
I am using VirtualQuery to access all of the readable memory of a running process, and I then scan this memory to find specific strings. I am concerned, though, that this might eventually lead to a situation where the memory I am trying to access is released somewhere else. How should I proceed to make sure the memory I am reading is valid and will remain valid until I am done reading the whole page?

Thanks!

awpsoleet
    Robust SEH Exception handling? – Chris Becke May 25 '16 at 13:05
  • Just the process of reading memory can change things (see for example Guard Pages), so what you're doing is fraught with danger. That said, if you can [suspend the process](http://stackoverflow.com/questions/11010165/how-to-suspend-resume-a-process-in-windows) then you're much more likely to succeed. However, CreateRemoteThread and the like will still scupper you. – Mike Vine May 25 '16 at 13:06
  • Suspending the process is not possible, this is for a video game, I guess SEH exceptions will be the way to go, sadly! – awpsoleet May 25 '16 at 13:11
    @ChrisBecke: How is SEH of any value here? If you want to make sure that a process' state is valid for a period of time, you'll have to stop time for that process. Usually by suspending all of its threads. – IInspectable May 25 '16 at 13:12
  • @IInspectable, I had assumed that stopping the process for any amount of time was undesirable, and scanning an entire process for strings is not going to take an insignificant amount of time. I just didn't consider stopping the process an option worth mentioning. – Chris Becke May 25 '16 at 13:17
  • @ChrisBecke: The question is clear: *"[H]ow [...] to make sure the memory I am reading is valid and will remain valid until I am done reading the whole page"*. Suspending the process is the only viable option to meet that requirement, however undesirable that may be, for this particular user. – IInspectable May 25 '16 at 13:43
  • So...you want to dig in the internals of another process's memory *safely*? Surely you realize that is an oxymoron. If you don't stop the world (read: freeze the other process), the world will continue on without you. You will be left behind. What are you trying to *do* with this information anyway, once you've scanned through it? Are you hoping to modify the strings? If you just want a dump, suspend the process and make a dump. – Cody Gray - on strike May 25 '16 at 16:12
    *"If you just want a dump, suspend the process and make a dump."* - Incidentally, that's precisely what [MiniDumpWriteDump](https://msdn.microsoft.com/en-us/library/windows/desktop/ms680360.aspx) does. – IInspectable May 25 '16 at 16:52

1 Answer


The best way (and the only way I can think of that is supported) is to basically be a debugger. In this way, you can suspend/resume the process and, whilst it's suspended, read its memory just like any debugger can do. This assumes that suspending the process is an acceptable solution for you (and that the process being paused doesn't have anti-debug-like functionality, although that is rare).

See DebugActiveProcess for a starting point.

You still need to handle the fact that reading memory can change it [by, for example, removing PAGE_GUARD before reading a page and restoring it after], but it's now a much more constrained problem.

Mike Vine
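The answer's approach worked through as an added example (not code from the question or the answer): attach with DebugActiveProcess so the target is frozen, walk it with VirtualQueryEx, clear PAGE_GUARD before copying a guarded region and restore it afterwards, then detach. The names region_is_readable, find_bytes and scan_process are this example's own; the Win32 part builds only on Windows, and on other hosts just the two portable helpers are compiled.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Same values as the Windows SDK, so the page-classification helpers build elsewhere. */
#define MEM_COMMIT    0x1000
#define PAGE_NOACCESS 0x01
#define PAGE_GUARD    0x100
#endif
/* Only committed pages whose access class is not NOACCESS can be copied out. */
int region_is_readable(uint32_t state, uint32_t protect) {
    if (state != MEM_COMMIT) return 0;
    return (protect & 0xFF) != PAGE_NOACCESS;   /* low byte is the access class */
}
/* Byte-exact search inside one copied region; returns the offset or -1. */
long find_bytes(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return (long)i;
    return -1;
}
#ifdef _WIN32
/* Attach as a debugger: the system holds the target while its attach debug events
 * are pending, and this example never continues them, so the pages cannot change
 * under us. Returns the number of regions containing the needle, -1 if attach fails. */
int scan_process(DWORD pid, const char *needle) {
    if (!DebugActiveProcess(pid)) return -1;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_OPERATION, FALSE, pid);
    MEMORY_BASIC_INFORMATION mbi; unsigned char *base = NULL; int hits = 0;
    while (h && VirtualQueryEx(h, base, &mbi, sizeof mbi) == sizeof mbi) {
        if (region_is_readable(mbi.State, mbi.Protect)) {
            DWORD old = 0; int guarded = (mbi.Protect & PAGE_GUARD) != 0;
            /* A guard page must lose PAGE_GUARD before the read, or the read trips it. */
            if (guarded) VirtualProtectEx(h, mbi.BaseAddress, mbi.RegionSize, mbi.Protect & ~PAGE_GUARD, &old);
            unsigned char *buf = malloc(mbi.RegionSize); SIZE_T got = 0;
            if (buf && ReadProcessMemory(h, mbi.BaseAddress, buf, mbi.RegionSize, &got)
                && find_bytes(buf, got, needle) >= 0) hits++;
            free(buf);
            if (guarded) VirtualProtectEx(h, mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &old); /* restore */
        }
        base = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    if (h) CloseHandle(h);
    DebugActiveProcessStop(pid);   /* let the target run again */
    return hits;
}
#endif
```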