C++

Forum

 
VirtualQuery issue

Nybble (65)
Well I'm trying to figure out why this app keeps crashing...
Basically I'm going through memory reading every address to find a value, right now I'm reading every single READABLE address just for testing purposes, I will not be doing this when I figure out why this keeps crashing.

Here is the code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
#define READABLE (PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY | PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY)

void scan()
{
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = 0;

    while(1)
    {
        if (VirtualQuery(addr, &mbi, sizeof(mbi)) == 0)break;

            if (mbi.State & MEM_COMMIT)
            {
                if(mbi.AllocationProtect & READABLE)
                {
                    for(unsigned char* i = addr; i < (unsigned char*)addr+mbi.RegionSize; i++){
                    if(*(DWORD*)i== 1)
                    {
                        std::cout << (DWORD*)i << "\n";
                    }
                   }
                }
            }
            addr = (unsigned char*)mbi.BaseAddress+mbi.RegionSize;
    }
}


it keeps crashing at address like 0x20000+ I looked at the memory region of the process and it is readable through tools like ollydbg and other memory scanning/debugging tools, thanks.
kbw (9488)
That's sort of meaningless without knowing the values of i and mbi.RegionSize when the crash occurs.

You do realise that you're reading out of bounds with *(DWORD*)i== 1 when i > (mbi.RegionSize - 3)?
Nybble (65)
i = 0x20e98 and mbi.RegionSize = 4096, and even if I change to (mbi.RegionSize - 3) crash occurs...
kbw (9488)
Let's start again.

You want information about a range of pages in the virtual address space of the calling process starting at zero?
Last edited on
Nybble (65)
it is different every time for some reason, so is i

No, I do not want information about a range of pages starting at 0, but it shouldn't matter though because if there is no readable info I skip it anyways, and that isn't where the crash occurs, it skips from 0-10000 just fine since there isn't anything to read there.
Last edited on
kbw (9488)
Windows, ugh! I wonder why anyone still uses it!

Anyway, I ran your code and it doesn't crash. Using Windows 7/Visual Studio 12.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
#include <Windows.h>
#include <iostream>

#define READABLE (PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY | PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY)

void scan()
{
	MEMORY_BASIC_INFORMATION mbi;

	for (BYTE* addr = 0; VirtualQuery(addr, &mbi, sizeof(mbi)); addr = reinterpret_cast<BYTE*>(mbi.BaseAddress) + mbi.RegionSize)
	{
		if (mbi.State & MEM_COMMIT)
		{
			if (mbi.AllocationProtect & READABLE)
			{
				for (BYTE* i = addr; i < addr+mbi.RegionSize; ++i)
				{
					std::cout << "0x" << reinterpret_cast<void*>(i);
					std::cout << "\t" << static_cast<unsigned>(*i);
					std::cout << std::endl;
				}
			}
		}		
	}
}

int main()
{
	scan();
	return 0;
}
Last edited on
Nybble (65)
Edit: well I used your exact code and it still crashes...
Last edited on
kbw (9488)
What OS/Compiler?
Nybble (65)
windows 7 - 64 bit codeblocks.

Alright so I created a .exe and ran the program and it works but when I inject it, that is when I have issues, I appreciate the help kbw, thanks a lot I am going to debug further and try to fix it.
Last edited on
Nybble (65)
I figured out what it was, I needed to filter out pages with the PAGE_GUARD flag... it is working fine now.

1
2
3
4
5
6
 
DWORD dwProtect = (PAGE_GUARD | PAGE_NOCACHE | PAGE_NOACCESS);

if (!mbi.Protect & dwProtect )
{
  // read/write memory here
}
Topic archived. No new replies allowed.