Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Memory Viewer

Posted on 2006-06-18
Last Modified: 2010-04-15
Hi all,

I'm starting work on a memory viewer app which will dump the values of a specified range of memory addresses to stdout or a win32 text box. I'm just wondering how exactly to implement this, whether I should just have a memcpy in a for loop,  iterating through the addresses and copying their values to a buffer. or is there a more sophisticated way of doing it? Any help is appreciated

Question by:pushpop

Expert Comment

ID: 16930860
What OS are you running? If it's multitasking, chances are you will not be able to read the contents of just any memory address, especially not that of another process. For Windows, for example, there are the OpenProcess/ReadProcessMemory/WriteProcessMemory "debugging" functions which will allow you to read another process' memory. You will most likely need a privileged user account.

Author Comment

ID: 16930913

Im running Windows XP sp2 as an admin. Does that sound workable?

Expert Comment

ID: 16931992
Reading memory in a virtual memory environment needs defining.

Are you looking to dump the memory of your own program, another program or dump system memory?

Each situation has different requirements.

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.


Author Comment

ID: 16932602
Ideally I'd like to dump the contents of system memory, but I'm aware that with the use of virtual memory this might be tricky.

Thanks everyone for your contributions so far
LVL 22

Expert Comment

ID: 16933221
Dumping memory isnt very useful anymore.  IN the old days with DOS there was plenty of data at predictable addresses:  the ROM BIOS, the interrupt vectors, the DOS list of lists, and many more.

But nowadays OS's don't put anything at fixed addresses.  And the OD's usually have nice API calls you can make to cleanly get whatever info you might want.  AND there is sooooo much memory, often gigabytes, it doesnt make much sense to dump it out for human eyes.

Maybe if you could tell us what your goal really is, we could make better sugestions.

LVL 45

Expert Comment

by:Kent Olsen
ID: 16933593
Hi pushpop,

The actual viewer is pretty easy.  Getting to system memory is the challenge.  A function to do this will have to be written in assembler and involves switching from user to protected mode, copying the data from system memory to your workspace, and returning to user mode.

As such, I'd define the outer structure to be a buffer from 1K to 4K in size.  Any larger and you run the risk of tying up the CPU to long in a block move.  Then build the function to copy memory to the program.

Good Luck.  This will be quite a challenge.

Accepted Solution

billtouch earned 125 total points
ID: 16935032
One approach that I would consider is creating a drvier to access system memory. You could use seek() to point t the desired address and read() to get the data.

Or you could use ioctl() for the the operation. The singe  pointer argument you are allowed could contain the start/end addresses or start/length.

If there is any interest, let me know and I will post more.

At the very least, this is no small undertaking. As for the comments above, there is very little of interest in a windows dump. If you are one of the very few that understands windows internals, you probably alreay have tools to look at what you need. Windows scrambles most names so you won't be able find user info from peeking.

Unlike most people, telling me there is not much to see awakens the desire to look anyway. So... if you are brave and undaunted by programming challenges... Have fun!.


PS: try to figure out the  windows dll's that start with kd (kd*.dll).

Author Comment

ID: 16943295
Hi all,

I suppose I'm just doing it for fun, to see can it be done really. Thanks for your contributions so far

Expert Comment

ID: 17002479
Thanks and "doing it to see if it can be done" is usually the start of great things. I call those things toys. I write toys and play with them. Many secrets of the deep have been revealed that way.

I first learned about OS's by doing exactly what you are doing, but with IBM's DOS operating system. After doing the dump, I wrote a disassembler to take all that hex stuff and turn it into instructions. What a wonderful time of exploration.

Have a lot of fun and learn a lot!


Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows programmers of the C/C++ variety, how many of you realise that since Window 9x Microsoft has been lying to you about what constitutes Unicode (http://en.wikipedia.org/wiki/Unicode)? They will have you believe that Unicode requires you to use…
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
The goal of this video is to provide viewers with basic examples to understand how to create, access, and change arrays in the C programming language.
The goal of this video is to provide viewers with basic examples to understand and use switch statements in the C programming language.

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question