1

This is my Form1 code:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Diagnostics;

namespace ReadMemory
{
    public partial class Form1 : Form
    {
        List<int> memoryAddresses = new List<int>();

        public Form1()
        {
            InitializeComponent();


            Process proc = Process.GetCurrentProcess();
            IntPtr startOffset = proc.MainModule.BaseAddress;
            IntPtr endOffset = IntPtr.Add(startOffset, proc.MainModule.ModuleMemorySize);
            for (int i = 0; i < startOffset.ToInt64(); i++)
            {
                memoryAddresses.Add(startOffset[i]
            }

        }

        private void modelsToolStripMenuItem_Click(object sender, EventArgs e)
        {

        }
    }
}

I tried to scan all memory addresses from the start to the end and add them to a List. But i'm getting an error on the line:

memoryAddresses.Add(startOffset[i]

Error 3 Cannot apply indexing with [] to an expression of type 'System.IntPtr'

Second thing is doing in the loop: startOffset.ToInt64() is ok ? Or i should do ToInt32() ?

Doron Muzar
  • 443
  • 1
  • 10
  • 26
  • possible duplicate of [Add offset to IntPtr](http://stackoverflow.com/questions/1866236/add-offset-to-intptr) – BartoszKP Oct 05 '13 at 13:04

2 Answers2

3

That's just not how Windows works. It is a virtual memory demand-paged operating system, every process gets 2 gigabytes of memory. Which starts at 0x0001000 and ends at 0x7fffffff for a 32-bit process. Most processes start consuming VM at 0x00400000, the default start address of an EXE. The end of the VM space is always used by Windows to keep track of essential stuff like threads in the process. Lots of space in between, used to load DLLs and allocate memory for the heaps.

Seeing the allocations requires VirtualQueryEx(), you can't do it with the Process class. Your code is otherwise invalid, an IntPtr is not an array. Get insight in the way a process uses the virtual memory space with the SysInternals' VMMap utility. The same authors wrote the "Windows Internals" book, an essential book to understand how Windows works internally.

Hans Passant
  • 922,412
  • 146
  • 1,693
  • 2,536
1

An IntPtr value is just a number, it's not an array that you can access by an index. Right now you are looping from zero to startOffset, but I think that you want to loop from startOffset to endOffset.

As a memory address can be either 32 bits or 64 bits, depending on the platform that you run the code on, you need a long (Int64) to handle either type of pointer:

List<long> memoryAddresses = new List<long>();

It's correct to use ToInt64 to turn the pointer value into an integer. The memory address will just be the variable that you use in the loop.

for (long i = startOffset.ToInt64(); i < endOffset.ToInt64(); i++) {
  memoryAddresses.Add(i);
}

Note: As you are adding an item for the list for each byte in the process memory, the list will be eight times the size of the process memory. It's likely that you won't have enough memory in your process for that.

Guffa
  • 687,336
  • 108
  • 737
  • 1,005
  • Guffa but doing it this way isn't just counting it ? I mean of the first address the startOffset was : 2162888 and the next one in the List is 2162889 so 2162889 is the next memory address ? Or i just counted from the start to the end ? – Doron Muzar Oct 05 '13 at 13:18
  • you dont need a long, you can just use a IntPtr because the purpose of IntPtr is to handle memory locations. IntPtr is 64 bit on x64 and 32 Bit on x86 – quadroid Oct 05 '13 at 13:21
  • @DoronMuzar: Yes, the loop just goes through the numbers, that originally came from memory addresses. – Guffa Oct 05 '13 at 13:24
  • @console: Yes, you could use an `IntPtr` to represent the address, but it doesn't seem like that's what the OP is trying to do. – Guffa Oct 05 '13 at 13:25