I want to get read access to physical memory to search for certain bytes. The memory address range is 0x000F0000 to 0x000FFFFF that is 64K bytes. I tried using the following code
NTSTATUS status;
HANDLE physmem;
status = NtOpenSection( &physmem, SECTION_MAP_READ, &attributes );
if( !NT_SUCCESS( status )) {
PrintError( "Could not open \\device\\physicalmemory", status );
return NULL;
}
return physmem;
I am able to get the handle (physmem) but when I try
_lseek(physmem, 0L, SEEK_SET);
perror() gives "Bad file descriptor"
Is there an alternate way to read this section of memory?
NTSTATUS status;
HANDLE physmem;
status = NtOpenSection( &physmem, SECTION_MAP_READ, &attributes );
if( !NT_SUCCESS( status )) {
PrintError( "Could not open \\device\\physicalmemory", status );
return NULL;
}
return physmem;
I am able to get the handle (physmem) but when I try
_lseek(physmem, 0L, SEEK_SET);
perror() gives "Bad file descriptor"
Is there an alternate way to read this section of memory?