I always used this code on x86 machines without problems:
PIDHandle:= OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or
PROCESS_VM_READ, false, Struct.th32ProcessID);
if (PIDHandle <> 0)
ScanMemory(PIDHandle, Struct.szExeFile);
procedure TForm1.ScanMemory(PIDHandle: THandle; const ProcessName: string);
var
MemStart, ReceivedBytes: SIZE_T;
MemInfo: MEMORY_BASIC_INFORMATION;
begin
MemStart:= 0;
while (VirtualQueryEx(PIDHandle, Pointer(MemStart), MemInfo, SizeOf(MemInfo)) <> 0) do
begin
if ((MemInfo.State = MEM_COMMIT) and (not (MemInfo.Protect = PAGE_GUARD)
or (MemInfo.Protect = PAGE_NOACCESS)) and (MemInfo.Protect = PAGE_READWRITE)) then
begin
SetLength(Buff, MemInfo.RegionSize);
if (ReadProcessMemory(PIDHandle, MemInfo.BaseAddress, Buff,
MemInfo.RegionSize, ReceivedBytes)) then
begin
//do particular stuff with memory
end; //if readprocessmemory
end; //if mempages
MemStart:= MemStart + MemInfo.RegionSize;
end;
end;
Now I compiled a x64 binary and it stops responding in some random processes, which I'm not sure if they are x86/x64...
Are there any known issue on running ReadProcessMemory from a x64 bin, into x86 processes? Is really necessary to keep a x86 bin to read memory of other x86 processes and a x64 bin to read x64 processes? Or there are any workaround?
The problem is not with ReadProcessMemory(), it is with VirtualQueryEx().
The MEMORY_BASIC_INFORMATION documentation says:
To enable a debugger to debug a target that is running on a different architecture (32-bit versus 64-bit), use one of the explicit forms of this structure.
typedef struct _MEMORY_BASIC_INFORMATION32 { DWORD BaseAddress; DWORD AllocationBase; DWORD AllocationProtect; DWORD RegionSize; DWORD State; DWORD Protect; DWORD Type; } MEMORY_BASIC_INFORMATION32, *PMEMORY_BASIC_INFORMATION32; typedef struct DECLSPEC_ALIGN(16) _MEMORY_BASIC_INFORMATION64 { ULONGLONG BaseAddress; ULONGLONG AllocationBase; DWORD AllocationProtect; DWORD __alignment1; ULONGLONG RegionSize; DWORD State; DWORD Protect; DWORD Type; DWORD __alignment2; } MEMORY_BASIC_INFORMATION64, *PMEMORY_BASIC_INFORMATION64;
So, use MEMORY_BASIC_INFORMATION32 when querying a 32bit process, and use MEMORY_BASIC_INFORMATION64 when querying a 64bit process. However, Delphi does not declare these record types, so you will have to do so manually in your code.
Delphi's declaration of MEMORY_BASIC_INFORMATION in the Windows unit is modeled after the old 32-bit version:
typedef struct _MEMORY_BASIC_INFORMATION {
PVOID BaseAddress;
PVOID AllocationBase;
DWORD AllocationProtect;
SIZE_T RegionSize;
DWORD State;
DWORD Protect;
DWORD Type;
} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
PMemoryBasicInformation = ^TMemoryBasicInformation;
_MEMORY_BASIC_INFORMATION = record
BaseAddress : Pointer;
AllocationBase : Pointer;
AllocationProtect : DWORD;
RegionSize : SIZE_T;
State : DWORD;
Protect : DWORD;
Type_9 : DWORD;
end;
{$EXTERNALSYM _MEMORY_BASIC_INFORMATION}
TMemoryBasicInformation = _MEMORY_BASIC_INFORMATION;
MEMORY_BASIC_INFORMATION = _MEMORY_BASIC_INFORMATION;
{$EXTERNALSYM MEMORY_BASIC_INFORMATION}
This only works when used in a 32-bit calling process, not when used in a 64-bit calling process.
Use IsWow64Process() to check whether PIDHandle is a handle to a 32-bit or 64-bit process, and then scan its memory using the appropriate record type, eg:
// 32-bit and 64-bit processes can scan the full address space of a 32-bit process,
// but a 32-bit process cannot scan the full address space of a 64-bit process
type
PMEMORY_BASIC_INFORMATION32 = ^MEMORY_BASIC_INFORMATION32;
MEMORY_BASIC_INFORMATION32 = record
BaseAddress: DWORD;
AllocationBase: DWORD;
AllocationProtect: DWORD;
RegionSize: DWORD;
State: DWORD;
Protect: DWORD;
_Type: DWORD;
end;
{$IFDEF WIN64}
PMEMORY_BASIC_INFORMATION64 = ^MEMORY_BASIC_INFORMATION64;
{$ALIGN 16}
MEMORY_BASIC_INFORMATION64 = record
BaseAddress: ULONGLONG;
AllocationBase: ULONGLONG;
AllocationProtect: DWORD;
_alignment1: DWORD;
RegionSize: ULONGLONG;
State: DWORD;
Protect: DWORD;
_Type: DWORD;
_alignment2: DWORD;
end;
{$ENDIF}
function VirtualQueryEx32(hProcess: THandle; lpAddress: Pointer; var lpBuffer: MEMORY_BASIC_INFORMATION32; dwLength: SIZE_T): SIZE_T; stdcall; external 'kernel32' name 'VirtualQueryEx';
{$IFDEF WIN64}
function VirtualQueryEx64(hProcess: THandle; lpAddress: Pointer; var lpBuffer: MEMORY_BASIC_INFORMATION64; dwLength: SIZE_T): SIZE_T; stdcall; external 'kernel32' name 'VirtualQueryEx';
{$ENDIF}
procedure TForm1.DoSomethingWithBuff(const ProcessName: string);
begin
// do particular stuff with Buff
end;
procedure TForm1.ScanMemory32(PIDHandle: THandle; const ProcessName: string);
var
MemStart: DWORD;
ReceivedBytes: SIZE_T;
MemInfo: MEMORY_BASIC_INFORMATION32;
begin
MemStart := 0;
while (VirtualQueryEx32(PIDHandle, Pointer(MemStart), MemInfo, SizeOf(MemInfo)) <> 0) do
begin
if ((MemInfo.State = MEM_COMMIT) and (not (MemInfo.Protect = PAGE_GUARD)
or (MemInfo.Protect = PAGE_NOACCESS)) and (MemInfo.Protect = PAGE_READWRITE)) then
begin
SetLength(Buff, MemInfo.RegionSize);
if (ReadProcessMemory(PIDHandle, Pointer(MemInfo.BaseAddress), Buff,
MemInfo.RegionSize, ReceivedBytes)) then
begin
DoSomethingWithBuff(ProcessName);
end;
end;
Inc(MemStart, MemInfo.RegionSize);
end;
end;
{$IFDEF WIN64}
procedure TForm1.ScanMemory64(PIDHandle: THandle; const ProcessName: string);
var
MemStart: ULONGLONG;
ReceivedBytes: SIZE_T;
MemInfo: MEMORY_BASIC_INFORMATION64;
begin
MemStart := 0;
while (VirtualQueryEx64(PIDHandle, Pointer(MemStart), MemInfo, SizeOf(MemInfo)) <> 0) do
begin
if ((MemInfo.State = MEM_COMMIT) and (not (MemInfo.Protect = PAGE_GUARD)
or (MemInfo.Protect = PAGE_NOACCESS)) and (MemInfo.Protect = PAGE_READWRITE)) then
begin
SetLength(Buff, MemInfo.RegionSize);
if (ReadProcessMemory(PIDHandle, Pointer(MemInfo.BaseAddress), Buff,
MemInfo.RegionSize, ReceivedBytes)) then
begin
DoSomethingWithBuff(ProcessName);
end;
end;
Inc(MemStart, MemInfo.RegionSize);
end;
end;
{$ENDIF}
procedure TForm1.ScanMemory(PIDHandle: THandle; const ProcessName: string);
var
Is32Bit: BOOL;
begin
if not IsWow64Process(PIDHandle, @Is32Bit) then
RaiseLastOSError;
if Is32Bit then begin
ScanMemory32(PIDHandle, ProcessName);
end
{$IFDEF WIN64}
else begin
ScanMemory64(PIDHandle, ProcessName);
end
{$ENDIF};
end;