Problem description
I'm having some problems implementing an algorithm to read a foreign process' memory. Here is the main code:
    System.Diagnostics.Process.EnterDebugMode();
    IntPtr retValue = WinApi.OpenProcess((int)WinApi.OpenProcess_Access.VMRead | (int)WinApi.OpenProcess_Access.QueryInformation, 0, (uint)_proc.Id);
    _procHandle = retValue;
    // 0x1000 == MEM_COMMIT: keep only committed regions
    WinApi.MEMORY_BASIC_INFORMATION[] mbia = getMemoryBasicInformation().Where(p => p.State == 0x1000).ToArray();
    foreach (WinApi.MEMORY_BASIC_INFORMATION mbi in mbia) {
        byte[] buffer = Read((IntPtr)mbi.BaseAddress, mbi.RegionSize);
        foreach (IntPtr addr in ByteSearcher.FindInBuffer(buffer, toFind, (IntPtr)0, mbi.RegionSize, increment)) {
            yield return addr;
        }
    }
Read() ... method
    if (!WinApi.ReadProcessMemory(_procHandle, address, buffer, size, out numberBytesRead)) {
        throw new MemoryReaderException(
            string.Format(
                "There was an error with ReadProcessMemory()\nGetLastError() = {0}",
                WinApi.GetLastError()
            ));
    }
Although generally it seems to work correctly, the problem is that for some memory values ReadProcessMemory is returning false, and GetLastError is returning 299. From what I've googled, it seems to happen on Vista because some params of OpenProcess were updated. Does anyone know what this is about? And what values should I try? Notice that as they changed, I wouldn't want to know if it's VM_READ or so, I want to know exactly what the values are.
Edit: Maybe it has something to do with not calling VirtualProtect()/VirtualProtectEx()? As seen on this SO URL: WriteProcessMemory/ReadProcessMemory fail
Edit2: That was it! ^^ That is the solution, calling VirtualProtectEx() first and ReadProcessMemory() after!
Recommended answer
C:\Debuggers>kd -z C:\Windows\notepad.exe
0:000> !error 0n299
Error code: (Win32) 0x12b (299) - Only part of a ReadProcessMemory
or WriteProcessMemory request was completed.
This means you tried to read a block that was partially unmapped addresses (i.e. if the app itself did this, it'd AV)
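The partial-copy case described in the answer can also be handled without touching the target's page protections. The following is an added example, not code from the question or the answer: it walks the current process's own address space, skips committed regions marked PAGE_NOACCESS or PAGE_GUARD before reading, and reads the error code with Marshal.GetLastWin32Error(). The RegionReader class, its IsReadable helper and the 1 MiB read cap are illustrative choices, and a 64-bit process is assumed.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

static class RegionReader // hypothetical name, for illustration only
{
    const uint MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;
    const int ERROR_PARTIAL_COPY = 299;

    [StructLayout(LayoutKind.Sequential)]
    struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress, AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State, Protect, Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, IntPtr nSize, out IntPtr lpNumberOfBytesRead);

    // Committed is not enough: PAGE_NOACCESS and PAGE_GUARD pages are committed but unreadable.
    static bool IsReadable(MEMORY_BASIC_INFORMATION m) =>
        m.State == MEM_COMMIT && (m.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0;

    static void Main() // assumes a 64-bit process; walks its own address space
    {
        IntPtr h = Process.GetCurrentProcess().Handle;
        IntPtr len = (IntPtr)Marshal.SizeOf<MEMORY_BASIC_INFORMATION>();
        long addr = 0; int ok = 0, skipped = 0, partial = 0;
        while (VirtualQueryEx(h, (IntPtr)addr, out var m, len) != IntPtr.Zero)
        {
            addr = (long)m.BaseAddress + (long)m.RegionSize; // next region
            if (!IsReadable(m)) { skipped++; continue; }
            var buf = new byte[Math.Min((long)m.RegionSize, 1L << 20)]; // cap each read at 1 MiB
            if (ReadProcessMemory(h, m.BaseAddress, buf, (IntPtr)buf.Length, out IntPtr n)) { ok++; continue; }
            int err = Marshal.GetLastWin32Error(); // saved by SetLastError = true
            if (err != ERROR_PARTIAL_COPY) throw new Win32Exception(err);
            partial++; // e.g. the region changed between the query and the read
        }
        Console.WriteLine($"read={ok} skipped={skipped} partial={partial}");
    }
}
```

In managed code the error value is reliable only when taken from Marshal.GetLastWin32Error() on an import declared with SetLastError = true; a separate P/Invoke call to GetLastError() can return a value overwritten by the runtime.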