ReadProcessMemory
Header: Windows.h
Library: Kernel32.lib
Synopsis
BOOL WINAPI ReadProcessMemory(
HANDLE hProcess,
LPCVOID lpBaseAddress,
LPVOID lpBuffer,
SIZE_T nSize,
SIZE_T *lpNumberOfBytesRead
);Parameters
| Parameter | Description |
|---|---|
hProcess |
Handle to the process with MEMORY_READ access. The handle must be obtained by OpenProcess or similar. |
lpBaseAddress |
Base address in the specified process from which to read. |
lpBuffer |
Pointer to a buffer that receives the contents from the target process. |
nSize |
Number of bytes to be read. |
lpNumberOfBytesRead |
Optional pointer to a SIZE_T variable that receives the number of bytes actually read. Can be NULL. |
Return Value
Returns nonzero if the operation succeeds. If the function fails, the return value is zero. Use GetLastError() to obtain extended error information.
Remarks
- The calling process must have appropriate access rights to the target process.
- The address range must be readable; otherwise the function fails with
ERROR_PARTIAL_COPYorERROR_INVALID_ADDRESS. - Reading from a remote process can affect its state if the memory is being modified concurrently.
Example
#include <windows.h>
#include <stdio.h>
int main()
{
DWORD pid = 1234; // target process id
HANDLE hProc = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
if (!hProc) {
printf("OpenProcess failed: %lu\n", GetLastError());
return 1;
}
// Assume we know the address of an integer variable in the remote process
LPCVOID remoteAddr = (LPCVOID)0x00A1B2C3;
int value = 0;
SIZE_T bytesRead = 0;
if (ReadProcessMemory(hProc, remoteAddr, &value, sizeof(value), &bytesRead)) {
printf("Read %zu bytes: %d\n", bytesRead, value);
} else {
printf("ReadProcessMemory failed: %lu\n", GetLastError());
}
CloseHandle(hProc);
return 0;
}