HoShiMin / Kernel-Bridge

Windows kernel hacking framework, driver template, hypervisor and API written in C++
GNU General Public License v3.0

ERROR_NOT_LOCKED error on KbReadProcessMemory #23

Closed. klinyecviktor closed this issue 4 years ago

klinyecviktor commented 4 years ago

Hey there,

KbReadProcessMemory fails with error 158 (ERROR_NOT_LOCKED). The driver loads without any errors. For my project I use the "User-Bridge" wrappers as standalone .cpp/.h modules. Driver version: v1.19

BOOL status = KbReadProcessMemory(
    GetPidByName(L"process.exe"),
    Address,
    &buf,
    size
);

if (status == 0) {
    cout << GetLastError() << endl;
}

Any ideas how this could be fixed?

klinyecviktor commented 4 years ago

Just checked it. It works well with notepad.exe, but with the process I'm trying to work with it does not.

Maybe related to this old issue?

HoShiMin commented 4 years ago

How can I reproduce it in an easy way? What type of memory do you want to read (what protection flags does it have - PAGE_***)? What type of process (x32/x64/maybe UWP...)?

klinyecviktor commented 4 years ago

Sorry, I'm not sure how to reproduce it without running that process. The process is 64bit.

Regarding protection flags, is there an API to get protection flags? Thanks in advance.

HoShiMin commented 4 years ago

@klinyecviktor, for example, you can see these rights in ProcessHacker or via the VirtualQuery API. And does this failure appear in other programs, or in exactly this process only?
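
The protection check suggested in the comment above, as an added example (not code from Kernel-Bridge or from any commenter): it classifies the fields VirtualQuery reports for a region, so a free or reserved address can be told apart from a protection problem before a read is attempted. `check_region`, `check_remote_read` and the `read_check` enum are hypothetical names; the Windows-only wrapper uses VirtualQueryEx, the cross-process form of VirtualQuery.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Values from winnt.h, repeated so the check also builds off Windows. */
#define MEM_COMMIT    0x1000
#define PAGE_NOACCESS 0x01
#define PAGE_EXECUTE  0x10   /* execute-only: not readable */
#define PAGE_GUARD    0x100
#endif

/* Why a read of [addr, addr+len) would fail, judged from the fields that
   VirtualQuery/VirtualQueryEx return in MEMORY_BASIC_INFORMATION. */
typedef enum { READ_OK, NOT_COMMITTED, NO_READ_ACCESS, GUARD_PAGE,
               CROSSES_REGION } read_check;

read_check check_region(uint64_t base, uint64_t region_size, uint32_t state,
                        uint32_t protect, uint64_t addr, uint64_t len)
{
    if (state != MEM_COMMIT)
        return NOT_COMMITTED;          /* free or reserved: likely a bad address */
    if (protect & PAGE_GUARD)
        return GUARD_PAGE;
    uint32_t access = protect & 0xFF;  /* low byte holds the access value */
    if (access == PAGE_NOACCESS || access == PAGE_EXECUTE)
        return NO_READ_ACCESS;
    /* Overflow-safe test that the whole range lies inside this one region. */
    if (addr < base || len > region_size || addr - base > region_size - len)
        return CROSSES_REGION;         /* the following region must be queried too */
    return READ_OK;
}

#ifdef _WIN32
/* Query the target process (handle opened with PROCESS_QUERY_INFORMATION)
   and classify the region that contains addr. */
read_check check_remote_read(HANDLE process, const void *addr, size_t len)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQueryEx(process, addr, &mbi, sizeof mbi) == 0)
        return NOT_COMMITTED;          /* query failed: treat address as unusable */
    return check_region((uint64_t)(uintptr_t)mbi.BaseAddress, mbi.RegionSize,
                        mbi.State, mbi.Protect, (uint64_t)(uintptr_t)addr, len);
}
#endif
```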

klinyecviktor commented 4 years ago

@HoShiMin Sorry, it seems like the issue was caused by a wrong Address. The driver works well.

Is there an API method to get the process Base Address?

HoShiMin commented 4 years ago

@klinyecviktor, you can find the base addresses of all images of the process in the PEB::Ldr field (it has the PPEB_LDR_DATA type). And you can obtain the PEB address using ZwQueryInformationProcess with the ProcessBasicInformation class.

klinyecviktor commented 4 years ago

Thanks a lot!