My goal is to read large chunks of executable memory from a target app. ReadProcessMemory() sometimes fails, but that is okay; I can still examine the rest of the read bytes that I'm interested in.
I don't modify anything in the target application like values.
My problem is that the target app crashes after a minute or so, or when certain reallocations happen in it.
I went to extremes like reading without VirtualProtectEx() in order not to modify even the security attributes of the said regions of memory.
I'm curious what could cause a target application to crash after reading from its memory, without modifying values or access rights?
Sidenote: The said memory is probably being accessed simultaneously by the target application as well as my application. (From the target app's perspective it is being read, executed and written.)
You can take a look at my code here:
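    UINT64 pageNum = 0;
    BYTE page[4096];
    for (UINT64 i = start; i < end; i += 0x1000)
    {
        // Scan only pages that were read in full; after a failed read the
        // buffer still holds the previous page's bytes.
        if (ReadProcessMemory(qtHandle, (void*)i, page, sizeof(page), &bytesRead)
            && bytesRead == sizeof(page))
        {
            foundCode = findCode(page, pageNum);
            if (foundCode != 0)
            {
                foundCode += start - 11;
                break;
            }
        }
        pageNum++;
    }
    cout << hex << foundCode << endl;
    CloseHandle(qtHandle);
    return 0;
    }

    // Returns the offset of the pattern relative to the first page, or 0 if not found.
    UINT64 findCode(BYTE* pg, UINT64 pageNum)
    {
        // Stop early enough that the whole pattern fits inside the page.
        for (size_t i = 0; i + sizeof(asm2) <= 4096; i++)
        {
            if (findPattern(asm2, sizeof(asm2), pg, i)) { // asm2 is an array of bytes
                return (pageNum * 4096 + i);
            }
        }
        return 0;
    }

    bool findPattern(BYTE* pattern, size_t patternLen, BYTE* page, size_t index)
    {
        // The length is passed in: sizeof(pattern) on a pointer yields the
        // pointer size, not the length of the array.
        for (size_t i = 0; i < patternLen; i++)
        {
            if (page[index + i] != pattern[i])
            {
                return false;
            }
        }
        return true;
    }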
It was the usage of VirtualProtectEx() that caused the problem.
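An added example, not code from the original post: a page-by-page pattern scan that tolerates failed reads and also finds a pattern that straddles two pages, which a strict per-page search misses. It goes slightly beyond the posted code; `PageReader`, `scanPages` and `demoScan` are hypothetical names, and the reader callback stands in for the `ReadProcessMemory` call so the block runs without a target process.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>
#include <vector>

constexpr size_t kPage = 4096;
// Hypothetical stand-in for ReadProcessMemory: fills `out` with one page, false on failure.
using PageReader = std::function<bool(uint64_t addr, uint8_t* out)>;

// Returns the absolute address of the first match in [start, end), or UINT64_MAX if none.
uint64_t scanPages(uint64_t start, uint64_t end,
                   const std::vector<uint8_t>& pat, const PageReader& readPage)
{
    if (pat.empty() || pat.size() > kPage) return UINT64_MAX;
    const size_t tail = pat.size() - 1;      // bytes kept from the previous page
    std::vector<uint8_t> buf(tail + kPage);
    size_t carried = 0;                      // valid carried bytes at the front of buf
    for (uint64_t addr = start; addr < end; addr += kPage) {
        if (!readPage(addr, buf.data() + carried)) {
            carried = 0;                     // unreadable page: no match may span the gap
            continue;
        }
        const size_t len = carried + kPage;
        for (size_t i = 0; i + pat.size() <= len; ++i)
            if (std::memcmp(buf.data() + i, pat.data(), pat.size()) == 0)
                return addr - carried + i;   // buf[0] corresponds to addr - carried
        std::memmove(buf.data(), buf.data() + len - tail, tail);
        carried = tail;
    }
    return UINT64_MAX;
}

// Constructed sample: four zeroed pages, page 1 unreadable, pattern straddling pages 2 and 3.
uint64_t demoScan()
{
    const std::vector<uint8_t> pat = {0xDE, 0xAD, 0xBE, 0xEF};
    std::vector<uint8_t> mem(4 * kPage, 0);
    std::memcpy(mem.data() + 3 * kPage - 2, pat.data(), pat.size());
    const uint64_t base = 0x10000;           // constructed base address
    PageReader reader = [&](uint64_t addr, uint8_t* out) {
        if (addr == base + kPage) return false;   // simulate a failed read
        std::memcpy(out, mem.data() + (addr - base), kPage);
        return true;
    };
    return scanPages(base, base + mem.size(), pat, reader);   // 0x12FFE
}
```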