1

I am trying to read an address of a process which should be the number 20. I determined this address was located at the dll base offset + a number with an offset of 10. I am using

ReadProcessMemory(phandle, (void*)address, &number, sizeof(number), 0);

to read a specific address. My question is how do I correctly search for the address located at "57B86F68" + the 10 offset?

9
  • Remember, unless you disabled it, you probably have to deal with ASLR. en.wikipedia.org/wiki/Address_space_layout_randomization Commented Aug 24, 2016 at 1:49
  • This is a bit confusing. Are you looking for the address 0x57b86f68 + 10 or are you looking for the address (or some other kind of value) stored at that location? Either way, you shouldn't need to search for anything. Commented Aug 24, 2016 at 2:05
  • @drescherjm, I made sure to grab the base address through code so that isn't a problem as far as I am aware of. Commented Aug 24, 2016 at 2:52
  • @molbdnilo sorry for the confusion, so there is a static pointer at a certain location. I found this location; it points to an address, and that address with the offset of 10 is the value I am looking to read. I am unsure of how I can do this though. For example, I am reading address a, which points to b. I am then trying to get the value of b + 10; would there be a simple way to do this? Commented Aug 24, 2016 at 2:56
  • 1
    @Jack After the call to ReadProcessMemory, call GetLastError to get more information about the reason for the ReadProcessMemory failure. Check your OpenProcess flags; PROCESS_VM_READ should also be there. Commented Aug 24, 2016 at 5:39

1 Answer 1

2

You can read the data from the handle if your phandle is a process handle with PROCESS_VM_READ access granted:

ReadProcessMemory(phandle, (void*)(0x57B86F68 + 0x10), &number, sizeof(number), 0);

To get proper access rights for the process handle check your OpenProcess flags, PROCESS_VM_READ should be there.

If it is still not working, things are much more complex. You should translate your virtual address to a physical address and after that get direct access to the memory via kernel mode.
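The question actually describes a two-step read (a static location holds a pointer, and the wanted value sits at that pointer plus 0x10), which the single ReadProcessMemory call above does not cover. The following is an added example, not code from the asker or the answerer: it reads the pointer first, then the value at pointer + offset, checking the return value and the byte count each time. The mem_reader abstraction, the fake_target structure and the demo image layout (static pointer at 0x57B86F68, value 20 at 0x57B87010) are constructed for illustration so the logic can be exercised without a second process; the real ReadProcessMemory path is compiled only on Windows. It assumes a little-endian (x86) target and that the target stores 4-byte pointers, as the 32-bit address in the question suggests.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Reader callback: fetch `len` bytes at virtual address `addr` in some target.
 * Returns true only when every requested byte was read. Assumption for this
 * example: the same logic is run against a real process on Windows and
 * against an in-process byte image elsewhere. */
typedef bool (*mem_reader)(void *ctx, uintptr_t addr, void *out, size_t len);

#ifdef _WIN32
/* Real reader: wraps ReadProcessMemory and reports GetLastError on failure.
 * `ctx` is a HANDLE opened with at least PROCESS_VM_READ. */
static bool rpm_reader(void *ctx, uintptr_t addr, void *out, size_t len)
{
    HANDLE h = (HANDLE)ctx;
    SIZE_T got = 0;
    if (!ReadProcessMemory(h, (LPCVOID)addr, out, len, &got)) {
        fprintf(stderr, "ReadProcessMemory(%p) failed: %lu\n",
                (void *)addr, (unsigned long)GetLastError());
        return false;
    }
    return got == len;   /* a short read is treated as a failure */
}
#endif

/* Constructed stand-in for a remote process: a byte image that pretends to
 * be mapped at `base`. Reads outside the image fail, like an unmapped page. */
typedef struct {
    uintptr_t base;
    unsigned char *image;
    size_t size;
} fake_target;

static bool fake_reader(void *ctx, uintptr_t addr, void *out, size_t len)
{
    const fake_target *t = (const fake_target *)ctx;
    if (addr < t->base || addr - t->base > t->size ||
        len > t->size - (addr - t->base))
        return false;
    memcpy(out, t->image + (addr - t->base), len);
    return true;
}

/* Step 1: read the pointer stored at `static_addr` (ptr_size is 4 for a
 * 32-bit target, 8 for a 64-bit one). Step 2: read a 32-bit value at
 * pointer + offset. A null pointer or any failed read yields false. */
static bool read_ptr_offset(mem_reader rd, void *ctx, uintptr_t static_addr,
                            size_t ptr_size, uintptr_t offset, int32_t *value)
{
    uint64_t ptr = 0;   /* little-endian host assumed: low bytes are filled */
    if (ptr_size != 4 && ptr_size != 8)
        return false;
    if (!rd(ctx, static_addr, &ptr, ptr_size))
        return false;
    if (ptr == 0)
        return false;   /* pointer not initialised yet in the target */
    return rd(ctx, (uintptr_t)ptr + offset, value, sizeof *value);
}

/* Demo image: 32 KB pretending to live at 0x57B80000. The static pointer at
 * 0x57B86F68 holds 0x57B87000, and the value 20 is stored at 0x57B87010. */
static unsigned char demo_image[0x8000];

static fake_target make_demo_target(void)
{
    fake_target t = { 0x57B80000u, demo_image, sizeof demo_image };
    uint32_t p = 0x57B87000u;   /* 4-byte pointer, as in a 32-bit target */
    int32_t v = 20;             /* the value the question is after */
    memset(demo_image, 0, sizeof demo_image);
    memcpy(demo_image + 0x6F68, &p, sizeof p);
    memcpy(demo_image + 0x7000 + 0x10, &v, sizeof v);
    return t;
}

int main(int argc, char **argv)
{
    int32_t value = 0;
#ifdef _WIN32
    /* Real use: pass the target PID; the handle needs PROCESS_VM_READ. */
    if (argc > 1) {
        HANDLE h = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION,
                               FALSE, (DWORD)strtoul(argv[1], NULL, 10));
        if (!h) { fprintf(stderr, "OpenProcess: %lu\n", (unsigned long)GetLastError()); return 1; }
        bool ok = read_ptr_offset(rpm_reader, h, 0x57B86F68u, 4, 0x10, &value);
        CloseHandle(h);
        printf("%s value=%d\n", ok ? "ok" : "failed", value);
        return ok ? 0 : 1;
    }
#endif
    (void)argc; (void)argv;
    fake_target t = make_demo_target();
    bool ok = read_ptr_offset(fake_reader, &t, 0x57B86F68u, 4, 0x10, &value);
    printf("%s value=%d\n", ok ? "ok" : "failed", value);
    return ok ? 0 : 1;
}
```

Passing the static address alone (0x57B86F68 + 0x10, as in the answer) reads bytes next to the pointer, not the value it points to; the pointer has to be dereferenced by a second read, and both reads should be checked, since a failed first read leaves `ptr` at zero and would otherwise send the second read to a bogus address.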
