Exetools  

  #1  
Old 01-19-2005, 20:10
JuneMouse
you must have read access to the entire area that you are trying to read;
that means if a byte is straddling onto another page then you need Read access
to both pages

use IsBadReadPtr() and also intersperse your calls with GetLastError()
or set an SEH to trap failures; that way you can easily pinpoint the failures to certain areas rather than looking from scratch
  #2  
Old 01-20-2005, 16:20
upb
umm, but isn't he setting read access on the entire area of pages covered by the buf?!
  #3  
Old 01-20-2005, 21:43
Shub-Nigurrath
here's a code snippet from a tool I'm writing. It's in C++ but might help.
The concept is to wrap the real ReadProcessMemory and use the new one. The code I wrote in C++ is useful because for classes derived from the one attached here there's nothing to change, and you can write the code as before.

I hope it helps: even though you are programming in ASM the concepts are the same, and the code structure doesn't change that much either.

AccessMemory.h
Code:
#include <windows.h>

// Common shape used for both ::ReadProcessMemory and ::WriteProcessMemory.
// The real prototypes differ slightly (LPCVOID vs LPVOID, and SIZE_T vs DWORD
// in newer SDKs), so the API pointers are cast to this type on assignment.
// Argument sizes match on 32-bit, which is what this tool targets.
typedef BOOL (__stdcall *ACCESS_PROCESS_MEMORY_FCN)(HANDLE, LPVOID, LPVOID, DWORD, LPDWORD);

class CAccessMemory
{
public:
	CAccessMemory();
	virtual ~CAccessMemory();

	BOOL ReadProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer,
		DWORD nSize, LPDWORD lpNumberOfBytesRead);
	BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer,
		DWORD nSize, LPDWORD lpNumberOfBytesWritten);

private:
	// Shared worker: calls fcn and, if it fails, opens up the protection
	// of the target range with VirtualProtectEx and retries.
	BOOL _accessProcessMemory(
		ACCESS_PROCESS_MEMORY_FCN fcn,
		HANDLE hProcess,
		LPVOID lpBaseAddress, LPVOID lpBuffer,
		DWORD nSize, LPDWORD lpNumberOfBytes);
};
AccessMemory.cpp
Code:
#include "AccessMemory.h"

CAccessMemory::CAccessMemory()
{
}

CAccessMemory::~CAccessMemory()
{
}

//A wrapper for ::ReadProcessMemory which also sets the memory
//access rights properly
BOOL CAccessMemory::ReadProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer,
		DWORD nSize, LPDWORD lpNumberOfBytesRead)
{
	ACCESS_PROCESS_MEMORY_FCN fcn;

	//The prototypes of ::ReadProcessMemory and ::WriteProcessMemory are not
	//identical (const-ness of the pointer arguments), so the address of
	//::ReadProcessMemory is cast to the common ACCESS_PROCESS_MEMORY_FCN type.
	//Calling convention and argument sizes are the same, so the call works.
	fcn = (ACCESS_PROCESS_MEMORY_FCN)(&::ReadProcessMemory);

	return _accessProcessMemory(fcn, hProcess, lpBaseAddress, lpBuffer,
		nSize, lpNumberOfBytesRead);
}

//A wrapper for ::WriteProcessMemory which also sets the memory
//access rights properly
BOOL CAccessMemory::WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer,
		DWORD nSize, LPDWORD lpNumberOfBytesWritten)
{
	ACCESS_PROCESS_MEMORY_FCN fcn;

	//Same cast as above. With the old SDK prototype (LPVOID/DWORD) a plain
	//assignment also compiles; newer SDKs use LPCVOID/SIZE_T and need the cast.
	fcn = (ACCESS_PROCESS_MEMORY_FCN)(&::WriteProcessMemory);

	return _accessProcessMemory(fcn, hProcess, lpBaseAddress, lpBuffer,
		nSize, lpNumberOfBytesWritten);
}

//Used by the WriteProcessMemory and ReadProcessMemory methods.
//It takes care of granting access to the memory.
BOOL CAccessMemory::_accessProcessMemory(
		ACCESS_PROCESS_MEMORY_FCN fcn,
		HANDLE hProcess,
		LPVOID lpBaseAddress, LPVOID lpBuffer,
		DWORD nSize, LPDWORD lpNumberOfBytes)
{
	//Receives the previous protection of the range when VirtualProtectEx is
	//called, so it can be restored before returning. Stays 0 if never changed.
	DWORD OldProtection = 0;
	//VirtualProtectEx always requires a valid variable to hold the old page
	//protection, otherwise it fails. When restoring the protection of the
	//page on the way out, the value returned here is of course not important.
	DWORD dummyProtection = 0;

	BOOL bVal = FALSE;

	int tries = 0;

	//At most 3 attempts, so this never blocks forever.
	while (tries < 3) {
		__try {
			tries++;
			bVal = fcn(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytes);
			if (!bVal)
				//Turn a FALSE return into an SEH exception in the calling thread,
				//so API failures and real access violations reach the same handler.
				RaiseException(1,       // application-defined exception code
				               0,       // continuable exception (non-fatal)
				               0, NULL); // no arguments
		}
		__except (EXCEPTION_EXECUTE_HANDLER) {
			//IsBadReadPtr/IsBadWritePtr take no process handle: they test the
			//calling process's address space. VirtualProtectEx is what acts on
			//hProcess. Change the protection only once, so OldProtection keeps
			//the original value for the restore below.
			if (OldProtection == 0 &&
			    (IsBadReadPtr(lpBaseAddress, nSize) || IsBadWritePtr(lpBaseAddress, nSize)))
				VirtualProtectEx(hProcess, lpBaseAddress, nSize,
					PAGE_EXECUTE_READWRITE, &OldProtection);
			continue;
		}
		break;
	}

	//Restore the previous protection of the patched address.
	//OldProtection is != 0 only if the VirtualProtectEx above has been done.
	if (OldProtection != 0)
		VirtualProtectEx(hProcess, lpBaseAddress, nSize,
			OldProtection, &dummyProtection);

	return bVal;
}
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
  #4  
Old 01-21-2005, 15:42
FEARHQ
Thanks for all the replies, guys.

My function does succeed in reading the entire block and copying it, that's not really the problem. The problem is the module not playing so nicely with me afterwards :/ I did set the protection to read/write/execute in any case to allow all access... Perhaps this is deadly when code is actually executing in there, heh.

Shub-Nigurrath, I love the idea of using IsBadReadPtr/IsBadWritePtr to check the memory range for the desired access, but wouldn't this simply give you the access rights for YOUR process's pages in that range? I don't see those functions taking a handle to the target process, but then again I have never used them before.

Innocent: Olly is MY debugger of choice, for all debugging and 'other' tasks. There is no direct problem with my code, but apparently the target code doesn't like to be read, or to have its protections changed (haven't really looked at that). The point is that this generic write routine fails by all means with my current target, and so would Shub-Nigurrath's. My workaround was to map the target file to memory and get whatever info I need from there.

On a side note, is there any way to pause execution of the target process? I would probably need to stop all of its threads, then later resume them... Best would be to save each thread's run state (some may be paused, and if they were, they should still be paused when I'm done).
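JuneMouse's point that a read must have access to every page it straddles, and FEARHQ's question about IsBadReadPtr only seeing your own process, both come down to checking each touched page against the target process's region map, the thing a VirtualQueryEx loop over hProcess returns. The following is an added example, not code from this thread: it implements that page walk in portable C over a constructed region table standing in for VirtualQueryEx output; region_t, demo_map and the 4096-byte PAGE_SIZE are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#define PAGE_SIZE 4096u   /* assumed x86 page size */

/* One target region, the fields a VirtualQueryEx loop would copy out of
   MEMORY_BASIC_INFORMATION (constructed stand-in, not the real struct). */
typedef struct {
    uintptr_t base;
    size_t    size;
    bool      committed;  /* State == MEM_COMMIT */
    bool      readable;   /* Protect allows reads (not NOACCESS / GUARD) */
} region_t;

/* Constructed sample map: two readable pages, one no-access page,
   one more readable page, nothing mapped after that. */
static const region_t demo_map[] = {
    { 0x10000, 0x2000, true, true  },
    { 0x12000, 0x1000, true, false },
    { 0x13000, 0x1000, true, true  },
};
#define DEMO_MAP_LEN (sizeof demo_map / sizeof demo_map[0])

/* Region containing one page address, or NULL if that page is unmapped. */
static const region_t *find_region(const region_t *map, size_t n, uintptr_t page)
{
    for (size_t i = 0; i < n; i++)
        if (page >= map[i].base && page < map[i].base + map[i].size)
            return &map[i];
    return NULL;
}

/* Check every page touched by [addr, addr+len) one by one, so a range that
   straddles a page boundary is verified on both sides. Returns how many bytes
   from addr are readable before the first unmapped, uncommitted or unreadable
   page (len when the whole range is readable). */
size_t readable_prefix(const region_t *map, size_t n, uintptr_t addr, size_t len)
{
    if (len == 0) return 0;
    uintptr_t first = addr & ~(uintptr_t)(PAGE_SIZE - 1);
    uintptr_t last  = (addr + len - 1) & ~(uintptr_t)(PAGE_SIZE - 1);
    for (uintptr_t p = first; ; p += PAGE_SIZE) {
        const region_t *r = find_region(map, n, p);
        if (!r || !r->committed || !r->readable)
            return p <= addr ? 0 : (size_t)(p - addr);
        if (p == last) return len;
    }
}

size_t demo_readable(uintptr_t addr, size_t len)   /* runs over demo_map */
{
    return readable_prefix(demo_map, DEMO_MAP_LEN, addr, len);
}
```

In a real tool the table is filled by calling VirtualQueryEx on the target handle, and a read is then either split at the first unreadable page or refused, instead of being retried blindly.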
  #5  
Old 01-21-2005, 16:38
Shub-Nigurrath
2 FEARHQ

not really, using those permissions you can gain access rights for any process, even external processes: I used it for a loader which launches an external program and everything works fine.