Stack Overflow
Possible to hook an event for ReadProcessMemory()?
[+3] [1] y2k
[2013-06-02 06:50:23]
[ c++ winapi hook readprocessmemory ]
[ https://stackoverflow.com/questions/16880479/possible-to-hook-an-event-for-readprocessmemory ]

Is it possible to hook calls to ReadProcessMemory() in the Win32 API? I would like to do it in C or C++.

What I mean is, anytime another process uses that function, it detours to my callback at some point with all the info.

[+1] [2017-12-05 05:20:46] GuidedHacking

You can inject your code into every running process and hook ReadProcessMemory in the calling process, just like you would any other function, but there is no way for you to hook it from the target process.

Alternatively you can use ObRegisterCallbacks() [1] from the kernel to detect OpenProcess() [2] by filtering by PsProcessType object type and OB_OPERATION_HANDLE_CREATE operation. This will show you any processes that need handles to call ReadProcessMemory() [3]. You would then have the ability to execute your own code when these events are triggered from the kernel. You could also speak to a usermode process from your ObRegisterCallbacks routine.

[1] https://msdn.microsoft.com/en-us/library/windows/hardware/ff558692%28v=vs.85%29.aspx
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320(v=vs.85).aspx
[3] https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx

Do you have an example of this? Would you require admin access to achieve this? - rollsch
Ok, it appears to use ObRegisterCallbacks you must have a valid signed driver. This is not feasible for most people. - rollsch
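The kernel-side approach in the answer above, worked through as an added example (this is not code from the question, the answer, or any project they mention). The decision logic is plain C so it builds and can be exercised anywhere; the driver glue that registers it through ObRegisterCallbacks() is compiled only in a WDK kernel-mode build, where the `_KERNEL_MODE` macro is defined. The function and type names (`should_report_handle_request`, `handle_request`, `PreOperationCallback`), the log prefix and the altitude string `"321000"` are my own placeholders; a real driver needs an altitude from a range assigned by Microsoft, must be linked with `/INTEGRITYCHECK`, and, as rollsch notes, must be signed before Windows will load it.

```c
/*
 * Added example: log process-handle requests that carry the access rights
 * ReadProcessMemory()/WriteProcessMemory() need, using an ObRegisterCallbacks
 * pre-operation routine on PsProcessType.  Not from the original page.
 */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#endif

/* Process access rights (values as in winnt.h), supplied only when no Windows
 * header has already defined them, so the core builds with a plain C compiler. */
#ifndef PROCESS_VM_OPERATION
#define PROCESS_VM_OPERATION 0x0008UL
#endif
#ifndef PROCESS_VM_READ
#define PROCESS_VM_READ      0x0010UL
#endif
#ifndef PROCESS_VM_WRITE
#define PROCESS_VM_WRITE     0x0020UL
#endif

/* Everything the decision needs, copied out of OB_PRE_OPERATION_INFORMATION. */
typedef struct handle_request {
    unsigned long desired_access; /* ACCESS_MASK requested for the handle */
    int           kernel_handle;  /* non-zero when a kernel component asked */
    unsigned long caller_pid;     /* process making the request */
    unsigned long target_pid;     /* process the handle refers to */
} handle_request;

/* Returns 1 when the request should be reported: a user-mode caller asking for
 * memory-access rights on a process other than itself; otherwise 0. */
int should_report_handle_request(const handle_request *r)
{
    const unsigned long memory_rights =
        PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;

    if (r->kernel_handle)               /* kernel opens are not OpenProcess() calls */
        return 0;
    if (r->caller_pid == r->target_pid) /* a process may always touch its own memory */
        return 0;
    return (r->desired_access & memory_rights) != 0;
}

#ifdef _KERNEL_MODE
static PVOID g_CallbackHandle = NULL;

static OB_PREOP_CALLBACK_STATUS
PreOperationCallback(PVOID Context, POB_PRE_OPERATION_INFORMATION Info)
{
    handle_request r;
    UNREFERENCED_PARAMETER(Context);

    /* Registration below already limits us to PsProcessType; this is defensive. */
    if (Info->ObjectType != *PsProcessType)
        return OB_PREOP_SUCCESS;

    r.kernel_handle  = Info->KernelHandle;
    r.caller_pid     = (unsigned long)(ULONG_PTR)PsGetCurrentProcessId();
    r.target_pid     = (unsigned long)(ULONG_PTR)PsGetProcessId((PEPROCESS)Info->Object);
    r.desired_access = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? Info->Parameters->CreateHandleInformation.DesiredAccess
        : Info->Parameters->DuplicateHandleInformation.DesiredAccess;

    if (should_report_handle_request(&r))
        DbgPrint("[procmon] pid %lu requested 0x%lx on pid %lu\n",
                 r.caller_pid, r.desired_access, r.target_pid);

    /* To deny rather than log, clear bits in Parameters->...DesiredAccess here. */
    return OB_PREOP_SUCCESS;
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    if (g_CallbackHandle)
        ObUnRegisterCallbacks(g_CallbackHandle);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    OB_OPERATION_REGISTRATION op = { 0 };
    OB_CALLBACK_REGISTRATION  cb = { 0 };
    UNREFERENCED_PARAMETER(RegistryPath);

    op.ObjectType   = PsProcessType;
    op.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = PreOperationCallback;

    cb.Version                    = OB_FLT_REGISTRATION_VERSION;
    cb.OperationRegistrationCount = 1;
    cb.OperationRegistration      = &op;
    RtlInitUnicodeString(&cb.Altitude, L"321000"); /* placeholder altitude */

    DriverObject->DriverUnload = DriverUnload;
    return ObRegisterCallbacks(&cb, &g_CallbackHandle);
}
#endif /* _KERNEL_MODE */
```

Two things worth knowing before relying on this: the callback sees only handle creation and duplication, so handles that existed before the driver loaded (or were inherited) are never reported, and a request for PROCESS_QUERY_LIMITED_INFORMATION alone is correctly ignored because it cannot be used with ReadProcessMemory(). Logging is the observe-only variant; the same pre-operation routine is where a protector would mask out PROCESS_VM_READ and friends from DesiredAccess, which is how process-protection drivers are built on this API.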