
Read memory from application which does not allow it

I am currently trying to read the entirety of the memory of a game which blocks calls to OpenProcess and ReadProcessMemory (I believe this is done through a Windows driver/service, although I'm not sure how).

I use the following code to try to open the process and read its memory to a file:

#include <windows.h>
#include <cstdint>
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <vector>
using namespace std;

int main(int argc, char *argv[]) {
    if (argc < 2) {
        cout << "Usage: memdump <pid>" << endl;
        return 1;
    }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);

    HANDLE process = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (!process) {
        cout << "Failed to open process (error " << GetLastError() << ")." << endl;
        return 1;
    }
    cout << "Successfully opened process." << endl << "Dumping memory to mem.dmp..." << endl;

    // Binary mode: the dump is raw bytes, not text.
    ofstream fout("mem.dmp", ios::binary);

    // Bound the walk by the user-mode address range instead of waiting for
    // the pointer to wrap back to 0, which never happens on 64-bit.
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    const SIZE_T PAGE_SIZE = si.dwPageSize;
    vector<char> buffer(PAGE_SIZE);
    uintptr_t base = (uintptr_t)si.lpMinimumApplicationAddress;
    uintptr_t end = (uintptr_t)si.lpMaximumApplicationAddress;
    size_t readCount = 0;  // number of pages actually read, not a pointer

    for (; base < end; base += PAGE_SIZE) {
        SIZE_T got = 0;
        if (ReadProcessMemory(process, (LPCVOID)base, buffer.data(), PAGE_SIZE, &got) && got > 0) {
            // Write the raw page; operator<< would stop at the first NUL byte.
            fout.write(buffer.data(), got);
            readCount++;
        }
    }
    if (readCount == 0) {
        cout << "Warning: No memory was read from the process." << endl;
    }
    fout.flush();
    fout.close();
    CloseHandle(process);
    return 0;
}

However, when run, this cannot even open the process.

The only way to get past the driver blocking the process from being opened for memory reading is to dump the entirety of the physical memory to a file. I have no idea how to do this, other than having to set Windows to dump all of the physical memory on a blue screen, and then forcing my computer to shut down with a blue screen. This is obviously quite inconvenient as I will want to analyse the application's memory quite frequently.

Is there any way to dump all of the physical memory without using this method on Windows? I know virtually nothing about the driver or how it works so it would be almost impossible to work out another way of bypassing it.

You are trying to access the "0th" memory position, that is not possible (SO does not allow you to do it):

char *base = (char *) 0;

You should set correctly the address where you wanna read, and that address must be a readable address. Check the ReadProcessMemory doc here

lpBaseAddress [in] : A pointer to the base address in the specified process from which to read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access, and if it is not accessible the function fails.

Check also the examples in this post here
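As an added example (not part of the question or the answer above), here is how the "readable address" point is usually put into practice: instead of starting at 0 and probing every page, the dumper asks the OS which regions are committed and readable with VirtualQueryEx and only reads those. The region filter isReadableRegion, the output name mem.dmp and the 1 MiB chunk size are my choices; the Win32 constants are duplicated as plain numbers so the filter compiles and can be checked on any platform, while the actual walk is Windows-only.

```cpp
// Added example: walk a process's address space with VirtualQueryEx and dump
// only committed, readable regions to mem.dmp. Not code from the original post.
#include <cstdint>
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

// Win32 constants duplicated here (values from winnt.h) so the region filter
// compiles and can be tested on any platform.
enum : unsigned {
    kMemCommit    = 0x1000,  // MEM_COMMIT
    kPageNoAccess = 0x01,    // PAGE_NOACCESS
    kPageGuard    = 0x100,   // PAGE_GUARD
};

// A region reported by VirtualQueryEx can be read by ReadProcessMemory only if
// it is committed, not PAGE_NOACCESS, and not a guard page (touching a guard
// page trips the guard instead of returning data). Reserved and free regions
// fail the State check; this is exactly why reading from address 0 fails.
bool isReadableRegion(unsigned state, unsigned protect) {
    if (state != kMemCommit) return false;
    if (protect & kPageGuard) return false;
    if ((protect & 0xFF) == kPageNoAccess) return false;
    return true;
}

#ifdef _WIN32
// Walk the user-mode address range region by region and append every readable
// region to the output stream. Returns the number of bytes written.
uint64_t dumpReadableMemory(HANDLE process, std::ofstream &out) {
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    uintptr_t addr = (uintptr_t)si.lpMinimumApplicationAddress;
    uintptr_t end = (uintptr_t)si.lpMaximumApplicationAddress;
    std::vector<char> buf(1 << 20);  // read in 1 MiB chunks (my choice)
    uint64_t total = 0;
    while (addr < end) {
        MEMORY_BASIC_INFORMATION mbi;
        if (VirtualQueryEx(process, (LPCVOID)addr, &mbi, sizeof(mbi)) == 0) break;
        if (isReadableRegion(mbi.State, mbi.Protect)) {
            for (SIZE_T off = 0; off < mbi.RegionSize; off += buf.size()) {
                SIZE_T want = mbi.RegionSize - off < buf.size() ? mbi.RegionSize - off : buf.size();
                SIZE_T got = 0;
                if (!ReadProcessMemory(process, (char *)mbi.BaseAddress + off, buf.data(), want, &got)) break;
                out.write(buf.data(), got);
                total += got;
            }
        }
        addr = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;  // next region
    }
    return total;
}

int main(int argc, char *argv[]) {
    if (argc < 2) { std::cerr << "usage: dumpmem <pid>" << std::endl; return 1; }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);
    // VirtualQueryEx needs PROCESS_QUERY_INFORMATION in addition to PROCESS_VM_READ.
    HANDLE process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!process) { std::cerr << "OpenProcess failed: " << GetLastError() << std::endl; return 1; }
    std::ofstream out("mem.dmp", std::ios::binary);
    std::cout << "wrote " << dumpReadableMemory(process, out) << " bytes" << std::endl;
    CloseHandle(process);
    return 0;
}
#else
int main() { std::cout << "The region walk is Windows-only; only the filter was built." << std::endl; return 0; }
#endif
```

For later analysis it helps to also record each region's BaseAddress and RegionSize next to the data (for example in a small index file), since the concatenated dump alone does not tell you which address a byte came from. If OpenProcess itself is denied, as in the question, this program reports the error code and stops; it does nothing to get around the driver.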
