Tuts 4 You

Reading tons of memory?


high6


I need to dump a process's structure and its references.

An example is I have an array like

    struct SomeStruct
    {
        char * PtrToSomething;
        int a_num;
    };

Now, luckily, it is very simple and they are all aligned in 1 block, but sadly PtrToSomething is a pointer to a completely different location in memory.

I was wondering how I should handle dumping the structure (using ReadProcessMemory),

because there are 1000-10000 of these sometimes.

I was thinking of reading all the structures and then pairing the ptrs together and reading blocks; that way I read more than 1 PtrToSomething at a time. Then read the bytes from the blocks, etc. etc.

Thoughts?

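One way to implement the batching idea in the post above (sort the PtrToSomething values, merge neighbouring ones into single ReadProcessMemory ranges, then check each range against the region map before reading it), written here as an added example; it is not code from the thread. Region, ReadRange, coalesce_targets, range_is_readable and walk_regions are this example's own names, and the memory map and pointer values in main() are constructed. Only walk_regions() needs Windows (it fills the region list from VirtualQueryEx); the merging and readability checks are plain C so they can be exercised anywhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Region, ReadRange and the functions below are this example's own names,
   not Win32 API.  A Region is one entry as VirtualQueryEx reports it. */
typedef struct {
    uintptr_t base; size_t size;
    int readable;   /* MEM_COMMIT and neither PAGE_NOACCESS nor PAGE_GUARD */
} Region;

typedef struct { uintptr_t start; size_t len; } ReadRange;  /* one ReadProcessMemory call */

static int cmp_uptr(const void *a, const void *b)
{
    uintptr_t x = *(const uintptr_t *)a, y = *(const uintptr_t *)b;
    return (x > y) - (x < y);
}

/* Sort the PtrToSomething values and merge any that lie within max_gap bytes
   of each other into one range, so thousands of pointers become a few reads.
   Each pointer is assumed to reference item_len bytes.  Sorts targets in
   place; returns the number of ranges written to out (at most ntargets). */
size_t coalesce_targets(uintptr_t *targets, size_t ntargets, size_t item_len,
                        size_t max_gap, ReadRange *out)
{
    if (ntargets == 0)
        return 0;
    qsort(targets, ntargets, sizeof *targets, cmp_uptr);
    out[0].start = targets[0];
    out[0].len   = item_len;
    size_t n = 1;
    for (size_t i = 1; i < ntargets; i++) {
        uintptr_t cur_end = out[n - 1].start + out[n - 1].len;
        if (targets[i] <= cur_end + max_gap) {          /* extend current range */
            uintptr_t new_end = targets[i] + item_len;
            if (new_end > cur_end)
                out[n - 1].len = new_end - out[n - 1].start;
        } else {                                        /* start a new range */
            out[n].start = targets[i];
            out[n].len   = item_len;
            n++;
        }
    }
    return n;
}

/* Every byte of r must be backed by a readable region: a merged range can
   straddle into an unreadable neighbour, and ReadProcessMemory then fails the
   whole call instead of returning the readable prefix. */
int range_is_readable(const Region *regions, size_t nregions, ReadRange r)
{
    uintptr_t pos = r.start, end = r.start + r.len;
    while (pos < end) {
        size_t i;
        for (i = 0; i < nregions; i++)
            if (pos >= regions[i].base && pos < regions[i].base + regions[i].size)
                break;
        if (i == nregions || !regions[i].readable)
            return 0;
        pos = regions[i].base + regions[i].size;
    }
    return 1;
}

#ifdef _WIN32
#include <windows.h>
/* Fill regions[] with VirtualQueryEx.  Advance from BaseAddress + RegionSize,
   not from the queried address, so a query landing mid-region skips nothing. */
size_t walk_regions(HANDLE hProcess, Region *regions, size_t max)
{
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t addr = 0x10000;
    size_t n = 0;
    while (n < max && VirtualQueryEx(hProcess, (LPCVOID)addr, &mbi, sizeof mbi) == sizeof mbi) {
        regions[n].base     = (uintptr_t)mbi.BaseAddress;
        regions[n].size     = mbi.RegionSize;
        regions[n].readable = mbi.State == MEM_COMMIT &&
                              !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD));
        n++;
        addr = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
    }
    return n;
}
#endif

int main(void)
{
    /* Constructed map and pointer values; not taken from any real process. */
    Region regs[] = { {0x10000, 0x1000, 1}, {0x11000, 0x1000, 1},
                      {0x12000, 0x1000, 0}, {0x20000, 0x1000, 1} };
    uintptr_t ptrs[] = { 0x20010, 0x10004, 0x10100, 0x11ff0, 0x12008 };
    ReadRange ranges[5];
    size_t n = coalesce_targets(ptrs, 5, 16, 256, ranges);
    for (size_t i = 0; i < n; i++)
        printf("read %#lx +%zu: %s\n", (unsigned long)ranges[i].start, ranges[i].len,
               range_is_readable(regs, 4, ranges[i]) ? "ok" : "skip, unreadable");
    return 0;
}
```

The readability check is the part most easily forgotten: in the constructed map the pointers at 0x11ff0 and 0x12008 merge into one range that crosses from a readable region into a PAGE_NOACCESS one, and a single ReadProcessMemory over that range fails outright. Such a range has to be split at the region boundary or skipped, otherwise one bad pointer costs you the data of its neighbours as well. max_gap is a tuning knob: a larger gap means fewer calls but more bytes copied that you do not need.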
I was thinking of reading all the structures and then pairing the ptrs together and reading blocks that way

This kind of processing would be similar to that used in a progress bar dialog when reading a huge block of data. I don't see any problems with it. You can obviously dump each block read with the append option in CreateFile:

    HANDLE hFile = CreateFileA(savebuffer,                          // path of the dump file
                               FILE_APPEND_DATA,                    // append-only write access
                               FILE_SHARE_READ | FILE_SHARE_WRITE,  // share mode
                               NULL,                                // default security
                               OPEN_ALWAYS,                         // open existing, or create if missing
                               FILE_ATTRIBUTE_NORMAL,               // normal file
                               NULL);                               // no template file

cheers

GamingMasteR

Hi

If there are many of these structures then reading them 1 by 1 will be a slow process ... you can grab the readable/writable pages from that process, then search inside them.

Use VirtualQueryEx to get every page's size/attributes from 0x10000->0x7FFFFFFF, and depending on the page type you can determine whether to search inside it or not.

Hi

If there are many of these structures then reading them 1 by 1 will be a slow process ... you can grab the readable/writable pages from that process, then search inside them.

Use VirtualQueryEx to get every page's size/attributes from 0x10000->0x7FFFFFFF, and depending on the page type you can determine whether to search inside it or not.

That's what I was thinking XD.

Can you give a C++ example on VirtualQueryEx though? Never used it before.

GamingMasteR

I hope this helps :

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main()
    {
        HANDLE hProcess = GetCurrentProcess();
        DWORD_PTR Address = 0x10000;            // lowest user-mode address worth querying
        MEMORY_BASIC_INFORMATION mbi;
        if (!VirtualQueryEx(hProcess, (PVOID)Address, &mbi, sizeof(mbi)))
            return 1;                           // nothing to walk; mbi would be uninitialised
        do
        {
            if (mbi.State != MEM_FREE)
            {
                // any of the writable protections
                DWORD page_attr = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
                if (mbi.Protect & page_attr)
                {
                    // do something here ...
                    printf("ADDRESS -> 0x%p \n", mbi.BaseAddress);
                }
            }
            // step from the region base, not the queried address, so no region is skipped
            Address = (DWORD_PTR)mbi.BaseAddress + mbi.RegionSize;
        } while (VirtualQueryEx(hProcess, (PVOID)Address, &mbi, sizeof(mbi)));
        system("PAUSE");
        return 0;
    }
I hope this helps :

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main()
    {
        HANDLE hProcess = GetCurrentProcess();
        DWORD_PTR Address = 0x10000;            // lowest user-mode address worth querying
        MEMORY_BASIC_INFORMATION mbi;
        if (!VirtualQueryEx(hProcess, (PVOID)Address, &mbi, sizeof(mbi)))
            return 1;                           // nothing to walk; mbi would be uninitialised
        do
        {
            if (mbi.State != MEM_FREE)
            {
                // any of the writable protections
                DWORD page_attr = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
                if (mbi.Protect & page_attr)
                {
                    // do something here ...
                    printf("ADDRESS -> 0x%p \n", mbi.BaseAddress);
                }
            }
            // step from the region base, not the queried address, so no region is skipped
            Address = (DWORD_PTR)mbi.BaseAddress + mbi.RegionSize;
        } while (VirtualQueryEx(hProcess, (PVOID)Address, &mbi, sizeof(mbi)));
        system("PAUSE");
        return 0;
    }

Thanks. Also, how much memory read with ReadProcessMemory would be too much? And should I use malloc/new/VirtualAlloc to make space for the read memory?

GamingMasteR
how much memory read with ReadProcessMemory would be too much?

It's OK since you are reading valid memory pages ... use mbi.RegionSize for the actual size.

And should I use malloc/new/virtualalloc to make space for the read memory?

When you walk through memory pages you should allocate a buffer to copy each block into ... use VirtualAlloc for large buffers.

DO NOT save the whole victim process memory in your own process memory if you are dealing with "TONS OF MEMORY" ... use external file for this .

Allocate buffer -> copy memory to buffer -> append buffer to file -> free buffer -> allocate buffer -> copy memory ...

This can be optimized too by allocating a large buffer the first time and using it always, except when the memory size read is bigger ... this will save the time of allocating and freeing buffers every time.

Edited by Sadistic-X
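The allocate -> copy -> append -> free loop described above, with the suggested optimisation of keeping one buffer and only growing it when a block is larger than anything read so far, written out as an added example; it is not code from the thread. Block, read_fn, dump_blocks, FakeProcess, fake_read, rpm_read and demo_dump are this example's own names. The reader is abstracted behind a callback so the same dump loop runs against a constructed in-memory "process" (a byte array) anywhere, and against ReadProcessMemory through the rpm_read wrapper on Windows; it uses malloc/realloc rather than VirtualAlloc for the same portability reason.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Reader in the shape of ReadProcessMemory: copy len bytes at addr from the
   target into buf and return 1, or return 0 on failure.  read_fn, Block,
   dump_blocks and FakeProcess are this example's own (hypothetical) names. */
typedef int (*read_fn)(void *ctx, uintptr_t addr, void *buf, size_t len);

typedef struct { uintptr_t base; size_t size; } Block;

/* Append every block to out as a (base, size) header followed by its bytes,
   reusing one buffer that only grows when a block exceeds what was already
   allocated.  Returns total bytes written, or (size_t)-1 on failure. */
size_t dump_blocks(const Block *blocks, size_t n, read_fn rd, void *ctx, FILE *out)
{
    unsigned char *buf = NULL;
    size_t cap = 0, total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t sz = blocks[i].size;
        if (sz > cap) {                             /* grow only when needed */
            unsigned char *nb = realloc(buf, sz);
            if (!nb) { free(buf); return (size_t)-1; }
            buf = nb;
            cap = sz;
        }
        if (!rd(ctx, blocks[i].base, buf, sz) ||
            fwrite(&blocks[i], sizeof blocks[i], 1, out) != 1 ||
            fwrite(buf, 1, sz, out) != sz) {
            free(buf);
            return (size_t)-1;
        }
        total += sizeof blocks[i] + sz;
    }
    free(buf);                                      /* freed once, not per block */
    return total;
}

/* Constructed stand-in for the target process: a byte array that pretends to
   live at base.  Reads outside it fail, as ReadProcessMemory would. */
typedef struct { uintptr_t base; unsigned char *mem; size_t size; } FakeProcess;

int fake_read(void *ctx, uintptr_t addr, void *buf, size_t len)
{
    FakeProcess *p = ctx;
    if (addr < p->base || len > p->size || addr - p->base > p->size - len)
        return 0;
    memcpy(buf, p->mem + (addr - p->base), len);
    return 1;
}

#ifdef _WIN32
#include <windows.h>
/* Real reader: ctx is a process HANDLE opened with PROCESS_VM_READ access. */
int rpm_read(void *ctx, uintptr_t addr, void *buf, size_t len)
{
    SIZE_T got = 0;
    return ReadProcessMemory((HANDLE)ctx, (LPCVOID)addr, buf, len, &got) && got == len;
}
#endif

/* Dump three constructed blocks from the fake process; returns bytes written. */
size_t demo_dump(FILE *out)
{
    static unsigned char mem[0x3000];
    for (size_t i = 0; i < sizeof mem; i++)
        mem[i] = (unsigned char)i;                  /* recognisable pattern */
    FakeProcess p = { 0x10000, mem, sizeof mem };
    Block blocks[] = { {0x10000, 0x1000}, {0x11000, 0x2000}, {0x12345, 0x800} };
    return dump_blocks(blocks, 3, fake_read, &p, out);
}

int main(void)
{
    FILE *f = fopen("dump.bin", "wb");              /* output name chosen for the demo */
    if (!f)
        return 1;
    size_t written = demo_dump(f);
    fclose(f);
    printf("wrote %zu bytes\n", written);
    return written == (size_t)-1;
}
```

The (base, size) header in front of each block is what makes the dump usable afterwards: without it you cannot map a byte in the file back to the address it came from in the target. The buffer peaks at the size of the largest single block rather than the sum of all of them, which is the point of the "external file, not your own process memory" advice above, and on Windows a RegionSize-sized block is exactly what each VirtualQueryEx entry hands you.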

Thanks for all the help.

Also what I was planning on doing is this.

Loop through all the pages, checking if any address is in that page; if so, read the page into my program with VirtualAlloc/ReadProcessMemory. Then copy all the values I need from it, VirtualFree the memory and continue.
