Hello,

My ultimate goal is to try and read virtual memory from a process. Currently I have spawned a System thread that's running in a selected process.

Here is a sample of code I thought would work:

MEMORY_BASIC_INFORMATION* memory = ExAllocatePoolWithTag(PagedPool, sizeof(MEMORY_BASIC_INFORMATION), '1gaT');
SIZE_T returnLength = 0;   // the routine writes the byte count here, so it needs real storage
PVOID readAddr = 0;

// The PID is passed as the ProcessHandle argument; this is the call the question is about.
NTSTATUS status = ZwQueryVirtualMemory(PsGetProcessId(IoGetCurrentProcess()), readAddr, MemoryBasicInformation, memory, sizeof(MEMORY_BASIC_INFORMATION), &returnLength);


What I have tried:

According to the docs, ZwQueryVirtualMemory takes in a ProcessHandle as the first parameter. PsGetProcessId returns a processHandle (PID), so I'm a little confused on why it's not working.

I have tried the ZwCurrentProcess() function as the ProcessHandle parameter, which returns -1. Other forums suggested that this -1 value is a special value which all functions that take in a processHandle understand that -1 is the current process; however, when used in

PsLookupProcessByProcessId(ZwCurrentProcess(), &peprocess);

I get STATUS_INVALID_CID, which means an invalid client ID was specified.

Any clarification on why this is the behavior would be appreciated.
Thanks
Updated 19-May-20 20:56pm

1 solution

The obvious reason is that the ID is invalid. A common reason is your process hasn't the rights to access it. Try as admin.

A system process has some special rights, so even an admin process may have problems. Try to create some memory with lower rights. I remember having created some named objects with a "Global\\" prefix some years ago.
 
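The distinction the question turns on, as an added example that is not part of the thread or any poster's code: ZwQueryVirtualMemory expects a handle, a PID is a client ID rather than a handle, and ZwCurrentProcess() is the pseudo-handle (HANDLE)-1 rather than a PID, which is why PsLookupProcessByProcessId rejects it with STATUS_INVALID_CID. CountRegions is a hypothetical helper that walks the regions of the process the calling thread runs in. Under the WDK it compiles against ntifs.h; elsewhere the #else branch supplies constructed stand-ins (a three-region layout that accepts only the pseudo-handle) so the loop can be exercised outside a driver.

```c
/* Added example. In a WDK build this uses the real routines (call at PASSIVE_LEVEL). */
#ifdef _KERNEL_MODE
#include <ntifs.h>
#else  /* constructed stand-ins for running the logic in user mode, NOT the kernel's code */
#include <stddef.h>
#include <stdint.h>
typedef int32_t NTSTATUS; typedef void *HANDLE; typedef void *PVOID;
typedef size_t SIZE_T; typedef unsigned char *PUCHAR; typedef unsigned long ULONG;
typedef struct { PVOID BaseAddress; SIZE_T RegionSize; } MEMORY_BASIC_INFORMATION;
enum { MemoryBasicInformation = 0 };
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define STATUS_INVALID_HANDLE    ((NTSTATUS)0xC0000008)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define ZwCurrentProcess() ((HANDLE)(intptr_t)-1)
/* Model: only the pseudo-handle is accepted; the address space is three constructed regions. */
static NTSTATUS ZwQueryVirtualMemory(HANDLE h, PVOID addr, int cls, PVOID out,
                                     SIZE_T len, SIZE_T *ret)
{
    static const SIZE_T end[] = { 0x10000, 0x30000, 0x80000 };
    MEMORY_BASIC_INFORMATION *m = out;
    SIZE_T start = 0;
    (void)cls; (void)len;
    if (h != ZwCurrentProcess()) return STATUS_INVALID_HANDLE;  /* a PID is not a handle */
    for (int i = 0; i < 3; start = end[i++])
        if ((SIZE_T)addr < end[i]) {
            m->BaseAddress = (PVOID)start; m->RegionSize = end[i] - start;
            *ret = sizeof *m;
            return 0;
        }
    return STATUS_INVALID_PARAMETER;          /* past the last region: the walk ends */
}
#endif

/* Count the regions behind `process`; *status receives the NTSTATUS that ended the walk. */
ULONG CountRegions(HANDLE process, NTSTATUS *status)
{
    MEMORY_BASIC_INFORMATION mbi;
    SIZE_T returned = 0;       /* real storage: the routine writes through &returned */
    PUCHAR addr = NULL;
    ULONG regions = 0;
    while (NT_SUCCESS(*status = ZwQueryVirtualMemory(process, addr, MemoryBasicInformation,
                                                     &mbi, sizeof(mbi), &returned))) {
        regions++;
        addr = (PUCHAR)mbi.BaseAddress + mbi.RegionSize;   /* first byte of the next region */
    }
    return regions;
}
```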
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


