

In this tutorial, I'll try to output all memory allocated by Notepad. I recommend you target processes that don't use too much RAM. The outcome: Notepad allocates about 1-2MB of memory and the generated dump file has about 38MB (however, I also include the memory address for each byte and newlines). The spaces between characters in the dump (empty bytes) are caused by Notepad's use of Unicode encoding.
Whenever a process starts, the system allocates enough memory for its heap, stack and regions; however, Windows won't allocate an 'entire block' of memory.

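It tries to allocate any free memory available to user mode, so the allocated memory won't be contiguous. Basically, Windows won't tell us a range of addresses where we can find the program's data.

So, the remaining solution is to scan almost every possible address (we get the bounds using GetSystemInfo()) and check if it belongs to the target process (with VirtualQueryEx()): if it does, we read the values from there (ReadProcessMemory()).

Methods that will be required (including the ones above):

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

class Program
{
    // REQUIRED CONSTS
    const int PROCESS_QUERY_INFORMATION = 0x0400;
    const int PROCESS_WM_READ = 0x0010; // Win32 PROCESS_VM_READ

    // REQUIRED METHODS
    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    // handle, address and byte count are pointer-sized so the call is also correct in a 64-bit process
    [DllImport("kernel32.dll")]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);

    [DllImport("kernel32.dll")]
    static extern void GetSystemInfo(out SYSTEM_INFO lpSystemInfo);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);

    // REQUIRED STRUCTS (field order follows the Win32 definitions)
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State, Protect, Type;
    }

    public struct SYSTEM_INFO
    {
        public ushort processorArchitecture, reserved;
        public uint pageSize;
        public IntPtr minimumApplicationAddress, maximumApplicationAddress, activeProcessorMask;
        public uint numberOfProcessors, processorType, allocationGranularity;
        public ushort processorLevel, processorRevision;
    }

    static void Main()
    {
        // lowest and highest addresses usable by user-mode code
        SYSTEM_INFO sys_info = new SYSTEM_INFO();
        GetSystemInfo(out sys_info);
        IntPtr proc_min_address = sys_info.minimumApplicationAddress;
        IntPtr proc_max_address = sys_info.maximumApplicationAddress;

        // saving the values as long ints so I won't have to do a lot of casts later
        long proc_min_address_l = (long)proc_min_address;
        long proc_max_address_l = (long)proc_max_address;

        Process process = Process.GetProcessesByName("notepad")[0];

        // opening the process with desired access level
        IntPtr processHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_WM_READ, false, process.Id);

        StreamWriter sw = new StreamWriter("dump.txt");

        // this will store any information we get from VirtualQueryEx()
        MEMORY_BASIC_INFORMATION mem_basic_info = new MEMORY_BASIC_INFORMATION();
    }
}
```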
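The region walk described above (address bounds from GetSystemInfo(), then VirtualQueryEx() one region at a time), as an added example that is not part of the original tutorial. It assumes the process inspecting itself instead of Notepad, so no OpenProcess() call is needed; the class name `RegionMap` and the output format are illustrative. The `gap` column shows how far each committed region sits from the previous one, which is the non-contiguous layout the text describes.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class RegionMap
{
    const uint MEM_COMMIT = 0x1000; // region state: pages are backed by memory
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State, Protect, Type;
    }
    struct SYSTEM_INFO
    {
        public ushort processorArchitecture, reserved;
        public uint pageSize;
        public IntPtr minimumApplicationAddress, maximumApplicationAddress, activeProcessorMask;
        public uint numberOfProcessors, processorType, allocationGranularity;
        public ushort processorLevel, processorRevision;
    }
    [DllImport("kernel32.dll")]
    static extern void GetSystemInfo(out SYSTEM_INFO lpSystemInfo);
    // SIZE_T return value and length are declared pointer-sized here
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    static void Main()
    {
        GetSystemInfo(out SYSTEM_INFO si);
        IntPtr self = Process.GetCurrentProcess().Handle; // assumption: map our own process
        IntPtr mbiSize = new IntPtr(Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)));
        long addr = si.minimumApplicationAddress.ToInt64(), max = si.maximumApplicationAddress.ToInt64();
        long prevEnd = addr, committed = 0;
        // VirtualQueryEx returns 0 on failure, which ends the walk
        while (addr < max && VirtualQueryEx(self, new IntPtr(addr), out MEMORY_BASIC_INFORMATION mbi, mbiSize) != IntPtr.Zero)
        {
            long start = mbi.BaseAddress.ToInt64(), size = mbi.RegionSize.ToInt64();
            if (mbi.State == MEM_COMMIT) // free and reserved regions hold no data
            {
                Console.WriteLine("0x{0:X12}  {1,12:N0} bytes  protect=0x{2:X3}  gap=0x{3:X}",
                    start, size, mbi.Protect, start - prevEnd);
                prevEnd = start + size;
                committed += size;
            }
            addr = start + size; // the next query starts where this region ends
        }
        Console.WriteLine("committed total: {0:N0} bytes", committed);
    }
}
```

Stepping by `RegionSize` rather than by a fixed increment is what keeps the scan fast: each call skips a whole free, reserved or committed region at once.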
