1

I'm having some problems implementing an algorithm to read a foreign process' memory. Here is the main code:

    System.Diagnostics.Process.EnterDebugMode();
    // Open the target with read and query rights only.
    IntPtr retValue = WinApi.OpenProcess((int)WinApi.OpenProcess_Access.VMRead | (int)WinApi.OpenProcess_Access.QueryInformation, 0, (uint)_proc.Id);
    _procHandle = retValue;

    // Keep only committed regions (State == 0x1000, i.e. MEM_COMMIT).
    WinApi.MEMORY_BASIC_INFORMATION[] mbia = getMemoryBasicInformation().Where(p => p.State == 0x1000).ToArray();

    foreach (WinApi.MEMORY_BASIC_INFORMATION mbi in mbia) {
        // Read the whole region, then search the local copy.
        byte[] buffer = Read((IntPtr)mbi.BaseAddress, mbi.RegionSize);

        foreach (IntPtr addr in ByteSearcher.FindInBuffer(buffer, toFind, (IntPtr)0, mbi.RegionSize, increment)) {
            yield return addr;
        }
    }

Read() ... method

    if (!WinApi.ReadProcessMemory(_procHandle, address, buffer, size, out numberBytesRead)) {
        throw new MemoryReaderException(
            string.Format(
                "There was an error with ReadProcessMemory()\nGetLastError() = {0}",
                WinApi.GetLastError()
            ));
    }

Although it generally seems to work correctly, the problem is that for some memory values ReadProcessMemory is returning false, and GetLastError is returning 299. From what I've googled, it seems to happen on Vista because some params of OpenProcess were updated. Does anyone know what this is about? And what values should I try? Notice that as they changed, I wouldn't want to know if it's VM_READ or so, I want to know exactly what the values are.

EDIT: Maybe it has something to do with not calling VirtualProtect()/VirtualProtectEx()? As seen at this SO URL: WriteProcessMemory/ReadProcessMemory fail

Edit2: That was it! ^^ That is the solution: calling VirtualProtectEx() first and then ReadProcessMemory()!

1
  • This approach is going to wreak havoc on the victim process; if you're going to do this, you have to freeze the process. Commented Aug 26, 2009 at 16:13

2 Answers

1
    C:\Debuggers>kd -z C:\Windows\notepad.exe
    0:000> !error 0n299
    Error code: (Win32) 0x12b (299) - Only part of a ReadProcessMemory 
        or WriteProcessMemory request was completed.

This means you tried to read a block that was partially made up of unmapped addresses (i.e. if the app itself did this, it'd AV).


4 Comments

That'd be strange, as you can see in the code, I am only going after memory blocks given by MEMORY_BASIC_INFORMATION structs. Or am I doing something wrong?
Is the process suspended? Or are you reading from a live process?
I'm running it on a running process. Might that be the reason?
Of course - as you're collecting the MEMORY_BASIC_INFORMATION (i.e. the PTEs), the process is allocating and deallocating memory.
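
The race described in this answer and its comments, shown as an added example that is not part of the original thread: a region walk that filters on protection as well as commit state and treats a failed read as a stale snapshot instead of a fatal error. `RegionReader`, `ReadRegions` and `onSkip` are hypothetical names; the demo assumes a 64-bit Windows process and reads its own memory so it runs without a second process.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class RegionReader   // hypothetical name; assumes a 64-bit Windows process
{
    const uint MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;
    const int ERROR_PARTIAL_COPY = 299;
    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State, Protect, Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr process, IntPtr address,
        out MEMORY_BASIC_INFORMATION info, IntPtr length);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr process, IntPtr address,
        byte[] buffer, IntPtr size, out IntPtr bytesRead);
    // Yields each region read in full; reports failed reads through onSkip.
    static IEnumerable<(IntPtr Base, byte[] Data)> ReadRegions(IntPtr process, Action<IntPtr, int> onSkip)
    {
        long next = 0;
        var mbiSize = (IntPtr)Marshal.SizeOf<MEMORY_BASIC_INFORMATION>();
        while (VirtualQueryEx(process, (IntPtr)next, out var mbi, mbiSize) != IntPtr.Zero)
        {
            long size = (long)mbi.RegionSize;
            next = (long)mbi.BaseAddress + size;
            // Committed is not enough: no-access and guard pages cannot be read.
            bool readable = mbi.State == MEM_COMMIT && (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0;
            if (!readable || size > 0x10000000) continue;   // regions over 256 MB skipped for brevity
            var data = new byte[size];
            if (ReadProcessMemory(process, mbi.BaseAddress, data, mbi.RegionSize, out _))
                yield return (mbi.BaseAddress, data);
            else   // e.g. 299: the range was no longer fully mapped by the time of the read
                onSkip(mbi.BaseAddress, Marshal.GetLastWin32Error());
        }
    }
    static void Main()
    {
        int read = 0, partial = 0, other = 0;
        IntPtr self = Process.GetCurrentProcess().Handle;   // own process keeps the demo self-contained
        foreach (var region in ReadRegions(self, (addr, err) => { if (err == ERROR_PARTIAL_COPY) partial++; else other++; }))
            read++;
        Console.WriteLine($"read={read} partial(299)={partial} other={other}");
    }
}
```

The counts vary from run to run because the memory map keeps changing while the loop walks it, which is the effect the comments above describe.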
1

You store the handle to the newly opened process in a local variable (retValue), but you don't pass it to your getMemoryBasicInformation function, so I can only assume that it actually fetches information about the current process. I suspect you're really using your own process's address ranges as though they belong to the other process. Many of the address ranges will probably be the same between processes, so that error wouldn't be immediately apparent.

2 Comments

Keep in mind that I just put together these parts of the code, but actually it is more complex. I have tested this and it is reading data from another process.
I see. My crystal ball is in the shop for repairs. In the meantime, I can only comment on code I've been shown.
