I am gathering the best way to do this.
I've seen that each process has its address.
Is the best way to dump a process to use OpenProcess and then the ReadProcessMemory API? And then, in order to know its size, I've seen some PE editors which open the file from the HDD, calculate the size and then dump. Is that the correct way?
Posted on 2003-01-28 02:48:33 by wizzra
Yes, the most reliable way is to gather ImageSize from the file on the HD, and the same with ImageBase, as not all applications have it at 400000.
Posted on 2003-01-28 04:24:13 by DZA
DLLs often will not be loaded at their ImageBase, and it's not guaranteed for EXEs either. A way to get the ImageBase is to do this:

.data?
hProcess dd ?       ; handle to the target, opened earlier with OpenProcess
ThreadId dd ?
ExitCode dd ?
hThread  dd ?

.code
; Resolve GetModuleHandleA from our own kernel32; kernel32 is mapped at the same
; address in the target process, so the pointer is valid there too.
invoke GetModuleHandle,CTEXT("kernel32")
invoke GetProcAddress,eax,CTEXT("GetModuleHandleA")
; Run GetModuleHandleA(NULL) inside the target: its return value, the EXE's
; load address, comes back as the thread's exit code.
invoke CreateRemoteThread,hProcess,0,0,eax,0,0,addr ThreadId
mov hThread,eax
invoke WaitForSingleObject,hThread,INFINITE
invoke GetExitCodeThread,hThread,addr ExitCode   ; ExitCode = ImageBase in the target
invoke CloseHandle,hThread

The ImageSize is also in memory (the entire file is in memory, actually), so you can get it from there too. You just can't be sure it hasn't been modified, but most programs don't touch it ;)
Posted on 2003-01-28 09:15:58 by Qweerdy
Well, he said he just wants to dump a process; he didn't mention DLLs :)
In this case, a much cleaner way is to use the Toolhelp32 functions, which you can use to retrieve both ImageBase and ImageSize.
Posted on 2003-01-28 10:45:47 by DZA
Yeah, also CreateRemoteThread isn't supported on 9x.
Posted on 2003-01-28 12:34:15 by stormix
fsck 9x.
Posted on 2003-01-28 12:39:23 by f0dder
Hi,
thanks for replying!

Well, yeah, I want to dump a process, say Notepad.exe.
All I need is its size.
And once I have the PID and address, all I need to do is
get its pointer to the start of the PE header and start the dump using ReadProcessMemory.

So if I supply the ReadProcessMemory API with its address, will it read from that process's own address space?
Posted on 2003-01-28 15:16:17 by wizzra
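As an added example (not code from anyone in this thread), here is the dump loop the last question describes, in Python: the first page read from the load address is parsed as a PE header to get ImageBase and SizeOfImage (Qweerdy's point that the header is in memory), and the image is then read page by page. The read_mem callback stands in for ReadProcessMemory; the sample PE header and page map are constructed for the demonstration and are not a real binary.

```python
import struct

PAGE = 0x1000

def parse_pe_header(hdr: bytes) -> dict:
    """Read ImageBase and SizeOfImage from the first page of a loaded module."""
    if hdr[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    if hdr[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    opt = e_lfanew + 4 + 20                 # skip PE\0\0 and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", hdr, opt)[0]
    if magic == 0x10B:                      # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", hdr, opt + 28)[0]
    elif magic == 0x20B:                    # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", hdr, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    size_of_image = struct.unpack_from("<I", hdr, opt + 56)[0]
    return {"image_base": image_base, "size_of_image": size_of_image}

def dump_image(read_mem, base: int) -> dict:
    """Dump SizeOfImage bytes from `base` one page at a time. read_mem(addr, size)
    stands in for ReadProcessMemory and returns None for an unreadable page; one big
    read would fail at the first such page, so gaps are zero-filled instead to keep
    the dump's in-memory layout. `relocated` flags a module not at its ImageBase."""
    info = parse_pe_header(read_mem(base, PAGE))
    out = bytearray()
    for off in range(0, info["size_of_image"], PAGE):
        chunk = read_mem(base + off, PAGE)
        out += chunk if chunk is not None else b"\0" * PAGE
    return {"data": bytes(out[:info["size_of_image"]]),
            "relocated": base != info["image_base"]}

def sample_reader(base: int, size_of_image: int, hdr_base: int = None):
    """Constructed sample (not a real binary): a ReadProcessMemory stand-in over a fake
    page map holding a minimal PE32 header; the page at base+0x2000 is left unreadable."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, base if hdr_base is None else hdr_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102) + opt
    pages = {base: bytes(hdr).ljust(PAGE, b"\0"), base + PAGE: b"\xCC" * PAGE}
    return lambda addr, size: pages[addr][:size] if addr in pages else None
```

Because SizeOfImage is taken from the live header, a process that has patched its own header (the caveat raised above) will yield a wrong size; cross-check it against the file on disk or the Toolhelp32 module entry before trusting a dump.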