[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 358
  • Last Modified:

Memory search

I want to find a number stored somehwere in a win16 application.  The way I have set out to do this is use CreateProcess in my application to start the win16 program.  I then use the OpenProcess with the intention of using ReadProcessMemory.  So I go through all of this only I am not finding what I should.  To test the whole procedure I wrote my own simple win16 program with specific numbers on the stack and another set on the heap.  I then set out to find those numbers in my test program only it didn't work.  Why not?  If this hasn't made sense yet read on.  My search routine looked something like:

HANDLE h;  // is the process handle from OpenProcess
short number; // is the number I am looking for

int i=0;
short chk;  // 2 byte number

/*
The idea here is since I don't know the actual size of the process memory, as soon as i becomes too big and is outside the valid process memory ReadProcessMemory will fail.  So in theory (at least the way I understand it) this should check all the memory in the process, the stack and heap, and program code.
*/
while(ReadProcessMemory(h,(void*)i,&chk,2,&readBytes) != 0)
{
   if (chk == number)
   {
       // I just print the location here
   }
   i++
}

So anyway I see it as the above code should check through everything in the program and the memory it is using.  It is searching through something, it goes through about a meg of memory before ReadProcessMemory fails.  But it doesn't find what it should.  So, at least, its not search the stack or heap (which is what I want).  So what is going on?  What is it searching?  And how do I get at the data I want to search?

Any thoughts/comments would be greatly appreciated.

Thanx ... Jason
0
tlsoftware
Asked:
tlsoftware
  • 2
1 Solution
 
fasterCommented:
I have not used ReadProcessMemory(), but from its documentation, I don't think it can do what you want to.

The problem is that the address space of a process may not be continuous.  Now you will search from 0 to some address, then you may enter a region where you can not read, either because you don't have the access rights or the memory does not exist at all (note that win32 is using virtual memory).  Therefore, unless you know exactly where the heap and stack exists in the process's address space, you will not be able to search it.

What are you trying to do exactly?  If the target program is fixed, then you need not write your own program to do it.  There are such utilities to search other process's memory (SoftICE is an example).  But you have another problem, your target is too small: 2 bytes only.  You probably will get numerous matches.
0
 
tlsoftwareAuthor Commented:
I am aware of the two byte issue.  In practice I would search memory as many times as needed, each time having the application change the number in question.  So in the end I could locate it by cross references all the occurances of the number.

A program that can do this search for me would be nice for immediate use.  As far as I know SoftIce is a fairly expensive debugger outside of my price range.  Any other programs?

However I'm still going to need to write this program eventually so if you have any other advice...  Ideally I'd like to have windows tell me where the heap and stack are located relative to the process's memory.  Can I do this?
0
 
fasterCommented:
I remember that in the book "advanced windows programming" memory issues are discussed in detail.  But I can not remember it now.  If you can not find the book, I can check it out for you, but probably severals days later.

Besides, I still don't understand why you need such a program.  Becuase you must create the process yourself, thus it can only be useful in very limited situations (offline).
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now