Reading a processes memory

Hi Matt:

Every process in Win32 has it's own address space, and actually if you
check the BaseAddress for every process on the system you'll find many
of them are the same.

To pull this off you'll need to PInvoke OpenProcess and
ReadProcessMemo ry. Looking those API functions up in the SDK on MSDN
will get you started. ReadProcessMemo ry will copy bytes from the other
process into your address space.

--
Scott
http://www.OdeToCode.com

On Mon, 16 Aug 2004 11:05:04 -0500, "Matt Burland" <wjousts@[no
spam]hotmail.com> wrote:

I am trying to read the memory being used by a process but I can't
quite figure out how to do it (or if it's even possible). I can get a
reference to the process using Process.GetProc essesByName and I can get the
base address using Process.MainMod ule.BaseAddress (which returns a IntPtr).
I thought that by using IntPtr.ToPointe r() and casting to a char* I would be
able to read the memory as a stream of chars but it doesn't work because it
always throws a NullReferenceEx ception when I try and dereference the
pointer.
Can anybody help me out here?

Thanks
class Class1 { [STAThread] static unsafe void Main(string[] args) {
Process[] p = Process.GetProc essesByName("no tepad"); ProcessModule pm =
p[0].MainModule; Console.WriteLi ne(pm.BaseAddre ss); char* ptr = (char*)
pm.BaseAddress .ToPointer(); char c = *ptr; // Throws
System.NullRef erenceException Console.WriteLi ne(c);
Console.ReadLi ne(); } }

Thanks for your help. I checked out the OpenProcess and ReadProcessMemo ry
and with a little fiddling managed to get it to read the memory. Great. Now
the problem is to see if I can alter it and write it back. I tried using
WriteProcessMem ory, and I've set the DesiredAccess when opening the process
to PROCESS_VM_READ | PROCESS_VM_WRIT E but it comes back with a system error
code for ERROR_ACCESS_DE NIED?
Any ideas what I need to do to be able to write stuff back (if it's even
possible)? Here's my code now, it opens the process, reads 200 bytes,
displays it on the console and then tries to write the same 200 bytes back:

class Class1

{

[DllImport("Kern el32.dll")]

public static extern IntPtr OpenProcess(int dwDesiredAccess , bool
bInheritHandle, Int32 dwProcessId);

[DllImport("Kern el32.dll")]

public static extern unsafe bool ReadProcessMemo ry(IntPtr hProcess, IntPtr
lpBaseAddress, byte* lpBuffer, int nSize, int* lpNumberOfBytes Read);

[DllImport("Kern el32.dll")]

public static extern unsafe bool WriteProcessMem ory(IntPtr hProcess, IntPtr
lpBaseAddress, byte* lpBuffer, int nSize, int* lpNumberOfBytes Written);

[DllImport("Kern el32.dll")]

public static extern int GetLastError();

public static readonly int PROCESS_VM_READ = 0x0010;

public static readonly int PROCESS_VM_WRIT E = 0x0020;

[STAThread]

static unsafe void Main(string[] args)

{

Process[] p = Process.GetProc essesByName("no tepad");

ProcessModule pm = p[0].MainModule;

Console.WriteLi ne(pm.BaseAddre ss + ":" + p[0].Id);

byte[] buffer = new byte[200];

fixed(byte* cptr = &buffer[0])

{

int x = 0;

int* xptr = &x;

IntPtr hProcess = OpenProcess(PRO CESS_VM_READ,fa lse,p[0].Id);

Console.WriteLi ne(hProcess);

bool result = ReadProcessMemo ry(hProcess,pm. BaseAddress,cpt r,200,xptr);

Console.WriteLi ne(result + ":" + x);

for (int i=0; i<200; i++)

{

byte b = *(cptr+i);

string s = b.ToString("x") ;

s = s.PadLeft(2,'0' );

Console.Write(s + " ");

}

x = 0;

Console.WriteLi ne();
result = WriteProcessMem ory(hProcess,pm .BaseAddress,cp tr,200,xptr);

Console.WriteLi ne(result+":"+* xptr);

Console.WriteLi ne(GetLastError ());
}

Console.ReadLin e();

}

}
"Scott Allen" <bitmask@[nospam].fred.net> wrote in message
news:fu******** *************** *********@4ax.c om...

Hi Matt:

Every process in Win32 has it's own address space, and actually if you
check the BaseAddress for every process on the system you'll find many
of them are the same.

To pull this off you'll need to PInvoke OpenProcess and
ReadProcessMemo ry. Looking those API functions up in the SDK on MSDN
will get you started. ReadProcessMemo ry will copy bytes from the other
process into your address space.

--
Scott
http://www.OdeToCode.com

On Mon, 16 Aug 2004 11:05:04 -0500, "Matt Burland" <wjousts@[no
spam]hotmail.com> wrote:

I am trying to read the memory being used by a process but I can't
quite figure out how to do it (or if it's even possible). I can get a
reference to the process using Process.GetProc essesByName and I can get thebase address using Process.MainMod ule.BaseAddress (which returns a IntPtr).I thought that by using IntPtr.ToPointe r() and casting to a char* I would beable to read the memory as a stream of chars but it doesn't work because italways throws a NullReferenceEx ception when I try and dereference the
pointer.
Can anybody help me out here?

Thanks
class Class1 { [STAThread] static unsafe void Main(string[] args) {
Process[] p = Process.GetProc essesByName("no tepad"); ProcessModule pm =
p[0].MainModule; Console.WriteLi ne(pm.BaseAddre ss); char* ptr = (char*)
pm.BaseAddress .ToPointer(); char c = *ptr; // Throws
System.NullRef erenceException Console.WriteLi ne(c);
Console.ReadLi ne(); } }

Actually I forgot to add the PROCESS_VM_WRIT E in my sample and from looking
at the documentation I noticed I also need PROCESS_VM_OPER ATION. When I set
both of those I get a different error: ERROR_NOACCESS.

"Matt Burland" <wjousts@[no spam]hotmail.com> wrote in message
news:cf******** **@hood.uits.in diana.edu...

Thanks for your help. I checked out the OpenProcess and ReadProcessMemo ry
and with a little fiddling managed to get it to read the memory. Great. Now the problem is to see if I can alter it and write it back. I tried using
WriteProcessMem ory, and I've set the DesiredAccess when opening the process to PROCESS_VM_READ | PROCESS_VM_WRIT E but it comes back with a system error code for ERROR_ACCESS_DE NIED?
Any ideas what I need to do to be able to write stuff back (if it's even
possible)? Here's my code now, it opens the process, reads 200 bytes,
displays it on the console and then tries to write the same 200 bytes back:
class Class1

{

[DllImport("Kern el32.dll")]

public static extern IntPtr OpenProcess(int dwDesiredAccess , bool
bInheritHandle, Int32 dwProcessId);

[DllImport("Kern el32.dll")]

public static extern unsafe bool ReadProcessMemo ry(IntPtr hProcess, IntPtr
lpBaseAddress, byte* lpBuffer, int nSize, int* lpNumberOfBytes Read);

[DllImport("Kern el32.dll")]

public static extern unsafe bool WriteProcessMem ory(IntPtr hProcess, IntPtr lpBaseAddress, byte* lpBuffer, int nSize, int* lpNumberOfBytes Written);

[DllImport("Kern el32.dll")]

public static extern int GetLastError();

public static readonly int PROCESS_VM_READ = 0x0010;

public static readonly int PROCESS_VM_WRIT E = 0x0020;

[STAThread]

static unsafe void Main(string[] args)

{

Process[] p = Process.GetProc essesByName("no tepad");

ProcessModule pm = p[0].MainModule;

Console.WriteLi ne(pm.BaseAddre ss + ":" + p[0].Id);

byte[] buffer = new byte[200];

fixed(byte* cptr = &buffer[0])

{

int x = 0;

int* xptr = &x;

IntPtr hProcess = OpenProcess(PRO CESS_VM_READ,fa lse,p[0].Id);

Console.WriteLi ne(hProcess);

bool result = ReadProcessMemo ry(hProcess,pm. BaseAddress,cpt r,200,xptr);

Console.WriteLi ne(result + ":" + x);

for (int i=0; i<200; i++)

{

byte b = *(cptr+i);

string s = b.ToString("x") ;

s = s.PadLeft(2,'0' );

Console.Write(s + " ");

}

x = 0;

Console.WriteLi ne();
result = WriteProcessMem ory(hProcess,pm .BaseAddress,cp tr,200,xptr);

Console.WriteLi ne(result+":"+* xptr);

Console.WriteLi ne(GetLastError ());
}

Console.ReadLin e();

}

}
"Scott Allen" <bitmask@[nospam].fred.net> wrote in message
news:fu******** *************** *********@4ax.c om...

Hi Matt:

Every process in Win32 has it's own address space, and actually if you
check the BaseAddress for every process on the system you'll find many
of them are the same.

To pull this off you'll need to PInvoke OpenProcess and
ReadProcessMemo ry. Looking those API functions up in the SDK on MSDN
will get you started. ReadProcessMemo ry will copy bytes from the other
process into your address space.

--
Scott
http://www.OdeToCode.com

On Mon, 16 Aug 2004 11:05:04 -0500, "Matt Burland" <wjousts@[no
spam]hotmail.com> wrote:

I am trying to read the memory being used by a process but I can't
quite figure out how to do it (or if it's even possible). I can get a
reference to the process using Process.GetProc essesByName and I can get thebase address using Process.MainMod ule.BaseAddress (which returns a IntPtr).I thought that by using IntPtr.ToPointe r() and casting to a char* I

would

beable to read the memory as a stream of chars but it doesn't work

because

italways throws a NullReferenceEx ception when I try and dereference the
pointer.
Can anybody help me out here?

Thanks
class Class1 { [STAThread] static unsafe void Main(string[] args) {
Process[] p = Process.GetProc essesByName("no tepad"); ProcessModule pm =
p[0].MainModule; Console.WriteLi ne(pm.BaseAddre ss); char* ptr = (char*)
pm.BaseAddress .ToPointer(); char c = *ptr; // Throws
System.NullRef erenceException Console.WriteLi ne(c);
Console.ReadLi ne(); } }

Hi Matt:

I'm afraid I have not worked with WriteProcessMem ory much to know how
to troubleshoot this. I do know some pages will be marked as read only
pages - not sure if there is a guaranteed solution to unprotect
them... :/

--s

On Mon, 16 Aug 2004 15:57:29 -0500, "Matt Burland" <wjousts@[no
spam]hotmail.com> wrote:

Actually I forgot to add the PROCESS_VM_WRIT E in my sample and from looking
at the documentation I noticed I also need PROCESS_VM_OPER ATION. When I set
both of those I get a different error: ERROR_NOACCESS.

--
Scott
http://www.OdeToCode.com