Solved

Memory search

Posted on 1997-11-24
3
333 Views
Last Modified: 2013-12-03
I want to find a number stored somehwere in a win16 application.  The way I have set out to do this is use CreateProcess in my application to start the win16 program.  I then use the OpenProcess with the intention of using ReadProcessMemory.  So I go through all of this only I am not finding what I should.  To test the whole procedure I wrote my own simple win16 program with specific numbers on the stack and another set on the heap.  I then set out to find those numbers in my test program only it didn't work.  Why not?  If this hasn't made sense yet read on.  My search routine looked something like:

HANDLE h;  // is the process handle from OpenProcess
short number; // is the number I am looking for

int i=0;
short chk;  // 2 byte number

/*
The idea here is since I don't know the actual size of the process memory, as soon as i becomes too big and is outside the valid process memory ReadProcessMemory will fail.  So in theory (at least the way I understand it) this should check all the memory in the process, the stack and heap, and program code.
*/
while(ReadProcessMemory(h,(void*)i,&chk,2,&readBytes) != 0)
{
   if (chk == number)
   {
       // I just print the location here
   }
   i++
}

So anyway I see it as the above code should check through everything in the program and the memory it is using.  It is searching through something, it goes through about a meg of memory before ReadProcessMemory fails.  But it doesn't find what it should.  So, at least, its not search the stack or heap (which is what I want).  So what is going on?  What is it searching?  And how do I get at the data I want to search?

Any thoughts/comments would be greatly appreciated.

Thanx ... Jason
0
Comment
Question by:tlsoftware
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 7

Accepted Solution

by:
faster earned 200 total points
ID: 1408818
I have not used ReadProcessMemory(), but from its documentation, I don't think it can do what you want to.

The problem is that the address space of a process may not be continuous.  Now you will search from 0 to some address, then you may enter a region where you can not read, either because you don't have the access rights or the memory does not exist at all (note that win32 is using virtual memory).  Therefore, unless you know exactly where the heap and stack exists in the process's address space, you will not be able to search it.

What are you trying to do exactly?  If the target program is fixed, then you need not write your own program to do it.  There are such utilities to search other process's memory (SoftICE is an example).  But you have another problem, your target is too small: 2 bytes only.  You probably will get numerous matches.
0
 

Author Comment

by:tlsoftware
ID: 1408819
I am aware of the two byte issue.  In practice I would search memory as many times as needed, each time having the application change the number in question.  So in the end I could locate it by cross references all the occurances of the number.

A program that can do this search for me would be nice for immediate use.  As far as I know SoftIce is a fairly expensive debugger outside of my price range.  Any other programs?

However I'm still going to need to write this program eventually so if you have any other advice...  Ideally I'd like to have windows tell me where the heap and stack are located relative to the process's memory.  Can I do this?
0
 
LVL 7

Expert Comment

by:faster
ID: 1408820
I remember that in the book "advanced windows programming" memory issues are discussed in detail.  But I can not remember it now.  If you can not find the book, I can check it out for you, but probably severals days later.

Besides, I still don't understand why you need such a program.  Becuase you must create the process yourself, thus it can only be useful in very limited situations (offline).
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to make a Windows 7 gadget that accepts files dropped from the Windows Explorer.  It also illustrates how to give your gadget a non-rectangular shape and how to add some nifty visual effects to text displayed in a your gadget.…
For a while now I'v been searching for a circular progress control, much like the one you get when first starting your Silverlight application. I found a couple that were written in WPF and there were a few written in Silverlight, but all appeared o…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question