Mkz, 01-06-2007, 02:28
Just off the top of my head, could it be that not all the memory from the target program is paged in?
IIRC, the ReadProcessMemory fails if even a small part of the memory you requested was not available. Also, if the memory hasn't been paged in yet (because the execution of the target program hasn't triggered the page in), the ReadProcessMemory won't force the page in, and will fail because the memory is not available.

So if you have for instance these memory areas for the target:
400000(+3FF) - Image signature
401000(+FFFF) - .text (code)

a) If you request from 400000 to the end of .text, it will always fail because there's a hole before the start of .text

b) Even if you only request the ".text" area, it might fail because likely there are areas not paged in yet.

I think that a) you must solve yourself (don't ask for a whole contiguous area but for individual blocks), and for b) one of the options is to inject code to run in the target address space, that will force the memory to page in (by reading one address in each page?), after that it can probably be ReadProcessMemory'ed.
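The block-by-block approach suggested for a), as an added example that is not part of the original post. The names `read_fn`, `mock_read` and `dump_blocks` are hypothetical; on Windows the callback would wrap `ReadProcessMemory`, and here a constructed mock of the layout above stands in for it so the logic runs anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read primitive: returns 1 only if the WHOLE range was copied, else 0.
   Assumption: on Windows this would be a thin wrapper around
   ReadProcessMemory(); it is a parameter here so the logic is portable. */
typedef int (*read_fn)(uint64_t addr, void *buf, size_t len);

static int in_range(uint64_t a, size_t n, uint64_t lo, uint64_t hi) {
    return a >= lo && a + n - 1 <= hi;
}

/* Constructed stand-in for the target described in the post:
   0x400000(+0x3FF) header, a hole, then 0x401000(+0xFFFF) .text. */
int mock_read(uint64_t addr, void *buf, size_t len) {
    if (len == 0) return 1;
    if (!in_range(addr, len, 0x400000, 0x4003FF) &&
        !in_range(addr, len, 0x401000, 0x410FFF))
        return 0;               /* all-or-nothing: any gap fails the call */
    memset(buf, 0xCC, len);     /* dummy content marks bytes that were read */
    return 1;
}

/* Dump [base, base+len) in fixed-size blocks. A block that cannot be read
   is zero-filled and counted instead of aborting the whole dump.
   Returns the bytes actually read; *bad_blocks gets the skipped blocks. */
size_t dump_blocks(read_fn rd, uint64_t base, size_t len, size_t block,
                   uint8_t *out, size_t *bad_blocks) {
    size_t got = 0, off = 0;
    *bad_blocks = 0;
    if (block == 0) return 0;
    while (off < len) {
        size_t n = (len - off < block) ? (len - off) : block;
        if (rd(base + off, out + off, n)) {
            got += n;
        } else {
            memset(out + off, 0, n);
            (*bad_blocks)++;
        }
        off += n;
    }
    return got;
}
```

The zero-filled blocks keep offsets in the dump aligned with the target's addresses, and the bad-block count tells you how much of the range is missing.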