Get process memory image

Question

Get process memory image

My goal is to create a method that takes a process descriptor and returns an array of bytes representing this process memory. Here is what I have:

    [DllImport("Kernel32.dll")]
    public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UInt32 nSize, ref UInt32 lpNumberOfBytesRead);

    public static byte[] MemRead(IntPtr handle, IntPtr address, UInt32 size, ref UInt32 bytes)
    {
        byte[] buffer = new byte[size];
        ReadProcessMemory(handle, address, buffer, size, ref bytes);
        return buffer;
    }

I do not know what to pass to the method wrappers as arguments. I can find handle, and bytesis the output variable, but what about addressand size? Where can I get this data?

+3

c #

Hui May 20, '11 at 20:19

source share

1 answer

500 - Internal Server Error · Answer 1 · 2011-05-20T20:33:35+0000

Use VirtualQuery to find out if the address was actually allocated before calling MemRead. Start from scratch as the address and 64K as the page size, and then simply increase the pointer to 64K at each iteration until you reach the maximum amount of memory on your system.

Get process memory image

More articles: