Scanning process memory causes crash

Submitted by 无人久伴 on 2019-12-06 15:23:09

Question


I have injected my DLL into a process and I try to scan memory for addresses with the same value as mine, but it results in a crash after I get the 1st address; it should be 10 addresses.

for(DWORD i = MEM_START; i< MEM_END ;i++)
{
    VirtualQuery((void*)i,pMemInfo,sizeof(MEMORY_BASIC_INFORMATION));
    if(pMemInfo->AllocationProtect == PAGE_READONLY || PAGE_EXECUTE_WRITECOPY || PAGE_READWRITE || PAGE_WRITECOMBINE)
    {
        if(*(DWORD*)i==1337)
        {
           addresses.push_back(i);
        }
    } 
}

I believe my protection check is wrong but not quite sure.


Answer 1:


virtual memory scanner

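MEMORY_BASIC_INFORMATION mbi = {0};
unsigned char *pAddress   = NULL,
              *pEndRegion = NULL;

DWORD   dwFindData          = 0xBAADF00D,
        dwProtectionMask    = PAGE_READONLY | PAGE_EXECUTE_WRITECOPY 
                              | PAGE_READWRITE | PAGE_WRITECOMBINE;

// Walk the address space one region at a time; VirtualQuery returns 0
// once the address is past the last region.
while( sizeof(mbi) == VirtualQuery(pEndRegion, &mbi, sizeof(mbi)) ){
    pAddress = pEndRegion;
    pEndRegion += mbi.RegionSize;
    // Check the current protection (Protect), not the protection the
    // allocation started with, and skip guard / no-access pages:
    // reading those raises an exception.
    if ((mbi.State & MEM_COMMIT) && (mbi.Protect & dwProtectionMask)
            && !(mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS))){
         // Compare a whole DWORD (a single byte can never equal 0xBAADF00D)
         // and stop before the read would run past the end of the region.
         for (; pAddress + sizeof(DWORD) <= pEndRegion; pAddress++){
             if (*(DWORD*)pAddress == dwFindData){
                 // do stuff
             }
         }
    }
}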



Answer 2:


Yes, several mistakes. You'll need to use the | operator instead of ||. The value of i is not meaningful, you must use MEMORY_BASIC_INFORMATION.AllocationBase to find where a region begins. And .RegionSize to know how big it is. The next value you pass to VirtualQuery should be .AllocationBase + .RegionSize to find the next region.




Answer 3:


That's not how the || operator works. You may find it more readable to use a switch statement instead.

for (DWORD i = MEM_START; i < MEM_END ;i++)
{
    VirtualQuery((void*)i, pMemInfo, sizeof(MEMORY_BASIC_INFORMATION));
    switch (pMemInfo->AllocationProtect)
    {
    case PAGE_READONLY:
    case PAGE_EXECUTE_WRITECOPY:
    case PAGE_READWRITE:
    case PAGE_WRITECOMBINE:
        if(*(DWORD*)i==1337)
        {
           addresses.push_back(i);
        }
    } 
}
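
Added example (not part of the original question or answers): a portable C simulation of why the question's check passes every page and how a region-by-region walk avoids the faulting read. The `region_t` table, `memory` buffer and all function names are hypothetical stand-ins for what `VirtualQuery` reports; the constants carry their winnt.h values, and the guard/no-access test goes beyond what the answers state.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Values from winnt.h, redefined so the example builds on any platform. */
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD             0x100
#define PAGE_WRITECOMBINE      0x400
#define MEM_COMMIT             0x1000
#define MEM_RESERVE            0x2000
typedef struct { size_t base, size; uint32_t state, protect; } region_t; /* hypothetical */

/* Parses as (protect == PAGE_READONLY) || 0x80 || ...: true for every page. */
int buggy_check(uint32_t protect) {
    return protect == PAGE_READONLY || PAGE_EXECUTE_WRITECOPY || PAGE_READWRITE || PAGE_WRITECOMBINE;
}
/* Committed, one of the wanted protections, and neither guard nor no-access. */
int safe_to_read(const region_t *r) {
    uint32_t want = PAGE_READONLY | PAGE_EXECUTE_WRITECOPY | PAGE_READWRITE | PAGE_WRITECOMBINE;
    return (r->state & MEM_COMMIT) && (r->protect & want)
        && !(r->protect & (PAGE_GUARD | PAGE_NOACCESS));
}
/* Constructed sample: a 64-byte fake address space split into four regions. */
static uint8_t memory[64];
static const region_t regions[] = {
    {  0, 16, MEM_RESERVE, 0 },                           /* reserved only */
    { 16, 16, MEM_COMMIT,  PAGE_READWRITE },
    { 32, 16, MEM_COMMIT,  PAGE_READWRITE | PAGE_GUARD }, /* read would fault */
    { 48, 16, MEM_COMMIT,  PAGE_READONLY },
};
/* Put the value 1337 at offset 4 of every region, readable or not. */
void fill_sample(void) {
    const uint32_t v = 1337;
    for (size_t a = 4; a < sizeof memory; a += 16) memcpy(memory + a, &v, sizeof v);
}
/* Walk region by region; store matching offsets in out[] and return the count. */
size_t scan(uint32_t needle, size_t *out, size_t cap) {
    size_t hits = 0;
    for (const region_t *r = regions; r < regions + sizeof regions / sizeof *regions; r++) {
        if (!safe_to_read(r)) continue;          /* skip the whole region */
        for (size_t a = r->base; a + sizeof needle <= r->base + r->size; a++) {
            uint32_t v;
            memcpy(&v, memory + a, sizeof v);    /* no unaligned dereference */
            if (v == needle && hits < cap) out[hits++] = a;
        }
    }
    return hits;
}
```

Calling `fill_sample()` and then `scan(1337, out, 8)` reports only the offsets in the two readable regions, while `buggy_check` accepts every protection value, including the guard page.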


Source: https://stackoverflow.com/questions/14130961/scanning-process-memory-causes-crash
