Are addresses from VMMap readable?

Question

I'm using VMMap to view the address space of a process. In the left corner is the address. I attempted to copy the address and read it from the process.

Here's an example:

I attempted to see if I could read this address with a quick bit of code below. The call to VirtualQueryEx doesn't fail as the response is not 0. But, my problem is State returns a value that indicates the address does not exist and Protect returns PAGE_NOACCESS.

Code:

int pid = 10964;
DWORD_PTR addr = 0x2C1811E0000;
MEMORY_BASIC_INFORMATION data;

HANDLE pHandler = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (pHandler == NULL) {
    printf("Could not find process with id: %i", pid);
    return -1;
}

int mResult = VirtualQueryEx(pHandler, addr, &data, sizeof(MEMORY_BASIC_INFORMATION));
if (!mResult) {
    printf("Could not query virtual memory. Error: %i", GetLastError());
    return -1;
}

printf("Base address: %#010x\n", data.BaseAddress);
printf("Address state: %#010x\n", data.State);
printf("Address protection: %#010x\n", data.Protect);

Are the address in VMMap readable or am I doing something wrong?

anyway you need `%#p` format instead `%#010x` when print pointer (`data.BaseAddress`). can guess that your code is 32bit on 64bit system (wow64) - this code of course can not correct work with native (64bit) processes. `DWORD_PTR addr = 0x2C1811E0000;` - in 32 bit will be truncated to `0x811e0000` and must be compiler warning about this — RbMm, Jan 03 '19 at 03:40
@RbMm You're right. I changed to use `MEMORY_BASIC_INFORMATION64` and targeting `x64` and all works fine. If you put that as a complete answer I can accept. — BugHunterUK, Jan 03 '19 at 11:13
You could just answer it yourself at this point, and mark it community if you prefer. — StayOnTarget, Aug 30 '22 at 01:17

Are addresses from VMMap readable?

0 Answers0