0

I want to suspend a process and read its whole memory into a byte buffer. How can I do that? Also, how do I calculate the memory size? I'm thinking of using ReadProcessMemory.

Thanks

Peter Ruderman
    If you have a particular operating system in mind, it's probably worth adding that to the question. This is going to be very platform-specific. – Useless Feb 07 '19 at 13:02

3 Answers

5

Virtual memory is not often contiguous. (That's actually the point.) Thus, it doesn't really make sense, and may indeed be impossible, to copy a process' entire virtual memory space into a single contiguous buffer. There will be gaps in virtual memory that will have to be filled with some value in the buffer. These gaps could be large, and the buffer could be huge.

Tools that do this sort of thing (e.g. for forensic purposes) often save off ranges of memory, with metadata indicating the source virtual memory addresses for later re-assembly.

Windows

You can first use VirtualQueryEx to discover the virtual memory ranges of the target process.

See this question: Enumerate the pages in a memory range

Then use ReadProcessMemory to copy data from the remote process' virtual memory into a buffer in your local process.

Of course, none of these actions are atomic. If the target process is running, the virtual memory space could change while you are working.

There are "tool help" APIs available as well: Taking a Snapshot and Viewing Processes

Jonathon Reinhart
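The Windows procedure described in this answer (VirtualQueryEx to enumerate the regions, then ReadProcessMemory to copy each one, keeping the source address as metadata for later reassembly), as an added example that is not code from the original answer. It is written in Python with ctypes rather than C++, but it calls the same Win32 APIs (VirtualQueryEx, ReadProcessMemory, OpenProcess); the region walk, the readability check, the committed-size calculation (the question's "memory size") and the gap-filling reassembly are plain Python driven by two callbacks, so the block also runs offline against `FAKE_LAYOUT`, a constructed address space that is not a real process layout. `fake_query`, `fake_read`, `dump_process`, `is_readable` and the other function names are this example's own. It goes slightly beyond the answer in that it skips guard pages (reading one would trigger it) and PAGE_NOACCESS regions; it does not suspend the target, so the non-atomicity caveat above still applies.

```python
# Added example, not code from the original answer; FAKE_LAYOUT below is constructed, not a real process.
import ctypes, sys
from typing import Callable, List, NamedTuple, Optional

MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000  # values from winnt.h
PAGE_NOACCESS, PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_GUARD = 0x01, 0x04, 0x20, 0x100
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
MAX_USER_ADDRESS = 0x7FFFFFFFFFFF if ctypes.sizeof(ctypes.c_void_p) == 8 else 0x7FFFFFFF

Region = NamedTuple("Region", [("base", int), ("size", int), ("state", int), ("protect", int)])
Chunk = NamedTuple("Chunk", [("base", int), ("protect", int), ("data", bytes)])  # bytes + metadata
QueryFn = Callable[[int], Optional[Region]]  # address -> Region, or None once the query fails
ReadFn = Callable[[int, int], bytes]         # (address, size) -> bytes read, short on failure

def is_readable(r: Region) -> bool:
    # Committed, not PAGE_NOACCESS and not a guard page (reading a guard page would trip it).
    return r.state == MEM_COMMIT and (r.protect & 0xFF) != PAGE_NOACCESS and not r.protect & PAGE_GUARD

def walk_regions(query: QueryFn, max_address: int = MAX_USER_ADDRESS) -> List[Region]:
    # Each query describes the region containing addr; jump to its end to find the next one.
    regions, addr = [], 0
    while addr < max_address and (r := query(addr)) is not None:
        regions.append(r)
        addr = r.base + r.size
    return regions

def committed_size(regions: List[Region]) -> int:  # bytes actually committed (free/reserved excluded)
    return sum(r.size for r in regions if r.state == MEM_COMMIT)

def dump_regions(regions: List[Region], read: ReadFn) -> List[Chunk]:
    # Copy every readable region, keeping its source address so it can be placed again later.
    chunks = [Chunk(r.base, r.protect, read(r.base, r.size)) for r in regions if is_readable(r)]
    return [c for c in chunks if c.data]

def reassemble(chunks: List[Chunk], lo: int, hi: int, fill: bytes = b"\x00") -> bytes:
    # Contiguous view of [lo, hi): each chunk lands at its own address, the gaps get `fill`.
    buf = bytearray(fill * (hi - lo))
    for c in chunks:
        start, end = max(c.base, lo), min(c.base + len(c.data), hi)
        if start < end:
            buf[start - lo:end - lo] = c.data[start - c.base:end - c.base]
    return bytes(buf)

FAKE_LAYOUT = [  # constructed (base, size, state, protect, fill byte) entries, for offline runs
    (0x00000, 0x10000, MEM_FREE, PAGE_NOACCESS, b""),
    (0x10000, 0x02000, MEM_COMMIT, PAGE_READWRITE, b"A"),               # heap-like data
    (0x12000, 0x01000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD, b"G"),  # stack guard page
    (0x13000, 0x01000, MEM_RESERVE, PAGE_NOACCESS, b""),                # reserved, not committed
    (0x14000, 0x03000, MEM_COMMIT, PAGE_EXECUTE_READ, b"M"),            # image code
    (0x17000, 0x09000, MEM_FREE, PAGE_NOACCESS, b""),
]

def fake_query(addr: int) -> Optional[Region]:  # stands in for VirtualQueryEx
    e = next((e for e in FAKE_LAYOUT if e[0] <= addr < e[0] + e[1]), None)
    return Region(*e[:4]) if e else None  # None: past the end of the address space

def fake_read(addr: int, size: int) -> bytes:  # stands in for ReadProcessMemory: empty on failure
    e = next((e for e in FAKE_LAYOUT if e[0] <= addr < e[0] + e[1]), None)
    return e[4] * min(size, e[0] + e[1] - addr) if e and is_readable(Region(*e[:4])) else b""

if sys.platform == "win32":  # real bindings, only loaded on Windows
    from ctypes import wintypes as wt
    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        # On x64 the padding after AllocationProtect covers the SDK's WORD PartitionId field.
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = wt.HANDLE, [wt.DWORD, wt.BOOL, wt.DWORD]
    k32.CloseHandle.argtypes = [wt.HANDLE]
    k32.VirtualQueryEx.restype, k32.VirtualQueryEx.argtypes = ctypes.c_size_t, [
        wt.HANDLE, wt.LPCVOID, ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.ReadProcessMemory.restype, k32.ReadProcessMemory.argtypes = wt.BOOL, [
        wt.HANDLE, wt.LPCVOID, wt.LPVOID, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    def dump_process(pid: int):  # walk pid with VirtualQueryEx and copy each readable region
        h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
        if not h:
            raise ctypes.WinError(ctypes.get_last_error())
        def query(addr):
            mbi = MEMORY_BASIC_INFORMATION()
            ok = k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi))
            return Region(mbi.BaseAddress or 0, mbi.RegionSize, mbi.State, mbi.Protect) if ok else None
        def read(addr, size):
            buf, n = ctypes.create_string_buffer(size), ctypes.c_size_t(0)
            k32.ReadProcessMemory(h, addr, buf, size, ctypes.byref(n))  # n < size on a partial read
            return buf.raw[:n.value]
        try:
            regs = walk_regions(query)
            return regs, dump_regions(regs, read)
        finally:
            k32.CloseHandle(h)

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) == 2:  # usage: python dump.py <pid>
        regs, chunks = dump_process(int(sys.argv[1]))
    else:  # offline: walk the constructed layout instead of a live process
        regs = walk_regions(fake_query)
        chunks = dump_regions(regs, fake_read)
    print(f"{len(regs)} regions, {committed_size(regs):#x} bytes committed, "
          f"{len(chunks)} readable chunks at {[hex(c.base) for c in chunks]}")
```

Run as `python dump.py <pid>` on Windows against a process you are permitted to open to walk a live process; with no argument it walks the constructed layout. The list of chunks, each tagged with its base address, is the artefact worth keeping: `reassemble()` shows that flattening a range into one buffer means choosing a fill value for the holes, and the flat size of the user address space is far larger than what `committed_size()` reports.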
1

It sounds like you're looking for MiniDumpWriteDump and associated functions. Don't reinvent the wheel yourself.

MSalters
0

You can find a solution easily on Google, like I did a few months ago. But in short, you can achieve this with the EnumProcesses, GetProcessMemoryInfo and GetProcessImageFileName functions.

You can get the list of process identifiers like this:

#include <windows.h>
#include <psapi.h>   // EnumProcesses, GetProcessMemoryInfo, GetProcessImageFileName; link with psapi.lib
DWORD adwProcesses[1024], dwNeeded, dwProcesses;
if (!EnumProcesses(adwProcesses, sizeof(adwProcesses), &dwNeeded)) { return 1; }

which gives you all the process identifiers. Then you need to know the exact number of processes that were returned:

dwProcesses = dwNeeded / sizeof(DWORD);

Then, for each process k, print or save the memory usage:

TCHAR szProcessName[MAX_PATH] = _T("<unknown>");
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, adwProcesses[k]);
if (hProcess == NULL) { continue; }   // e.g. access denied for a protected or higher-integrity process; skip it
PROCESS_MEMORY_COUNTERS pmc;
// Get process memory info and path to process
GetProcessMemoryInfo(hProcess, &pmc, sizeof(pmc));
GetProcessImageFileName(hProcess, szProcessName, sizeof(szProcessName) / sizeof(TCHAR));
CloseHandle(hProcess);

This gives you the process path:

CString strProcessName;   // MFC/ATL CString
strProcessName.Format(_T("PATH: %s"), szProcessName);

page file memory usage:

CString strProcessPFMemory;
strProcessPFMemory.Format(_T("%Iu K"), (pmc.PagefileUsage / 1024));   // PagefileUsage is SIZE_T: use %Iu, not %u, on x64

peak page file memory usage:

CString strProcessPPFMemory;
strProcessPPFMemory.Format(_T("%Iu K"), (pmc.PeakPagefileUsage / 1024));   // likewise SIZE_T

and so on.

bibik