LCF-AT
Posted May 16, 2017

Hi guys,

does anyone know how to create my own memory viewer that shows memory similar to HxD? Offset / Hex etc., you know. So normally I would open any chosen process and read the entire memory from 0 - F using VirtualQuery, and then I need to show it somehow. Not sure whether I should use an edit control or anything else. Next question would be how to show it with offset addresses / hex / ASCII and how to update the memory if it changes. Hmm. Has someone any ideas / hints how to handle that? Just wanna create a memory viewer + some search function only.

Thank you

Techlord
Posted May 16, 2017 (edited)

6 hours ago, LCF-AT said: "Just wanna create a memory viewer + some search function only."

Have you taken a look at the tool from our very own @CodeCracker? He has shared the sources also. I always like CodeCracker's tools a lot, especially since he shares the sources also. Thank you CodeCracker ...

Another excellent tool (with sources of course). Get it here: https://sourceforge.net/projects/memorypatch/
Credits to @tonyweb, due to whom I came to know about this wonderful tool last year.

Yet another snippet of SOURCE (but I did not test this one). Get it here: https://gist.github.com/ocornut/0673e37e54aff644298b

Edited May 16, 2017 by Techlord: formatting and added another link

LCF-AT (Author)
Posted May 17, 2017

Hi again,

below is an example pic of how I wanna have it...

...the question I have is how to read the entire virtual memory bytes from a process and how to show it like in the picture. So I think I cannot use just a simple edit control for this. I think I also have to create some template to put all 3 info rows into, like offset addresses / hex bytes / ASCII. I just have no clue how to do it yet, you know.

greetz

fearless
Posted May 17, 2017

I've attached a RadASM v2.x project that uses the RAHexEdit control (which I have modified to compile to a static library, along with a few minor edits). The project includes a HexView.asm file that I use to help set up and use the RAHexEdit control. You also need to call a function early on in the project to register the class for the RAHexEdit control. I have done this just after the InitCommonControlsEx call, and later on some fonts and whatnot are created for the RAHexEdit control:

    Invoke RAHexEdInstall, hInstance, FALSE

Here is a screenshot to show how it looks roughly. It can be adapted to read memory from a memory mapped file or some other memory location, but that will require some adjusting of the code and creating a few functions to handle this.

HexViewMem.zip

atom0s
Posted May 18, 2017

13 hours ago, LCF-AT said: "Hi again, below is an example pic of how I wanna have it... ...the question I have is how to read the entire virtual memory bytes from a process and how to show it like in the picture. So I think I cannot use just a simple edit control for this. I think I also have to create some template to put all 3 info rows into, like offset addresses / hex bytes / ASCII. I just have no clue how to do it yet, you know. greetz"

For speed's sake, you may want to look into on-the-fly reading per page, based on what range of addresses is actually viewable to the user. Constantly reading the entire process's memory range can become a huge timesink as well as a resource hog if the process is large. You are essentially recreating a copy (twice) of the memory from the remote process. So if that process is using, say, 2gigs of RAM, you are going to essentially create another 4gigs yourself. (Displaying the data and its ASCII counterpart.)

Instead, you could read 1 or 2 pages before and after the current location the user is scrolling around to help reduce the resource usage costs and sizes.
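
Added example, not part of atom0s's post or of any tool named in this thread: a portable C sketch of the visible-window approach described above, which also formats the offset / hex / ASCII rows asked about earlier in the thread. The `read_fn` callback is a hypothetical stand-in for ReadProcessMemory, and the page at 0x00401000 is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE     4096u
#define ROW      16u
#define LINE_CAP 96    /* room for a 64-bit offset, 16 hex cells and the ASCII column */

/* Hypothetical stand-in for ReadProcessMemory: returns bytes read, 0 if unreadable. */
typedef size_t (*read_fn)(uint64_t addr, void *buf, size_t len);

/* One HxD-style row: offset, hex column, ASCII column; unreadable bytes show as "??". */
static void format_row(uint64_t addr, const unsigned char *b, size_t n, char *out) {
    int pos = snprintf(out, LINE_CAP, "%08llX  ", (unsigned long long)addr);
    for (size_t i = 0; i < ROW; i++)
        pos += i < n ? sprintf(out + pos, "%02X ", b[i]) : sprintf(out + pos, "?? ");
    out[pos++] = '|';
    for (size_t i = 0; i < ROW; i++)
        out[pos++] = i >= n ? ' ' : (b[i] >= 0x20 && b[i] < 0x7F) ? (char)b[i] : '.';
    out[pos++] = '|'; out[pos] = '\0';
}

/* Format only the visible rows; a page is fetched once, when the view first enters it. */
static unsigned render_view(read_fn rd, uint64_t top, int rows, char lines[][LINE_CAP]) {
    unsigned char page[PAGE];
    uint64_t cached = 1;               /* not page-aligned, so it never matches a real base */
    size_t valid = 0; unsigned reads = 0;
    top &= ~(uint64_t)(ROW - 1);       /* rows always start on a 16-byte boundary */
    for (int r = 0; r < rows; r++) {
        uint64_t a = top + (uint64_t)r * ROW, base = a & ~(uint64_t)(PAGE - 1);
        if (base != cached) { valid = rd(base, page, PAGE); cached = base; reads++; }
        size_t off = (size_t)(a - base), n = off < valid ? valid - off : 0;
        format_row(a, page + off, n > ROW ? ROW : n, lines[r]);
    }
    return reads;                      /* target reads this repaint needed */
}

/* Constructed sample target: one readable page at 0x00401000, nothing mapped after it. */
static unsigned char fake_page[PAGE] = { 'M', 'Z', 0x90, 0x00 };
static char view[4][LINE_CAP];
static size_t fake_read(uint64_t addr, void *buf, size_t len) {
    if (addr == 0x00401000 && len <= PAGE) { memcpy(buf, fake_page, len); return len; }
    return 0;
}

int main(void) {
    unsigned reads = render_view(fake_read, 0x00401FE0, 4, view);
    for (int r = 0; r < 4; r++) puts(view[r]);
    return printf("target reads: %u\n", reads) < 0;
}
```

Repainting four rows across the page boundary costs two reads, however large the target is; a GUI control would call `render_view` from its scroll and timer handlers to keep the display current.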

LCF-AT (Author)
Posted May 18, 2017

Hi again,

thanks again for all the info and example code. I see it isn't as easy as I thought before. No idea how HxD handles reading the entire memory so quickly and showing it. I don't think that HxD reads memory while scrolling. Of course I don't know that. So one question I have is how much time it would take to search the entire memory of any process from 0 - F. So if I can't show the whole memory at once, then I could maybe just search for a specific hex byte pattern / ASCII string etc. in the memory, and if something was found then I could show it in a window somehow (maybe just only this one memory block).

greetz

atom0s
Posted May 18, 2017

Use VirtualQueryEx to walk the process's memory pages, dump what is valid and readable to search within, do your search per page and then list the results.
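
Added example, not part of the original post: the walk, filter and search loop in portable C. The `region` table stands in for what VirtualQueryEx reports (the constants carry their winnt.h values), its contents, addresses and the "needle" pattern are constructed sample data, and the memcpy marks where a real tool would call ReadProcessMemory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MEM_COMMIT     0x1000u   /* winnt.h values, repeated so this builds anywhere */
#define PAGE_NOACCESS  0x01u
#define PAGE_READWRITE 0x04u
#define PAGE_GUARD     0x100u
#define CHUNK          4096u     /* bytes fetched per read */
/* The MEMORY_BASIC_INFORMATION fields used here; bytes = constructed backing data. */
typedef struct { uint64_t base; size_t size; uint32_t state, protect; const unsigned char *bytes; } region;

/* Scan in CHUNK-sized reads, carrying plen-1 bytes over so a match split across two reads is found. */
static size_t scan_region(const region *r, const void *pat, size_t plen, uint64_t *out, size_t max) {
    unsigned char buf[2 * CHUNK];
    size_t carry = 0, found = 0;
    if (plen == 0 || plen > CHUNK) return 0;
    for (size_t off = 0; off < r->size; off += CHUNK) {
        size_t n = r->size - off < CHUNK ? r->size - off : CHUNK;
        memcpy(buf + carry, r->bytes + off, n);   /* a real tool calls ReadProcessMemory here */
        n += carry;                               /* buf[0] is region offset (off - carry) */
        for (size_t i = 0; i + plen <= n && found < max; i++)
            if (memcmp(buf + i, pat, plen) == 0) out[found++] = r->base + off - carry + i;
        carry = n < plen - 1 ? n : plen - 1;
        memmove(buf, buf + n - carry, carry);
    }
    return found;
}

/* Walk the region list, skipping anything not committed or not readable. */
static size_t scan_all(const region *rs, size_t nr, const void *pat, size_t plen, uint64_t *out, size_t max) {
    size_t found = 0;
    for (size_t k = 0; k < nr; k++)
        if (rs[k].state == MEM_COMMIT && !(rs[k].protect & (PAGE_NOACCESS | PAGE_GUARD)))
            found += scan_region(&rs[k], pat, plen, out + found, max - found);
    return found;
}

/* Constructed target: a read-write region holding two matches and a guard region to skip. */
static unsigned char heap[2 * CHUNK], guard[CHUNK];
static uint64_t hits[8];
static size_t demo(void) {
    memcpy(heap + 0x10, "needle", 6); memcpy(guard, "needle", 6);
    memcpy(heap + CHUNK - 3, "needle", 6);        /* straddles the first read boundary */
    region t[] = { { 0x00A00000, sizeof heap, MEM_COMMIT, PAGE_READWRITE, heap },
                   { 0x00B00000, sizeof guard, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD, guard } };
    return scan_all(t, 2, "needle", 6, hits, 8);
}

int main(void) {
    for (size_t i = 0, n = demo(); i < n; i++) printf("hit at %08llX\n", (unsigned long long)hits[i]);
    return 0;
}
```

Only one chunk plus the carry is held at a time, so memory use stays flat regardless of the size of the target.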

fearless
Posted May 18, 2017

I've updated the example HexViewMem so that it reads from its own process and displays the memory in the RAHexEdit control. You just have to change it and add additional features, like selecting or specifying another process to read from, to extend the functionality.

I attached x64dbg to it and took a screenshot, so you can see that the address of the entry point and the bytes of the instructions in both programs are exactly the same (I highlighted the first two instructions' bytes in each case).

HexViewMem.zip

LCF-AT (Author)
Posted May 18, 2017

Hi fearless,

thanks again so far. Your process option doesn't work somehow. Nothing comes up, only the eip address. So is there no way to create it somehow else, so that I later could use API functions only, such as HexViewOpenProcess etc.? If I try to include your files in my project then I get many different errors which I don't get if I use your files as a single / one / same project.

One more question: I tried to play a little with a Rich control and EM_STREAMIN + its callback routine. So it's working (the callback works to access it if I use the RichEdit control) when reading from a handle (CreateFile), but how does it work for some memory, not from a file?

greetz

fearless
Posted May 18, 2017

Yeah, some little bug I found as well. When I compile it with Donkey's vkim-like debug library it displays the data OK. When I packaged it up for release I commented that out, as it probably wouldn't be needed, but then the ReadProcessMemory API fails.

Techlord
Posted May 18, 2017

3 hours ago, LCF-AT said: "So if I can't show the whole memory at once, then I could maybe just search for a specific hex byte pattern / ASCII string etc. in the memory, and if something was found then I could show it in a window somehow (maybe just only this one memory block)."

The 3 tools that I mentioned in my post earlier in this thread (along with sources) help you achieve exactly this result.

LCF-AT (Author)
Posted May 19, 2017

Hi,

one more question about showing code in a nice, sorted & clean window, like the pic from HxD I posted above. So can anyone explain to me how to show it like that? So what do I have to build? On the internet I always found some HexView classes, so how do I create something manually? So it seems I can use any normal control xy, like an edit control, and send bytes into it to show them to me like HxD or others. So do I need to build a control / class by myself, and if yes, how should that work?

greetz

Techlord
Posted June 7, 2017

There is a Delphi control that does exactly what you want, @LCF-AT ...

Quote: http://www.tkweb.eu/en/delphicomp/khexeditor.html

If someone who is a Delphi expert can write a DLL wrapper or something around it, then we can call it from our code ...

Calling all Delphi experts

Viloresi
Posted January 31, 2019

This is probably exactly what you were looking for. I know the source is old, btw...

https://www.codeproject.com/Articles/457/frhed-free-hex-editor