Read Variable, address/location, From Current Process

Question

0.00/5 (No votes)

See more:

I have a string defined as

C++

std::string str ("This is my Test String");
std::cout << str.c_str() << std::endl;

I want to read the memory location of str, which should contain "This is my Test String" and get back the value of "This is my Test String"
I am attempting to read the string as so.

C++

void WorkerThread::ReadMemorySpecific(void* pAddr, SIZE_T count)
	char buff[8192]; 
		ZeroMemory(buff, sizeof(buff));
		SIZE_T bytesRead;
	HANDLE currentProcess = GetCurrentProcess();
		std::ofstream outFile("PATH_TO_FILE\\string.dat", std::ios::out | std::ios::binary);
	ReadProcessMemory(currentProcess,(LPVOID)pAddr,&buff,count+1,&bytesRead);
	outFile.write(buff,sizeof(buff));
	outFile.flush();
	outFile.close();
	std::cout<< "Possible err: " << GetLastError() << std::endl;

	for(int j = 0; j <8192; j++)
		printf("%02X\n",buff[j]);

I am in the current process therefore I shouldn't need to enable debug privileges. I can verify the size & the address of the memory location are correct because I call this function as:

C++

WorkerThread wt; 
wt.ReadMemorySpecific(&str, str.length());

I can't seem to get my string back as ascii text no matter, what I do, I've tried dumping to a binary file and converting the binary back to ascii, I've tried converting the hex. Any suggestions?

Posted 24-Jan-14 6:20am

CdnSecurityEngineer

Add a Solution

Comments

CdnSecurityEngineer 24-Jan-14 13:12pm

Wouldn't reading the string, prevent the compile from optimizing that ?

2 solutions

Solution 1

Have you tried looking at the executable file itself in a hex editor like Hhd[^]?

Compiler optimizations may optimize the variable right out and put the string in the data section of the EXE, or even directly in the code region.

Posted 24-Jan-14 7:06am

Ron Beyer

Comments

CdnSecurityEngineer 24-Jan-14 13:17pm

Wouldn't reading the string, prevent the compile from optimizing that ?

Ron Beyer 24-Jan-14 13:29pm

Some compilers are pretty smart, and remember that they compile to generate the EXE, what you do later has no effect on how the compiler optimizes it. Some compilers are so smart that they will remove entire loops or inline functions without you explicitly setting them to.

CdnSecurityEngineer 24-Jan-14 13:42pm

So what would be your suggestion? I am using VS2012, I just need to get this POC working.

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CPallini · Accepted Answer · 2014-01-24T07:12:00

Solution 2

&str gives the string object address (not the address of its internal buffer).
Try, for instance:

C++

std::string foo = "foo"; 
std::cout << (char *) &foo << std::endl;

as opposed to

C++

std::string foo = "foo"; 
std::cout << foo.data() << std::endl;

Posted 24-Jan-14 7:12am

CPallini

Comments

CdnSecurityEngineer 24-Jan-14 13:16pm

OK.... Sure but when you, consider virtual memory allocation. I need to pass the address of the internal buffer, to the function that's reading it. I can't print, stop the the program and then adjust the address I wish for it to read from. Even if I did char* pFoo = "str" and I pass pFoo I am passing a pointer to the memory that contains "str", right??? I still don't get the "str" back.

CPallini 24-Jan-14 13:35pm

I don't get you. To me your code is simply looking at the wrong address.

CdnSecurityEngineer 24-Jan-14 13:41pm

OK, lets assume, the code is looking at the wrong address. How would you change this function call wt.ReadMemorySpecific(&str, str.length()); to make it point at the right address. str.c_str()?

CPallini 24-Jan-14 13:46pm

wt.ReadMemorySpecific(str.data(), str.length());

CdnSecurityEngineer 24-Jan-14 13:51pm

Ok. So you were correct, I was considering the wrong address.
wt.ReadMemorySpecific(str.c_str(), str.length());
or your solution will also work.

CPallini 24-Jan-14 15:07pm

I am right, of course, did you have any doubt? :-D