Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Memory Allocation

TBBW
TBBW
in Programming and Coding

Featured Replies

Posted

Hi all,

the program I'm working on allocates a block of memory of 0x66000 bytes.

(Using Olly it is displayed on the Memory Map Tab)

Every time I start this program it is 0x66000 bytes.

Only the Base adres differs.

I want to find this block of memory (if Olly can do it, It is possible)

Using C#

how should I do this?

regards,

ger

Edited by TBBW

if you need to catch the allocation itself, you might have to inject code, although Nyelenas non-intrusive .net debuggin thing might be an option, too.

if you just need to find the base address, VirtualQueryEx may be of help.


/>http://msdn.microsoft.com/en-us/library/windows/desktop/aa366907%28v=vs.85%29.aspx

and then maybe do some pattern matching.

  • Author

@ deepzero

Yep, as you said I'm not interested in the creation moment.

I just want to be able to find this block of memory.

To be more precise; my program in C# starts a setup.exe using "Process.start"

when the setup.exe is executed it allocates a block of 0x66000 bytes of memory.

In MY program I want to be able to edit this block, so I need the base adres of this block.

regards,

ger

so what`s with that VirtualQueryEx() API?

  • Author

@ deepzero,

I do not understand your last post.

I will try VirtualQueryEx

regards,

ger

I could be wrong, but i think deepzero was asking you why you haven't looked at using VirtualQueryEx after it was suggested and you came back posting but not saying whether or not you had attempted to use it.

http://msdn.microsof...7(v=vs.85).aspx

VirtualQueryEx function

Retrieves information about a range of pages within the virtual address space of a specified process.

I wont flood the page with info that is on that page, but suffice to say that VirtualQueryEx should enable you to gather information about the memory of an external process. The name says it all, it is querying the memory status/inforamation about the desired page(s) in the given process.

On one hand we have you asking how to find your specific block of 0x66000 bytes and on the other hand we have someone offering a function which has the sole purpose of gathering information on memory...

Reading the page i linked to will help give you more information but in a nutshell you can basically start at the beginning of the processes memory range (0x00000000) and perform a query. Taking the base address of a region and adding its size, we get the base address of the next region and we can perform another query on that one. Iterating through the regions like this, you can walk the entire user space of the process and map it out.

HR,

Ghandi

Edited by ghandi

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.