none
VB.NET - Reading a structure using a pointer RRS feed

  • Question

  • Hey All,
    I am trying to use VirtualQueryEx to read the memory of a process (first instance of notepad in this case). This function returns a pointer to the MEMORY_BASIC_INFORMATION structure. I am trying to read this structure. But everytime I try to access a member of the structure, I get a zero, which indicates I am messing something up. I am copying my code here.

    Any help will be greatly appreciated


    Imports System.Runtime.InteropServices
    
    Module Module1
    
     Declare Auto Sub GetSystemInfo Lib "kernel32.dll" (ByRef Info As SYSTEM_INFO)
     Public Declare Function VirtualQueryEx Lib "kernel32" Alias "VirtualQueryEx" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, <Out()> ByVal lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
     
    
     Structure SYSTEM_INFO
     Dim ProcessorArchitecture As Int16
     Dim Reserved As Int16
     Dim PageSize As Int32
     Dim MinAppAddress As Int32
     Dim MaxAppAddress As Int32
     Dim ActiveProcMask As Int32
     Dim NumberOfProcessors As Int32
     Dim ProcessorType As Int32
     Dim AllocGranularity As Int32
     Dim ProcessorLevel As Int32
     Dim ProcessorRevision As Int32
     End Structure
     Public Structure MEMORY_BASIC_INFORMATION
     Dim BaseAddress As IntPtr
     Dim AllocationBase As IntPtr
     Dim AllocationProtect As UInt32
     Dim RegionSize As IntPtr
     Dim State As UInt32
     Dim Protect As UInt32
     Dim lType As UInt32
     End Structure
    
     Sub Main()
     Dim ProcessToReadFrom As Process = Process.GetProcessesByName("notepad")(0)
     Dim prHandle = ProcessToReadFrom.Handle
    
     PrintDLLs(prHandle)
    
     End Sub
     
    
    
     Function PrintDLLs(ByVal handle As IntPtr)
     Dim Address As Integer
     Dim Sysinfo As SYSTEM_INFO
     Dim MemInfo As MEMORY_BASIC_INFORMATION
    
    
     GetSystemInfo(Sysinfo)
    
     For Address = Sysinfo.MinAppAddress To Sysinfo.MaxAppAddress
      Try
      
      If VirtualQueryEx(handle, Address, MemInfo, Marshal.SizeOf(MemInfo)) = 0 Then
    
      End If
      Console.WriteLine(MemInfo.lType)
    
      Address = Address + Sysinfo.PageSize
      Catch ex As Exception
    
      End Try
      
     Next
    
    
     End Function
    
    End Module

     



    Wednesday, May 4, 2011 2:20 PM

Answers

  • There is no need for the Marshal stuff. Keep your original code but declare the VirtualQueryEx like this:

    Public Declare Function VirtualQueryEx Lib "kernel32" Alias "VirtualQueryEx" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
    

    /Calle

    Thursday, May 5, 2011 3:14 PM

All replies

  • You must use ByRef when passing the MEMORY_BASIC_INFORMATION structure to VirtualQueryEx.
    Also, put the <StructLayout(LayoutKind.Sequential)> _ attribute on your structures.

    /Calle


    - Still confused, but on a higher level -
    Thursday, May 5, 2011 10:40 AM
  • Hi Calle,

    Thank you for your reply. I have added for all my structures. I have also made the following change -

       Dim MemInfo As MEMORY_BASIC_INFORMATION
       Dim myptr As IntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(MemInfo))
    
       GetSystemInfo(Sysinfo)
    
       For Address = Sysinfo.MinAppAddress To Sysinfo.MaxAppAddress
          Try
            Marshal.StructureToPtr(MemInfo, myptr, False)
        VirtualQueryEx(handle, Address, Marshal.PtrToStructure(myptr, MemInfo.GetType()), Marshal.SizeOf(MemInfo)) 
    
            

    Still, I get am unable to read the values of the structure MEMORY_BASIC_INFORMATION. They come as a 0.

     

    Thanks for any input.

    Thursday, May 5, 2011 1:46 PM
  • There is no need for the Marshal stuff. Keep your original code but declare the VirtualQueryEx like this:

    Public Declare Function VirtualQueryEx Lib "kernel32" Alias "VirtualQueryEx" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
    

    /Calle

    Thursday, May 5, 2011 3:14 PM
  • Thank you so much, it works!!

    Thursday, May 5, 2011 3:35 PM