Reading process memory (FFI)

Hi, I want to read the specified address of memory from a selected process.

I find the process id using its name without any problem and generate a handler to work with it.

But when I want to read memory using ReadProcessMemory
https://retep998.github.io/doc/kernel32/fn.ReadProcessMemory.html

I receive a 998 error and a random address.

Here's my code. Does anyone know what could be happening?

https://gist.github.com/h3ku/4823f6ffa15b3cc392a23ba3977bbec1

1 Like

    pub fn read_address(self, addres: &str) -> u64 {
        let num = unsafe{mem::uninitialized()};
        let addr = u64::from_str_radix(&addres[2..], 16).unwrap();  
        let test = unsafe{kernel32::ReadProcessMemory(self.handler, addr as *mut os::raw::c_void, num, u64::max_value(), 0 as *mut u64)};

        return num as u64;
    }

Your call to ReadProcessMemory tries to read 2^64 - 1 (u64::max_value()) bytes into a memory location pointed to by an uninitialized pointer.

Try something like this (untested):

    use std::mem;
    use std::ptr;

    pub fn read_address(self, address: &str) -> u64 {
        // Zero-initialized so a failed call cannot return stack garbage.
        let mut num: u64 = 0;
        let addr = u64::from_str_radix(&address[2..], 16).unwrap();
        let test = unsafe {
            kernel32::ReadProcessMemory(self.handler,
                                        addr as *const _,
                                        &mut num as *mut _ as *mut _,
                                        mem::size_of::<u64>() as winapi::SIZE_T,
                                        ptr::null_mut())
        };
        // You should check the value of `test`: ReadProcessMemory returns 0 on failure.

        num
    }

You can also have a look at how minject-rs does it. (See RemoteMemory at the top.)

2 Likes
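An added example, not code from the thread or from minject-rs: a checked version of the read that fails instead of returning garbage when the call fails or the address string is malformed. So that it runs offline, the OS call is passed in as a function pointer with the same parameters as ReadProcessMemory minus the process handle; `RawRead`, `ReadError`, `parse_address`, `read_u64` and the stand-in `local_read` are hypothetical names.

```rust
use std::ffi::c_void;
use std::mem::{size_of, MaybeUninit};

// Hypothetical type: ReadProcessMemory's parameters minus the process handle.
// As with the Win32 BOOL, a zero return means the call failed.
pub type RawRead = unsafe fn(*const c_void, *mut c_void, usize, *mut usize) -> i32;

#[derive(Debug, PartialEq)]
pub enum ReadError { BadAddress, CallFailed, ShortRead(usize) }

// Parse "0x..." without panicking on short or malformed input.
pub fn parse_address(s: &str) -> Result<usize, ReadError> {
    let hex = s.strip_prefix("0x").ok_or(ReadError::BadAddress)?;
    usize::from_str_radix(hex, 16).map_err(|_| ReadError::BadAddress)
}

// Read one u64: the destination is real storage and the size is exactly 8 bytes.
pub fn read_u64(raw: RawRead, addr: usize) -> Result<u64, ReadError> {
    let mut buf = MaybeUninit::<u64>::uninit();
    let mut got: usize = 0;
    let dst = buf.as_mut_ptr() as *mut c_void;
    let ok = unsafe { raw(addr as *const c_void, dst, size_of::<u64>(), &mut got) };
    if ok == 0 {
        return Err(ReadError::CallFailed);
    }
    if got != size_of::<u64>() {
        return Err(ReadError::ShortRead(got));
    }
    // Only now is every byte of `buf` known to be written.
    Ok(unsafe { buf.assume_init() })
}

// Constructed stand-in for the OS call: copies from this process, rejects null.
unsafe fn local_read(src: *const c_void, dst: *mut c_void, n: usize, got: *mut usize) -> i32 {
    if src.is_null() {
        return 0;
    }
    unsafe { std::ptr::copy_nonoverlapping(src as *const u8, dst as *mut u8, n) };
    unsafe { *got = n };
    1
}

fn main() {
    let sample: u64 = 0x1122_3344_5566_7788; // constructed value to read back
    let text = format!("{:#x}", &sample as *const u64 as usize);
    println!("{:?}", parse_address(&text).and_then(|a| read_u64(local_read, a)));
}
```

On Windows, the function passed as `raw` would be a thin wrapper that forwards to `kernel32::ReadProcessMemory` with the process handle.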

THANKS!!!

This works perfectly.