hi,
can anybody tell me what to use in the VirtualQueryEx api
as the second parameter (lpAddress).
i want to call the basic function to get info on a specific process
and i can't work out what to use as second param, the documentation
says use GetSystemInfo to get the size, but i need the address, not
the size.
thanks.
can anybody tell me what to use in the VirtualQueryEx api
as the second parameter (lpAddress).
i want to call the basic function to get info on a specific process
and i can't work out what to use as second param, the documentation
says use GetSystemInfo to get the size, but i need the address, not
the size.
thanks.
Haven't ever actually used that function myself, but I can tell you that the reference to GetSystemInfo is just telling you that thats where you'll find the page size.
If you want to Query a specific address you actually have to query the page that address is on. Page size is almost certainly 4096 by rounding your address down to the nearest 4096 multiple you get the page adress. Do this by ANDing the address with -4096.
If you want to Query a specific address you actually have to query the page that address is on. Page size is almost certainly 4096 by rounding your address down to the nearest 4096 multiple you get the page adress. Do this by ANDing the address with -4096.
hi, thanks for replying
the program i'm making just basically dumps all the memory of a process into a file, and it used to dump only 4096 bytes into a file, but then i read somewhere that this might not be the exact value, i also wanna just get the api to work for the other info too.
anyway the program basically dumps all the memory of that process into a file, from start to end, so it's not a specific address.
maybe would the base address thats returned in the MEMORY_BASIC_INFO... structure be the same thing i needa use?
any other ideas?
thanks
the program i'm making just basically dumps all the memory of a process into a file, and it used to dump only 4096 bytes into a file, but then i read somewhere that this might not be the exact value, i also wanna just get the api to work for the other info too.
anyway the program basically dumps all the memory of that process into a file, from start to end, so it's not a specific address.
maybe would the base address thats returned in the MEMORY_BASIC_INFO... structure be the same thing i needa use?
any other ideas?
thanks
Hi,
I am not quite sure what you want to do here, VirtualQueryEx only returns a filled MEMORY_BASIC_INFORMATION structure with information about the memory address you pass it. It will examine the first page that you pass in the second parameter and fill the structure, it will then scan forward until it reaches one that is different and fill RegionSize with the total number of contiguous bytes that have identical attributes. It cannot be used to read memory from another process, only to query it's allocation information.
To read memory in another process you must use VirtualAllocEx/ReadProcessMemory. I have used these two functions but only to build buffers in the target process for passing information back and forth. Never to actually do a dump of memory. Have you looked at the debug functions available, you can use those effectively to examine the memory in another process.
I am not quite sure what you want to do here, VirtualQueryEx only returns a filled MEMORY_BASIC_INFORMATION structure with information about the memory address you pass it. It will examine the first page that you pass in the second parameter and fill the structure, it will then scan forward until it reaches one that is different and fill RegionSize with the total number of contiguous bytes that have identical attributes. It cannot be used to read memory from another process, only to query it's allocation information.
To read memory in another process you must use VirtualAllocEx/ReadProcessMemory. I have used these two functions but only to build buffers in the target process for passing information back and forth. Never to actually do a dump of memory. Have you looked at the debug functions available, you can use those effectively to examine the memory in another process.
hey
i can get the dumping part all good, and yep using ReadProcessMemory, etc.
but i'm not sure about which address to query (with virtualqueryex)
looking back at my code, the readprocess memory api starts reading at
the address 15000000 (00E4E1C0h?). so i think i should maybe change my question;
does it matter what address i use, is there a certain point where the memory starts (15000000?) and ends ?
also which debug functions are you talking about ?
thanks
i can get the dumping part all good, and yep using ReadProcessMemory, etc.
but i'm not sure about which address to query (with virtualqueryex)
looking back at my code, the readprocess memory api starts reading at
the address 15000000 (00E4E1C0h?). so i think i should maybe change my question;
does it matter what address i use, is there a certain point where the memory starts (15000000?) and ends ?
also which debug functions are you talking about ?
thanks
> is there a certain point where the memory starts (15000000?) and ends
That's what VirtualQueryEx is for. Pass 15000000 as the lpAddress and the function will round that address down to the nearest page (which will vary between applications I think). Then MEMORY_BASIC_INFORMATION structure will be filled for that page. From that, you'll be able to get the read/write/execute rights, the size and position, and a few other things about the page.
You can't use just any address for the second parameter. Typicaly, the memory space of an application is 10000h to 7FFFFFFFh, but all that memory is never used by a single application. Explorer.exe, for example, has a memory range of 0x1000000 - 0x7D492000 while Winamp.exe might use 0x400000 - 0x7D1D4000. Most of this memory is never allocated however so you'll need to check and see if there's really something there before you try and read from it (which is what VirtualQueryEx is for).
Spara
That's what VirtualQueryEx is for. Pass 15000000 as the lpAddress and the function will round that address down to the nearest page (which will vary between applications I think). Then MEMORY_BASIC_INFORMATION structure will be filled for that page. From that, you'll be able to get the read/write/execute rights, the size and position, and a few other things about the page.
You can't use just any address for the second parameter. Typicaly, the memory space of an application is 10000h to 7FFFFFFFh, but all that memory is never used by a single application. Explorer.exe, for example, has a memory range of 0x1000000 - 0x7D492000 while Winamp.exe might use 0x400000 - 0x7D1D4000. Most of this memory is never allocated however so you'll need to check and see if there's really something there before you try and read from it (which is what VirtualQueryEx is for).
Spara
ah ok
i understand it now
thanks
i understand it now
thanks