How Properly Read Module/Process Memory

delphi package - easy access to kernel objects etc.

Postby rimba » Sat Jul 02, 2016 8:09 am

Please advise how to properly read module/process memory, e.g. concept:

Code:
  aProcess := process('Notepad.exe');
  aModule := aProcess.MainModule;
  BytesToRead:= ??                                   //Need to find size of Notepad in memory
  GetMem (ReadBuff, BytesToRead);        //Allocate buf for all bytes
  GlobalLock ( ?? )                                   //How to protect the read memory

  aProcess.ReadMemory (aModule.Memory, ReadBuff, BytesToRead); // Can I use this?

rimba
 
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

Re: How Properly Read Module/Process Memory

Postby madshi » Sat Jul 02, 2016 9:07 am

What purpose do you need this for? What do you want to achieve and why?
madshi
Site Admin
 
Posts: 9143
Joined: Sun Mar 21, 2004 5:25 pm

Re: How Properly Read Module/Process Memory

Postby rimba » Sat Jul 02, 2016 11:44 am

The purpose is to find a smaller byte array with wildcards in the process and get the pointer to that occurrence. Notepad serves only as an example.
rimba
 
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

Re: How Properly Read Module/Process Memory

Postby madshi » Sat Jul 02, 2016 12:28 pm

Are you sure that this array is part of the DLL/EXE image in RAM? Or maybe it's an allocated array? If it's allocated, it could be *anywhere*. You'd have to read the whole RAM area of the target process to find it.
madshi
Site Admin
 
Posts: 9143
Joined: Sun Mar 21, 2004 5:25 pm

Re: How Properly Read Module/Process Memory

Postby rimba » Sun Jul 03, 2016 4:17 am

I am searching for a code sequence in process memory. That sequence is located at a different place from version to version.
Wildcards are jmp addresses in code. So my idea is to read the code from memory into another allocated place and do the search there. I noticed you have a public IProcess.ReadMemory function, so I am interested in whether it is in some way better than Windows.ReadProcessMemory.
rimba
 
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

Re: How Properly Read Module/Process Memory

Postby rimba » Sun Jul 03, 2016 4:41 am

.. and another problem is how to find out the "size" of code.
rimba
 
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

Re: How Properly Read Module/Process Memory

Postby rimba » Sun Jul 03, 2016 5:13 am

I found the answer to my last question:

Code:
aModule := aProcess.MainModule;
modInfoSize := sizeof(TModuleInfo);
GetMem (modInfo, modInfoSize);

OK := GetModuleInformation (aProcess.Handle.Handle, aModule.Handle, modInfo, modInfoSize);

where the modInfo structure holds the needed info
rimba
 
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

Re: How Properly Read Module/Process Memory

Postby madshi » Sun Jul 03, 2016 8:16 am

Yeah, ReadProcessMemory or IProcess.ReadMemory are the best way. Well, another way would be to inject a dll into the target process. But I think ReadProcessMemory is less obtrusive.
madshi
Site Admin
 
Posts: 9143
Joined: Sun Mar 21, 2004 5:25 pm
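
Added example (not code from the thread or from madKernel): one way to combine the pieces discussed above, sizing the read from GetModuleInformation, copying the image with ReadProcessMemory, and searching the local copy with wildcards. It assumes Delphi XE2 or later and plain Windows/PsAPI calls; the unit name ModuleScan, the functions ReadModuleImage and FindPattern, and the page-by-page read are choices made for this example.

```pascal
unit ModuleScan;  // added example; unit and function names are hypothetical
interface
uses Windows, SysUtils, PsAPI;

// hProcess needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access.
function ReadModuleImage(hProcess: THandle; hMod: HMODULE; out Base: Pointer): TBytes;
// Pat entries: 0..255 match that byte exactly, -1 matches any byte.
function FindPattern(const Buf: TBytes; const Pat: array of SmallInt): Integer;

implementation

function ReadModuleImage(hProcess: THandle; hMod: HMODULE; out Base: Pointer): TBytes;
const
  PageSize = $1000;
var
  mi: TModuleInfo;
  ofs, chunk: Cardinal;
  got: SIZE_T;
begin
  SetLength(Result, 0);
  Base := nil;
  if not GetModuleInformation(hProcess, hMod, @mi, SizeOf(mi)) then Exit;
  Base := mi.lpBaseOfDll;
  SetLength(Result, mi.SizeOfImage);  // new dynamic-array bytes are zero-filled
  ofs := 0;
  while ofs < mi.SizeOfImage do
  begin
    chunk := mi.SizeOfImage - ofs;
    if chunk > PageSize then chunk := PageSize;
    // Read page by page: an unreadable page fails alone and stays zeroed.
    ReadProcessMemory(hProcess, Pointer(NativeUInt(Base) + ofs), @Result[ofs], chunk, got);
    Inc(ofs, chunk);
  end;
end;

function FindPattern(const Buf: TBytes; const Pat: array of SmallInt): Integer;
var
  i, j: Integer;
begin
  Result := -1;  // -1 = not found (also returned for an empty pattern)
  if Length(Pat) = 0 then Exit;
  for i := 0 to Length(Buf) - Length(Pat) do
  begin
    j := 0;
    while (j < Length(Pat)) and ((Pat[j] < 0) or (Buf[i + j] = Pat[j])) do Inc(j);
    if j = Length(Pat) then begin Result := i; Exit; end;
  end;
end;

end.
```

The address of a match in the target process is Base plus the returned offset. A constructed pattern such as `[$E9, -1, -1, -1, -1, $C3]` treats the four bytes of a jmp displacement as wildcards.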

