Page 2 of 2
    #16
    Contributing User

    Join Date
    Aug 2003
    Location
    UK
    Posts
    5,109
    Rep Power
    1802
    Originally Posted by BotHelp
    I can get:
    0001C700
    but not the addresses I want, like 0034FD90
    I really cannot fathom why you think one is right and the other is wrong - an address is an address. What makes you believe that the first is somehow more "correct" than the second?
    #17
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    186
    Rep Power
    82
    First of all, thanks to Jakotheshadows for translating your post.

    My post tried to point you in the right direction toward resolving your problem. I have Proof of Concept (POC) code that does dump a process' private address space. So, I'm not posting misinformation. I'm using the POC code as a testing/verification means for my posts.

    But anyway, do you honestly think your code which follows will work?

    Code:
    unsigned char *addr = 0;
    HANDLE hProc;
    int pid = 5044;
    MEMORY_BASIC_INFORMATION meminfo;
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if(hProc)
    {
        printf("Open Process succeed!");
        while(1)
        {
            if(VirtualQueryEx(hProc,addr,&meminfo,sizeof(meminfo)) == 0){
                break;
    #18
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    8
    Rep Power
    0
    Originally Posted by BobS0327
    First of all, thanks to Jakotheshadows for translating your post.

    My post tried to point you in the right direction toward resolving your problem. I have Proof of Concept (POC) code that does dump a process' private address space. So, I'm not posting misinformation. I'm using the POC code as a testing/verification means for my posts.

    But anyway, do you honestly think your code which follows will work?

    Code:
    unsigned char *addr = 0;
    HANDLE hProc;
    int pid = 5044;
    MEMORY_BASIC_INFORMATION meminfo;
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if(hProc)
    {
        printf("Open Process succeed!");
        while(1)
        {
            if(VirtualQueryEx(hProc,addr,&meminfo,sizeof(meminfo)) == 0){
                break;
    I can replace the addr with the minimum address as you did with your check, but I still can't see how it's going to change the output to print private addresses.
    #19
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2012
    Posts
    186
    Rep Power
    82
    Proof of concept code follows:

    Code:
    #pragma comment(lib, "advapi32.lib")
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>   /* atoi */

    BOOL DumpProcessMemory(DWORD dwPid)
    {
        HANDLE pHandle;
        SYSTEM_INFO si;
        MEMORY_BASIC_INFORMATION mbi;
        LPVOID lpMem;
        SIZE_T dwReturn, dwTotalRead;   /* VirtualQueryEx and ReadProcessMemory use SIZE_T, not DWORD */

        /* Query and read rights are all that enumerating and dumping regions needs */
        pHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPid);
        if (pHandle == NULL)
        {
            printf("OpenProcess failed for PID: %lu (error %lu)\n", dwPid, GetLastError());
            return FALSE;
        }
        GetSystemInfo(&si);
        /* Start the walk at the lowest user-mode address instead of at 0 */
        lpMem = si.lpMinimumApplicationAddress;
        while (lpMem < si.lpMaximumApplicationAddress)
        {
            mbi.RegionSize = 0;
            dwReturn = VirtualQueryEx(pHandle, lpMem, &mbi, sizeof(mbi));
            if (dwReturn != sizeof(mbi))
                break;   /* past the last region, or the query failed */
            if ((mbi.Type == MEM_PRIVATE) && (mbi.State == MEM_COMMIT) && (mbi.RegionSize > 0))
            {
                BYTE* cbBuffer = (BYTE*)HeapAlloc(GetProcessHeap(), 0, mbi.RegionSize);
                if (cbBuffer == NULL)
                {
                    printf("HeapAlloc failed\n");
                    CloseHandle(pHandle);
                    return FALSE;
                }
                if (ReadProcessMemory(pHandle, mbi.BaseAddress, cbBuffer, mbi.RegionSize, &dwTotalRead))
                    printf("Base Address %p   RegionSize %08llX   Read %08llX bytes\n",
                           mbi.BaseAddress, (unsigned long long)mbi.RegionSize, (unsigned long long)dwTotalRead);
                else
                    printf("ReadProcessMemory failed at %p (error %lu)\n", mbi.BaseAddress, GetLastError());
                HeapFree(GetProcessHeap(), 0, cbBuffer);
            }
            /* Advance to the next region; byte-pointer arithmetic avoids truncating 64-bit addresses */
            lpMem = (LPVOID)((LPBYTE)mbi.BaseAddress + mbi.RegionSize);
        }
        CloseHandle(pHandle);
        return TRUE;
    }

    INT main(INT argc, CHAR **argv)
    {
        if (argc < 2)
        {
            printf("usage: %s <pid>\n", argv[0]);
            return 1;
        }
        return DumpProcessMemory((DWORD)atoi(argv[1])) ? 0 : 1;
    }
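What separates the two addresses in post #16: the POC prints each region's base address, and a specific address such as 0034FD90 is simply some offset into one of those regions. The following is an added example, not code from the thread; it uses a constructed region table (a struct mirroring the MEMORY_BASIC_INFORMATION fields the POC filters on, so it builds without windows.h) to perform the POC's forward walk and map an address to its containing region and dump offset. The names region_t, find_region and region_offset are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors the MEMORY_BASIC_INFORMATION fields the POC filters on (constructed table, not a real dump). */
typedef struct {
    uintptr_t base;    /* mbi.BaseAddress */
    uintptr_t size;    /* mbi.RegionSize */
    int commit;        /* mbi.State == MEM_COMMIT */
    int priv;          /* mbi.Type == MEM_PRIVATE */
} region_t;

static const region_t regions[] = {
    { 0x00010000, 0x00010000, 1, 1 },  /* committed private: 00010000-0001FFFF */
    { 0x00020000, 0x00300000, 0, 1 },  /* reserved only: the POC skips it */
    { 0x00320000, 0x00040000, 1, 1 },  /* committed private: 00320000-0035FFFF */
    { 0x00360000, 0x00100000, 1, 0 },  /* committed but not MEM_PRIVATE: skipped */
};
static const int nregions = (int)(sizeof regions / sizeof regions[0]);

/* Walk the regions the way the POC does (next query address = BaseAddress + RegionSize)
 * and return the index of the committed private region containing addr, else -1. */
static int find_region(uintptr_t addr) {
    uintptr_t lpMem = regions[0].base;      /* lpMinimumApplicationAddress */
    for (int i = 0; i < nregions; i++) {
        const region_t *r = &regions[i];
        if (r->base != lpMem)               /* constructed table must be contiguous */
            return -1;
        if (r->commit && r->priv && addr >= r->base && addr - r->base < r->size)
            return i;
        lpMem = r->base + r->size;          /* the POC's forward step */
    }
    return -1;
}

/* Byte offset of addr inside that region's dump buffer (cbBuffer in the POC). */
static long region_offset(uintptr_t addr) {
    int i = find_region(addr);
    return i < 0 ? -1L : (long)(addr - regions[i].base);
}

int main(void) {
    uintptr_t want = 0x0034FD90;            /* the address from the original question */
    int i = find_region(want);
    if (i < 0) { printf("%08lX is in no committed private region\n", (unsigned long)want); return 1; }
    printf("%08lX lies in the region at base %08lX, offset %08lX into its dump\n",
           (unsigned long)want, (unsigned long)regions[i].base, (unsigned long)region_offset(want));
    return 0;
}
```

Against a real dump the same lookup applies to the buffer the POC reads for each region: the bytes for 0034FD90 sit at offset 0002FD90 into the region whose base is 00320000.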