I have succesfully injected chrome.exe(x64) to filter DNS queries. I have a problem with 64bit processes. My test project contains signed driver, windows service for injection(x64), injection dll(x64) and desktop app (x64). Injected dll sends WM_COPYDATA with data contains processid, pointer and data size to desktop app. Then desktop app receives this message open process with PROCESS_VM_READ flag and try to read data at pointer. After using ReadProcessMemory I get ERROR_PARTIAL_COPY error (by using GetLastError). I read somewhere this error generally result of trying to read x64 process memory from x86 process. But I am using x64 process. Some of my code.
This is IPC messaging structure
Code: Select all
Type TIPCMessage = record
pid : Integer;
IP : ShortString;
Port : Integer;
Sock : Integer;
Size : Integer;
Address : Cardinal;
MsgType : Integer;
End;
injection dll
Code: Select all
msg : TIPCMessage;
aCopyData : TCopyDataStruct;
with aCopyData do
begin
dwData := 0;
cbData := SizeOf(msg);
lpData := @msg;
end;
SendMessageTimeoutW(hTargetWnd, WM_COPYDATA,WPARAM(666), LPARAM(@aCopyData),0, 10000,@smresult)
Code: Select all
var
msg : TIPCMessage;
BytesRead : NativeUInt;
DataBytesByteArray : PByteArray;
ReadProcessMemory(Proc, Pointer(msg.Address), DataBytesByteArray, msg.Size, BytesRead)