From: Your Name on 23 Jul 2008 06:12

Hi,

I'd like to access another Win32 process's memory. I don't want to do this in the "nice" way, which involves using OpenProcess() and ReadProcessMemory(), because the target process might deny access. I want to just directly read (and write) memory.

I understand that this is generally considered malicious behavior.

Would this require writing a kernel-mode driver? I'd like to avoid this unless it's the only way.

Thanks.

From: none on 24 Jul 2008 11:43

Your Name <none(a)none.none> wrote:

> I'd like to access another Win32 process's memory. I don't want to do
> this in the "nice" way, which involves using OpenProcess() and
> ReadProcessMemory(), because the target process might deny access. I
> want to just directly read (and write) memory.
>
> I understand that this is generally considered malicious behavior.
>
> Would this require writing a kernel-mode driver? I'd like to avoid
> this unless it's the only way.

I'll assume the lack of responses means two things...

1) Yes, this is considered malicious behavior, and
2) Yes, a kernel-mode driver is the only way.

Not that it really matters, but I have no malicious intentions. Just good old fashioned reverse engineering. I guess it's a matter of opinion whether that's malicious or not.

From: Alex on 24 Jul 2008 15:51

Your Name wrote:

> Hi,
>
> I'd like to access another Win32 process's memory. I don't want to do this
> in the "nice" way, which involves using OpenProcess() and ReadProcessMemory(),
> because the target process might deny access. I want to just directly
> read (and write) memory.

ReadProcessMemory() is the usual method.
You can adjust Debug privilege if needed.

From: none on 24 Jul 2008 23:21

Alex <alex(a)np.com> wrote:

>> I'd like to access another Win32 process's memory. I don't want to
>> do this in the "nice" way, which involves using OpenProcess() and
>> ReadProcessMemory(), because the target process might deny access.
>> I want to just directly read (and write) memory.
>
> ReadProcessMemory() is the usual method.
> You can adjust Debug privilege if needed.

Really? How? I don't see anything in the documentation other than the "dwDesiredAccess" flags in the OpenProcess() function. That lets you specify that you want read and/or write access to the memory, but in testing I found that most running processes refuse to grant this access. Is there a separate call to adjust the "debug privilege?"

Thanks.

From: none on 24 Jul 2008 23:51

none <none(a)none.none> wrote:

> Alex <alex(a)np.com> wrote:
>
>>> I'd like to access another Win32 process's memory. I don't want to
>>> do this in the "nice" way, which involves using OpenProcess() and
>>> ReadProcessMemory(), because the target process might deny access.
>>> I want to just directly read (and write) memory.
>>
>> ReadProcessMemory() is the usual method.
>> You can adjust Debug privilege if needed.
>
> Really? How? I don't see anything in the documentation other than
> the "dwDesiredAccess" flags in the OpenProcess() function. That lets
> you specify that you want read and/or write access to the memory, but
> in testing I found that most running processes refuse to grant this
> access. Is there a separate call to adjust the "debug privilege?"

Scratch that... I just found "AdjustTokenPrivileges()" and it seems to work well. Very cool. I am happy about not having to write a kernel-mode driver.

My only concern now is that the target process might have some way of detecting that I am reading its memory.

Thanks.
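
On the detection question raised at the end of the thread, seen from the monitoring side: the "dwDesiredAccess" mask passed to OpenProcess() is recorded by process-access telemetry, so a handle opened with memory read or write rights can be flagged. This is an added example, not part of the original thread; it assumes records carrying the SourceImage, TargetImage and GrantedAccess fields of a Sysmon process-access event (Event ID 10), and the sample events, paths and allowlist are constructed.

```python
# Added example: decode OpenProcess() access masks and flag handles that
# carry memory read/write rights. Values are the documented PROCESS_*
# access-right constants from winnt.h.
PROCESS_RIGHTS = {
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
MEMORY_RIGHTS = 0x0010 | 0x0020  # rights needed by Read/WriteProcessMemory

# Hypothetical allowlist: tools expected to open other processes' memory.
ALLOWED_SOURCES = {r"c:\tools\debugger.exe"}

# Constructed sample records (field names follow Sysmon Event ID 10).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\dev\reader.exe",
     "TargetImage": r"C:\Program Files\App\app.exe", "GrantedAccess": "0x0410"},
    {"SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Program Files\App\app.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Tools\debugger.exe",
     "TargetImage": r"C:\Program Files\App\app.exe", "GrantedAccess": "0x1F0FFF"},
    {"SourceImage": r"C:\Users\dev\patcher.exe",
     "TargetImage": r"C:\Program Files\App\app.exe", "GrantedAccess": "0x0038"},
]

def decode_access(mask):
    """Return the names of the known PROCESS_* rights set in an access mask."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def flag_memory_access(events, allowed=ALLOWED_SOURCES):
    """Return (source, target, rights) for handles granting VM read/write
    to a source image that is not on the allowlist."""
    hits = []
    for ev in events:
        mask = int(ev["GrantedAccess"], 16)
        if mask & MEMORY_RIGHTS and ev["SourceImage"].lower() not in allowed:
            hits.append((ev["SourceImage"], ev["TargetImage"], decode_access(mask)))
    return hits

if __name__ == "__main__":
    for source, target, rights in flag_memory_access(SAMPLE_EVENTS):
        print(f"{source} -> {target}: {', '.join(rights)}")
```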