I have opened a process:
HANDLE CreateDebuggedProcess(LPCSTR lpApplicationName)
{
    STARTUPINFOA startupInfo;            // the A variant matches CreateProcessA regardless of UNICODE
    PROCESS_INFORMATION processInformation;
    ZeroMemory(&startupInfo, sizeof(startupInfo));
    startupInfo.cb = sizeof(startupInfo);
    ZeroMemory(&processInformation, sizeof(processInformation));
    // DEBUG_PROCESS makes the caller the debugger of the new process (and of its children)
    if (!CreateProcessA(
        lpApplicationName,
        NULL,
        NULL,
        NULL,
        FALSE,
        DEBUG_PROCESS,
        NULL,
        NULL,
        &startupInfo,
        &processInformation
        ))
    {
        return INVALID_HANDLE_VALUE;
    }
    // The main thread is reopened by id later, so its handle is not kept
    CloseHandle(processInformation.hThread);
    return processInformation.hProcess;
}
I am waiting for the first BreakPoint event and then trying to print the memory block it points to. I get it with
void * getRip(DWORD threadId)
{
    CONTEXT context = { 0 };
    context.ContextFlags = CONTEXT_ALL;
    HANDLE threadHandle = OpenThread(THREAD_GET_CONTEXT, FALSE, threadId);
    if (NULL != threadHandle)
    {
        // Returns 0 on failure, which the caller cannot tell apart from RIP == 0
        BOOL ok = GetThreadContext(threadHandle, &context);
        CloseHandle(threadHandle);
        if (!ok)
        {
            return 0;
        }
        return (void *)context.Rip;
    }
    return 0;
}
, and the returned value seems correct. Then I try to call ReadProcessMemory, but I get error 299: ReadProcessMemory: invalid argument (Only part of a ReadProcessMemory or WriteProcessMemory request was completed.).
BOOL queryMemory(HANDLE processHandle, void * address)
{
    MEMORY_BASIC_INFORMATION memoryInformation = { 0 };
    if (0 == VirtualQueryEx(processHandle, address, &memoryInformation, sizeof(memoryInformation)))
    {
        printf("failed :( Last error: %lx\n", GetLastError());
        return FALSE;
    }
    // Note: this prints the current protection (Protect), not AllocationProtect
    printf("AllocProtect: %lx, state: %lx, type: %lx\n", memoryInformation.Protect
        , memoryInformation.State
        , memoryInformation.Type);
    return TRUE;
}
returns AllocProtect: 1, state: 10000, type: 0. This means I have no access, but that is strange, because I created the process, so I should have access to everything.
What am I doing wrong?
Answer 0 (score: 0)
AllocProtect: 1, state: 10000
0x1 as a protection constant = PAGE_NOACCESS
State 0x10000 = MEM_FREE
You cannot read memory that is NOACCESS or FREE. It must be MEM_COMMIT and not PAGE_NOACCESS.
I assume your getRip() function is returning 0 because OpenThread or GetThreadContext failed. Step through the code and confirm that each line works as expected, checking the return value of GetLastError() after every WinAPI call to look for errors.
If you cannot find the error, make sure you are running as administrator and that you are compiling for the same architecture as the target process.
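As an added example (not code from the question or the answer), here is a debug loop that does what the question describes: it waits for the first breakpoint, reads RIP through the event's thread id, and applies the check from the answer with VirtualQueryEx before calling ReadProcessMemory. The function names are assumptions, and the stand-in constants for non-Windows builds are constructed so that the readability check itself can be compiled and tested anywhere.

```c
#include <stdio.h>
#if defined(_WIN32) && defined(_M_X64)
#include <windows.h>
#else /* constructed stand-ins so the check below also builds outside Win64 */
typedef unsigned long DWORD; typedef int BOOL;
enum { MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100 };
#endif
/* The answer's condition: readable only if committed and the base protection (low byte)
 * is not PAGE_NOACCESS; a PAGE_GUARD modifier would also fault on the first read. */
BOOL regionReadable(DWORD state, DWORD protect)
{
    if (state != MEM_COMMIT) return 0;
    if ((protect & 0xFF) == PAGE_NOACCESS) return 0;
    if (protect & PAGE_GUARD) return 0;
    return 1;
}
#if defined(_WIN32) && defined(_M_X64)
/* Debug loop: run the target, stop at its first breakpoint and dump the bytes at RIP. */
int dumpAtFirstBreakpoint(LPCSTR app)
{
    STARTUPINFOA si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    DEBUG_EVENT ev;
    if (!CreateProcessA(app, NULL, NULL, NULL, FALSE, DEBUG_PROCESS, NULL, NULL, &si, &pi))
        return 1;
    while (WaitForDebugEvent(&ev, INFINITE)) {
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT &&
            ev.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT) {
            /* The reporting thread stays suspended until ContinueDebugEvent, so its context is stable */
            HANDLE th = OpenThread(THREAD_GET_CONTEXT, FALSE, ev.dwThreadId);
            CONTEXT ctx; MEMORY_BASIC_INFORMATION mbi = { 0 }; unsigned char buf[16]; SIZE_T got = 0;
            ctx.ContextFlags = CONTEXT_CONTROL;   /* CONTEXT_CONTROL is enough to fill Rip */
            if (th == NULL || !GetThreadContext(th, &ctx))
                printf("GetThreadContext failed: %lu\n", GetLastError());
            else if (!VirtualQueryEx(pi.hProcess, (LPCVOID)ctx.Rip, &mbi, sizeof(mbi))
                     || !regionReadable(mbi.State, mbi.Protect))
                printf("RIP %p not readable: state %lx protect %lx\n", (void *)ctx.Rip, mbi.State, mbi.Protect);
            else if (!ReadProcessMemory(pi.hProcess, (LPCVOID)ctx.Rip, buf, sizeof(buf), &got))
                printf("ReadProcessMemory failed: %lu\n", GetLastError());
            else
                for (SIZE_T i = 0; i < got; i++) printf("%02x ", buf[i]);
            if (th) CloseHandle(th); TerminateProcess(pi.hProcess, 0); /* first breakpoint only */
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, DBG_CONTINUE);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) break;
    }
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return 0;
}
#endif
```

With the poster's output (state 0x10000, protect 0x1) regionReadable() returns 0, which is exactly the case where ReadProcessMemory would fail, most likely because the address passed in was 0.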