Reading My own memory

I didn't get any help in the other section, so maybe I'll get some here:

I want to read memory from my own process. For example, I have a global variable with the value 12345; then I make a function and declare a local variable with the value 12345.

Using VirtualQuery and MEMORY_BASIC_INFORMATION I am able to get all readable pages, but when I iterate through each address in that region and do this:
 
if (*(DWORD*)Address == 12345) { printf("%p\n", (void*)Address); }

I get an ERROR, basically saying access violation, which means I can't read the address...

So I don't get it: if MEMORY_BASIC_INFORMATION.Protect == PAGE_READWRITE and I then check each address to see whether it holds the value, it shouldn't crash, because the protection is PAGE_READWRITE.

So does anyone have any idea why I'm crashing?
My first guess would be that you don't stop searching soon enough, i.e. you go up to the last byte of a memory region and then try to read 4 bytes, thus crossing the boundary to the next page.
But if you already take that into account, you would have to post your code.
Are you sure Address is in range of the usable address space? E.g., the first 64 KB is off-limits.
@Athar this is what I do. AFTER I get the region size, I go through this loop:
mbi is: MEMORY_BASIC_INFORMATION mbi;

/* Address starts at mbi.BaseAddress and advances one byte per iteration */
unsigned char *Address = (unsigned char*)mbi.BaseAddress;
int i;
for (i = 0; i <= mbi.RegionSize; Address++, i++)
{
    if (*(DWORD*)Address == 12345) { /* print something. */ }
}


This is one of the ways I have tried :/ Is it wrong?

I'm just going one address up each time until i == mbi.RegionSize; then the loop ends and the rest of the code executes.

@gpot wait, what? I'm reading memory that is readable :/ So am I supposed to skip some space in the region? Because the page is readable starting at mbi.BaseAddress, right? All the way to the end of the region size.
Yes, when you use <=, even the first byte is on the next page.
Using <, there are still three bytes on the next page.
As an example, assume the first page were readable, so before the loop Address is 0, and RegionSize is 4096.
Then, in the last iteration, Address is 4095 (or 4096 using <=). You now read a DWORD from this address, whose bytes are at addresses 4095-4098. However, 4096 is already on the next page, which you might not have access to.
Oh SHIT lol I completely missed that I feel retarded now, I can't believe I didn't catch that, a basic loop LOL wow... let me go and try it :/
Man, you were right! Thanks a lot, brother. When I do:
/* addr is the region's base address (unsigned char*) */
for (unsigned long i = 0; i < mbi.RegionSize; i++)
{
    if (*(DWORD*)(addr + i) == 123456)
    {
        printf("\nFOUND IT: 0x%08x\n", addr);
    }
}


I don't get any violations :) and I get TWO addresses where the value was found. I declared a local variable to try to find its address and I could never find it :/ The only thing is that I get a different address when I use a debugger. The address is different for some reason... I'll try to work it out though. Thanks again, bro.
This still shouldn't work, unless you're adjusting RegionSize before the loop.
As for the address mismatch, you're printing addr instead of addr+i when the value is found.
I'm not adjusting the region size at all. Why should I? The region size is merely the number of times the loop should run. What I do AFTER the for loop is this:

addr = (unsigned char*)mbi.BaseAddress + mbi.RegionSize;

to obviously go to the next readable region.

You were right: if I put addr+i I get the right address... Man, I think I need some sleep. I have been waking up at 5:20 am every day for the past week; I'm too tired and I shouldn't be making these simple errors.

I see what you mean when you said it shouldn't work, but it is a typo LOL. It is supposed to say:

for(unsigned long i = 0;i < mbi.RegionSize-3; i++ )

I didn't actually copy and paste my code, that is why. Again, man, I appreciate it :D

EDIT: Thanks again man I am finally able to do what I wanted to, ;) I can't believe it was a simple condition...
@gpot wait what? I'm reading in memory that is readable :/ so am I supposed to skip some space in the region? because the page is readable starting at the mbi.BaseAddress right? all the way to the ending region size.


I was referring to addresses before and after the min and max values returned from GetSystemInfo, pointing out the fact that if Address referenced those areas you could run into problems. I was under the assumption that VirtualQuery worked differently than it does (assuming it would err if you passed an address in the range 0-65535).
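Putting the two points from this thread together, the loop bound that stops sizeof(DWORD) bytes before the end of the region (Athar's explanation and the RegionSize-3 fix) and the address-range / protection checks (gpot's GetSystemInfo remark), here is an added example that is not code from the thread. The portable part, scan_region(), is the scan loop itself, tested on a constructed 16-byte buffer; the _WIN32 part walks the process with VirtualQuery and skips regions that are not committed, not readable, or guarded. The function names scan_region, scan_process, region_is_readable and the sample buffer are this example's own inventions, and the sample bytes assume a little-endian target.

```c
/*
 * Added example: scan a memory region for a 32-bit value without reading
 * past the end of the region. Not code from the original thread.
 *
 * The last valid read starts at size - sizeof(uint32_t), so the bound is
 * i + sizeof(uint32_t) <= size (equivalent to the thread's RegionSize-3 with
 * a strict '<'). The read goes through memcpy so unaligned offsets are well
 * defined instead of relying on a DWORD* cast.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Called for every match; return nonzero to stop scanning early. */
typedef int (*match_cb)(const unsigned char *where, void *ctx);

/* Scan [base, base + size) for `needle`, one byte step at a time.
 * Returns the number of matches. Never touches base + size or beyond. */
size_t scan_region(const unsigned char *base, size_t size, uint32_t needle,
                   match_cb cb, void *ctx)
{
    size_t hits = 0;
    if (size < sizeof needle)            /* too small to hold even one value */
        return 0;
    for (size_t i = 0; i + sizeof needle <= size; i++) {
        uint32_t v;
        memcpy(&v, base + i, sizeof v);  /* unaligned-safe read */
        if (v == needle) {
            hits++;
            if (cb && cb(base + i, ctx))
                break;
        }
    }
    return hits;
}

#ifdef _WIN32
#include <windows.h>

/* A region is safe to read only if it is committed, carries a readable
 * protection, and is not a guard page (a touch on PAGE_GUARD faults). */
static int region_is_readable(const MEMORY_BASIC_INFORMATION *mbi)
{
    const DWORD readable = PAGE_READONLY | PAGE_READWRITE | PAGE_WRITECOPY |
                           PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE |
                           PAGE_EXECUTE_WRITECOPY;
    if (mbi->State != MEM_COMMIT)
        return 0;
    if (mbi->Protect & (PAGE_GUARD | PAGE_NOACCESS))
        return 0;
    return (mbi->Protect & readable) != 0;
}

static int print_match(const unsigned char *where, void *ctx)
{
    (void)ctx;
    printf("FOUND IT: %p\n", (const void *)where);   /* the hit, not the base */
    return 0;                                          /* keep scanning */
}

/* Walk the usable address space (GetSystemInfo bounds) region by region. */
size_t scan_process(uint32_t needle)
{
    SYSTEM_INFO si;
    MEMORY_BASIC_INFORMATION mbi;
    size_t hits = 0;
    GetSystemInfo(&si);
    unsigned char *addr = (unsigned char *)si.lpMinimumApplicationAddress;
    unsigned char *end  = (unsigned char *)si.lpMaximumApplicationAddress;
    while (addr < end && VirtualQuery(addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (region_is_readable(&mbi))
            hits += scan_region((const unsigned char *)mbi.BaseAddress,
                                mbi.RegionSize, needle, print_match, NULL);
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize; /* next region */
    }
    return hits;
}
#endif

/* Constructed sample "region" (little-endian): 12345 = 39 30 00 00 appears
 * at the unaligned offset 1 and again in the very last four bytes. */
static const unsigned char SAMPLE[16] = {
    0x00, 0x39, 0x30, 0x00, 0x00, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0x39, 0x30, 0x00, 0x00
};

int main(void)
{
    size_t n = scan_region(SAMPLE, sizeof SAMPLE, 12345u, NULL, NULL);
    printf("matches in sample: %zu\n", n);
#ifdef _WIN32
    scan_process(12345u);
#endif
    return 0;
}
```

Two practical notes. The scanner's own variables (the needle argument, the loop's copy of it, anything the compiler spills to the stack) live in readable memory too, so a self-scan will always report some hits that belong to the scanner rather than to the variable you planted. And checking mbi.Protect alone is not enough: a region with State == MEM_RESERVE has no backing pages, and PAGE_GUARD is combined with a readable protection but still faults on first touch, so both must be excluded before reading.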