How to read the memory data of a process.

/*
I do not have a thorough understanding of the two key functions, ReadProcessMemory and VirtualQueryEx, so there may be small problems, but the overall flow should be as shown; I hope it helps you. Also, many places have no error checking, so there is no guarantee it will work in your environment.
Experts, please advise.
*/
#include <fstream>
#include <iostream>
#include <string>
#include <vector>
#include <windows.h>
#include <tlhelp32.h>
using namespace std;

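/// Dumps every committed page of the process whose image name is typed on
/// stdin into "dump.txt" (raw page bytes, one after another, no headers).
///
/// Flow: enable SeDebugPrivilege (best effort) -> find the PID by image name
/// via a Toolhelp snapshot -> open the process with read-only rights ->
/// walk the user address range page by page with VirtualQueryEx and copy each
/// MEM_COMMIT page with ReadProcessMemory.
///
/// Returns 0 on success, 1 when input/snapshot/output fails or the process is
/// not found, 2 when the target cannot be opened.
int main()
{
    // Small RAII wrapper so every early return below still closes the HANDLE.
    struct HandleGuard
    {
        HANDLE h;
        ~HandleGuard()
        {
            if (h != NULL && h != INVALID_HANDLE_VALUE)
                CloseHandle(h);
        }
    };

    // std::string instead of a fixed char[1024]: no overflow on long input.
    std::string app;
    cout << "Please input image (including.Exe) \n: ctfmon.exe\n:";
    cin >> app;
    if (app.empty())
    {
        cout << "No image name given!\n";
        return 1;
    }

    fstream fp("dump.txt", ios::binary | ios::out);
    if (!fp)
    {
        cout << "Cannot open dump.txt for writing!\n";
        return 1;
    }

    // Best-effort SeDebugPrivilege: needed for processes owned by other users
    // or protected ones; failure is only reported, the dump is still attempted.
    HANDLE tokenRaw = NULL;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tokenRaw))
    {
        HandleGuard htoken{tokenRaw};
        TOKEN_PRIVILEGES tkp{};
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid))
        {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            // AdjustTokenPrivileges returns TRUE even when the privilege was
            // not assigned; GetLastError() is the only way to tell.
            AdjustTokenPrivileges(htoken.h, FALSE, &tkp, 0, NULL, NULL);
            if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
                cout << "Warning: SeDebugPrivilege not granted (not elevated?)\n";
        }
        else
        {
            cout << "Warning: LookupPrivilegeValue failed, error " << GetLastError() << "\n";
        }
    }
    else
    {
        cout << "Warning: OpenProcessToken failed, error " << GetLastError() << "\n";
    }

    // Locate the PID by image name.
    PROCESSENTRY32 pe32{};
    pe32.dwSize = sizeof(pe32);
    HANDLE snapRaw = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapRaw == INVALID_HANDLE_VALUE)
    {
        cout << "Snapshot failed!" << endl;
        return 1; // the original fell through and walked an invalid handle
    }
    bool found = false;
    {
        HandleGuard hprosnap{snapRaw};
        if (Process32First(hprosnap.h, &pe32))
        {
            do
            {
                // lstrcmpiA is the Win32 case-insensitive compare; strcasecmp
                // is POSIX and not available on every Windows toolchain.
                if (lstrcmpiA(app.c_str(), pe32.szExeFile) == 0)
                {
                    cout << "Program is dumping..." << endl;
                    found = true;
                    break;
                }
            } while (Process32Next(hprosnap.h, &pe32));
        }
    }
    if (!found)
    {
        cout << "Process not found!\n";
        system("pause");
        return 1;
    }

    SYSTEM_INFO si{};
    GetSystemInfo(&si);

    // Least privilege: VirtualQueryEx needs QUERY_INFORMATION and
    // ReadProcessMemory needs VM_READ; PROCESS_ALL_ACCESS is not required.
    HANDLE targetRaw = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
    if (targetRaw == NULL)
    {
        cout << "Open Process Error!\n";
        cout << "GetLastError() = " << GetLastError() << "\n";
        return 2;
    }
    HandleGuard htarget{targetRaw};

    const SIZE_T pageSize = si.dwPageSize;
    std::vector<char> onepagebuf(pageSize); // freed automatically on every exit path
    MEMORY_BASIC_INFORMATION mbi{};
    // ULONG_PTR, not DWORD: a DWORD cast truncates pointers on 64-bit builds.
    const ULONG_PTR minAddr = reinterpret_cast<ULONG_PTR>(si.lpMinimumApplicationAddress);
    const ULONG_PTR maxAddr = reinterpret_cast<ULONG_PTR>(si.lpMaximumApplicationAddress);
    unsigned long long pagesWritten = 0;
    unsigned long long pagesSkipped = 0;

    for (ULONG_PTR start = minAddr; start < maxAddr - pageSize; start += pageSize)
    {
        // The original wrote `!VirtualQueryEx(...) == sizeof(mbi)`, which
        // compares a bool with sizeof and never breaks; compare the return
        // value itself (0 on failure).
        if (VirtualQueryEx(htarget.h, reinterpret_cast<LPCVOID>(start), &mbi, sizeof(mbi)) != sizeof(mbi))
            break;
        if (mbi.State != MEM_COMMIT)
            continue;

        // Only write the bytes actually copied; on failure the buffer would
        // otherwise still hold the previous page's contents.
        SIZE_T got = 0;
        if (!ReadProcessMemory(htarget.h, reinterpret_cast<LPCVOID>(start), onepagebuf.data(), pageSize, &got) || got == 0)
        {
            ++pagesSkipped;
            continue;
        }
        fp.write(onepagebuf.data(), static_cast<std::streamsize>(got));
        ++pagesWritten;
    }

    cout << "done\n";
    cout << pagesWritten << " page(s) written, " << pagesSkipped << " committed page(s) could not be read\n";
    fp.close();
    system("pause");
    return 0;
}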

A very practical program; I look forward to your evaluation!

Started by Edgar at December 08, 2016 - 10:21 AM

ReadProcessMemory can read

Posted by Opera at December 17, 2016 - 10:22 AM

See the example in MSDN98: walker or pwalk. It gives a complete list of the specified process's memory usage and shows the process address space: which DLLs are loaded, and where the code, data and stack segments are located. It can be used to detect memory leaks and monitor memory usage.

Posted by Norton at December 29, 2016 - 11:12 AM

Thank you very much! It has been resolved.

Posted by Edgar at January 04, 2017 - 12:49 PM

ReadProcessMemory,

Posted by Allison at January 11, 2017 - 11:56 AM