Solved

Memory search

Posted on 1997-11-24
3
332 Views
Last Modified: 2013-12-03
I want to find a number stored somehwere in a win16 application.  The way I have set out to do this is use CreateProcess in my application to start the win16 program.  I then use the OpenProcess with the intention of using ReadProcessMemory.  So I go through all of this only I am not finding what I should.  To test the whole procedure I wrote my own simple win16 program with specific numbers on the stack and another set on the heap.  I then set out to find those numbers in my test program only it didn't work.  Why not?  If this hasn't made sense yet read on.  My search routine looked something like:

HANDLE h;  // is the process handle from OpenProcess
short number; // is the number I am looking for

int i=0;
short chk;  // 2 byte number

/*
The idea here is since I don't know the actual size of the process memory, as soon as i becomes too big and is outside the valid process memory ReadProcessMemory will fail.  So in theory (at least the way I understand it) this should check all the memory in the process, the stack and heap, and program code.
*/
while(ReadProcessMemory(h,(void*)i,&chk,2,&readBytes) != 0)
{
   if (chk == number)
   {
       // I just print the location here
   }
   i++
}

So anyway I see it as the above code should check through everything in the program and the memory it is using.  It is searching through something, it goes through about a meg of memory before ReadProcessMemory fails.  But it doesn't find what it should.  So, at least, its not search the stack or heap (which is what I want).  So what is going on?  What is it searching?  And how do I get at the data I want to search?

Any thoughts/comments would be greatly appreciated.

Thanx ... Jason
0
Comment
Question by:tlsoftware
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 7

Accepted Solution

by:
faster earned 200 total points
ID: 1408818
I have not used ReadProcessMemory(), but from its documentation, I don't think it can do what you want to.

The problem is that the address space of a process may not be continuous.  Now you will search from 0 to some address, then you may enter a region where you can not read, either because you don't have the access rights or the memory does not exist at all (note that win32 is using virtual memory).  Therefore, unless you know exactly where the heap and stack exists in the process's address space, you will not be able to search it.

What are you trying to do exactly?  If the target program is fixed, then you need not write your own program to do it.  There are such utilities to search other process's memory (SoftICE is an example).  But you have another problem, your target is too small: 2 bytes only.  You probably will get numerous matches.
0
 

Author Comment

by:tlsoftware
ID: 1408819
I am aware of the two byte issue.  In practice I would search memory as many times as needed, each time having the application change the number in question.  So in the end I could locate it by cross references all the occurances of the number.

A program that can do this search for me would be nice for immediate use.  As far as I know SoftIce is a fairly expensive debugger outside of my price range.  Any other programs?

However I'm still going to need to write this program eventually so if you have any other advice...  Ideally I'd like to have windows tell me where the heap and stack are located relative to the process's memory.  Can I do this?
0
 
LVL 7

Expert Comment

by:faster
ID: 1408820
I remember that in the book "advanced windows programming" memory issues are discussed in detail.  But I can not remember it now.  If you can not find the book, I can check it out for you, but probably severals days later.

Besides, I still don't understand why you need such a program.  Becuase you must create the process yourself, thus it can only be useful in very limited situations (offline).
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

zlib is a free compression library (a DLL) on which the popular gzip utility is built.  In this article, we'll see how to use the zlib functions to compress and decompress data in memory; that is, without needing to use a temporary file.  We'll be c…
After several hours of googling I could not gather any information on this topic. There are several ways of controlling the USB port connected to any storage device. The best example of that is by changing the registry value of "HKEY_LOCAL_MACHINE\S…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question