Accessing .text section code pages of a running Windows process

Hi,

I am a programmer, new to Windows systems development. I want to access the .text section (i.e. the code) of a running process on Windows 7 and above. Basically, I am doing this as a self-study exercise. I can inspect a PE file and print out the code disassembly. Instead of static inspection, I now want to perform dynamic inspection of the code section in the loaded process, iterate over the code pages and print the code (or do a checksum, etc.). I am also open to writing a driver module if need be.

I briefly googled and found functions such as ZwQueryInformationProcess, ReadProcessMemory, VirtualQueryEx, etc. Also, I had a quick look at the EPROCESS structure and its members. Please suggest the best way to approach this problem. I know that EPROCESS structure varies between Windows versions and am willing to live with one particular version for now.

I am also wondering what would happen when we read the code pages that are swapped out to the disk. Will the above inspection functions and structures generate a page fault internally and fetch the page in the physical memory for reading?

Thanks.

Well, I guess if you parsed the PE of the file on disk then you could do the same for the file in memory, the exe in this case.
So in other words, let's assume you have a driver that monitors using the load module notify routine.
If you see an image name, let's say notepad.exe, you then take the ImageBase and ImageSize and parse that module like a normal PE file.

Regards,
Gabriel

Windows Driver Consulting
www.kasardia.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, 5 April, 2016 12:45
To: Windows System Software Devs Interest List
Subject: [ntdev] Accessing .text section code pages of a running Windows process
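The approach Gabriel describes, worked through as an added example (this is not code from the thread or from Gabriel, and nothing in it is an OSR or Microsoft sample). The PE walk itself is portable C: given an image in its *mapped* layout (headers at offset 0, sections at their RVAs), it finds the first executable section by its Characteristics, bounds-checks every header offset so a malformed image cannot walk it out of the buffer, and hashes the section one 4 KiB page at a time. The `#ifdef _WIN32` part is the piece the original question asks about: it uses EnumProcessModules/GetModuleInformation for ImageBase and SizeOfImage, then VirtualQueryEx plus ReadProcessMemory per page to copy the image out of the live process. `build_sample_image()` fabricates a tiny PE32+ stand-in (constructed for this example, not a real binary) so the code runs offline on any platform; the function names, the FNV-1a checksum and the sample layout are all choices made here, not anything the thread prescribes.

```c
/* Added example, not from the thread: parse a PE image in its mapped layout, find the code section, hash it per page. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_4K     0x1000u
#define SCN_EXEC    (0x00000020u | 0x20000000u)   /* IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE */
#define SAMPLE_SIZE 0x3000u                       /* SizeOfImage of the constructed sample image below */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }   /* PE fields are little-endian */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* First executable section of a *mapped* image (loaded layout, not file layout). Every header
 * offset is checked against `size`, so a malformed or partially read image cannot push the walk
 * outside the buffer. Returns 1 and fills *rva/*vsize, or 0. */
int find_code_section(const uint8_t *img, size_t size, uint32_t *rva, uint32_t *vsize)
{
    if (size < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3C);                                 /* IMAGE_DOS_HEADER.e_lfanew */
    if (pe > size - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec = rd16(img + pe + 6), opt = rd16(img + pe + 20);  /* NumberOfSections, SizeOfOptionalHeader */
    size_t sh = (size_t)pe + 24 + opt;                              /* section table: 40-byte entries */
    for (uint16_t i = 0; i < nsec; i++, sh += 40) {
        if (sh + 40 > size) return 0;
        uint32_t vs = rd32(img + sh + 8), va = rd32(img + sh + 12), ch = rd32(img + sh + 36);
        if (!(ch & SCN_EXEC)) continue;     /* key on Characteristics, not the name: packers rename ".text" */
        if (va > size || vs > size - va) return 0;                  /* section claims bytes we do not hold */
        *rva = va; *vsize = vs; return 1;
    }
    return 0;
}

uint64_t fnv1a64(const uint8_t *p, size_t n)   /* cheap, deterministic; one patched byte (E9 jmp hook) changes it */
{
    uint64_t h = 14695981039346656037ull;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ull; }
    return h;
}

/* Hash the section one 4 KiB page at a time (last page only up to VirtualSize); returns pages written */
size_t hash_code_pages(const uint8_t *img, uint32_t rva, uint32_t vsize, uint64_t *out, size_t max)
{
    size_t n = 0;
    for (uint32_t off = rva & ~(PAGE_4K - 1); off < rva + vsize && n < max; off += PAGE_4K) {
        uint32_t lo = off > rva ? off : rva;
        uint32_t hi = off + PAGE_4K < rva + vsize ? off + PAGE_4K : rva + vsize;
        out[n++] = fnv1a64(img + lo, hi - lo);
    }
    return n;
}

/* Constructed stand-in for a loaded PE32+ image (not a real binary): 64-byte .text at RVA 0x1000,
 * .rdata at RVA 0x2000, page-aligned the way the loader maps them. */
uint8_t *build_sample_image(void)
{
    uint8_t *img = calloc(SAMPLE_SIZE, 1);
    if (!img) return NULL;
    img[0] = 'M'; img[1] = 'Z'; wr32(img + 0x3C, 0x80);     /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x84, 0x8664); wr16(img + 0x86, 2);          /* Machine = AMD64, NumberOfSections = 2 */
    wr16(img + 0x94, 0xF0);   wr16(img + 0x98, 0x20B);      /* SizeOfOptionalHeader, Magic = PE32+ */
    wr32(img + 0x98 + 32, PAGE_4K); wr32(img + 0x98 + 56, SAMPLE_SIZE);   /* SectionAlignment, SizeOfImage */
    uint8_t *s = img + 0x98 + 0xF0;                         /* first IMAGE_SECTION_HEADER */
    memcpy(s, ".text", 5);       wr32(s + 8, 0x40); wr32(s + 12, 0x1000); wr32(s + 36, 0x60000020); /* CODE|EXEC|READ */
    memcpy(s + 40, ".rdata", 6); wr32(s + 48, 0x10); wr32(s + 52, 0x2000); wr32(s + 76, 0x40000040); /* DATA|READ */
    static const uint8_t code[] = { 0x48,0x83,0xEC,0x28, 0x33,0xC0, 0x48,0x83,0xC4,0x28, 0xC3 }; /* sub rsp,28h; xor eax,eax; add rsp,28h; ret */
    memset(img + 0x1000, 0xCC, 0x40);                       /* int3 padding, as the linker emits */
    memcpy(img + 0x1000, code, sizeof code);
    return img;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>                                          /* link with psapi.lib if the SDK needs it */
/* Copy the main module of `pid` out a page at a time. VirtualQueryEx skips pages that are not committed
 * or are PAGE_NOACCESS/PAGE_GUARD (one big ReadProcessMemory across such a page fails with
 * ERROR_PARTIAL_COPY). Paged-out pages need nothing special: the kernel faults them back in during the copy. */
uint8_t *read_main_image(DWORD pid, size_t *size)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    HMODULE mod; DWORD cb; MODULEINFO mi; uint8_t *buf = NULL;
    if (h && EnumProcessModules(h, &mod, sizeof mod, &cb) && GetModuleInformation(h, mod, &mi, sizeof mi)
          && (buf = calloc(mi.SizeOfImage, 1)) != NULL) {
        *size = mi.SizeOfImage;                             /* first module is the .exe itself */
        for (SIZE_T off = 0; off < mi.SizeOfImage; off += PAGE_4K) {
            uint8_t *p = (uint8_t *)mi.lpBaseOfDll + off; MEMORY_BASIC_INFORMATION mbi;
            SIZE_T n = mi.SizeOfImage - off < PAGE_4K ? mi.SizeOfImage - off : PAGE_4K;
            if (VirtualQueryEx(h, p, &mbi, sizeof mbi) && mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)))
                ReadProcessMemory(h, p, buf + off, n, NULL);         /* unreadable pages stay zero */
        }
    }
    if (h) CloseHandle(h);
    return buf;
}
#endif

int main(int argc, char **argv)
{
    size_t size = SAMPLE_SIZE; uint8_t *img = NULL; uint32_t rva, vsize; uint64_t h[256];
    (void)argc; (void)argv;
#ifdef _WIN32
    if (argc > 1) img = read_main_image((DWORD)strtoul(argv[1], NULL, 10), &size);  /* usage: prog <pid> */
#endif
    if (!img) img = build_sample_image();                   /* no pid given, or not Windows: constructed image */
    if (!img) return 1;
    if (!find_code_section(img, size, &rva, &vsize)) { puts("no executable section found"); return 1; }
    size_t n = hash_code_pages(img, rva, vsize, h, 256);
    printf("code section at RVA 0x%x, %u bytes, %u page(s)\n", rva, vsize, (unsigned)n);
    for (size_t i = 0; i < n; i++) printf("  page %u: fnv1a64 %016llx\n", (unsigned)i, (unsigned long long)h[i]);
    free(img);
    return 0;
}
```

A few things a practitioner should keep in mind when using this against a real process. The per-page hashes of the live .text will not match hashes of the same bytes from the file on disk wherever the loader applied base relocations (the image is rebased under ASLR, and x86 code in particular carries absolute addresses in the instruction stream), so a disk-versus-memory comparison has to mask the fixup sites listed in the .reloc section before it can flag a genuinely patched page; once that is done, a first-byte change such as the `0xE9` used in the test is exactly what an inline hook looks like. Reading per page with VirtualQueryEx first is what lets the copy survive pages that are reserved or PAGE_NOACCESS, while pages that are only paged out are transparent: ReadProcessMemory goes through the kernel, which faults them back in from the image's section object. The same walker applies in a driver: in a load-image notify callback you are already in the context of the process mapping the image, and ImageBase/ImageSize from IMAGE_INFO bound the range, but the user-mode pages may be invalid at that point, so the access belongs inside `__try`/`__except`. Finally, this only sees code that lives in an image section; JIT-emitted or injected code in anonymous executable memory is outside every module and needs a separate walk of the address space with VirtualQueryEx looking for executable private pages.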