
I was trying to read memory from explorer.exe. With the program Process Hacker I found that at the address 0xfa07f8 this string is stored: \??\C:\Program Files\Process Hacker 2\ProcessHacker.exe

When I try to read the string at this address, I get only the first character of the string back: the '\' char. How can I read the whole string?

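```cpp
char buffer[255] = { 0 };
uintptr_t addr = 0xfa07f8;  // address found with Process Hacker
// Copy sizeof(buffer) bytes from the target process into the local buffer
if (ReadProcessMemory(proc, (LPCVOID)addr, buffer, sizeof(buffer), NULL))
{
    MessageBoxA(NULL, buffer, NULL, MB_OK);
}
```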
  • 6
    The string will be in Unicode UTF-16 and every other byte will be 0 for the ASCII characters. Commented Jun 30, 2021 at 20:57
  • 3
    What do you see when you inspect the contents of buffer with your debugger? Commented Jun 30, 2021 at 20:58
  • @RichardCritten Does Windows use UTF-16 internally? Commented Jun 30, 2021 at 21:01
  • You probably read a bstr_t value from that address; the `\??\` represents the prefixed string length, and that you see printable characters there is just by chance. Commented Jun 30, 2021 at 21:01
  • 1
    @TedLyngmo Yes, it worked. Just replaced the MessageBoxA function with MessageBoxA Commented Jun 30, 2021 at 21:21

1 Answer

2

You are reading wide characters from the process memory. MessageBoxA is for displaying "narrow" characters.

To display wide characters, use MessageBoxW.
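
The effect described in the answer above, as an added example that is not part of the original post: portable C (so it runs without the Windows API) showing why a narrow-string call sees only one character of UTF-16LE data, together with a bounded conversion to UTF-8. The sample bytes and the function names `narrow_len`, `utf16le_len` and `utf16le_to_utf8` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: the first bytes a char buffer holds after copying a
   UTF-16LE string out of another process (6 code units plus a 16-bit NUL). */
static const unsigned char sample[] = { '\\',0, '?',0, '?',0, '\\',0, 'C',0, ':',0, 0,0 };

/* What a narrow-string API sees: it stops at the first zero byte. */
size_t narrow_len(const unsigned char *buf) { return strlen((const char *)buf); }

/* Length in 16-bit code units, bounded by nbytes so a missing terminator
   in the copied memory cannot cause an over-read. */
size_t utf16le_len(const unsigned char *buf, size_t nbytes) {
    size_t n = 0;
    while (2 * n + 1 < nbytes && (buf[2 * n] | buf[2 * n + 1]) != 0)
        n++;
    return n;
}

static uint32_t unit_at(const unsigned char *buf, size_t i) {
    return buf[2 * i] | ((uint32_t)buf[2 * i + 1] << 8);
}

/* Convert to NUL-terminated UTF-8; returns bytes written (excluding NUL).
   Output is truncated at a character boundary if cap is too small. */
size_t utf16le_to_utf8(const unsigned char *buf, size_t nbytes, char *out, size_t cap) {
    size_t units = utf16le_len(buf, nbytes), o = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; i < units; i++) {
        uint32_t c = unit_at(buf, i);
        if (c >= 0xD800 && c <= 0xDBFF && i + 1 < units) {
            uint32_t lo = unit_at(buf, i + 1);
            if (lo >= 0xDC00 && lo <= 0xDFFF) {   /* valid surrogate pair */
                c = 0x10000 + ((c - 0xD800) << 10) + (lo - 0xDC00);
                i++;
            }
        }
        if (c >= 0xD800 && c <= 0xDFFF) c = 0xFFFD;   /* lone surrogate */
        size_t need = c < 0x80 ? 1 : c < 0x800 ? 2 : c < 0x10000 ? 3 : 4;
        if (o + need >= cap) break;                   /* keep room for NUL */
        if (need == 1) { out[o++] = (char)c; continue; }
        out[o++] = (char)(((0xF00 >> need) & 0xFF) | (c >> (6 * (need - 1))));
        for (size_t k = need - 1; k-- > 0; )
            out[o++] = (char)(0x80 | ((c >> (6 * k)) & 0x3F));
    }
    out[o] = '\0';
    return o;
}
```

On Windows the same bytes can instead be read into a `wchar_t` buffer and passed to `MessageBoxW`, as the answer says.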
