This article is about how to get the memory dump of a process by checking almost all memory addresses that can store data. And since someone asked how to search for a string in a process' memory: the easiest way would be to search in this generated memory dump. Since C# is quite a high-level programming language, I think this is the only method available to do this. There are also other methods that involve pointers, offsets and Assembly, or injecting some DLL into the target application, but... this is C#.

In this tutorial I'll try to output all memory allocated by Notepad; I recommend you target processes that don't take too much RAM. Notepad allocates about 1-2MB of memory and the generated dump file has about 38MB (however, I also include the memory address for each byte and newlines). Here's a small image that shows the outcome:

[screenshot of the generated dump]

* The gaps between characters (empty bytes) come from Notepad's use of Unicode encoding.

Whenever a process starts, the system allocates enough memory for its heap, stack and other regions, but Windows won't allocate it as one 'entire block'. It takes whatever free user-mode memory is available, so the allocated memory won't be contiguous. Basically, Windows won't tell us a single range of addresses where we can find the program's data. So the remaining solution is to walk almost every possible address (the user-mode range we get from GetSystemInfo()), check whether each one belongs to a region of the target process (with VirtualQueryEx()) and, if it does, read the values from there (ReadProcessMemory()).

Methods that will be required (including the ones above):

```csharp
// REQUIRED CONSTS
const int PROCESS_QUERY_INFORMATION = 0x0400;
const int PROCESS_WM_READ = 0x0010;      // the Win32 header name is PROCESS_VM_READ; 0x0010 is its value

// REQUIRED METHODS (handles and addresses are declared as int here, so this assumes a 32-bit target process)
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(int hProcess, int lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
[DllImport("kernel32.dll")]
static extern void GetSystemInfo(out SYSTEM_INFO lpSystemInfo);
[DllImport("kernel32.dll")]
static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);

// REQUIRED STRUCTS (field names follow the Win32 documentation; 32-bit layout, 28 bytes for MEMORY_BASIC_INFORMATION)
public struct MEMORY_BASIC_INFORMATION
{
    public int BaseAddress, AllocationBase, AllocationProtect, RegionSize, State, Protect, Type;
}
public struct SYSTEM_INFO
{
    public ushort processorArchitecture, reserved;
    public uint pageSize;
    public IntPtr minimumApplicationAddress, maximumApplicationAddress, activeProcessorMask;
    public uint numberOfProcessors, processorType, allocationGranularity;
    public ushort processorLevel, processorRevision;
}

// getting the minimum & maximum user-mode address
SYSTEM_INFO sys_info = new SYSTEM_INFO();
GetSystemInfo(out sys_info);
IntPtr proc_min_address = sys_info.minimumApplicationAddress;
IntPtr proc_max_address = sys_info.maximumApplicationAddress;
// saving the values as long ints so I won't have to do a lot of casts later
long proc_min_address_l = (long)proc_min_address;
long proc_max_address_l = (long)proc_max_address;

// opening the process with the desired access level
Process process = Process.GetProcessesByName("notepad")[0];
IntPtr processHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_WM_READ, false, process.Id);

// this will store any information we get from VirtualQueryEx()
MEMORY_BASIC_INFORMATION mem_basic_info = new MEMORY_BASIC_INFORMATION();
StreamWriter sw = new StreamWriter("dump.txt");
```
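As an added example (not the article's code), here is the scan described above carried through to a complete program: it walks the target's regions with VirtualQueryEx(), reads only committed pages that are not guard or no-access pages, and keeps only the bytes ReadProcessMemory() actually returned. It goes a little beyond the article by using IntPtr-sized fields and parameters, so it also works against 64-bit targets; the class and method names (RegionDumper, DumpRegions) are my own, while the constants and struct layout are the documented Win32 ones.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
class RegionDumper
{
    const int PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_VM_READ = 0x0010;
    const uint MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;
    [StructLayout(LayoutKind.Sequential)]   // documented Win32 layout; IntPtr fields keep it correct on x64
    struct MEMORY_BASIC_INFORMATION { public IntPtr BaseAddress, AllocationBase; public uint AllocationProtect;
                                      public IntPtr RegionSize; public uint State, Protect, Type; }
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr hObject);

    // Walks the target's address space region by region and writes every committed, readable region
    // to 'w' as hex. Returns the bytes actually copied (lpNumberOfBytesRead reports short reads).
    static long DumpRegions(IntPtr hProc, TextWriter w)
    {
        long address = 0, total = 0; MEMORY_BASIC_INFORMATION mbi;
        IntPtr mbiSize = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
        // VirtualQueryEx fails (returns 0) once 'address' passes the highest user-mode address, ending the walk.
        while (VirtualQueryEx(hProc, (IntPtr)address, out mbi, mbiSize) != IntPtr.Zero)
        {
            long size = mbi.RegionSize.ToInt64();
            // Free/reserved regions hold no data; guard and no-access pages would make the read fail.
            if (mbi.State == MEM_COMMIT && (mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS)) == 0)
            {
                byte[] buf = new byte[size];
                if (ReadProcessMemory(hProc, mbi.BaseAddress, buf, (IntPtr)size, out IntPtr got))
                {
                    w.WriteLine("0x{0:X} protect=0x{1:X} {2}", mbi.BaseAddress.ToInt64(), mbi.Protect, BitConverter.ToString(buf, 0, (int)got.ToInt64()));
                    total += got.ToInt64();
                }
            }
            address = mbi.BaseAddress.ToInt64() + size;   // jump straight to the next region
        }
        return total;
    }

    static void Main(string[] args)
    {
        int pid = Process.GetProcessesByName(args.Length > 0 ? args[0] : "notepad")[0].Id;
        IntPtr hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (hProc == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();   // e.g. access denied
        using (StreamWriter sw = new StreamWriter("dump.txt")) Console.WriteLine("dumped {0} bytes", DumpRegions(hProc, sw));
        CloseHandle(hProc);
    }
}
```

Run it as the same user that owns the target process; OpenProcess() is refused for processes of other users or protected processes unless the caller holds the matching privilege.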