I am gathering the best way to do this.
I've seen that each process has its address.
Is the best way to dump a process to use OpenProcess and then the ReadProcessMemory API? Then, in order to know its size, I've seen some PE editors which open the file from the HDD, calculate the size and then dump. Is that the correct way?
Yes, the most reliable way is to gather ImageSize from the file on the HD, the same with ImageBase, as not all applications have it at 400000.
DLLs often will not be loaded at their ImageBase, and it's not guaranteed for EXEs either. A way to get the ImageBase is to do this:
The ImageSize is also in memory (the entire file is in memory, actually), so you can get it from there too. You just can't be sure it hasn't been modified, but most programs don't touch it ;)
.data?
hProcess dd ?        ; handle of the target process, obtained earlier with OpenProcess
ThreadId dd ?
ExitCode dd ?
hThread dd ?
.code
; kernel32 is mapped at the same address in every process, so the address of
; GetModuleHandleA in our process is valid in the target process as well
invoke GetModuleHandle,CTEXT("kernel32")
invoke GetProcAddress,eax,CTEXT("GetModuleHandleA")
; run GetModuleHandleA(NULL) inside the target: its return value is the
; ImageBase of the target's EXE, and it becomes the thread's exit code
invoke CreateRemoteThread,hProcess,0,0,eax,0,0,addr ThreadId
mov hThread,eax
invoke WaitForSingleObject,hThread,INFINITE
invoke GetExitCodeThread,hThread,addr ExitCode   ; ExitCode now holds the ImageBase
invoke CloseHandle,hThread
Well, he said he just wants to dump a process; he didn't mention DLLs :)
In this case, a much cleaner way is to use the toolhelp32 functions, which you can use to retrieve both ImageBase and ImageSize.
Yeah, also CreateRemoteThread isn't supported on 9x.
fsck 9x.
Hi,
thanks for replying!
Well, yeah, I want to dump a process, say Notepad.exe.
All I need is its size.
And once I have the PID and address, all I need to do is
get its pointer to the start of the PE header and start the dump using ReadProcessMemory.
So if I supply the ReadProcessMemory API its address, it will read from that process's own address space?
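An added example, not code from anyone in this thread: once you have the module base (from the file's ImageBase, the remote-thread trick, or toolhelp32), the first page read with ReadProcessMemory at that base contains the same headers as the file on the HD. This parser pulls ImageBase and SizeOfImage out of those headers and also computes the size the section table implies, so a dumper can notice when the SizeOfImage field in memory has been modified, the caveat raised above. It handles PE32+ (64-bit) as well as the PE32 case discussed here, and build_sample_pe32 is a constructed test fixture, not a real binary.

```python
import struct

# Optional-header magic values: PE32 (32-bit) and PE32+ (64-bit).
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def image_layout(hdr: bytes):
    """Parse PE headers (from the file on disk, or the first page read with
    ReadProcessMemory at the module base) and return
    (ImageBase, SizeOfImage, extent), where extent is the size implied by the
    section table: max(VirtualAddress + VirtualSize) rounded up to
    SectionAlignment.  In an untouched image, extent == SizeOfImage."""
    if hdr[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    if hdr[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", hdr, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", hdr, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", hdr, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", hdr, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", hdr, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_align = struct.unpack_from("<I", hdr, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", hdr, opt + 56)[0]
    extent = 0
    for i in range(nsec):                                # IMAGE_SECTION_HEADER * nsec
        vsize, va = struct.unpack_from("<II", hdr, opt + opt_size + i * 40 + 8)
        extent = max(extent, va + vsize)
    extent = -(-extent // sec_align) * sec_align         # round up to SectionAlignment
    return image_base, size_of_image, extent

def build_sample_pe32(image_base, size_of_image, sections, sec_align=0x1000):
    """Constructed minimal PE32 header for offline testing (not a real binary).
    sections is a list of (name, VirtualSize, VirtualAddress)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 28, image_base, sec_align, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0)
                    for n, vs, va in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs
```

When SizeOfImage and extent disagree, dump the larger of the two and flag the header as modified rather than trusting the in-memory field alone.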