ReadProcessMemory

WetCode (117)
I have been having trouble getting the data I want from the memory.
After I have gotten the buffer I assign it to a string and start searching for a Parameter. Thing is that when it comes up with a hit it returns allot of garbish and unrelated text that I didn't ask for anyone able to shed some light on this?

Output Looks like: http://tinypic.com/r/345oeid/5
How can I get that when I am searching for WetCode?

If I print the hole buffer it returns some text (Windows paths.) but not anything that I put in the parameter for string.find();

I have tryd prinitng iy out in both Mulitbytes and wide characters.
Last edited on
webJose (2948)
1. The image didn't show for me.
2. What is WetCode?
3. Show the code snipped that calls ReadProcessMemory() to try to determine if there's anything wrong there.
4. How are you determining the memory address to be read?
WetCode (117)
Here is a snip of my code
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
 
            while (Addr <= SysInfo.lpMaximumApplicationAddress)
            {
                if (VirtualQueryEx(hOpenProcess, (LPVOID*)Addr, &BasicMemory, sizeof(BasicMemory)) != 0)
                { // We found a memory region now lets Read it.
                    if ( (BasicMemory.State & MEM_COMMIT) )
                    {
                            bytes_to_read = BasicMemory.RegionSize; // The size of the region and the buffer
                            cDataBuffer = new char[bytes_to_read + 1];
                            if (ReadProcessMemory(hOpenProcess, (LPVOID*)Addr, cDataBuffer, bytes_to_read, &bytes_read) != 0)
                            {
                                wcout << L"Region: " << (LPVOID*)Addr << endl;
                                wcout << L"Size: " << bytes_to_read << endl;
                                wcout << L"From: " << CurrentProcEntry.szExeFile << endl;
                                wcout << "Searching: " << endl;
                                Sleep(1000);
                                BufferString.assign(cDataBuffer, bytes_to_read +1);

                                if (IsTextUnicode(cDataBuffer, bytes_read, NULL) != 0)
                                {
                                    // We Got Unicode
                                    wcout << L"We Got Unicode " << endl;

                                    // SerachDataW( StringToWString(BufferString) );

                                } else {
                                    // We got Multibyte Characters
                                    cout << "We got Multibytes" << endl;
                                    SearchData(BufferString);
                                    }

Addr is a unsigned char* Addr = 0;
cDataBuffer is char* cDataBuffer;
WetCode is my nickname that i have pasted 300 times in Notepad and Wordpad to see if i can fint it.
Last edited on
webJose (2948)
I have never used VirtualQueryEx(), so I can only say what I see wrong based on the documentation.

1. Line 3: The cast of Addr is incorrect; it needs to be (LPCVOID).
2. Line 9: You need to use BasicMemory.BaseAddress instead of Addr. The documentation states that, on input, the address is rounded down to the lower page boundary. This means that you should be using the base address that may or may not be equal to Addr at some iteration.
3. Line 14: You must L-prepend the string literal "Searching: ".
4. Line 27: No need to use cout. Just L-prepend the string literal and continue using wcout. Unrelated, I know, but still. :D

Other than that I don't see much of an issue here. As long as the functions are succeeding, you should be able to eventually find your text.
WetCode (117)
Thanks for your replys i was wondering i am using the UNICODE fucntion calls to Process32FirstW, Process32NextW should i be using the regular one? When is it common to use the thes functions and when should i use the rehular ones? Also wont text in memory from notepad and other windows processes be in unicode not multibyte?

Stile no luck with getting the proper text.
kbw (9488)
Windows NT is Unicode. The Ascii versions of API functions are translated to/from Unicode for you in userXX.lib (32 or 64 I presume).

Use Unicode where possible.

If your project defines _UNICODE, you get Unicode calls by default.
Last edited on
Topic archived. No new replies allowed.