
WriteProcessMemory function

Applies to: desktop apps only

Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.

Syntax

BOOL WINAPI WriteProcessMemory(
  __in   HANDLE hProcess,
  __in   LPVOID lpBaseAddress,
  __in   LPCVOID lpBuffer,
  __in   SIZE_T nSize,
  __out  SIZE_T *lpNumberOfBytesWritten
);

Parameters

hProcess [in]

A handle to the process memory to be modified. The handle must have PROCESS_VM_WRITE and PROCESS_VM_OPERATION access to the process.

lpBaseAddress [in]

A pointer to the base address in the specified process to which data is written. Before data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for write access, and if it is not accessible, the function fails.

lpBuffer [in]

A pointer to the buffer that contains data to be written in the address space of the specified process.

nSize [in]

The number of bytes to be written to the specified process.

lpNumberOfBytesWritten [out]

A pointer to a variable that receives the number of bytes transferred into the specified process. This parameter is optional. If lpNumberOfBytesWritten is NULL, the parameter is ignored.

Return value

If the function succeeds, the return value is nonzero.

If the function fails, the return value is 0 (zero). To get extended error information, call GetLastError. The function fails if the requested write operation crosses into an area of the process that is inaccessible.

Remarks

WriteProcessMemory copies the data from the specified buffer in the current process to the address range of the specified process. Any process that has a handle with PROCESS_VM_WRITE and PROCESS_VM_OPERATION access to the process to be written to can call the function. Typically but not always, the process with address space that is being written to is being debugged.

The entire area to be written to must be accessible, and if it is not accessible, the function fails.
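Because a caller needs a handle carrying both PROCESS_VM_WRITE and PROCESS_VM_OPERATION, the access masks recorded in process-access telemetry show which processes hold a handle usable with this function. The following is an added example, not part of the original documentation: it decodes granted-access masks from constructed sample records and lists the handles that hold both rights. The record field names are modelled on Sysmon's ProcessAccess event (an assumption), and the paths, allowlist parameter and function names are hypothetical.

```python
# Access-right bit values as defined in winnt.h.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_RIGHTS = PROCESS_VM_WRITE | PROCESS_VM_OPERATION

# Constructed sample records (not real telemetry); paths and masks are made up.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Tools\debugger.exe", "TargetImage": r"C:\App\server.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Tools\monitor.exe", "TargetImage": r"C:\App\server.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Tools\patcher.exe", "TargetImage": r"C:\App\client.exe", "GrantedAccess": "0x0028"},
    {"SourceImage": r"C:\Tools\partial.exe", "TargetImage": r"C:\App\client.exe", "GrantedAccess": "0x0020"},
    {"SourceImage": r"C:\Tools\garbled.exe", "TargetImage": r"C:\App\client.exe", "GrantedAccess": "n/a"},
]


def can_write_process_memory(mask):
    """True only when BOTH rights the documentation requires are present."""
    return mask & WRITE_RIGHTS == WRITE_RIGHTS


def parse_mask(text):
    """Parse a hex access mask such as '0x1410'; return None if malformed."""
    try:
        return int(text, 16)
    except (TypeError, ValueError):
        return None


def write_capable_handles(events, allowlist=frozenset()):
    """Return (source, target, mask) for each handle that satisfies the
    WriteProcessMemory access requirement and whose source image is not in
    the allowlist (a set of lower-cased paths, e.g. known debuggers)."""
    hits = []
    for event in events:
        mask = parse_mask(event.get("GrantedAccess"))
        if mask is None:
            continue  # malformed record: skip rather than guess
        source = event["SourceImage"]
        if can_write_process_memory(mask) and source.lower() not in allowlist:
            hits.append((source, event["TargetImage"], mask))
    return hits


if __name__ == "__main__":
    for source, target, mask in write_capable_handles(SAMPLE_EVENTS):
        print(f"{source} -> {target} granted 0x{mask:X}")
```

A mask with PROCESS_VM_WRITE alone (0x0020) is not reported, because the function requires PROCESS_VM_OPERATION as well.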

Requirements

Minimum supported client

Windows XP

Minimum supported server

Windows Server 2003

Header

WinBase.h (include Windows.h)

Library

Kernel32.lib

DLL

Kernel32.dll

See also

Debugging Functions
Process Functions for Debugging
ReadProcessMemory
VirtualAllocEx

 

 


Build date: 3/6/2012

Community Content
WriteProcessMemory from 32-bit processes to 64-bit processes?
WriteProcessMemory takes void*/size_t parameters to describe the memory location in the target process. This makes the assumption that the pointer size in the calling process is sufficient to represent the address space of the target process, which is not true when trying to use WriteProcessMemory in a 32-bit process to modify memory in a 64-bit process. This prevents simple implementations of in-process debuggers or analysis tools that do binary patching using libraries like Microsoft Detours to propagate injected code to child processes. In order to implement such a tool, I ended up modifying the Detours sources to detect the 32->64 case, and launch a 64-bit helper process to do the ReadProcessMemory/WriteProcessMemory work. Would it be possible to add ReadProcessMemoryEx/WriteProcessMemoryEx functions, which allow 32-bit processes to fully address a memory space of a target 64-bit process? One interface that would work is to use ULONGLONG instead of void*/size_t for target process base address and size. Another approach would be to take a struct with a union and an for explicitly denoting the assumed pointer size, so it's easy for the implementation to check at run-time that the user's intended addressing matches the pointer size of the target process.