-3

I have a process that was being used externally and is now internal; this program uses ReadProcessMemory to copy data from memory into a `char *`. Below is the code.

    char* szMemDump = (char*)malloc(mbi.RegionSize+1);
    ReadProcessMemory( NULL, (unsigned long*)dwMemAddr, szMemDump, mbi.RegionSize, NULL );

I am now doing this from within the program and my objective is to read that information into the same array without the use of RPM.

I have attempted memcpy, although this seems to crash the program; since I am reading through large amounts of memory it is difficult to discover why this is happening.

    memcpy(szMemDump, (void*)dwMemAddr, mbi.RegionSize);

The alternative version of this program that uses RPM does not have any issues and allows data scanning accurately, so I can only assume the memcpy is incorrect.

Edit: The new code is being loaded as a DLL within the process, this should allow for values to be read internally.

Edit: Updated code.

    MEMORY_BASIC_INFORMATION mbi;
    SIZE_T x;

    // Query the region containing dwMemAddr; VirtualQuery returns the number of bytes written to mbi
    if( VirtualQuery((unsigned long*)dwMemAddr, &mbi, sizeof(mbi) ) == sizeof(mbi) )
    {
        // Only touch committed, non-PAGE_NOACCESS memory
        if( (mbi.Protect != PAGE_NOACCESS) && (mbi.State == MEM_COMMIT) )
        {
            char* szMemDump = (char*)malloc(mbi.RegionSize+1);
            //ReadProcessMemory( NULL, (unsigned long*)dwMemAddr, szMemDump, mbi.RegionSize, NULL );
            // Copies mbi.RegionSize bytes starting at dwMemAddr (not at mbi.BaseAddress)
            memcpy(szMemDump, (unsigned long*)dwMemAddr, mbi.RegionSize);

            for( x=0; x<mbi.RegionSize; x++ )
            {
                //Loop actions
            }
            free( szMemDump );
        }
    }
Daniel Filipe
  • Processes don't have direct access to other processes' memory, hence the failure of `memcpy` and `ReadProcessMemory`. What's wrong with the latter? Memory Mapped Files is the API that allows you to get rid of RPM. – Roman R. Sep 22 '13 at 19:54
  • In the current code is the data to be read in another process or in the current one? Incidentally, RPM is *never* the right solution (unless you are debugging or messing with processes that you have no other way to control), since it is *not* a proper IPC method. – Matteo Italia Sep 22 '13 at 19:55
  • See [Fastest IPC method on Windows 7](http://stackoverflow.com/questions/7127242/fastest-ipc-method-on-windows-7/7127312#7127312) – Roman R. Sep 22 '13 at 19:56
  • What I meant was the program is now being Loaded as a DLL and within memory of the process being scanned. – Daniel Filipe Sep 22 '13 at 19:56
  • Well, that `memcpy` is correct as long as `dwMemAddr` is correct. Where do you get that address from? And what is its type? What kind of crash are you getting? – Matteo Italia Sep 22 '13 at 19:58

1 Answer

3

You are getting a FALSE return from ReadProcessMemory() when you use an invalid address. One you don't check, so you are just oblivious to getting it wrong.

That happy oblivion ends when you use an invalid address for memcpy(), that's a kaboom to remind you more forcibly that you got it wrong, it is not a function that checks arguments like RPM does.

Use VirtualQuery() to discover valid memory addresses. And be sure to use the MEMORY_BASIC_INFORMATION.BaseAddress, not the address you queried for.

Hans Passant