How to read a process' memory using code compiled with g++?

Question

I want to read the process memory of notepad.exe and find the string Hello World! inside it (it's typed inside a Notepad window).

I want to use g++.exe, not cl.exe, because it's too much of a hassle to try to figure out how to set the proper environment variables to be able to use it from the command line instead of from inside Visual Studio. There are other reasons as well, but the thing is I need to use g++.exe.

Trying to compile the following code gives the following errors (I know the code, even if run, would do nothing as-is. But this is a first step):

wstring was not declared in this scope

szModName was not declared in this scope

expected ; before wstrModContain

wstrModContain was not declared in this scope

string has not been declared

#include <windows.h>
#include <psapi.h>

HMODULE GetModule();

int main() {
    return 0;
}

HMODULE GetModule() {
    HMODULE hMods[1024];
    HWND hWnd = FindWindowA(0, "Untitled - Notepad");
    DWORD pID;
    GetWindowThreadProcessId(hWnd, &pID);
    HANDLE pHandle = OpenProcess(PROCESS_VM_READ, FALSE, pID);
    DWORD cbNeeded;
    unsigned int i;
    if (EnumProcessModules(pHandle, hMods, sizeof(hMods), &cbNeeded)) {
        for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++) {
            wstring szModName[MAX_PATH];
            if (GetModuleFileNameEx(pHandle, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR))) {
                TCHAR* wstrModName = szModName;
                wstring wstrModContain = "notepad.exe";
                if (wstrModName.find(wstrModContain) != string::npos) {
                    CloseHandle(pHandle);
                    return hMods[i];
                }
            }
        }
    }
    return nullptr;
}

Please extract and provide a [mcve]. Also, some of the errors are just so basic that I'd also suggest you pick up a book on C++. — Ulrich Eckhardt, May 17 '20 at 15:10
If you are using `windows.h` then I would indeed use visual studio, not GCC as the linux toolchain obviously does not support the windows api. Instead of directly calling cl.exe have you tried actually making a visual studio solution and project to compile your exe? — Cory Kramer, May 17 '20 at 15:10
You might want to look at the source code of [x64dbg](https://x64dbg.com/), which is an open source debugger for Windows. It reads process memory. — Eljay, May 17 '20 at 15:10
You need to learn C++ before you attempt this stuff to be honest.. However, you should `#include ` and change `string::npos` to `std::string::npos` and `wstring` to `std::wstring` to fix your errors.. I'd suggest reading your errors and going through a C++ tutorial. — Brandon, May 17 '20 at 15:10
@Brandon Including `` and `using namespace std;` is the first thing I tried but doesn't solve anything. It just changes the undefined `wstring` and `string` errors to `cannot convert` errors. — GirkovArpa, May 17 '20 at 15:19
A good note to keep in mind is that I believe you should compile your program into the same bit as your target process. (`64bit or 32bit`). I have been working on a similar question: https://stackoverflow.com/questions/61777539/c-read-all-memory-from-process-within-modulesize if you are interested. — darclander, May 17 '20 at 16:17
Thank you that is very interesting and seems quite relevant to what I'm trying to do. It will most certainly be helpful in my adventure. — GirkovArpa, May 17 '20 at 16:21
I hope it is helpful! If you manage to find a correct top address feel free to fork my project and suggest improvements! — darclander, May 17 '20 at 16:30

GirkovArpa · Accepted Answer · 2020-05-19T18:32:04.060

Here is a better answer than my last, since the previous only searched the executable image which only contains what's in the .exe file and not it's dynamic memory.

Compile with: g++ filename.cpp -lpsapi

The order of the #includes is important; <Windows.h> must come before <psapi.h>.

#include <Windows.h>
#include <psapi.h>
#include <iostream>
#include <vector>
#include <algorithm>

int main() {
    DWORD pID;
    HWND hwnd = FindWindowA(NULL, "Untitled - Notepad"); // the window title

    if (!hwnd)
        std::cout << "FindWindowA Error: " << GetLastError() << std::endl;

    if (!GetWindowThreadProcessId(hwnd, &pID))
        std::cout << "GetWindowThreadProcessId Error: " << GetLastError() << std::endl;

    HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
    if (!pHandle)
        std::cout << "OpenProcess Error:" << GetLastError() << std::endl;

    unsigned char *p = NULL;
    MEMORY_BASIC_INFORMATION info;

    for (p = NULL; VirtualQueryEx(pHandle, p, &info, sizeof(info)) == sizeof(info); p += info.RegionSize) {
        std::vector<char> buffer;

        if (info.State == MEM_COMMIT && (info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE)) {
            SIZE_T bytes_read;
            buffer.resize(info.RegionSize);
            ReadProcessMemory(pHandle, p, &buffer[0], info.RegionSize, &bytes_read);
            buffer.resize(bytes_read);

            for (int i = 0; i < buffer.size(); i++) {
                char value = buffer.at(i);
                std::cout << value;
            }
        }
    }
}

Amusingly my last answer was deleted for calling comments "imbecilic". Comments which were unhelpful, wrong, patronizing, did not answer the question, yet which were not themselves deleted.

If you are still interested in working on this you could go to my [github](https://github.com/darclander) and add my discord so we could work together. — darclander, Sep 11 '20 at 20:33

How to read a process' memory using code compiled with g++?

1 Answers1