Page 1 of 1
How Properly Read Module/Process Memory
Posted: Sat Jul 02, 2016 8:09 am
by rimba
Please advice How Properly Read Module/Process Memory e.g. Concept:
Code: Select all
aProcess := process('Notepad.exe');
aModule := aProcess.MainModule;
BytesToRead:= ?? //Need to find size of Notepad in memory
GetMem (ReadBuff, BytesToRead); //Allocate buf for all bytes
GlobalLock ( ?? ) //How to protect readed memory
aProcess.ReadMemory (aModule.Memory, ReadBuff, BytesToRead); // Can I use this?
Re: How Properly Read Module/Process Memory
Posted: Sat Jul 02, 2016 9:07 am
by madshi
What purpose do you need this for? What do you want to achieve and why?
Re: How Properly Read Module/Process Memory
Posted: Sat Jul 02, 2016 11:44 am
by rimba
The purpose is to find a smaller byte array with wildcards in the process and get the pointer to that occurence. Notepad serves only as example.
Re: How Properly Read Module/Process Memory
Posted: Sat Jul 02, 2016 12:28 pm
by madshi
Are you sure that this array is part of the DLL/EXE image in RAM? Or maybe it's an allocated array? If it's allocated, it could be *anywhere*. You'd have to read the whole RAM area of the target process to find it.
Re: How Properly Read Module/Process Memory
Posted: Sun Jul 03, 2016 4:17 am
by rimba
I am searching a code sequece in process memory. That sequence is located version from version at different place.
Wildcards are jmp addresses in code. So my idea is read code from memory to another allocated place and do the search here. I noticed you have public IProcess.ReadMemory function so I am interesting if it is some way better than Windows.ReadProcessMemory.
Re: How Properly Read Module/Process Memory
Posted: Sun Jul 03, 2016 4:41 am
by rimba
.. and another problem is how to find out the "size" of code.
Re: How Properly Read Module/Process Memory
Posted: Sun Jul 03, 2016 5:13 am
by rimba
I found answer to my last question:
Code: Select all
aModule := aProcess.MainModule;
modInfoSize := sizeof(TModuleInfo);
GetMem (modInfo, modInfoSize);
OK := GetModuleInformation (aProcess.Handle.Handle, aModule.Handle, modInfo, modInfoSize);
where modInfo structure holds needed info
Re: How Properly Read Module/Process Memory
Posted: Sun Jul 03, 2016 8:16 am
by madshi
Yeah, ReadProcessMemory or IProcess.ReadMemory are the best way. Well, another way would be to inject a dll into the target process. But I think ReadProcessMemory is less obtrusive.