
I see that inspecting /proc/self/maps on Linux machines lets me see the pages that have been mapped in. As a result I can write a program to read and parse the pages it has mapped in. How could one go about doing something similar for Windows? Are there any APIs for the same? If not, do you have any suggestions on how this could be done?

1 Answer


Yes, the possibility exists. First of all you have to access any process memory, or better, make it "accessible". Then you can read memory. Here are some useful links (by the way, you should always look in there if you come from Linux and try to do things on Windows; it is the main source).

https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366916%28v=vs.85%29.aspx

It is all documented there.

But there are also undocumented approaches, really crazy stuff, which also deal with this topic. Like this, for example.

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtReadVirtualMemory.html
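The documented route the answer links to, as an added example that is not part of the original answer: walk every region of the current process with VirtualQueryEx and print each one in /proc/self/maps style (for the bytes themselves, ReadProcessMemory on the committed, readable regions is the companion call). It assumes Python 3 with ctypes on 32- or 64-bit Windows; the struct layout and constants are from winnt.h, and the helper names are my own.

```python
import ctypes

# Values from <winnt.h>; c_uint32/c_uint16 rather than wintypes so the layout is identical everywhere.
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_GUARD = 0x100
PROTECT_TO_PERMS = {0x01: "---", 0x02: "r--", 0x04: "rw-", 0x08: "rw-",   # NOACCESS, READONLY, READWRITE, WRITECOPY
                    0x10: "--x", 0x20: "r-x", 0x40: "rwx", 0x80: "rwx"}   # EXECUTE, EXECUTE_READ, EXECUTE_READWRITE, EXECUTE_WRITECOPY
STATE_NAMES = {MEM_COMMIT: "commit", MEM_RESERVE: "reserve", MEM_FREE: "free"}
TYPE_NAMES = {MEM_PRIVATE: "private", MEM_MAPPED: "mapped", MEM_IMAGE: "image"}

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    """Struct that VirtualQueryEx fills in; PartitionId exists only in the 64-bit layout."""
    _fields_ = ([("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                 ("AllocationProtect", ctypes.c_uint32)]
                + ([("PartitionId", ctypes.c_uint16)] if ctypes.sizeof(ctypes.c_void_p) == 8 else [])
                + [("RegionSize", ctypes.c_size_t), ("State", ctypes.c_uint32),
                   ("Protect", ctypes.c_uint32), ("Type", ctypes.c_uint32)])

def describe_region(base, size, state, protect, mem_type):
    """One /proc/self/maps-style line: start-end perms state type ('p' private, 's' shareable)."""
    if state == MEM_COMMIT:
        perms = PROTECT_TO_PERMS.get(protect & 0xFF, "???") + ("p" if mem_type == MEM_PRIVATE else "s")
        if protect & PAGE_GUARD:
            perms += " guard"      # first touch of a guard page raises STATUS_GUARD_PAGE_VIOLATION
    else:
        perms = "----"             # reserved or free: no pages are backed, so nothing can be read
    line = f"{base:016x}-{base + size:016x} {perms} {STATE_NAMES.get(state, hex(state))}"
    return line if state == MEM_FREE else f"{line} {TYPE_NAMES.get(mem_type, hex(mem_type))}"

def walk_current_process():
    """Yield (base, size, state, protect, type) for every region of this process (Windows only).
    For another process, use a handle from OpenProcess(PROCESS_QUERY_INFORMATION, ...) instead."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    handle, mbi, addr = k32.GetCurrentProcess(), MEMORY_BASIC_INFORMATION(), 0
    # VirtualQueryEx returns 0 once addr is above the top of user space, which ends the walk.
    while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)) == ctypes.sizeof(mbi):
        base = mbi.BaseAddress or 0    # ctypes hands back None for a NULL c_void_p
        yield base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type
        addr = base + mbi.RegionSize

if __name__ == "__main__":
    for region in walk_current_process():
        print(describe_region(*region))
```

Only committed regions whose permissions include "r" can be read; reserved, free and guard regions will fault or fail with ReadProcessMemory, which is why the state and protection are printed alongside the address range.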


1 Comment

See also the Windows Sysinternals VMMap tool, with a nice GUI and the above functions already used.