Get an image of process memory

Question

My goal is to create a method that will take a process handle and return an array of bytes representing that process's memory. Here's what I have:

    [DllImport("Kernel32.dll")]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UInt32 nSize, ref UInt32 lpNumberOfBytesRead);

    public static byte[] MemRead(IntPtr handle, IntPtr address, UInt32 size, ref UInt32 bytes)
    {
        byte[] buffer = new byte[size];
        ReadProcessMemory(handle, address, buffer, size, ref bytes);
        return buffer;
    }

I don't know what to pass to the wrapper method as arguments. I can find a handle and the bytes is an output variable, but what about address and size? Where can I get this data from?

Why do you want to read process' memory? – svick May 20 '11 at 20:34 — svick, May 20 '11 at 20:34

score 0 · Answer 1 · answered May 20 '11 at 20:33

0

Use VirtualQuery to find out if an address has actually been allocated before calling MemRead. Start with zero as the address and 64K as the page size and then simply increment the pointer with 64K on every iteration until you reach the maximum size of memory on your system.

answered May 20 '11 at 20:33

500 - Internal Server Error

26,667
6
57
61

If the system is 64-bit, that would take very long. – svick May 20 '11 at 20:36
Also, `VirtualQuery()` checks, whether the *current process* has some memory allocated, `VirtualQueryEx()` checks address-space of another process. – svick May 20 '11 at 20:39

Get an image of process memory

1 Answers1