Hey guys,

I seem to always come back here for help because you guys are amazing.

Alright, I need an alternative to ReadProcessMemory for a 4th year University project.

I've tried googling for hours and I continue to fail.

Hope you can help.

Jeff

Tell us what you need to do please, without knowing some more details it's hard to suggest something.

I need to read figures from another process using another method than RPM

That's not much more info than the first post.

- Why can't you use RPM?
- Are there other limitations? E.g. can you use something that requires admin rights?
etc.

The teacher's program that we will be reading at the due date I believe is hooking NtReadVirtualMemory and making logs. We also aren't allowed OpenProcess() as he logs this too apparently.

We need to be able to read information from the teacher's EXE without it catching that we read that memory.

What doesn't look good?

This is a pretty awesome assignment, you have several options:

Assuming the teacher doesn't have any kernel-level hooks you could create a driver that attaches to the process (look at KeStackAttachProcess) and reads from there.

Another approach: inject a DLL into the process that does the reading, and for instance writes to a file. This normally would require the use of OpenProcess and WriteProcessMemory but there are DLL injectors and DLL injection techniques that do not need this.

Or, a safe approach:
Use up all of your RAM, so that the OS starts paging out some memory pages (make sure paging is enabled). At some point it will page out your teacher's program and you can read what you need from the page file. Of course this requires you to do some research into paging.

I would go for the kernel driver ;)

Edited 6 Years Ago by thelamb: n/a

It can't be done in kernel mode. And can't involve injection :( Page idea can't be done either because it needs to be read in real time.

You're bumping after 2 hours... that's not going to get you any help. In fact, you've lost me.

I've done my research and that's why I'm resorting to using a forum. And I'm frequently bumping because it's the final project and I have other stuff to do for school so I have a schedule.

Oh and btw I can't use ZwReadVirtualMemory in a driver form. I must find an alternative to reading memory!

The assignment makes very little sense if you're not allowed to do all the above.

The only other thing I can think of is using a driver to read directly from Physical memory, but this will only work on XP and earlier windows versions. Not to mention the hell you'll go through trying to implement it correctly.

Did the teacher not give any clues as to how you should approach this?

Edited 6 Years Ago by thelamb: n/a

It's actually a bonus question. Gives you added percentage to your grade. I just really need the extra points. Using a driver to read from physical memory, wouldn't that be calling ZwReadVirtualMemory or NtReadVirtualMemory?

No, Physical memory has nothing to do with Virtual memory ;)

Does the solution need to work for newer versions than XP?

Nope, he never said it had to be universal. Plus his pc runs XP. :O

Unless I miss something that is your best shot... but if you've never developed a driver it will be a long shot.

I must say that I doubt this is the teacher's intention though...
Is all that he provides for you some binary that contains 'something' and that something you need to read in real time?

I assume it calls the same functions from the kernel though. Also I'm having trouble porting it to only C++; I've never used gcc.

Possibly, or you could just write your own function to read the snapshot.

The only gcc-specific code in that snippet, if I remember correctly, was just to check if it was a 32-bit system. Besides that you just link the correct, equivalent libraries (each linker has its own naming scheme).

Edited 5 Years Ago by MosaicFuneral: n/a

Read the snapshot as in the picture? No lol. If in memory, well I don't know how to do that. How can you read physical memory and not virtual memory?

Do you know exactly what virtual memory means?

You asked if reading physical memory would 'be like calling ZwReadVirtualMemory'. It is not.

If your driver reads directly from the physical memory, it does not use any functions that have to do with virtual memory. Your teacher has hooks on these virtual memory functions... so you will bypass his hooks.

This is/was a technique used by malware to bypass anti-virus hooks on certain functions.

You will have to do research on how to read the physical memory yourself though... if you are stuck somewhere I can help, but there are enough resources out there explaining it.

Hey Lamb, sorry for being a pain. But, I am having trouble finding relevant tutorials or even discussion on the subject. Could you guide me somewhere or give me the correct phrase to search for?

Thanks, really appreciate your help.

In Windows 2000/XP it even seems to be possible in user mode... to double check that, download physmem from SysInternals (by Mark Russinovich) and check if that runs on your XP machine.

I don't know how long you have left for this... but it is a very complicated thing to read from physical memory (the virtual to physical address translation alone is a pain).

In any case... I'm very interested in the intentions of the teacher... would you mind posting the solution, how he had things in mind after the assignment is finished and he explained?

Edited 5 Years Ago by thelamb: n/a

Darn, too confusing for me. Gotta be another way :( Thanks for your help lamb!
