Home/ Questions/Q 3599978
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T20:26:11+00:00

From ReadProcessMemory in MSDN: lpBaseAddress [in] : A pointer to the base address in

  • 0

From ReadProcessMemory in MSDN:

lpBaseAddress [in]:
A pointer to the base address in the specified process from which to read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access, and if it is not accessible the function fails.

nSize [in]:
The number of bytes to be read from the specified process.

lpNumberOfBytesRead [out]
A pointer to a variable that receives the number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.

So.. ReadProcessMemory can only completely succeed or completely fail. And the size is obviously known to the caller — had to pass it in to make the call. Why have the lpNumberOfBytesRead?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    From winerror.h:

    //
// MessageId: ERROR_PARTIAL_COPY
//
// MessageText:
//
//  Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
//
#define ERROR_PARTIAL_COPY               299L

    ReadProcessMemory would return FALSE and GetLastError would return ERROR_PARTIAL_COPY when the copy hits a page fault. This is a common scenario in dumpers, which have to work on a potentially corrupted process so they can’t be sure if the requested area is valid or not (the pointer they chased to get the start address could be corrupted and point to la-la-land), but they would still like to copy as much as possible into the dump.

    • 0