开发者

Why does ReadProcessMemory always return zeros?

问答 作者:

Given the code below, ReadProcessMemory always returns an array of zeros. I'm trying to locate a string (which may be numeric) in a running process and identify all the locations where that string exists. But ReadProcessMemory always returns an array of zeros. Why is that?

  • I've tried running VS as administrator and removing the unsafe block.
  • processPointer has a correct value for the process handle.
  • BaseAddress does correctly iterate by one, and appears to be the memory location I'm looking for.
  • Despite obviously not finding any matches, it does run fairly quickly. Several seconds for a 72MB process.

.

// (other stuff in method...)
IntPtr baseAddress = process.MainModule.BaseAddress;
IntPtr lastAddress = baseAddress + process.MainModule.ModuleMemorySize;
processPointer = OpenProcess((uint)(0x0020), 1, (uint)PID);
for (int addr = (int)baseAddress; addr + value.Length < (int)lastAddress; addr++)
{
    string ActualValue = ReadMemory((IntPtr)addr, (uint)value.Length, (IntPtr)addr);
    if (string.IsNullOrEmpty(ActualValue)) continue;
    if (ActualValue.Trim().ToLower() == value.Trim().ToLower())
        PossibleAddresses.Add((IntPtr)addr);
}
// (other stuff in method...)

CloseHandle(processPointer);

private string ReadMemory(IntPtr memAddress, uint size, IntPtr  BaseAddress)
{
    byte[] buffer = new byte[size];
    IntPtr bytesRead;
    unsafe
    {
        ReadProcessMemory(processPointer, BaseAddress, buffer, size, out bytesRead);
        return BitConverter.ToString(buffer); // always "00-00-00-00....."
    }
    return Encoding.Default.GetString(buffer); // Another way I tried to read the data
}


[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Int32 bInheritHandle, UInt32 dwProcessId);
[DllImport("kernel32.dll")]
public static extern Int32 CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll")]
public static extern开发者_StackOverflow Int32 ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, UInt32 size, out IntPtr lpNumberOfBytesRead);

I was opening the handle with the wrong access type. 0x0010 is to read; 0x0020 is to write. I was hoping to get read/write with one open, but it looks like I'll have to handle that separately.

source: http://www.codeproject.com/script/Articles/ViewDownloads.aspx?aid=15680

继续阅读:interopkernel32memorywinapi

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9