Home/ Questions/Q 9152335
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T12:01:03+00:00

I’m experiencing some extremely weird behavior when calling ReadProcessMemory in C# through this P/Invoke

  • 0

I’m experiencing some extremely weird behavior when calling ReadProcessMemory in C# through this P/Invoke signature:

[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool ReadProcessMemory(
    IntPtr hProcess,
    IntPtr lpBaseAddress,
    [Out] byte[] lpBuffer,
    int dwSize,
    out int lpNumberOfBytesRead
    );

In my application I’m scanning the entire memory of memory regions that have read and write access (and some more filters applied, that’s another part though).

The code in the scanning part is something like this:

int numberOfBytes;
if (!NativeMethods.ReadProcessMemory(handle, region.StartAddress,
    buffer, (int)region.RegionSize, out numberOfBytes))
// The handle, region (custom struct containing some fields from the
// MEMORY_BASIC_INFORMATION struct), and buffer come from parameters.

And the code works perfectly. It scans the entire memory for a sequence of bytes. No problems there.

A bit further in my program’s flow I have this code:
Note: it’s using the same handle IntPtr as the previous code (checked it) and it runs in the same thread

int bytesRead;
byte[] buffer = new byte[128]; // In my real app this is some calculated value
                            // however that irrelevant. It's calculated 128.
if (!NativeMethods.ReadProcessMemory(handle, location.Location,
    buffer, buffer.Length, out bytesRead))
    continue; // Error while reading
// At this point buffer == null, so the next line causes an exception
if (bytesRead != buffer.Length) continue;

The code is very much alike, but for some reason the reference to buffer is lost and buffer is set to null. If it wouldn’t be an external call I’d be 100% sure it’s a bug, because buffer isn’t passed as a ref or out parameter. However I know .NET does some vodoo stuff when it comes to external calls (marshaling for example).

What makes the situation even weirder is that when I replace that code with:

int bytesRead;
byte[] buffer = new byte[128];
byte[] bufferRef = buffer;
if (!NativeMethods.ReadProcessMemory(handle, location.Location,
    buffer, buffer.Length, out bytesRead))
    continue; // Error while reading
buffer = bufferRef;
if (bytesRead != buffer.Length) continue;

The code simply works. Memory read and all! So all that happens is that for some reason the buffer variable loses it’s reference to the actual buffer. And it confuses the hell out of me.

Is this behavior a result of something I did wrong (such as a faulty P/Invoke), is it dangerous (leaking memory?), and explainable?

My configuration:

  • .NET Framework 4.0
  • Visual Studio Professional 2012 (Version 11.0.51106.01 Update 1)
  • Installed .NET Framework 4.5.50709
  • Running as administrator
  • Occurs in both release and debug builds, both in the visual studio host executable and the regular build executable.
  • Windows 7 64-bits
  • Process I’m reading memory from is 32-bits
  • Build configuration: Platform: Any CPU

Edit: The complete NativeMethods class I’m using can be found here: http://paste2.org/p/2770271

Edit2: I added the simple steps I followed to fix the problem as an answer which can be found here.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Probably since you are a 64-bit app, your lpNumberOfBytesRead should have been “long” and so the call to ReadProcessMemory overwrites (part of your) buffer pointer on return.

    • 0