Mixing
Are addresses from VMMap readable?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
1
I'm using VMMap to view the address space of a process. In the left corner is the address. I attempted to copy the address and read it from the process.
Here's an example:
I attempted to see if I could read this address with a quick bit of code below. The call to VirtualQueryEx doesn't fail as the response is not 0. But, my problem is State returns a value that indicates the address does not exist and Protect returns PAGE_NOACCESS.
Code:
int pid = 10964;
DWORD_PTR addr = 0x2C1811E0000;
MEMORY_BASIC_INFORMATION data;
HANDLE pHandler = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (pHandler == NULL) {
printf("Could not find process with id: %i", pid);
return -1;
}
int mResult = VirtualQueryEx(pHandler, addr, &data, sizeof(MEMORY_BASIC_INFORMATION));
if (!mResult) {
printf("Could not query virtual memory. Error: %i", GetLastError());
return -1;
}
printf("Base address: %#010xn", data.BaseAddress);
printf("Address state: %#010xn", data.State);
printf("Address protection: %#010xn", data.Protect);
Are the address in VMMap readable or am I doing something wrong?
c winapi sysinternals vmmap
asked Jan 3 at 3:04
BugHunterUKBugHunterUK
3,19721760
add a comment |
1
I'm using VMMap to view the address space of a process. In the left corner is the address. I attempted to copy the address and read it from the process.
Here's an example:
I attempted to see if I could read this address with a quick bit of code below. The call to VirtualQueryEx doesn't fail as the response is not 0. But, my problem is State returns a value that indicates the address does not exist and Protect returns PAGE_NOACCESS.
Code:
int pid = 10964;
DWORD_PTR addr = 0x2C1811E0000;
MEMORY_BASIC_INFORMATION data;
HANDLE pHandler = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (pHandler == NULL) {
printf("Could not find process with id: %i", pid);
return -1;
}
int mResult = VirtualQueryEx(pHandler, addr, &data, sizeof(MEMORY_BASIC_INFORMATION));
if (!mResult) {
printf("Could not query virtual memory. Error: %i", GetLastError());
return -1;
}
printf("Base address: %#010xn", data.BaseAddress);
printf("Address state: %#010xn", data.State);
printf("Address protection: %#010xn", data.Protect);
Are the address in VMMap readable or am I doing something wrong?
c winapi sysinternals vmmap
asked Jan 3 at 3:04
BugHunterUKBugHunterUK
3,19721760
are your code 32bit ?
– RbMm
Jan 3 at 3:29
1
anyway you need%#pformat instead%#010xwhen print pointer (data.BaseAddress). can guess that your code is 32bit on 64bit system (wow64) - this code of course can not correct work with native (64bit) processes.DWORD_PTR addr = 0x2C1811E0000;- in 32 bit will be truncated to0x811e0000and must be compiler warning about this
– RbMm
Jan 3 at 3:40
Are VMMap addresses physical or linear?
– Michael Chourdakis
Jan 3 at 7:03
@Michael - virtual - not physical of course.
– RbMm
Jan 3 at 9:40
@RbMm You're right. I changed to useMEMORY_BASIC_INFORMATION64and targetingx64and all works fine. If you put that as a complete answer I can accept.
– BugHunterUK
Jan 3 at 11:13
add a comment |
1
1
1
I'm using VMMap to view the address space of a process. In the left corner is the address. I attempted to copy the address and read it from the process.
Here's an example:
I attempted to see if I could read this address with a quick bit of code below. The call to VirtualQueryEx doesn't fail as the response is not 0. But, my problem is State returns a value that indicates the address does not exist and Protect returns PAGE_NOACCESS.
Code:
int pid = 10964;
DWORD_PTR addr = 0x2C1811E0000;
MEMORY_BASIC_INFORMATION data;
HANDLE pHandler = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (pHandler == NULL) {
printf("Could not find process with id: %i", pid);
return -1;
}
int mResult = VirtualQueryEx(pHandler, addr, &data, sizeof(MEMORY_BASIC_INFORMATION));
if (!mResult) {
printf("Could not query virtual memory. Error: %i", GetLastError());
return -1;
}
printf("Base address: %#010xn", data.BaseAddress);
printf("Address state: %#010xn", data.State);
printf("Address protection: %#010xn", data.Protect);
Are the address in VMMap readable or am I doing something wrong?
c winapi sysinternals vmmap
asked Jan 3 at 3:04
BugHunterUKBugHunterUK
3,19721760
I'm using VMMap to view the address space of a process. In the left corner is the address. I attempted to copy the address and read it from the process.
Here's an example:
I attempted to see if I could read this address with a quick bit of code below. The call to VirtualQueryEx doesn't fail as the response is not 0. But, my problem is State returns a value that indicates the address does not exist and Protect returns PAGE_NOACCESS.
Code:
int pid = 10964;
DWORD_PTR addr = 0x2C1811E0000;
MEMORY_BASIC_INFORMATION data;
HANDLE pHandler = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (pHandler == NULL) {
printf("Could not find process with id: %i", pid);
return -1;
}
int mResult = VirtualQueryEx(pHandler, addr, &data, sizeof(MEMORY_BASIC_INFORMATION));
if (!mResult) {
printf("Could not query virtual memory. Error: %i", GetLastError());
return -1;
}
printf("Base address: %#010xn", data.BaseAddress);
printf("Address state: %#010xn", data.State);
printf("Address protection: %#010xn", data.Protect);
Are the address in VMMap readable or am I doing something wrong?
c winapi sysinternals vmmap
c winapi sysinternals vmmap
asked Jan 3 at 3:04
BugHunterUKBugHunterUK
3,19721760
asked Jan 3 at 3:04
BugHunterUKBugHunterUK
3,19721760
asked Jan 3 at 3:04
BugHunterUKBugHunterUK
3,19721760
asked Jan 3 at 3:04
BugHunterUKBugHunterUK
3,19721760
asked Jan 3 at 3:04
BugHunterUKBugHunterUK
3,19721760
3,19721760
are your code 32bit ?
– RbMm
Jan 3 at 3:29
1
anyway you need%#pformat instead%#010xwhen print pointer (data.BaseAddress). can guess that your code is 32bit on 64bit system (wow64) - this code of course can not correct work with native (64bit) processes.DWORD_PTR addr = 0x2C1811E0000;- in 32 bit will be truncated to0x811e0000and must be compiler warning about this
– RbMm
Jan 3 at 3:40
Are VMMap addresses physical or linear?
– Michael Chourdakis
Jan 3 at 7:03
@Michael - virtual - not physical of course.
– RbMm
Jan 3 at 9:40
@RbMm You're right. I changed to useMEMORY_BASIC_INFORMATION64and targetingx64and all works fine. If you put that as a complete answer I can accept.
– BugHunterUK
Jan 3 at 11:13
add a comment |
are your code 32bit ?
– RbMm
Jan 3 at 3:29
1
anyway you need%#pformat instead%#010xwhen print pointer (data.BaseAddress). can guess that your code is 32bit on 64bit system (wow64) - this code of course can not correct work with native (64bit) processes.DWORD_PTR addr = 0x2C1811E0000;- in 32 bit will be truncated to0x811e0000and must be compiler warning about this
– RbMm
Jan 3 at 3:40
Are VMMap addresses physical or linear?
– Michael Chourdakis
Jan 3 at 7:03
@Michael - virtual - not physical of course.
– RbMm
Jan 3 at 9:40
@RbMm You're right. I changed to useMEMORY_BASIC_INFORMATION64and targetingx64and all works fine. If you put that as a complete answer I can accept.
– BugHunterUK
Jan 3 at 11:13
are your code 32bit ?
– RbMm
Jan 3 at 3:29
are your code 32bit ?
– RbMm
Jan 3 at 3:29
1
1
anyway you need
%#p format instead %#010x when print pointer (data.BaseAddress). can guess that your code is 32bit on 64bit system (wow64) - this code of course can not correct work with native (64bit) processes. DWORD_PTR addr = 0x2C1811E0000; - in 32 bit will be truncated to 0x811e0000 and must be compiler warning about this– RbMm
Jan 3 at 3:40
anyway you need
%#p format instead %#010x when print pointer (data.BaseAddress). can guess that your code is 32bit on 64bit system (wow64) - this code of course can not correct work with native (64bit) processes. DWORD_PTR addr = 0x2C1811E0000; - in 32 bit will be truncated to 0x811e0000 and must be compiler warning about this– RbMm
Jan 3 at 3:40
Are VMMap addresses physical or linear?
– Michael Chourdakis
Jan 3 at 7:03
Are VMMap addresses physical or linear?
– Michael Chourdakis
Jan 3 at 7:03
@Michael - virtual - not physical of course.
– RbMm
Jan 3 at 9:40
@Michael - virtual - not physical of course.
– RbMm
Jan 3 at 9:40
@RbMm You're right. I changed to use
MEMORY_BASIC_INFORMATION64 and targeting x64 and all works fine. If you put that as a complete answer I can accept.– BugHunterUK
Jan 3 at 11:13
@RbMm You're right. I changed to use
MEMORY_BASIC_INFORMATION64 and targeting x64 and all works fine. If you put that as a complete answer I can accept.– BugHunterUK
Jan 3 at 11:13
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54015802%2fare-addresses-from-vmmap-readable%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
draft saved
draft discarded
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54015802%2fare-addresses-from-vmmap-readable%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
are your code 32bit ?
– RbMm
Jan 3 at 3:29
1
anyway you need
%#pformat instead%#010xwhen print pointer (data.BaseAddress). can guess that your code is 32bit on 64bit system (wow64) - this code of course can not correct work with native (64bit) processes.DWORD_PTR addr = 0x2C1811E0000;- in 32 bit will be truncated to0x811e0000and must be compiler warning about this– RbMm
Jan 3 at 3:40
Are VMMap addresses physical or linear?
– Michael Chourdakis
Jan 3 at 7:03
@Michael - virtual - not physical of course.
– RbMm
Jan 3 at 9:40
@RbMm You're right. I changed to use
MEMORY_BASIC_INFORMATION64and targetingx64and all works fine. If you put that as a complete answer I can accept.– BugHunterUK
Jan 3 at 11:13