Hello,
My ultimate goal is to try and read virtual memory from a process. Currently I have spawned a System thread that's running in a selected process.
Here is a sample of code I thought would work:
// Buffer that receives the region information
MEMORY_BASIC_INFORMATION* memory = ExAllocatePoolWithTag(PagedPool, sizeof(MEMORY_BASIC_INFORMATION), '1gaT');
// Receives the number of bytes written to the buffer
SIZE_T returnLength = 0;
// Address to query
PVOID readAddr = 0;
NTSTATUS status = ZwQueryVirtualMemory(PsGetProcessId(IoGetCurrentProcess()), readAddr, MemoryBasicInformation, memory, sizeof(MEMORY_BASIC_INFORMATION), &returnLength);
What I have tried:
According to the docs, ZwQueryVirtualMemory takes in a ProcessHandle as the first parameter. PsGetProcessId returns a processHandle (PID), so I'm a little confused about why it's not working.
I have tried the
ZwCurrentProcess()
function as the ProcessHandle parameter, which returns -1. Other forums suggested that this -1 is a special value that all functions taking a processHandle understand to mean the current process. However, when used in
PsLookupProcessByProcessId(ZwCurrentProcess(), &peprocess);
I get
STATUS_INVALID_CID
which means "An invalid client ID was specified."
Any clarification on why this is the behavior would be appreciated.
Thanks