ReadProcessMemory function
Applies to: desktop apps only
Reads data from an area of memory in a specified process. The entire area to be read must be accessible or the operation fails.
Syntax
BOOL WINAPI ReadProcessMemory( __in HANDLE hProcess, __in LPCVOID lpBaseAddress, __out LPVOID lpBuffer, __in SIZE_T nSize, __out SIZE_T *lpNumberOfBytesRead );
Parameters
- hProcess [in]
-
A handle to the process with memory that is being read. The handle must have PROCESS_VM_READ access to the process.
- lpBaseAddress [in]
-
A pointer to the base address in the specified process from which to read. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for read access, and if it is not accessible the function fails.
- lpBuffer [out]
-
A pointer to a buffer that receives the contents from the address space of the specified process.
- nSize [in]
-
The number of bytes to be read from the specified process.
- lpNumberOfBytesRead [out]
-
A pointer to a variable that receives the number of bytes transferred into the specified buffer. If lpNumberOfBytesRead is NULL, the parameter is ignored.
Return value
If the function succeeds, the return value is nonzero.
If the function fails, the return value is 0 (zero). To get extended error information, call GetLastError.
The function fails if the requested read operation crosses into an area of the process that is inaccessible.
Remarks
ReadProcessMemory copies the data in the specified address range from the address space of the specified process into the specified buffer of the current process. Any process that has a handle with PROCESS_VM_READ access can call the function.
The entire area to be read must be accessible, and if it is not accessible, the function fails.
Requirements
|
Minimum supported client | Windows XP |
|---|---|
|
Minimum supported server | Windows Server 2003 |
|
Header |
|
|
Library |
|
|
DLL |
|
See also
Send comments about this topic to Microsoft
Build date: 3/6/2012
- 2/13/2012
- Russell V
- 1/9/2012
- hsejard
i just found out that it works to read memory from a 64 bit app by a 32 bit app (at least as long as the high 32bit of the address is zero)
for those who want to get the notify icon rectangle within WinXP64 (i think the function of the subroutines defined by me are clear ennough not to place here)
typedef struct
{
INT iBitmap;
INT idCommand;
BYTE fsState;
BYTE fsStyle;
BYTE bReserved[6];
UINT64 dwData;
UINT64 iString;
//
} TBBUTTON64;
BOOL _TrayTools_GetSysTrayIconRectTB(HWND in_hClient, INT in_TrayID, RECT *out_Rect)
{
/* locals */
INT lv_N;
INT lv_BtnCnt;
BOOL lv_Result;
BOOL lv_IsWOW64;
HWND lv_hNotifyTB;
VOID *lv_hProcMem;
HANDLE lv_hProcess;
INT_PTR lv_UserData[2];
UINT64 lv_UserData64[2];
INT lv_BtnInfoSize;
TBBUTTON lv_BtnInfo;
TBBUTTON64 lv_BtnInfo64;
// find the toolbar
if ((lv_hNotifyTB = Shell_GetSysTaskbarNotifyWindowTB()) == NULL)
return FALSE;
// is this 32bit process running on x64?
lv_IsWOW64 = Is32BitBuildOnWin64();
// determine size
if (lv_IsWOW64)
lv_BtnInfoSize = sizeof(TBBUTTON64);
else
lv_BtnInfoSize = sizeof(TBBUTTON);
// allocate button structure in context of explorer process
if ((lv_hProcMem = AllocProcessHWND(lv_hNotifyTB, lv_BtnInfoSize, &lv_hProcess)) == NULL)
return FALSE;
// not yet found
lv_Result = FALSE;
// get number of toolbar buttons
lv_BtnCnt = SendMessage(lv_hNotifyTB, TB_BUTTONCOUNT, 0,0);
// loop through buttons
for (lv_N = lv_BtnCnt-1; lv_N >= 0; --lv_N)
{
// get button info
if (SendMessage(lv_hNotifyTB, TB_GETBUTTON, lv_N, (LPARAM)lv_hProcMem))
{
// adjust for WOW64?
if (lv_IsWOW64)
{
// get the actual contents
if (ReadProcess(lv_hProcess, lv_hProcMem, &lv_BtnInfo64, sizeof(TBBUTTON64)))
{
// the userdata starts with the attached window and uID (in XP/Vista/Win7)
if (ReadProcess(lv_hProcess, (VOID*)lv_BtnInfo64.dwData, lv_UserData64, 2*sizeof(UINT64)))
{
// compare
if (lv_UserData64[0] == (UINT64)in_hClient && (lv_UserData64[1]&0xFFFFFFFF) == in_TrayID)
{
// got it, not hidden?
lv_Result = ((lv_BtnInfo64.fsState & TBSTATE_HIDDEN) == 0);
// loop no further
break;
}
}
}
}
else
{
// get the actual contents
if (ReadProcess(lv_hProcess, lv_hProcMem, &lv_BtnInfo, sizeof(TBBUTTON)))
{
// the userdata starts with the attached window and uID (in XP/Vista/Win7)
if (ReadProcess(lv_hProcess, (VOID*)lv_BtnInfo.dwData, lv_UserData, 2*sizeof(INT_PTR)))
{
// compare
if (lv_UserData[0] == (INT_PTR)in_hClient && lv_UserData[1] == in_TrayID)
{
// got it, not hidden?
lv_Result = ((lv_BtnInfo.fsState & TBSTATE_HIDDEN) == 0);
// loop no further
break;
}
}
}
}
}
}
// found the button?
if (lv_Result)
{
// get the item rectangle, reuse processmemory as a RECT is smaller than TBBUTTON
lv_Result = SendMessage(lv_hNotifyTB, TB_GETITEMRECT, lv_N, (LPARAM)lv_hProcMem);
// get the contents
if (lv_Result)
lv_Result = ReadProcess(lv_hProcess, lv_hProcMem, out_Rect, sizeof(RECT));
// to screen coordinates
if (lv_Result)
ClientToScreenRect(lv_hNotifyTB, out_Rect);
}
// free process memory again
FreeProcess(lv_hProcess, lv_hProcMem, TRUE);
// done
return lv_Result;
}
- 3/21/2011
- ArnoudMulder
Please suggest how this can be worked out.
- 7/22/2010
- Roshan VCPP
I have same problem, calling from 32bit process to read from 64bit process and it fails :(
- 10/12/2009
- AttilaSz
- 7/22/2010
- Roshan VCPP
If you want to start a 64 bit app. from a 32 bit application for debugging (using DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS flags) then the CreateProcess will fail and GetLastError() function will return code 50 ("The request is not supported."). If the debugger app. is a 64 bit app. and the debuggee app. is a 64 bit app. too then it will work (assuming you have the necessary rights).
- 1/6/2010
- Wilczek
