Single hex dump - Error codes / Plain errors...

[Blackroot]

Ok, I've been working on this peice of code for about 4 days now. It still won't work. I've looked up every google peice of infortmation I could think of. What I'm trying to do is hex dump single values of another program (Google had one for hex dumping the entire program, I found it thanks to nvoight). Failing at so much as reproducing that example, I tried at least displaying a single value from my own program. And that's my current failed attempt -,-.

I'm getting the error codes (299, ReadProcessMemory or WriteProcessMemory could not be completed.) Sence I only use ReadProcessMemory, it has to be that. Error code 998 I have no idea what this error means... At all. I'll quote msdn though; (Multiply accumulate instruction used without /QMR4121, /QMViper, /QMR5400, /QMmips32, or /QMmips64)

Now, I thought I could Read my own process' memory without giving it tokens. I tried giving the debug priviledge token, but it doesn't change anything. Token granting code;

Code:

 HANDLE TokenHandle;
 LUID debugid;
 TOKEN_PRIVILEGES tp;

 LookupPrivilegeValue(NULL, "SeDebugPrivilege", &debugid);
 tp.Privileges[0].Luid = debugid;
 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
 AdjustTokenPrivileges(TokenHandle, FALSE, &tp, NULL, NULL, NULL);

The rest is pritty simple, this is my current test program, it outputs the last error repeatdly. It also crashs after a small amount of time. I thought it would be easier to try with my own program, but it's just making things more complicated >.<.

Code:

#include <iostream>
#include <windows.h>
#include <conio.h>
#include <String.h>
using namespace std;

int* Search(int SearchValue, HANDLE op, DWORD add) {
 MEMORY_BASIC_INFORMATION mbi;
 SYSTEM_INFO sys;
 LPVOID lpMem;
 string buffer;

 GetSystemInfo(&sys);
 lpMem = sys.lpMinimumApplicationAddress;

 while(lpMem < sys.lpMaximumApplicationAddress) {
  mbi.RegionSize = 0;
  VirtualQueryEx(op, lpMem, &mbi, sizeof(mbi));

  ReadProcessMemory(op, &add, &buffer, mbi.RegionSize, NULL);

  lpMem = (LPVOID)((DWORD)mbi.BaseAddress + (DWORD)mbi.RegionSize);
  cout << GetLastError() << endl;
 }

 return 0;
}

int main() {
 int srak = 4;
 HANDLE CURRENTPROCESS = GetCurrentProcess();
 DWORD ProcessId;
 HANDLE tProc;

 tProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
 if(!tProc) {
  cout << "Could not open the process o-O";
  getch();
  return 0;
 }

 cout << *Search(srak, tProc, ProcessId);
}

From reading all thoes google tutorials, I actualy understand the virtual memory quite well, but accessing it seems to be a really vague subject (Or maybe I just suck at searching) I've seen tutorials for hex dumping my own program without treating my program as if I don't control it, but that's not helpful to me.

-Thank you for any help -,-.

[dwks]

Code:

#include <String.h>

Filenames are case-sensitive under UNIX-like systems. I strongly recommend that you use a lowercase 's'. (Unless String.h is not the same as string.h.)

[Blackroot]

Ah, I haven't used C/C++ in awhile - a bit out of my element, thanks for poiting that out.

The problem is not the tokens, I've fixed up the tokens to grant debug priv's and practicaly all the ones that sounded relevant. It still brings up the error, gah this is so much more complicated then I had hoped.

[anonytmouse]

1. I think you can only read committed memory (where mbi.State == MEM_COMMIT).
2. The second argument to ReadProcessMemory is the address you want to read. In your case, I think you want to use lpMem.
3. The third argument is a pointer to a buffer and the fourth argument is the size of that buffer. A string can not be used like this.
4. You return NULL from the Search function and then try to dereference it.

Here is a little bit of code that will dump the process as a series of bytes:

Code:

 while(lpMem < sys.lpMaximumApplicationAddress)
 {
   VirtualQueryEx(op, lpMem, &mbi, sizeof(mbi));

   if (mbi.State == MEM_COMMIT)
   {
      for (size_t i = 0; i < mbi.RegionSize; i += sizeof(BYTE))
      {
        /* Read this memory block as a series of BYTEs */
        BYTE buffer;
        ReadProcessMemory(op, mbi.BaseAddress + (i * sizeof(BYTE)), &buffer, sizeof(buffer), NULL);
        cout << buffer << endl;
      }
   }

   lpMem = (LPVOID)((DWORD)mbi.BaseAddress + (DWORD)mbi.RegionSize);
 }

Make sure you redirect the output to a text file (program > out.txt) or it will take a long time to run.

[Blackroot]

You just made my day, and quite problably many days after today, anonytmouse .

The program is incredibly noisy when being couted, so looks like I don't have a choice but to output it via file .

Thank you so much! -Blackroot