Hi,
I am a programmer, new to Windows systems development. I want to access the .text section (i.e. the code) of a running process on Windows 7 and above. Basically, I am doing this as a self-study exercise. I can inspect a PE file, and print-out the code disassembly. Instead of static inspection, I now want to perform dynamic inspection of the code section in the loaded process, iterate over the code pages and print the code (or do a checksum, etc.). I am also open to writing a driver module if need be.
I briefly googled and found functions such as ZwQueryInformationProcess, ReadProcessMemory, VirtualQueryEx, etc. Also, I had a quick look at the EPROCESS structure and its members. Please suggest the best way to approach this problem. I know that EPROCESS structure varies between Windows versions and am willing to live with one particular version for now.
I am also wondering what would happen when we read the code pages that are swapped out to the disk. Will the above inspection functions and structures generate a page fault internally and fetch the page in the physical memory for reading?
Thanks.
What I have tried:
Tried looking at code examples that use ZwQueryInformationProcess, ReadProcessMemory, VirtualQueryEx, etc. and some EPROCESS structure details.
Submit an article or tip