I want to read memory of process A but when the process A is disposed. I have run A, it displays address of some variable, I closed it.
I have run B where I input address of A's variable. It causes error "Access violation...".
I use Borland C++ builder and Windows 7.
Is there any way to watch ram when process is closed? Maybe some tools will help me. Could you give me names of tools to read memory by absolute address after memory deallocation?
Maybe it should be some sort of leak detectors?
I don't know after it is closed, but while running, you can use ReadProcessMemory() with CreateRemoteThread
On most systems, separate processes exist in completely separate virtual address spaces. The pointers you see in one process are completely meaningless in another.
Consequently, you have to explicitly share memory if you want to do this; I'm no Windows expert, but I believe that CreateSharedMemory() may be what you need.
Related
Is it's possible to get access to memory that located outside current application? For example I need to check how App2 is using it's memory (check memory fragmentation). afaik every app have own virtual memory, but I need to check memory that located outside it.
Yes, that's how debuggers work, and you can allocate shared memory if the two program will cooperate on it. You can also request access to the raw system memory through the kernel if your program is running with sufficient administrator powers and the system is configured for it.
On Windows, there is a function called ReadProcessMemory that will make a copy for you. On Linux, you can open /proc/[pid]/mem and access it through that. You can also look up tutorials on how to write a debugger and attach to a process that way.
However, I wouldn't attempt this yourself unless you're already experienced... It is so much harder than you realize to get anything useful. Instead, try using existing programs like debuggers and memory analyzers, or instrument your App2 to report on itself.
When every process has its own private memory space that no external process has access to, how does a debugger access a process' memory space?
For eg, I can attach gdb to a running process using gdb -p <pid>
The I can access all the memory of this process via gdb.
How is gdb able to do this?
I read the relevant questions in SO and no post seems to answer this point.
Since the question is tagged Linux and Unix, I'll expand a little on what David Scwartz says, which in short is "there is an API for that in the OS". The same basic principle applies in Windows as well, but the actual implementation is different, and although I suspect the implementation inside the OS does the same thing, there's no REAL way to know that, since we can't inspect the source code for Windows (one can, however, understanding how an OS and a processor works, sort of figure out what must be happening!)
Linux has a function called ptrace, that allows one process (following some checking of privileges) to inspect another process in various ways. It is one call, but the first parameter is a "what do you want to do". Here are some of the most basic examples - there are a couple of dozen others for less "common" operations:
PTRACE_ATTACH - connect to the process.
PTRACE_PEEKTEXT - look at the attached process' code memory (for example to disassemble the code)
PTRACE_PEEKDATA - look at the attached process' data memory (to display variables)
PTRACE_POKETEXT - write to process' code memory
PTRACE_POKEDATA - write to process' data memory.
PTRACE_GETREGS - copy the current register values.
PTRACE_SETREGS - change the current register values (e.g. a debug command of set variable x = 7, if x happens to be in a register)
In Linux, since memory is "all the same", PTRACE_PEEKTEXT and PTRACE_PEEKDATA are actually the same functionality, so you can give an address in code for PTRACE_PEEKDATA and an address, say, on the stack for PTRACE_PEEKTEXT and it will perfectly happily copy that back for you. The distinction is made for OS/processor combinations where memory is "split" between DATA memory and CODE memory. Most modern OS's and processors do not make that distinction. Same obviously applies to PTRACE_POKEDATA and PTRACE_POKETEXT.
So, say that the "debugger process" uses:
long data = ptrace(PTRACE_PEEKDATA, pid, 0x12340128, NULL);
When the OS is called with a PTRACE_PEEKDATA for address 0x12340128 it will "look" at the corresponding memory mapping for the memory at 0x12340128 (page-aligned that makes 0x12340000), if it exists, it will get mapped into the kernel, the data is then copied out from address 0x12340128 into the local memory, the memory unmapped, and the copied data passed back as the return value.
The manual states the initiating of the usage as:
The parent can initiate a trace by calling fork(2) and having the
resulting child do a PTRACE_TRACEME, followed (typically) by an exec(3).
Alternatively, the parent may commence trace of an existing process
using PTRACE_ATTACH.
For several pages more information do man ptrace.
When every process has its own private memory space that no external process has access to ...
That's false. External processes with the correct permissions and using the correct APIs can access other process' memory.
For linux debugging there is a system call ptrace which makes it possible to control another process on the system. Indeed, you need the rights to do that, which is typically given, if you are the owner of the process and you have not removed the permissions manually.
The os call ptrace itself enables access to memory, program counter, registers and nearly all other related things to read and write.
Please see man ptrace for details.
If you are interested how it works in a debugger, please have a look for the files in
gdb-x.x.x/gdb/linux-nat.c. There you can find the core stuff for accessing other processes to debug.
I need to scan another process' memory in Windows. The ReadProcessMemory function does it just fine but it copies each time memory from the target process to one of my buffers.. is there any way to access another process' memory without copying it to my process' memory every time? If there were I could use pointers to access the other process' memory
Debuggers use ReadProcessMemory, so if you're implementing something that functions like a debugger, that's the right way to do it.
If you're implementing something else, you're probably heading into the weeds and you should give us a higher-level view of the problem you're trying to solve.
I am thinking about a problem I have been having for some time now.. I would like to write a C/C++ program (under windows first) that can access(read/change values) the memory(stack, heap, everything) of other running programs. (Not like shared memory but any memory the computer has..) Without having to start the application from my own application..
I have seen something like this before but I just can't figure out how it's done.. If I were to access the memory of any running program I would get errors from the OS right?
Any help is appreciated!
As #sharptooth said, this requires support from the OS. Different OS does it differently. Since you are on Windows, there are a few steps you could follow:
Call OpenProcess, or CreateProcess to access, or launch a new process. In this call, you must request PROCESS_VM_READ access.
Call ReadProcessMemory to read a chunk of memory in that opened process.
If you want to change memory of another process, you then need PROCESS_VM_WRITE access and use WriteProcessMemory to achieve that.
In Linux, for example, you'd use ptrace to attach to a process and peek, poke its memory.
You can start a process (another program) from your own application, and access some of its information (especially shared memory). The contrary is very difficult, the CPU fakes the memory addresses so each process believes that it has the whole memory available...
You might be interested in taking a look at the Toolhelp32ReadProcessMemory function.
Greetings,
I have recently started to code in C++ and have come across a problem to which I was unable to find the answer, so I thought maybe somebody else might know the answer.
Is it possible to retrieve a variable value from another program if you know a variable address? Imagine that I have a memory address displayed in a program, something like: 0x7fff5fbff758 and I would like (in my own program which is not related to the first one) to get the value stored in that memory address.
Is that possible? If so, could somebody please explain me how.
Thank you in advance.
On today operating systems, the programs handle virtual addresses, not physical ones. Shortly, a specific address for one programs will not point to the same physical location for other programs.
To do what you want on modern operating systems, you can, for instance, set up a shared memory location.
But there is a lot of easier way to pass a value from one program to another.
If you are just wondering that out of curiosity, that's a good question, you can look at what "virtual memory" is.
C++ has no comment on this, one way or the other. It depends entirely on the platform on which your program is running. If you're using Windows, for example, you can use the ReadProcessMemory() function to read the memory of another process (assuming you have adequate permissions).
Note that modern operating systems are designed to protect processes from interfering with each other. One of the ways they do this is by giving each process its own address space. Processes can't access memory outside this space without using special APIs.
It is possible, but it is OS-specific (there is no common C support for it). In general, your second program needs to have the permission that debugger has, and use the same kind of OS calls that a debugger uses.
On most modern general-purpose OSes (Windows, Linux, etc), you cannot do that. Different programs run in different processes, and each process has its very own memory space. Address 0x7fff5fbff758 in one probably points to a very different place in RAM than address 0x7fff5fbff758 in another (if that address even exists in the other).
This is why modern OSes have interprocess communications mechanisims, like pipes, shared memory, COM, etc.
Edit: This obsolete, because the question has changed.
If you know the type of the variable, its possible.
For an int variable, you need to insert lines like
int* addr = (int*)0x7fff5fbff758;
std::cout << *addr << std::endl;
somewhere in the affected program.
Accessing the variable from a different program is generally not easily done in a modern operating system, each process has it's own address space so the same address in different processes may map to different physical memory location.
It depends on the OS, for example in linux you need to trace a process if you want to do it from a different process, see man ptrace. You can read the data in this case with PTRACE_PEEKDATA.