
How to read each byte within another process's memory?


How do we read each byte within a process's memory? After we are done reading, how do we make a "hex" dump of the process?

For example:

Process A.exe:

00400000: 00 00
00400002: 74 05
...

Scanning:

00 74 05 ...

Dumping A.exe to A.txt:

00 74 05

My compiler is Visual C++ 2010 and I am planning on writing a Win32 application, which will be using this function. The OS that I will be working on is Windows 8. However, my application should work for Windows 8 and at least Windows XP.

So far, this is what I've got...

#include <windows.h>

void ScanForBytes( const char* TargetName, DWORD dwFromAddress, DWORD dwToAddress ) {
    HANDLE hProc; // I guess we will be needing the handle to the process.
    // And this is where I stopped and asked for help...
}

int main() {
    ScanForBytes( "Chrome.exe", 0x00400000, 0x00400001 );
    return 0;
}

Solution

  • The function you're looking for is ReadProcessMemory. You can find the documentation for that function here on MSDN.

    This function copies the data in the specified address range of a particular process into the specified buffer. You will need to ensure that your application is running with the appropriate privileges to do this. Generally, that is debug privileges—only debuggers need to read and/or modify the private memory of other processes. The function will fail if you do not have the required privileges across the entire specified memory block. You'll find more information about access privileges here on MSDN. If you are not already familiar with the security model at work here, I recommend reading the document carefully.

    Naturally, your process will also need to match the bitness of the process whose memory you wish to read. In other words, if you want to read the memory from a Chrome process, Chrome is compiled as a 32-bit application, so your application will need to be one as well. You will need to re-compile as a 64-bit application if you want to dump the memory from another 64-bit application. That's tripped up a number of the commenters on the MSDN page.

    It goes without saying that you need to check all of the return values and handle errors appropriately. This kind of thing should be expected to fail under common conditions.

    Once ReadProcessMemory returns successfully, the array you specified will contain the requested data. From there, it's a simple matter of doing whatever you wish with it, like writing it into a text file.
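
The approach described in the answer, as an added example that is not part of the original question or answer: it reads an address range with ReadProcessMemory in chunks, checks every return value, and prints rows in the question's `00400000: 00 00` format. The names `HexDump` and `ReadRange`, the 4 KiB chunk size, and identifying the target by PID on the command line are assumptions of this example, and it needs a C++11 compiler (newer than the Visual C++ 2010 mentioned in the question).

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>
// Portable part: format bytes as "ADDRESS: XX XX ..." rows (perLine must be > 0).
std::string HexDump(std::uintptr_t base, const std::vector<unsigned char>& data,
                    std::size_t perLine = 16) {
    std::string out;
    char buf[32];
    for (std::size_t i = 0; i < data.size(); ++i) {
        if (i % perLine == 0) {  // new row, labelled with the address of its first byte
            std::snprintf(buf, sizeof buf, "%s%08llX:", i ? "\n" : "",
                          static_cast<unsigned long long>(base + i));
            out += buf;
        }
        std::snprintf(buf, sizeof buf, " %02X", static_cast<unsigned>(data[i]));
        out += buf;
    }
    return out.empty() ? out : out + "\n";
}

#ifdef _WIN32
#include <windows.h>
// Read [from, to) from process `pid` in 4 KiB chunks; stop at the first failed read.
bool ReadRange(DWORD pid, std::uintptr_t from, std::uintptr_t to,
               std::vector<unsigned char>& out) {
    HANDLE h = OpenProcess(PROCESS_VM_READ, FALSE, pid);  // the right ReadProcessMemory needs
    if (!h) { std::fprintf(stderr, "OpenProcess: error %lu\n", GetLastError()); return false; }
    unsigned char chunk[4096];
    bool ok = true;
    while (ok && from < to) {
        SIZE_T want = (to - from < sizeof chunk) ? (to - from) : sizeof chunk, got = 0;
        ok = ReadProcessMemory(h, reinterpret_cast<LPCVOID>(from), chunk, want, &got) && got == want;
        if (!ok) { std::fprintf(stderr, "ReadProcessMemory: error %lu\n", GetLastError()); break; }
        out.insert(out.end(), chunk, chunk + got);  // keep only fully read chunks
        from += got;
    }
    CloseHandle(h);
    return ok;
}
int main(int argc, char** argv) {  // assumed usage: dump.exe PID FROM_HEX TO_HEX > A.txt
    if (argc != 4) return 2;
    std::uintptr_t from = std::strtoull(argv[2], nullptr, 16), to = std::strtoull(argv[3], nullptr, 16);
    std::vector<unsigned char> bytes;
    bool ok = ReadRange(std::strtoul(argv[1], nullptr, 10), from, to, bytes);
    std::fputs(HexDump(from, bytes).c_str(), stdout);  // dump whatever was read
    return ok ? 0 : 1;
}
#endif
```

The Windows-specific part compiles only under `_WIN32`; a failed read ends the dump at that chunk and the exit code reports it.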