Accessing .text section code pages of a Windows 7 process

Posted: Tue Apr 05, 2016 4:22 am
by coldthunder
Hi,

I am a programmer, new to Windows systems development. I want to access the .text section (i.e. the code) of a running process on Windows 7 and above. Basically, I am doing this as a self-study exercise. I can inspect a PE file and print out the code disassembly. Instead of static inspection, I now want to perform dynamic inspection of the code section in the loaded process, iterate over the code pages and print the code (or do a checksum, etc.). I am also open to writing a driver module if need be.

I briefly googled and found functions such as ZwQueryInformationProcess, ReadProcessMemory, VirtualQueryEx, etc. Also, I had a quick look at the EPROCESS structure and its members. Please suggest the best way to approach this problem. I know that EPROCESS structure varies between Windows versions and am willing to live with one particular version for now.

I am also wondering what would happen when we read the code pages that are swapped out to the disk. Will the above inspection functions and structures generate a page fault internally and fetch the page in the physical memory for reading?

Thanks.

Re: Accessing .text section code pages of a Windows 7 process

Posted: Mon Apr 18, 2016 11:21 am
by jojo
I assume you figured this out, but ten seconds on google gave me:

http://stackoverflow.com/questions/2258 ... in-program

Also yes on page swapping, but it's kind of a silly question as that's not something, at a fundamental level, your usermode code will ever be able to be aware of. A user mode application doesn't even know page swapping exists.
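The walk the first post asks about (enumerate a process's committed executable pages with VirtualQueryEx, read each page with ReadProcessMemory, checksum it), written out as an added example; it is not code from either poster. OpenProcess, VirtualQueryEx and ReadProcessMemory are the real kernel32 entry points, called through ctypes; `Region`, `walk_exec_pages`, `snapshot`, `changed_pages` and `fake_source` are names chosen here, and the region layout and page bytes in `fake_source` are constructed so the walk can be exercised without a live process. The page walk is written against two callables so the same logic runs on a live Windows process or on the constructed model. Run with a Python of the same bitness as the target process.

```python
"""Enumerate a process's executable pages and hash them for an integrity baseline."""
import ctypes
import hashlib
import sys
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional, Tuple

PAGE_SIZE = 0x1000
MEM_COMMIT = 0x1000
# Protection constants from <winnt.h>; any of these four marks a page as executable.
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_EXEC = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass
class Region:
    """One VirtualQueryEx result: a run of pages sharing state and protection."""
    base: int
    size: int
    state: int
    protect: int


# query(addr) -> Region containing addr, or None once the address space is exhausted.
# read(addr, n) -> n bytes at addr, or None if the read fails.
Query = Callable[[int], Optional[Region]]
Read = Callable[[int, int], Optional[bytes]]


def walk_exec_pages(query: Query, read: Read) -> Iterator[Tuple[int, int, Optional[bytes]]]:
    """Yield (page_address, protect, page_bytes) for every committed executable page."""
    addr = 0
    while True:
        region = query(addr)
        if region is None or region.size == 0:
            break
        if region.state == MEM_COMMIT and region.protect & EXEC_MASK:
            for page in range(region.base, region.base + region.size, PAGE_SIZE):
                yield page, region.protect, read(page, PAGE_SIZE)
        addr = region.base + region.size  # the next region starts where this one ends


def snapshot(query: Query, read: Read) -> Dict[int, str]:
    """Map each executable page to the SHA-256 of its bytes ('unreadable' if the read failed)."""
    return {page: (hashlib.sha256(data).hexdigest() if data is not None else "unreadable")
            for page, _prot, data in walk_exec_pages(query, read)}


def writable_exec_pages(query: Query, read: Read) -> List[int]:
    """Pages that are writable and executable at once: normal for a JIT, otherwise worth a look."""
    return [page for page, prot, _ in walk_exec_pages(query, read) if prot & WRITABLE_EXEC]


def changed_pages(before: Dict[int, str], after: Dict[int, str]) -> List[int]:
    """Code pages whose hash differs between two snapshots, or that appeared or vanished."""
    return sorted(p for p in before.keys() | after.keys() if before.get(p) != after.get(p))


def windows_source(pid: int) -> Tuple[Query, Read]:
    """Bind query/read to a live process through kernel32 (Windows only)."""
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)

    class MBI(ctypes.Structure):  # MEMORY_BASIC_INFORMATION; ctypes inserts the x64 padding
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", ctypes.c_ulong), ("RegionSize", ctypes.c_size_t),
                    ("State", ctypes.c_ulong), ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]

    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")

    def query(addr: int) -> Optional[Region]:
        mbi = MBI()
        if k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)) == 0:
            return None  # fails with ERROR_INVALID_PARAMETER above the user address space
        return Region(mbi.BaseAddress or 0, mbi.RegionSize, mbi.State, mbi.Protect)

    def read(addr: int, n: int) -> Optional[bytes]:
        # The kernel performs the copy: a code page that was paged out is faulted back in
        # transparently, so user mode never observes the swap (the point jojo makes above).
        buf, got = ctypes.create_string_buffer(n), ctypes.c_size_t(0)
        ok = k32.ReadProcessMemory(handle, addr, buf, n, ctypes.byref(got))
        return buf.raw[:got.value] if ok else None

    return query, read


def fake_source(regions: List[Region], contents: Dict[int, bytes]) -> Tuple[Query, Read]:
    """Constructed memory model (regions must tile the space from 0) for offline exercise."""
    def query(addr: int) -> Optional[Region]:
        return next((r for r in regions if r.base <= addr < r.base + r.size), None)

    def read(addr: int, n: int) -> Optional[bytes]:
        return contents.get(addr)

    return query, read


if __name__ == "__main__" and sys.platform == "win32":
    q, r = windows_source(int(sys.argv[1]))  # usage: python this.py <pid>
    baseline = snapshot(q, r)
    print(f"{len(baseline)} executable pages hashed")
    for page in writable_exec_pages(q, r):
        print(f"writable+executable page at {page:#x}")
```

Taking a baseline snapshot at process start and diffing later with `changed_pages` flags in-memory patching of .text (hooks, shellcode written over code) without needing the on-disk PE at all; comparing against the file's .text instead requires applying relocations first, since the loader rewrites absolute addresses when the image is not mapped at its preferred base.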