ReadProcessMemory + address from ollydbg (page 2)

July 01, 2017

Re: ReadProcessMemory + address from ollydbg

Posted by bauss
in reply to ag0aep6g

Permalink

bauss

Posted in reply to ag0aep6g

Permalink

On Saturday, 1 July 2017 at 00:40:11 UTC, ag0aep6g wrote:
> On 07/01/2017 02:30 AM, bauss wrote:
>> On Saturday, 1 July 2017 at 00:23:36 UTC, ag0aep6g wrote:
>>> On 07/01/2017 01:41 AM, bauss wrote:
> [...]
>>>>    if (!ReadProcessMemory(process,
>>>>      cast(PCVOID)address, cast(PVOID)&data,
>>>
>>> The second cast still looks suspicious. PVOID is void*, right? Then any mutable pointer type should implicitly convert to PVOID and you shouldn't need the cast.
> [...]
>> Well the address is not a pointer. It's DWORD which is uint, so the cast is necessary since it stores the address.
>
> Not that one. The other one. This one: `cast(PVOID)&data`.
>
> I don't expect it to be related to your problem, but it shouldn't be necessary as far as I see.

Yeah, the cast was unnecessary.

So this is my code after the changes:
string ReadWinString(HANDLE process, DWORD address, size_t stringSize, string defaultValue = "") {
  if (!process || !address) {
    return defaultValue;
  }

  SIZE_T bytesRead;
  char[1024] data;

  if (!ReadProcessMemory(process,
    cast(LPCVOID)address, &data,
    stringSize, &bytesRead)) {
    return defaultValue;
  }

  auto s = cast(string)data[0 .. stringSize].idup;

  return s ? s : defaultValue;
}

Results are still garbage data, correct length in bytesRead however.

I tried to pass the address with the main module's base address because I saw some posts online suggesting you might need to do that.

If I do that however I just get error 299 (ERROR_PARTIAL_COPY), so I don't think I needed the base address, but still can't figure out what exactly is wrong with my code and why I can't read the string from the address I give it, when it's a static address. Every time I look with ollydbg the address is the same and ollydbg can find the string just fine.

Forums