How to read memory from other process? (not by OpenProcess)

Started by Externalist, November 26, 2006, 08:46:29 AM

Externalist

First of all, sorry for my poor English since it's not my first language :(, but I'll try my best to make the content understandable.
I was making a simple program that would read another process's memory via the most popular
FindWindow -> GetWindowThreadProcessId -> OpenProcess -> ReadProcessMemory
method and all worked fine while assembling inside WinAsm IDE and running "inside" the IDE.
But once I started to run the program outside the IDE, in other words when I double clicked on the produced .exe, then the program wouldn't function as expected, so I went on debugging the program in OllyDbg to find out which API failed.
But the strange thing is, even in OllyDbg, if I press the RUN button the program would run exactly the way it was supposed to (and even read the right values from memory, thus no API failing), but after closing Olly and running the program independently through double clicking it, it fails again. So I assumed the program which I want to read memory from uses some Anti-Readmemory tricks and indeed, after a little testing I found out that the OpenProcess API returns False.
So my question is, is there any other way to read another process's memory other than the above method? I've searched & looked at other people's code but over 70% use the same method and the other 30% use a programming language I have no knowledge in :(. Thanks in advance.

evlncrn8

sounds like a privilege issue, the ide and ollydbg will set the debugprivilege for you when running from them..

Synfire

Externalist,

What you're doing sounds kinda sketchy, but I would look into DebugActiveProcess to gain debugging privileges over the remote process, then use WaitForDebugEvent to catch the CREATE_PROCESS_DEBUG_EVENT, perform your remote modifications, then use DebugActiveProcessStop to cease the debugging session. Only legitimate reason to modify a remote process is for debugging, IMHO, so if this is what you're trying to do then I suggest reading the MSDN Debugging Reference before you continue with the project. If that's not what you are trying to do, might I suggest reading The Rules (rule number 3 specifically).

Regards,
Bryant Keller

donkey

Quote: So I assumed the program which I want to read memory from uses some Anti-Readmemory tricks

This line alone tells me that you are attempting to do something that is against the rules of this forum. If the program has "anti-read memory tricks" and you are not sure of it then I would suspect that...

A) the author doesn't want people to read his process memory.
B) that you do not have the author's permission to do so.
C) what you are doing is violating the rules of this forum.

Edgar
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable

sluggy

As donkey mentioned, this thread is treading on shaky ground. It is locked until we (the moderators) receive a good reason to reopen it.