Page 1 of 1

How Properly Read Module/Process Memory

Posted: Sat Jul 02, 2016 8:09 am
by rimba
Please advice How Properly Read Module/Process Memory e.g. Concept:

Code: Select all

  aProcess := process('Notepad.exe');
  aModule := aProcess.MainModule;
  BytesToRead:= ??                                   //Need to find size of Notepad in memory
  GetMem (ReadBuff, BytesToRead);        //Allocate buf for all bytes 
  GlobalLock ( ?? )                                   //How to protect readed memory

  aProcess.ReadMemory (aModule.Memory, ReadBuff, BytesToRead); // Can I use this?


Re: How Properly Read Module/Process Memory

Posted: Sat Jul 02, 2016 9:07 am
by madshi
What purpose do you need this for? What do you want to achieve and why?

Re: How Properly Read Module/Process Memory

Posted: Sat Jul 02, 2016 11:44 am
by rimba
The purpose is to find a smaller byte array with wildcards in the process and get the pointer to that occurence. Notepad serves only as example.

Re: How Properly Read Module/Process Memory

Posted: Sat Jul 02, 2016 12:28 pm
by madshi
Are you sure that this array is part of the DLL/EXE image in RAM? Or maybe it's an allocated array? If it's allocated, it could be *anywhere*. You'd have to read the whole RAM area of the target process to find it.

Re: How Properly Read Module/Process Memory

Posted: Sun Jul 03, 2016 4:17 am
by rimba
I am searching a code sequece in process memory. That sequence is located version from version at different place.
Wildcards are jmp addresses in code. So my idea is read code from memory to another allocated place and do the search here. I noticed you have public IProcess.ReadMemory function so I am interesting if it is some way better than Windows.ReadProcessMemory.

Re: How Properly Read Module/Process Memory

Posted: Sun Jul 03, 2016 4:41 am
by rimba
.. and another problem is how to find out the "size" of code.

Re: How Properly Read Module/Process Memory

Posted: Sun Jul 03, 2016 5:13 am
by rimba
I found answer to my last question:

Code: Select all

aModule := aProcess.MainModule;
modInfoSize := sizeof(TModuleInfo);
GetMem (modInfo, modInfoSize);

OK := GetModuleInformation (aProcess.Handle.Handle, aModule.Handle, modInfo, modInfoSize);
where modInfo structure holds needed info

Re: How Properly Read Module/Process Memory

Posted: Sun Jul 03, 2016 8:16 am
by madshi
Yeah, ReadProcessMemory or IProcess.ReadMemory are the best way. Well, another way would be to inject a dll into the target process. But I think ReadProcessMemory is less obtrusive.