time the same process runs.
P.S. Why is 'bufer' never allocated? It must be pointing somewhere.
labron 28 Aug 2013, 23:13
OpenProcess - good work
VirtualQueryEx - good work
ReadProcessMemory - does not work, returns 0
AsmGuru62 29 Aug 2013, 15:50
I was working on your code, but now I am not home, so I will just explain a few things:

1. Buffer which is used to read process memory must be allocated at some size. I used 1Mb, but it may not be enough, so some reallocation must be done.
2. PROCESS_ALL_ACCESS may not work on latest Windows versions. It works on XP, but Win7, Win8, Vista may not be forgiving. It is recommended to use a combination: PROCESS_QUERY_INFORMATION and PROCESS_VM_READ.
3. VirtualQueryEx returns the state of pages you are examining. Not all pages can be read with ReadProcessMemory, but only pages in state MEM_COMMIT, so you have to check that flag before using ReadProcessMemory.
4. When using ReadProcessMemory you begin with address NULL (you did that correctly). But after you get the RegionSize -- just add that size to the address. Do not use any of mbi.AllocationBase or mbi.BaseAddress -- it will give ERROR_PARTIAL_READ errors. Instead just use this pseudo-code:

Code:
    Address = NULL;
    while (VirtualQueryEx (... Address, ...) == sizeof.MEMORY_BASIC_INFORMATION)
    {
        if (mbi.State has bit MEM_COMMIT)
        {
            if (RegionSize > allocated for buffer)
            {
                ReAllocate buffer ...
            }
            ReadProcessMemory (... Address, ... RegionSize);
            _lwrite (...);
        }
        Address += RegionSize;
    }

As a result of all this, you will have a file with sections from the process you are reading, but there will be no indication at which address the data was in the process. It will be just chunks of bytes appended together. If you are trying to dump the process memory, then it is better to make a HEX dump into a text file (it will be a huge file) with the address of every dumped section.
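A complete flat assembler program for the walk AsmGuru62 outlines above, added here as an example (it is not code from the thread or its attachments): it opens the process with PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, reads only MEM_COMMIT regions, grows the buffer when a region is larger than it, advances by RegionSize, and writes each region's start address and the count from lpNumberOfBytesRead ahead of the bytes, so the dump is not anonymous chunks and a partial copy is still recorded correctly. It assumes fasm's own win32a.inc provides the MEMORY_BASIC_INFORMATION structure and the constants used; the PID value and the output file name are placeholders.

```asm
format PE console 4.0
entry start
include 'win32a.inc'           ; fasm's Win32 includes: invoke, structs, constants
section '.data' data readable writeable
  pid       dd 1234            ; placeholder: PID of the process to inspect
  fname     db 'dump.bin',0    ; placeholder output file
  hProcess  dd ?
  hFile     dd ?
  address   dd 0               ; walk starts at NULL and advances by RegionSize
  buffer    dd 0               ; grown with VirtualAlloc when a region is larger
  bufsize   dd 0
  bytesRead dd ?               ; lpNumberOfBytesRead: set even on ERROR_PARTIAL_COPY
  written   dd ?
  mbi       MEMORY_BASIC_INFORMATION
section '.text' code readable executable
start:
  invoke OpenProcess, PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, FALSE, [pid]
  test eax, eax
  jz   done                    ; access denied or no such PID
  mov  [hProcess], eax
  invoke CreateFile, fname, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL
  mov  [hFile], eax
walk:
  invoke VirtualQueryEx, [hProcess], [address], mbi, sizeof.MEMORY_BASIC_INFORMATION
  cmp  eax, sizeof.MEMORY_BASIC_INFORMATION
  jne  done                    ; query failed: past the end of the address space
  test dword [mbi.State], MEM_COMMIT
  jz   next                    ; free or reserved pages cannot be read
  mov  eax, [mbi.RegionSize]
  cmp  eax, [bufsize]
  jbe  read
  mov  [bufsize], eax          ; region larger than the buffer: reallocate it
  invoke VirtualFree, [buffer], 0, MEM_RELEASE
  invoke VirtualAlloc, NULL, [mbi.RegionSize], MEM_COMMIT, PAGE_READWRITE
  mov  [buffer], eax
read: mov dword [bytesRead], 0
  invoke ReadProcessMemory, [hProcess], [address], [buffer], [mbi.RegionSize], bytesRead
  invoke WriteFile, [hFile], address, 4, written, NULL      ; region start address
  invoke WriteFile, [hFile], bytesRead, 4, written, NULL    ; bytes actually read
  invoke WriteFile, [hFile], [buffer], [bytesRead], written, NULL
next: mov eax, [mbi.RegionSize]
  add  [address], eax
  jnc  walk                    ; stop if the address wraps around
done:
  invoke ExitProcess, 0
section '.idata' import data readable writeable
  library kernel32, 'KERNEL32.DLL'
  import  kernel32, OpenProcess,'OpenProcess', VirtualQueryEx,'VirtualQueryEx', \
          ReadProcessMemory,'ReadProcessMemory', VirtualAlloc,'VirtualAlloc', \
          VirtualFree,'VirtualFree', CreateFile,'CreateFileA', WriteFile,'WriteFile', ExitProcess,'ExitProcess'
```

Each record in dump.bin is a 4-byte address, a 4-byte length, then the bytes, so a reader can tell where every region came from and how much of it was actually copied.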
AsmGuru62 30 Aug 2013, 02:55
@labron:
Please read this thread from StackOverflow: http://stackoverflow.com/questions/4457171/why-does-readprocessmemory-have-lpnumberofbytesread Also take a look at the attached files. The dumper works, but sometimes I get the ERROR_PARTIAL_COPY.
labron 30 Aug 2013, 21:35
ok, big thx
labron 30 Aug 2013, 22:43
I made it, thanks a lot, all!!!
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.