
Process ID

Posted on 1998-01-21
Last Modified: 2013-12-27
I need to find out where a program is keeping its data at runtime (get the data's segment address with APIs or something?) so I can get a pointer to there.  All I know about the program at runtime is its name.
I'm using Visual C++ 4.
Thanks in advance.
Not sure if it's a hard question. I'll say moderate?
0
Comment
Question by:bod_1
12 Comments
 
LVL 1

Expert Comment

by:PBMax
ID: 1601073
First of all I would suggest posting in the programming section under C++.  Second of all the allocation of memory is dependent on how much memory is needed and what operating system you are using.  Basically a program says I need this much memory and the operating system gives that much memory to that process and restricts access to only that program.  Depending on what is currently running at the time that memory address can be anywhere.  The use of pointers is usually the preferred method of assigning variables in memory.  Your variable can be anywhere in memory even if it is a linked list.  It doesn't have to be all together.  What I'm basically saying is that the memory space allocated for data can be anywhere in memory each time a program is run.
0
 

Author Comment

by:bod_1
ID: 1601074
I know Windows allocates memory to programs at runtime and that the memory address will be dependent on what memory segments or blocks are available when the program is run.
My problem is that I need to find out where, so I can take a 'snapshot' of the memory - ReadProcessMemory.
I have a bit of sample code from enigma@exo.com who did what I'm trying to do with a different application.
I'm not sure, he might be finding a process with a specified size exe?
If this doesn't make any sense then don't bother with my question, I've probably missed something somewhere (like Tlhelp32.h).
Anyways, for all it's worth the code (class) used to get the process ID is as follows but I don't completely understand what he's doing.  He uses the Tlhelp32.h file to do it though.
#include <windows.h>
#include <stdlib.h>
#include <string.h>
#include <tlhelp32.h>

// pCreateToolhelp32Snapshot, pProcess32First, pProcess32Next and spawn are not
// defined in this excerpt; they come from the rest of the original program.
long CTest4Dlg::GetPID()
{
      HANDLE hSnapshot;
      PROCESSENTRY32 *p;
      DWORD size;
      BOOL rc;
      const DWORD extraSize = MAX_PATH;
      long result = 0;      // 0 means "not found in the list"

      // Snapshot of every process currently running in the system
      hSnapshot = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if (hSnapshot == INVALID_HANDLE_VALUE)
            return 0;

      size = sizeof(PROCESSENTRY32);
      p = (PROCESSENTRY32 *)malloc(size + extraSize);
      if (p == NULL)
      {
            CloseHandle(hSnapshot);
            return 0;
      }
      p->dwSize = size + extraSize;

      // Walk the snapshot; stop at the first known executable name or when
      // the calls stop returning entries (the end of the list or any other error)
      for (rc = pProcess32First(hSnapshot, p); rc; rc = pProcess32Next(hSnapshot, p))
      {
            if ( (strstr(p->szExeFile, "DIABLO.EXE")) || (strstr(p->szExeFile, "HYBRID.EXE")) )
            {
                  spawn = FALSE;
                  result = p->th32ProcessID;
                  break;
            }
            if (strstr(p->szExeFile, "DIABLO_S.EXE"))
            {
                  spawn = TRUE;
                  result = p->th32ProcessID;
                  break;
            }
      }
      free(p);
      CloseHandle(hSnapshot);      // release the snapshot handle on every path
      return result;
}
Thanks again


0
 

Author Comment

by:bod_1
ID: 1601075
      //Allocate memory in OUR memory space, in which to copy that character
      buf = (char *)malloc(mode==BUFFER?BUFFER_SIZE:CHARACTER_SIZE);
      //And finally, copy that character from the other program's protected memory space into
      //our memory space!  (Wow!  I didn't think this was possible with protected memory!)
      ReadProcessMemory(h, (void *)((char *)begin+CHARACTER_SPACING*memoryCharacterSlot),
                        buf, mode==BUFFER?BUFFER_SIZE:CHARACTER_SIZE, &size);

0

 

Author Comment

by:bod_1
ID: 1601076
Adjusted points to 200
0
 
LVL 5

Expert Comment

by:inter
ID: 1601077
Dear friend,
The process walk needs a special DLL called TlHelp32.dll which is normally not distributed with Windows; for 16-bit processes, however, there is a toolhelp.dll in the system directory. So, since you have VC++, it may install it. Search for it and respond if it is available in your system.

The code you gave does the following, and it is partially an answer to the question. It returns the ProcessID of DIABLO.EXE if it is in memory.

So,
1 - Do you have tlhelp32.h?
2 - Do you have tlhelp32.dll?
3 - If so did you try the code above?

Once you answer these, we'll solve your problem (and the problem does make sense, all the debugging applications use tlhelp32 to perform such tasks).

Igor
0
 
LVL 5

Expert Comment

by:inter
ID: 1601078
I am in jam, sorry!
The toolhelp.dll is separate for 16-bit apps, however it is not for 32-bit apps. The toolhelp functions for 32-bit apps reside in kernel32.dll. So, your kernel32 should include the tool help functions.

Sorry for the jam!
Igor
0
 

Author Comment

by:bod_1
ID: 1601079
Thanks for the response, Inter.
Now I know I've found the major header I've got to work with.
Yeah, I guess my question should read: how would you make the transition between having a process's ID to having the physical memory address of that process?
I've since found a small program called Tinkerbell which does exactly this.  It lists all of the running processes. Once you select one it reads the memory of it.  It can be found at:
http://www.burgoyne.com/pages/dchriste
Anyways, thanks

0
 
LVL 5

Expert Comment

by:inter
ID: 1601080

// I want to write it for you but I have no time for that
// So this is the code that may give you the idea

  HANDLE      hSnapshot;
  HEAPLIST32  hl;               // describes one heap of the process
  HEAPENTRY32 lphe;             // describes one block inside a heap
  DWORD       th32ProcessID;    // assume we find the th32ProcessID as in the previous code
  LPCVOID     lpBaseAddress;    // these four are declared in the original sketch
  LPVOID      lpBuffer;         // but are not used in this fragment
  DWORD       cbRead;
  DWORD       lpNumberOfBytesRead;

  // snapshot of the heaps owned by that process
  hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPHEAPLIST, th32ProcessID);

  // and obtain th32HeapID by snapshot
  hl.dwSize = sizeof(HEAPLIST32);
  if (hSnapshot != INVALID_HANDLE_VALUE && Heap32ListFirst(hSnapshot, &hl)) {
    do {
      lphe.dwSize = sizeof(HEAPENTRY32);
      if (Heap32First(&lphe, th32ProcessID, hl.th32HeapID)) {
        do {
          // Here we have the pointer to data in the lphe structure as follows
          //   lphe.hHandle        Handle of this heap block
          //   lphe.dwAddress      Linear address of start of block
          //                       Examine it to find what you seek
          //   lphe.dwBlockSize    Size of block in bytes
          //   lphe.dwFlags, lphe.dwLockCount, lphe.dwResvd
          //   lphe.th32ProcessID  owning process
          //   lphe.th32HeapID     heap block is in...
        } while (Heap32Next(&lphe));
      }
    } while (Heap32ListNext(hSnapshot, &hl));
  }
  if (hSnapshot != INVALID_HANDLE_VALUE)
    CloseHandle(hSnapshot);

Sorry, I could really complete but, I have no time!

Igor

0
 

Author Comment

by:bod_1
ID: 1601081
Thanks Inter,
At first glance I think your code's gotten me thinking in the right terms so it's already helped. I'll get it. Thanks man.
Now, I can't seem to find anything to close this question as answered, there's only a submit button...
jeez...
0
 
LVL 5

Accepted Solution

by:
inter earned 800 total points
ID: 1601082
I am back again,

Happy to hear it helps

Sincerely,
Igor
0
 

Expert Comment

by:gourou
ID: 1601083
Ok it's true but for windows 9X only, on WIN NT try this

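DWORD pdwProcess[100];
HANDLE hProcess;
HMODULE phModule[100];
DWORD dwNbProcessInByte,dwNbModuleInByte;
char pcNameModule[255+1];
unsigned int uiI;

 // fill pdwProcess with the IDs of the running processes
 if(!EnumProcesses(pdwProcess,100*sizeof(DWORD),&dwNbProcessInByte))
  dwNbProcessInByte=0;
 for(uiI=0;uiI<(dwNbProcessInByte/sizeof(DWORD));uiI++)
 {
  // ask only for the rights the two PSAPI calls below need;
  // PROCESS_ALL_ACCESS is refused for many processes
  hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,pdwProcess[uiI]);
  if(hProcess==NULL)
   continue; // this process could not be opened
  // the first module returned is the executable itself
  if(EnumProcessModules(hProcess,phModule,100*sizeof(HMODULE),&dwNbModuleInByte))
   GetModuleBaseName(hProcess,*phModule,pcNameModule,255+1);
  CloseHandle(hProcess);
 }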

you must include the psapi.h and link with psapi.lib ( to use psapi.dll)

bye...
0
 

Author Comment

by:bod_1
ID: 1601084
Thanks for the xtra gourou.
I noticed Windows NT has a lot of extras that 95 doesn't have.
I've got a 95/Linux box.  With 95, I decided to use the Toolhelp 'debugging' library.
Jeez, in January I'd just started teaching myself C (less than one month). I did a little bit with Windows and have just recently taken on programming Linux because at school - semesters two and on - we're going to be programming for System V.
I'm trying to learn X-Windows now so Windows programming is pretty much on the back-burner for me.
Anyways thanks for the info.
Cheers
0
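Added example, not code from any poster in this thread: before handing an address such as a heap block's dwAddress to ReadProcessMemory, check that the bytes fall inside a committed, readable region, and open the target with only the query and read rights. The names readable_span and read_remote are hypothetical, and VirtualQueryEx does not appear in the thread; it is brought in here as the general way to validate an address in another process.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else                        /* winnt.h values, so the check builds anywhere */
#define MEM_COMMIT    0x1000
#define PAGE_NOACCESS 0x01
#define PAGE_GUARD    0x100
#endif
/* Bytes of [addr, addr+len) inside a committed, readable region [base, base+size). */
size_t readable_span(uintptr_t base, size_t size, unsigned long state,
                     unsigned long protect, uintptr_t addr, size_t len)
{
    if (state != MEM_COMMIT) return 0;                  /* free or reserved */
    if (protect & (PAGE_NOACCESS | PAGE_GUARD)) return 0;
    if (addr < base || addr - base >= size) return 0;   /* outside region */
    size_t room = size - (size_t)(addr - base);
    return len < room ? len : room;
}

#ifdef _WIN32
/* Copy up to len bytes at addr in process pid into buf; returns bytes copied. */
size_t read_remote(DWORD pid, uintptr_t addr, void *buf, size_t len)
{
    MEMORY_BASIC_INFORMATION mbi;
    SIZE_T got = 0;
    /* request only the rights VirtualQueryEx and ReadProcessMemory need */
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (h == NULL) return 0;
    if (VirtualQueryEx(h, (LPCVOID)addr, &mbi, sizeof mbi) != 0) {
        size_t n = readable_span((uintptr_t)mbi.BaseAddress, mbi.RegionSize,
                                 mbi.State, mbi.Protect, addr, len);
        if (n == 0 || !ReadProcessMemory(h, (LPCVOID)addr, buf, n, &got))
            got = 0;                                    /* report failure as 0 */
    }
    CloseHandle(h);
    return (size_t)got;
}
#endif
int main(void)
{
#ifdef _WIN32
    int value = 42, copy = 0;    /* constructed sample: read our own process */
    read_remote(GetCurrentProcessId(), (uintptr_t)&value, &copy, sizeof copy);
    return copy == 42 ? 0 : 1;
#else                            /* constructed region; 0x04 is PAGE_READWRITE */
    return readable_span(0x1000, 0x1000, MEM_COMMIT, 0x04, 0x1ff0, 64) == 16 ? 0 : 1;
#endif
}
```

A return of 0 from read_remote covers every failure: the process could not be opened, the address is not in a committed readable region, or the copy itself failed.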
