Jump to content
Tuts 4 You

Memory Allocation


TBBW

Recommended Posts

Hi all,

the program I'm working on allocates a block of memory of 0x66000 bytes.

(Using Olly it is displayed on the Memory Map Tab)

Every time I start this program it is 0x66000 bytes.

Only the Base adres differs.

I want to find this block of memory (if Olly can do it, It is possible)

Using C#

how should I do this?

regards,

ger

Edited by TBBW
Link to comment

if you need to catch the allocation itself, you might have to inject code, although Nyelenas non-intrusive .net debuggin thing might be an option, too.

if you just need to find the base address, VirtualQueryEx may be of help.


/>http://msdn.microsoft.com/en-us/library/windows/desktop/aa366907%28v=vs.85%29.aspx

and then maybe do some pattern matching.

Link to comment

@ deepzero

Yep, as you said I'm not interested in the creation moment.

I just want to be able to find this block of memory.

To be more precise; my program in C# starts a setup.exe using "Process.start"

when the setup.exe is executed it allocates a block of 0x66000 bytes of memory.

In MY program I want to be able to edit this block, so I need the base adres of this block.

regards,

ger

Link to comment

I could be wrong, but i think deepzero was asking you why you haven't looked at using VirtualQueryEx after it was suggested and you came back posting but not saying whether or not you had attempted to use it.

http://msdn.microsof...7(v=vs.85).aspx

VirtualQueryEx function

Retrieves information about a range of pages within the virtual address space of a specified process.

I wont flood the page with info that is on that page, but suffice to say that VirtualQueryEx should enable you to gather information about the memory of an external process. The name says it all, it is querying the memory status/inforamation about the desired page(s) in the given process.

On one hand we have you asking how to find your specific block of 0x66000 bytes and on the other hand we have someone offering a function which has the sole purpose of gathering information on memory...

Reading the page i linked to will help give you more information but in a nutshell you can basically start at the beginning of the processes memory range (0x00000000) and perform a query. Taking the base address of a region and adding its size, we get the base address of the next region and we can perform another query on that one. Iterating through the regions like this, you can walk the entire user space of the process and map it out.

HR,

Ghandi

Edited by ghandi
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...