Post
Ask Question
Alan Joyce

Alan Joyce

  • NA
  • 3
  • 0

Reading Process Memory

May 26 2009 7:20 AM

I'm trying to read the memory about a process, this is what i have so far. It takes a snapshot of all the processes running and tries to get and return the memory about a certain one. The ReadProcessMemory function doesn't seem to work however, when i try to debug it, it just exits when it gets to the function. Does anyone have any tips on what needs to be done here?

using System;

using System.Runtime.Remoting;

using System.Runtime.Remoting.Channels;

using System.Runtime.Remoting.Lifetime;

using System.Security.Principal;

using System.Diagnostics;

using System.Xml;

using System.Collections;

using System.Runtime.InteropServices;

using System.Text;

using System.Net;

using System.Timers;

using System.Threading;

using System.Data;

using System.Collections.Specialized;

using Microsoft.Win32;

 

namespace ProcT

{

class Program

{

[StructLayout(LayoutKind.Sequential)]

public struct ProcessEntry32

{

public uint dwSize;

public uint cntUsage;

public uint th32ProcessID;

public IntPtr th32DefaultHeapID;

public uint th32ModuleID;

public uint cntThreads;

public uint th32ParentProcessID;

public int pcPriClassBase;

public uint dwFlags;

[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)]

public string szExeFile;

};

[StructLayout(LayoutKind.Sequential)]

public struct SYSTEM_INFO

{

public uint dwOemId;

public uint dwPageSize;

public uint lpMinimumApplicationAddress;

public uint lpMaximumApplicationAddress;

public uint dwActiveProcessorMask;

public uint dwNumberOfProcessors;

public uint dwProcessorType;

public uint dwAllocationGranularity;

public uint dwProcessorLevel;

public uint dwProcessorRevision;

};

[StructLayout(LayoutKind.Sequential)]

struct MEMORY_BASIC_INFORMATION

{

public IntPtr BaseAddress;

public IntPtr AllocationBase;

public UInt32 AllocationProtect;

public UInt32 RegionSize;

public UInt32 State;

public UInt32 Protect;

public UInt32 lType;

};

#region DLL Imports

[DllImport("KERNEL32.DLL")]

public static extern int CreateToolhelp32Snapshot(uint flags, uint processid);

[DllImport("KERNEL32.DLL")]

public static extern int CloseHandle(int handle);

[DllImport("KERNEL32.DLL")]

public static extern int Process32First(int handle, ref ProcessEntry32 pe);

[DllImport("KERNEL32.DLL")]

public static extern int Process32Next(int handle, ref ProcessEntry32 pe);

[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]

public static extern int OpenProcess(int access, bool inherit, uint processId);

[DllImport("kernel32.dll", SetLastError = true)]

internal static extern void GetSystemInfo(ref SYSTEM_INFO SysInfo);

[DllImport("kernel32.dll")]

static extern uint VirtualQueryEx(int hProcess, int lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, int dwLength);

[DllImport("Kernel32.dll")]

public static extern bool ReadProcessMemory(int hProcess, IntPtr lpBaseAddress, out byte[] lpBuffer, UInt32 nSize, ref UInt32 lpNumberOfBytesRead);

#endregion

int hProcessSnap;

public static readonly int PROCESS_VM_READ = 0x0010;

public static readonly int PROCESS_VM_OPERATION = 0x0008;

public static readonly int PROCESS_QUERY_INFORMATION = 0x0400;

public static readonly uint TH32CS_SNAPPROCESS = 0x00000002;

static void Main(string[] args)

{

Program p = new Program();

StringBuilder envVars = new StringBuilder(8192 * 2);

p.Start(envVars);

}

public void Start(StringBuilder envVars)

{

int res;

Process[] allServers = Process.GetProcessesByName("WIN32HH");

foreach (Process serveProc in allServers)

{

res = MQGetEnvironmentVariables(serveProc.Id, envVars);

}

}

public int MQGetEnvironmentVariables(int pid, StringBuilder envVars)

{

ProcessEntry32 pe32 = new ProcessEntry32();

int hProcess;

StringBuilder sb = new StringBuilder(" ", 256);

pe32.szExeFile = sb.ToString();

// Fill in the size of the structure before using it.

pe32.dwSize = 548;

SnapProcess();

if (hProcessSnap == 0)

return -9;

int check = Process32First(hProcessSnap, ref pe32);

if (check == 0)

{

CloseHandle(hProcessSnap);

return -8;

}

while (check == 1)

{

if (pe32.th32ProcessID == pid)

{

CloseHandle(hProcessSnap);

hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION, false, pe32.th32ProcessID);

if (hProcess != 0)

{

GetEnvironment(hProcess, envVars);

return 0;

}

}

check = Process32Next(hProcessSnap, ref pe32);

}

CloseHandle(hProcessSnap);

return 0;

}

public int SnapProcess()

{

if (hProcessSnap != 0)

CloseHandle(hProcessSnap);

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

if (hProcessSnap == 0)

return -9;

else

return 0;

}

public void GetEnvironment(int hProcess, StringBuilder envVars)

{

SYSTEM_INFO sysInfo = new SYSTEM_INFO();

MEMORY_BASIC_INFORMATION mbi = new MEMORY_BASIC_INFORMATION();

GetSystemInfo(ref sysInfo);

byte[] bBuffer = new byte[sysInfo.dwPageSize * 2];

UInt32 lpNumberOfBytesRead = 0;

byte bPos;

if (sysInfo.dwPageSize != 0)

{

if (VirtualQueryEx(hProcess, 0x00010000, out mbi, Marshal.SizeOf(mbi)) != 0)

{

if (ReadProcessMemory(hProcess, mbi.BaseAddress, out bBuffer, sysInfo.dwPageSize, ref lpNumberOfBytesRead))

{

//bPos = bBuffer + (0x00010000 - mbi.BaseAddress);

}

}

}

}

}

}