How Properly Read Module/Process Memory

delphi package - easy access to kernel objects etc.
rimba
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

How Properly Read Module/Process Memory

Post by rimba »

Please advise how to properly read module/process memory, e.g. concept:

Code:

  aProcess := process('Notepad.exe');
  aModule := aProcess.MainModule;
  BytesToRead := ??                  // Need to find the size of Notepad in memory
  GetMem (ReadBuff, BytesToRead);    // Allocate a buffer for all bytes
  GlobalLock ( ?? )                  // How to protect the read memory

  aProcess.ReadMemory (aModule.Memory, ReadBuff, BytesToRead); // Can I use this?

madshi
Site Admin
Posts: 10339
Joined: Sun Mar 21, 2004 5:25 pm

Re: How Properly Read Module/Process Memory

Post by madshi »

What purpose do you need this for? What do you want to achieve and why?
rimba
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

Re: How Properly Read Module/Process Memory

Post by rimba »

The purpose is to find a smaller byte array with wildcards in the process and get the pointer to that occurrence. Notepad serves only as an example.
madshi
Site Admin
Posts: 10339
Joined: Sun Mar 21, 2004 5:25 pm

Re: How Properly Read Module/Process Memory

Post by madshi »

Are you sure that this array is part of the DLL/EXE image in RAM? Or maybe it's an allocated array? If it's allocated, it could be *anywhere*. You'd have to read the whole RAM area of the target process to find it.
rimba
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

Re: How Properly Read Module/Process Memory

Post by rimba »

I am searching for a code sequence in process memory. That sequence is located at a different place from version to version.
Wildcards are jmp addresses in code. So my idea is to read the code from memory to another allocated place and do the search here. I noticed you have a public IProcess.ReadMemory function, so I am interested whether it is in some way better than Windows.ReadProcessMemory.
rimba
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

Re: How Properly Read Module/Process Memory

Post by rimba »

.. and another problem is how to find out the "size" of code.
rimba
Posts: 8
Joined: Sat Mar 22, 2008 1:20 pm

Re: How Properly Read Module/Process Memory

Post by rimba »

I found the answer to my last question:

Code:

aModule := aProcess.MainModule;
modInfoSize := sizeof(TModuleInfo);
GetMem (modInfo, modInfoSize);

OK := GetModuleInformation (aProcess.Handle.Handle, aModule.Handle, modInfo, modInfoSize);

where the modInfo structure holds the needed info
madshi
Site Admin
Posts: 10339
Joined: Sun Mar 21, 2004 5:25 pm

Re: How Properly Read Module/Process Memory

Post by madshi »

Yeah, ReadProcessMemory or IProcess.ReadMemory are the best way. Well, another way would be to inject a dll into the target process. But I think ReadProcessMemory is less obtrusive.
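
The search step discussed in this thread (a byte signature with wildcards, run over a local copy of the module's memory), as an added example that is not part of any post and not code from madshi's package. The names TByteBuf, ParsePattern and FindPattern are hypothetical, and the sample buffer is constructed so the program runs without touching another process.

```pascal
program WildcardScan;
{$APPTYPE CONSOLE}
uses SysUtils, Classes;

type
  TByteBuf = array of Byte;   // local copy of the bytes read from the target
  TPatByte = record Value: Byte; Wild: Boolean; end;
  TPattern = array of TPatByte;

// Parse a signature such as '85 C0 0F 84 ?? ?? ?? ?? 8B'; '??' matches any byte.
// A token that is not valid hex raises EConvertError.
function ParsePattern(const S: string): TPattern;
var
  Tokens: TStringList;
  i: Integer;
begin
  Tokens := TStringList.Create;
  try
    Tokens.Delimiter := ' ';
    Tokens.DelimitedText := Trim(S);
    SetLength(Result, Tokens.Count);
    for i := 0 to Tokens.Count - 1 do
    begin
      Result[i].Wild := Tokens[i] = '??';
      Result[i].Value := 0;
      if not Result[i].Wild then
        Result[i].Value := StrToInt('$' + Tokens[i]);
    end;
  finally
    Tokens.Free;
  end;
end;

// Offset of the first match inside Buf, or -1 when the pattern is empty,
// longer than the buffer, or not present.
function FindPattern(const Buf: TByteBuf; const Pat: TPattern): Integer;
var
  i, j: Integer;
begin
  Result := -1;
  if Length(Pat) = 0 then Exit;
  for i := 0 to Length(Buf) - Length(Pat) do
  begin
    j := 0;
    while (j < Length(Pat)) and (Pat[j].Wild or (Buf[i + j] = Pat[j].Value)) do
      Inc(j);
    if j = Length(Pat) then begin Result := i; Exit; end;
  end;
end;

const
  // Constructed sample: push ebp; mov ebp,esp; test eax,eax; jz rel32; mov ...
  Sample: array[0..13] of Byte =
    ($55, $8B, $EC, $85, $C0, $0F, $84, $12, $34, $00, $00, $8B, $45, $08);
var
  Buf: TByteBuf;
begin
  SetLength(Buf, Length(Sample));
  Move(Sample, Buf[0], Length(Sample));
  Writeln('offset: ', FindPattern(Buf, ParsePattern('85 C0 0F 84 ?? ?? ?? ?? 8B')));
end.
```

With a buffer filled by ReadProcessMemory or IProcess.ReadMemory, the address in the target process is the module base address plus the returned offset.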