Unable to read all the requests part of the memory


I ran an executable using CreateProcess like so:

CreateProcess(fname, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL,NULL, &si, pi)

Note the pi in CreateProcess is passed by reference.

After that, I want to read the process memory at the address of LoadLibrary(), so I used this code:

#include <stdio.h>
#include <windows.h>

FARPROC msg_func;   /* used below but never declared in the original */

int read_mem(PROCESS_INFORMATION pi)   /* was declared void, yet returned 1 */
{
    SIZE_T bytes = 0;
    char messageBoxOriginalBytes[6] = {};
    HINSTANCE hMod = GetModuleHandle("user32.dll");  /* resolves user32 in the calling process */
    if (!hMod)
    {
        printf("unable to locate user32.dll\n");
        return 1;
    }
    msg_func = GetProcAddress(hMod, "MessageBoxA");
    if (msg_func == NULL)
    {
        printf(" unable to locate messagebox\n");
        return 1;   /* an HMODULE from GetModuleHandle is not closed with CloseHandle */
    }
    if (!ReadProcessMemory(pi.hProcess, (LPCVOID)msg_func, messageBoxOriginalBytes, 6, &bytes))
    {
        printf("Failed to read process memory  %lu\n", GetLastError());
        return 1;
    }
    return 0;
}

The error that I get is 299:

Only part of a ReadProcessMemory or WriteProcessMemory request was completed.

I did try to use OpenProcess() with PROCESS_ALL_ACCESS, but that does not seem to have an effect.

Can anyone explain what I am doing wrong?


The issue is here:

CreateProcess(fname, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL,NULL, &si, pi);

This isn't inherently wrong, but using the CREATE_SUSPENDED creation flag has several consequences. Since processes are self-initializing, the CreateProcess call does the bare minimum required for the primary thread to pick up initialization.

Notably, the kernel will not map modules (except ntdll.dll) into the address space. Mapping modules (and resolving imports) is the responsibility of the process' primary thread. Until that starts executing, there isn't much to be found in the process' address space.

Any attempt to read memory backed by to-be-loaded modules will thus fail.
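The following is an added example, not code from the question or the answer. It reproduces the failure the thread discusses and shows when the read starts to work: create a child with CREATE_SUSPENDED, read at user32!MessageBoxA and get ERROR_PARTIAL_COPY (299), then ResumeThread(), wait for the loader, and read the same address again successfully. Two assumptions are mine, not the page's: the child is notepad.exe (any GUI program would do; WaitForInputIdle() needs a message loop to report that initialization finished), and user32.dll sits at the same base in parent and child, which holds because Windows relocates system DLLs once per boot and is also what the original question silently relies on. The Win32 part builds with MSVC or MinGW; the small result classifier compiles anywhere.

```c
/* Added example, not the question's or answer's code. Demonstrates why
 * ReadProcessMemory() on a CREATE_SUSPENDED child fails with ERROR_PARTIAL_COPY
 * and succeeds after the primary thread has run the loader.
 * Assumptions (mine): child is notepad.exe (a GUI exe, so WaitForInputIdle works);
 * user32.dll has the same base in parent and child (system DLLs are relocated
 * once per boot). Win32 part needs MSVC/MinGW; the classifier builds anywhere. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <stddef.h>
typedef int BOOL;               /* stand-ins so classify_rpm() builds off-Windows */
typedef unsigned long DWORD;
typedef size_t SIZE_T;
#define ERROR_ACCESS_DENIED 5
#define ERROR_PARTIAL_COPY  299
#endif

typedef enum { RPM_OK, RPM_SHORT, RPM_NOT_MAPPED, RPM_DENIED, RPM_OTHER } rpm_result;

/* Classify a ReadProcessMemory() outcome from its return value and GetLastError(). */
rpm_result classify_rpm(BOOL ok, DWORD err, SIZE_T asked, SIZE_T got)
{
    if (ok)
        return got == asked ? RPM_OK : RPM_SHORT;
    if (err == ERROR_PARTIAL_COPY)   /* 299: a page in the range is not mapped in the target */
        return RPM_NOT_MAPPED;
    if (err == ERROR_ACCESS_DENIED)  /* 5: the handle lacks PROCESS_VM_READ */
        return RPM_DENIED;
    return RPM_OTHER;
}

const char *rpm_text(rpm_result r)
{
    switch (r) {
    case RPM_OK:         return "full read";
    case RPM_SHORT:      return "short read";
    case RPM_NOT_MAPPED: return "ERROR_PARTIAL_COPY: range not mapped in target "
                                "(a suspended child has only its image and ntdll.dll mapped)";
    case RPM_DENIED:     return "ERROR_ACCESS_DENIED: handle lacks PROCESS_VM_READ";
    default:             return "other error";
    }
}

#ifdef _WIN32
/* Read `len` bytes at `addr` from `hProc`, print the diagnosis, return TRUE on a full read. */
static BOOL try_read(HANDLE hProc, LPCVOID addr, unsigned char *buf, SIZE_T len, const char *when)
{
    SIZE_T got = 0;
    BOOL ok = ReadProcessMemory(hProc, addr, buf, len, &got);
    DWORD err = ok ? 0 : GetLastError();
    rpm_result r = classify_rpm(ok, err, len, got);
    printf("%-13s %s (GetLastError=%lu, bytes=%lu)\n", when, rpm_text(r), err, (unsigned long)got);
    return r == RPM_OK;
}

int main(void)
{
    STARTUPINFOA si = { sizeof(si) };
    PROCESS_INFORMATION pi = { 0 };
    char cmd[] = "notepad.exe";                 /* assumption: any GUI exe works */
    unsigned char own[6], child[6];

    /* Resolve MessageBoxA in *this* process; a console exe may not have user32 yet. */
    HMODULE user32 = GetModuleHandleA("user32.dll");
    if (!user32) user32 = LoadLibraryA("user32.dll");
    FARPROC target = user32 ? GetProcAddress(user32, "MessageBoxA") : NULL;
    if (!target) { printf("MessageBoxA not found: %lu\n", GetLastError()); return 1; }
    memcpy(own, (LPCVOID)target, sizeof own);   /* our copy of the prologue, for comparison */

    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
        printf("CreateProcess failed: %lu\n", GetLastError());
        return 1;
    }

    /* 1. Still suspended: the loader has not run, user32.dll is not there yet. */
    try_read(pi.hProcess, (LPCVOID)target, child, sizeof child, "suspended:");

    /* 2. Let the primary thread run LdrInitializeThunk and resolve imports. */
    ResumeThread(pi.hThread);
    WaitForInputIdle(pi.hProcess, 5000);

    /* 3. Same handle, same address: now readable, and the bytes match ours. */
    if (try_read(pi.hProcess, (LPCVOID)target, child, sizeof child, "after resume:"))
        printf("prologue matches parent's copy: %s\n",
               memcmp(own, child, sizeof own) == 0 ? "yes" : "no");

    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#endif
```

Build with `cl /W4 demo.c` or `gcc demo.c -o demo.exe` and run it on Windows: the first read reports 299, the second reports a full read. Two practical notes follow from this. Opening the process with PROCESS_ALL_ACCESS, as the question tried, cannot help, because the failure is about what is mapped, not about rights; a rights problem shows up as ERROR_ACCESS_DENIED (5) instead. And if the goal is to act before the target's own code runs, the usual options are to resume and synchronize as above, or to attach as a debugger (DEBUG_PROCESS at creation, then WaitForDebugEvent until the LOAD_DLL_DEBUG_EVENT for user32.dll arrives), which pinpoints the moment the module becomes readable.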