Recently I’ve put together a C# class that can read and write bytes in another process’s memory using API calls etc., as I’m sure you’ve all seen before.
My question however relates to how I can efficiently scan the memory of another process? I know the basic method of testing each group of 4 bytes until you reach Int32.MaxValue, but I’ve found it is (as you may imagine) incredibly time and resource consuming.
From what I’ve read, there is a way to determine the allocated addresses of a process by doing a “HeapWalk”. Can anyone provide me with some code examples and/or information about this and what would be the best way of going about it?
What you are looking for is the list of memory regions, which is basically a list of pairs of memory address / region size.
What you must do is:
1. Open the process (PID) using OpenProcess.
2. Call the VirtualQueryEx function until you reach the end of the memory space (i.e. while the result of the method is greater than 0).
3. Start VirtualQueryEx with lpAddress as 0x0. This will return a MEMORY_BASIC_INFORMATION structure that contains both BaseAddress and RegionSize properties (this represents a memory space you can read). Then increment the lpAddress parameter with the RegionSize value, so the next call of VirtualQueryEx will return the next region… etc.
4. Google OpenProcess, CloseHandle, VirtualQueryEx and MEMORY_BASIC_INFORMATION so you can find the different P/Invoke declarations to use, so you can call those Win32 functions from C#.
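The region walk described in the answer, written out as an added C# example (this is not code from the question or the answer). It goes one step further than the answer: after enumerating regions with VirtualQueryEx it reads each committed, readable one with ReadProcessMemory and searches it for a byte pattern, which is the scan the question is after. The P/Invoke declarations, constants and the `RegionScanner`/`FindPattern` names are this example's own; it assumes Windows, a scanner built for the same bitness as the target, and a target the caller is allowed to open (same user, or elevated).

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

// Added example, not from the original post. Enumerates the committed, readable
// regions of a target process with VirtualQueryEx and scans them for a pattern,
// so only mapped memory is touched instead of every address up to Int32.MaxValue.
// Assumes Windows and that scanner and target have the same bitness.
public static class RegionScanner
{
    // Access rights required for VirtualQueryEx and ReadProcessMemory.
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint PROCESS_VM_READ = 0x0010;

    const uint MEM_COMMIT = 0x1000;
    const uint PAGE_NOACCESS = 0x01;
    const uint PAGE_GUARD = 0x100;

    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public UIntPtr BaseAddress;
        public UIntPtr AllocationBase;
        public uint AllocationProtect;   // on x64 the runtime pads here, matching the native layout
        public UIntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern UIntPtr VirtualQueryEx(IntPtr hProcess, UIntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, UIntPtr dwLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, UIntPtr lpBaseAddress,
        byte[] lpBuffer, UIntPtr nSize, out UIntPtr lpNumberOfBytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Walks the address space from 0 upward, advancing by RegionSize each time,
    // until VirtualQueryEx returns 0 (end of the user address space).
    public static IEnumerable<MEMORY_BASIC_INFORMATION> EnumerateRegions(IntPtr hProcess)
    {
        var mbiSize = new UIntPtr((uint)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)));
        ulong address = 0;
        while (true)
        {
            if (VirtualQueryEx(hProcess, new UIntPtr(address), out var mbi, mbiSize) == UIntPtr.Zero)
                yield break; // past the last region, or the query was refused
            yield return mbi;
            ulong next = mbi.BaseAddress.ToUInt64() + mbi.RegionSize.ToUInt64();
            if (next <= address) yield break; // guard against wrap-around
            address = next;
        }
    }

    // Only committed pages that are neither PAGE_NOACCESS nor guard pages can be read
    // without faulting or tripping the target's guard-page handling.
    static bool IsReadable(MEMORY_BASIC_INFORMATION mbi) =>
        mbi.State == MEM_COMMIT &&
        (mbi.Protect & PAGE_NOACCESS) == 0 &&
        (mbi.Protect & PAGE_GUARD) == 0;

    // Returns the addresses at which `needle` occurs in the target's readable memory.
    public static List<ulong> FindPattern(int pid, byte[] needle)
    {
        var hits = new List<ulong>();
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (hProcess == IntPtr.Zero)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            foreach (var mbi in EnumerateRegions(hProcess))
            {
                if (!IsReadable(mbi)) continue;
                ulong size = mbi.RegionSize.ToUInt64();
                if (size > int.MaxValue) continue; // keep the demo buffer bounded
                var buffer = new byte[size];
                if (!ReadProcessMemory(hProcess, mbi.BaseAddress, buffer, mbi.RegionSize, out var read))
                    continue; // region may have been freed between the query and the read
                int n = (int)read.ToUInt64();
                for (int i = 0; i + needle.Length <= n; i++)
                {
                    int j = 0;
                    while (j < needle.Length && buffer[i + j] == needle[j]) j++;
                    if (j == needle.Length) hits.Add(mbi.BaseAddress.ToUInt64() + (ulong)i);
                }
            }
        }
        finally
        {
            CloseHandle(hProcess);
        }
        return hits;
    }

    // Usage: scan this process for a constructed marker string it holds itself.
    public static void Main()
    {
        byte[] marker = System.Text.Encoding.ASCII.GetBytes("REGION-SCAN-MARKER-1234");
        int pid = System.Diagnostics.Process.GetCurrentProcess().Id;
        foreach (ulong addr in FindPattern(pid, marker))
            Console.WriteLine("0x{0:X}", addr);
    }
}
```

Two practical notes. Scanning the current process, as `Main` does, will report the `marker` array itself and any region-copy buffers that happened to contain it, so expect more than one hit; against another process you will only see the target's own copies. Opening a process owned by another user, or a protected process, fails at `OpenProcess` with access denied even when elevated, and a region can be freed between the `VirtualQueryEx` call and the `ReadProcessMemory` call, which is why a failed read is skipped rather than treated as fatal.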