Idov

CreateProcess and memory access


Hi!

I have a small process "A" which prints an address of a variable and keeps running.
I also have a process "B" which opens process "A" using "CreateProcessA" and it works fine.

But when I debug process "B" and check what's in that address (in the watch window)
I don't get the value that really exists in the variable in "A".

What is going on???

thanks :)

Processes each have their own address space. A memory address used by one process is more or less meaningless to another process without using system calls like ReadProcessMemory().

Quote:
Original post by SiCrane
Processes each have their own address space. A memory address used by one process is more or less meaningless to another process without using system calls like ReadProcessMemory().


I know, but since process "A" for some reason took control of process "B"'s console I was hoping they might use shared memory. :)

ReadProcessMemory is the only way to do it?

There's no EASIER way than ReadProcessMemory.

You could also:

- Redirect stdout (it sounds like you're already doing this)
- Named pipes
- Memory mapped file (recommended if you have the source code for both programs)
- Windows messages
- Sockets
- Code Injection (last resort if you don't have the source code for one program)

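The two answers above make one point between them: an address is only meaningful inside the address space that produced it, and the "memory mapped file" option works because both processes deliberately map the same physical page. The following C program is an added example, not code from this thread; it uses the POSIX counterpart of CreateFileMapping/MapViewOfFile (an anonymous MAP_SHARED mapping) and fork() so that it runs on Linux, and the function and struct names are its own. The child writes the same value to an ordinary variable and to the shared page; only the second write is visible to the parent.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result of the probe: what the parent observes after the child has written
 * the value 42 both into an ordinary variable and into a MAP_SHARED page. */
struct isolation_result {
    int private_seen;   /* value the parent sees in its own copy of the variable */
    int shared_seen;    /* value the parent sees through the shared mapping */
};

/* Forks a child that writes 42 to a private variable and to a shared mapping,
 * then reports what the parent sees in each. Returns 0 on success, -1 on error. */
int run_isolation_probe(struct isolation_result *out)
{
    /* An ordinary variable: after fork() the child gets its own copy-on-write
     * copy, so the parent's copy is untouched by anything the child writes.
     * volatile keeps the compiler from caching the value across the fork. */
    volatile int private_var = 0;

    /* One page both processes map onto the same physical memory (the POSIX
     * equivalent of a pagefile-backed CreateFileMapping + MapViewOfFile). */
    int *shared = mmap(NULL, sizeof *shared, PROT_READ | PROT_WRITE,
                       MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shared == MAP_FAILED)
        return -1;
    *shared = 0;

    pid_t pid = fork();
    if (pid < 0) {
        munmap(shared, sizeof *shared);
        return -1;
    }
    if (pid == 0) {
        /* Child: both stores succeed, but only one is visible to the parent. */
        private_var = 42;
        *shared = 42;
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        munmap(shared, sizeof *shared);
        return -1;
    }
    out->private_seen = private_var;   /* still 0: separate address space */
    out->shared_seen = *shared;        /* 42: the page is genuinely shared */
    munmap(shared, sizeof *shared);
    return 0;
}

int main(void)
{
    struct isolation_result r;
    if (run_isolation_probe(&r) != 0) {
        perror("run_isolation_probe");
        return 1;
    }
    printf("private variable as seen by parent: %d\n", r.private_seen);
    printf("shared mapping as seen by parent:   %d\n", r.shared_seen);
    return 0;
}
```

The parent holds the very same numeric address for private_var that the child wrote through, and still reads 0; that is exactly what the original poster saw in the debugger. The shared page is the one place where a write in one process is observable from the other without a cross-process read such as ReadProcessMemory.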
Quote:
Original post by Nypyren
There's no EASIER way than ReadProcessMemory.

You could also:

- Redirect stdout (it sounds like you're already doing this)
- Named pipes
- Memory mapped file (recommended if you have the source code for both programs)
- Windows messages
- Sockets
- Code Injection (last resort if you don't have the source code for one program)
Command line arguments and environment variables can also come in handy if you just want to pass on a couple of settings.

But can ReadProcessMemory read the process' stack itself?
I'm trying to read the return address of the method,
so I'm getting the frame pointer and reading the value of the return value.
As far as I understand I'm supposed to get a value equal to m_stackframe.AddrReturn.Offset, but:

1. If I add the Esp to the frame pointer address - ReadProcessMemory returns false.
2. If I simply use the address frame offset - I get a wrong value.


// Fragment from a member function: m_processInfo, m_threadInfo, m_stackframe and
// m_threadContext are class members. Needs <windows.h> and <dbghelp.h> and links
// against dbghelp.lib.

// Reading the top method in the stack.
bool ok = StackWalk64(IMAGE_FILE_MACHINE_I386, m_processInfo.Handle, m_threadInfo.Handle,
                      &m_stackframe, &m_threadContext,
                      0, SymFunctionTableAccess64, SymGetModuleBase64, 0);

// the Esp register is the base address of the stack, right?
DWORD baseAddressOfCallstack = m_threadContext.Esp;
// Getting the absolute address by adding the ESP to the stack frame address.
DWORD absoluteAddressInCallstack = m_stackframe.AddrFrame.Offset + baseAddressOfCallstack;
// Converting it to a pointer.
DWORD* addressInCallStack = (DWORD*)absoluteAddressInCallstack;
DWORD val = 0;
SIZE_T bytesRead = 0;
// and trying to read it from the process...
ok = ReadProcessMemory(m_processInfo.Handle, addressInCallStack, (void*)&val, sizeof(DWORD), &bytesRead);

can anybody tell me what's wrong with it?
thanks :)

Quote:
Original post by no such user
AddrFrame.Offset doesn't mean what you think it means. It actually is the frame pointer address. It's not an offset into the stack.


Ok, so in order to read the return address directly from the stack:

// AddrFrame.Offset is a DWORD64, so it has to be cast to a pointer for the lpBaseAddress argument.
ReadProcessMemory(m_processInfo.Handle, (LPCVOID)(ULONG_PTR)m_stackframe.AddrFrame.Offset, (void*)&val, sizeof(DWORD), &bytesRead);

should work, right?
because according to Wikipedia (http://en.wikipedia.org/wiki/Call_stack)
the return address is just above the frame pointer... :)

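The last two posts turn on what a frame pointer actually is: an absolute stack address, not an offset from ESP, with the caller's saved frame pointer stored at that address and the return address in the slot immediately above it. The following C program is an added example, not code from this thread; it checks that layout inside a single process on GCC/Clang by reading the slot above __builtin_frame_address(0) and comparing it with __builtin_return_address(0). The function, struct and macro names are its own; it assumes a conventional EBP/RBP frame (or an AArch64 frame record), which the attributes below ask the compiler to keep.

```c
#include <stdint.h>
#include <stdio.h>

/* Frame layout assumed here (x86 EBP frames, x86-64 RBP frames, AArch64 frame
 * records): slot [fp] holds the caller's saved frame pointer and slot [fp + 1]
 * holds the return address. The frame pointer is therefore an absolute stack
 * address, and the return address lives one pointer-sized slot above it. */

struct frame_probe {
    uintptr_t frame_ptr;        /* absolute address of this frame's base */
    uintptr_t ret_from_frame;   /* read from memory at frame_ptr + sizeof(void *) */
    uintptr_t ret_from_builtin; /* the compiler's own notion of the return address */
};

/* Keep a real frame pointer in the probe even when optimising. Clang already
 * does this for any function that takes its frame address. */
#if defined(__clang__)
#  define KEEP_FRAME __attribute__((noinline))
#else
#  define KEEP_FRAME __attribute__((noinline, optimize("no-omit-frame-pointer")))
#endif

/* Called from probe_frame so that probe_frame is not a leaf function; some
 * targets drop the frame record in leaf functions even with frame pointers on. */
__attribute__((noinline)) static void touch(volatile int *x) { *x += 1; }

/* Reads the return address straight out of the stack frame, the way a debugger
 * would read it at (frame pointer + one slot), and records what the compiler
 * reports for comparison. */
KEEP_FRAME struct frame_probe probe_frame(void)
{
    struct frame_probe p;
    volatile int sink = 0;
    void **fp = (void **)__builtin_frame_address(0);   /* this frame's base */

    p.frame_ptr = (uintptr_t)fp;
    p.ret_from_frame = (uintptr_t)fp[1];              /* slot above the saved fp */
    p.ret_from_builtin = (uintptr_t)__builtin_return_address(0);
    touch(&sink);
    return p;
}

/* 1 if reading [fp + 1] yields the same return address the compiler knows. */
int frame_layout_holds(void)
{
    struct frame_probe p = probe_frame();
    return p.frame_ptr != 0 && p.ret_from_frame == p.ret_from_builtin;
}

int main(void)
{
    struct frame_probe p = probe_frame();
    printf("frame pointer (absolute address): %#lx\n", (unsigned long)p.frame_ptr);
    printf("return address read from [fp+1]:  %#lx\n", (unsigned long)p.ret_from_frame);
    printf("return address per the compiler:  %#lx\n", (unsigned long)p.ret_from_builtin);
    printf("layout holds: %s\n", frame_layout_holds() ? "yes" : "no");
    return frame_layout_holds() ? 0 : 1;
}
```

Mapping this back to the thread: on x86, StackWalk64 reports that absolute frame pointer in AddrFrame.Offset, so the slot a debugger would read out of process is AddrFrame.Offset + 4, not AddrFrame.Offset itself (which holds the saved EBP) and not AddrFrame.Offset + Esp. That only holds for code compiled with standard EBP frames; StackWalk64 already handles frame-pointer-omitted functions, which is why AddrReturn.Offset is the dependable source of the return address, as the other poster said.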
Quote:
Original post by no such user
Why would you read the return value from the stack? It's returned as one of the entries of the STACKFRAME64.


I know. That's how I know I'm not getting the right result...
I'm trying to do something a bit weird. I don't want to call StackWalk too many times, and I think I'll need to read this value later. :)
