Windows: Read another process' memory directly - c++

I need to scan another process' memory in Windows. The ReadProcessMemory function does it just fine, but each time it copies memory from the target process to one of my buffers. Is there any way to access another process' memory without copying it to my process' memory every time? If there were, I could use pointers to access the other process' memory.

Debuggers use ReadProcessMemory, so if you're implementing something that functions like a debugger, that's the right way to do it.
If you're implementing something else, you're probably heading into the weeds and you should give us a higher-level view of the problem you're trying to solve.

Related

Win32 Finding all allocated memory

I would like to know if my assumption is correct. In my project I would like to know exactly what memory my process and child process allocated, so after some research I came across the Win32 API GetProcessHeaps(); the documentation tells me I can enumerate all heaps that the process has allocated and get its size. However, I ran into another question: where the stack would be located in each thread. I experimented with GetCurrentThreadStackLimits(), which returns a start address and an end address. But I was not able to read directly from this memory.
Maybe someone can direct me in the right way, or explain a bit about how to locate each chunk of memory that the process uses.
Basically a debugger somehow knows what parts of memory you have reserved and what parts of it you did not. Therefore, some parts of virtual memory you can read, and some parts you just can't, because you haven't reserved them and they are not mapped to physical memory.
The question is mostly about enumerating allocations, determining their location and size, and reading from them. Just like a debugger does.

Can I get access to memory outside of that used by the current application?

Is it possible to get access to memory that is located outside the current application? For example, I need to check how App2 is using its memory (check memory fragmentation). AFAIK every app has its own virtual memory, but I need to check memory that is located outside it.
Yes, that's how debuggers work, and you can allocate shared memory if the two programs will cooperate on it. You can also request access to the raw system memory through the kernel if your program is running with sufficient administrator powers and the system is configured for it.
On Windows, there is a function called ReadProcessMemory that will make a copy for you. On Linux, you can open /proc/[pid]/mem and access it through that. You can also look up tutorials on how to write a debugger and attach to a process that way.
However, I wouldn't attempt this yourself unless you're already experienced... It is so much harder than you realize to get anything useful. Instead, try using existing programs like debuggers and memory analyzers, or instrument your App2 to report on itself.

read memory of another process using address of variable

I want to read memory of process A but when the process A is disposed. I have run A, it displays address of some variable, I closed it.
I have run B where I input address of A's variable. It causes error "Access violation...".
I use Borland C++ builder and Windows 7.
Is there any way to watch ram when process is closed? Maybe some tools will help me. Could you give me names of tools to read memory by absolute address after memory deallocation?
Maybe it should be some sort of leak detectors?
I don't know about after it is closed, but while it is running, you can use ReadProcessMemory() with CreateRemoteThread.
On most systems, separate processes exist in completely separate virtual address spaces. The pointers you see in one process are completely meaningless in another.
Consequently, you have to explicitly share memory if you want to do this; I'm no Windows expert, but I believe that CreateSharedMemory() may be what you need.

Accessing Memory of other applications C++

I am thinking about a problem I have been having for some time now. I would like to write a C/C++ program (under Windows first) that can access (read/change values) the memory (stack, heap, everything) of other running programs. (Not like shared memory, but any memory the computer has.) Without having to start the application from my own application.
I have seen something like this before but I just can't figure out how it's done.. If I were to access the memory of any running program I would get errors from the OS right?
Any help is appreciated!
As @sharptooth said, this requires support from the OS. Different OSes do it differently. Since you are on Windows, there are a few steps you could follow:
Call OpenProcess or CreateProcess to access a process or launch a new one. In this call, you must request PROCESS_VM_READ access.
Call ReadProcessMemory to read a chunk of memory in that opened process.
If you want to change the memory of another process, you then need PROCESS_VM_WRITE access and use WriteProcessMemory to achieve that.
In Linux, for example, you'd use ptrace to attach to a process and peek and poke its memory.
You can start a process (another program) from your own application, and access some of its information (especially shared memory). The contrary is very difficult, the CPU fakes the memory addresses so each process believes that it has the whole memory available...
You might be interested in taking a look at the Toolhelp32ReadProcessMemory function.

How can I scan another process memory to find what follows a specific string?

I want to scan the entire heap of a currently running native application through another process.
For example, I want to know what follows all the instances of the ASCII sequence "test" in this process memory (in this case I would scan for "test" and keep reading after it).
I tried to google for more information but didn't find much: I found ReadProcessMemory which looked interesting, but how can I know the memory addresses a process has allocated?
Try VirtualQueryEx.
If you're finding that you're accessing a lot of memory in the other process, consider using CreateRemoteThread (sample code). This will allow you to inject your own DLL into the other process and run code there directly. Once you're running code in the other process, you'll be able to access memory as normal, without needing to use ReadProcessMemory. (You'll still need VirtualQuery to determine the process's memory layout.)
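
The "what follows a pattern" scan asked about above, shown on Linux through the /proc/[pid]/mem route an earlier answer on this page mentions, with /proc/[pid]/maps filling the region-enumeration role that VirtualQueryEx fills on Windows. This is an added example, not code from any of the posts; `Region`, `readable_regions`, `bytes_after` and the 64 MiB `kMaxRegion` limit are names and values chosen for the example. Opening another process's mem file is subject to the kernel's ptrace access check, so it normally works only for your own processes or with elevated privileges.

```cpp
// Added example (Linux): list a process's readable regions from /proc/<pid>/maps,
// then read them through /proc/<pid>/mem and collect what follows a byte pattern.
#include <fcntl.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>
#include <vector>

struct Region { unsigned long start, end; };

// Regions whose permission field starts with 'r'; unmapped gaps never appear in maps.
std::vector<Region> readable_regions(pid_t pid) {
    std::vector<Region> out;
    std::ifstream maps("/proc/" + std::to_string(pid) + "/maps");
    for (std::string line; std::getline(maps, line);) {
        unsigned long s, e;
        char perms[5] = {0};
        if (std::sscanf(line.c_str(), "%lx-%lx %4s", &s, &e, perms) == 3 && perms[0] == 'r')
            out.push_back({s, e});
    }
    return out;
}

// Up to `tail` bytes after each occurrence of `needle`. Regions above kMaxRegion are
// skipped (example limit) and matches spanning two regions are not reported.
std::vector<std::string> bytes_after(pid_t pid, const std::string& needle, size_t tail) {
    const size_t kMaxRegion = 64u << 20;
    std::vector<std::string> hits;
    int fd = open(("/proc/" + std::to_string(pid) + "/mem").c_str(), O_RDONLY);
    if (fd < 0 || needle.empty()) { if (fd >= 0) close(fd); return hits; }
    for (const Region& r : readable_regions(pid)) {
        if (r.end - r.start > kMaxRegion) continue;
        std::string buf(r.end - r.start, '\0');
        ssize_t got = pread(fd, &buf[0], buf.size(), static_cast<off_t>(r.start));
        if (got <= 0) continue;  // listed in maps but not readable this way, e.g. [vvar]
        buf.resize(static_cast<size_t>(got));
        for (size_t p = buf.find(needle); p != std::string::npos; p = buf.find(needle, p + 1))
            hits.push_back(buf.substr(p + needle.size(), tail));
    }
    close(fd);
    return hits;
}

int main(int argc, char** argv) {
    if (argc != 3) { std::fprintf(stderr, "usage: %s <pid> <pattern>\n", argv[0]); return 2; }
    for (const std::string& h : bytes_after(std::atoi(argv[1]), argv[2], 16)) {
        for (unsigned char c : h) std::printf("%02x", c);  // hex dump of the trailing bytes
        std::puts("");
    }
    return 0;
}
```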