Jump to content
Tuts 4 You

How to build a memory viewer?

LCF-AT

By LCF-AT
in Programming and Coding

Recommended Posts

LCF-AT

LCF-AT

Posted
Posted

Hi guys,

does anyone know how to create a own memory viewer what does show memory similar as HxD?Offset / Hex etc you know.

So normaly I would open any choosen process and read entire memory from 0 - F using VirtualQuery and then I need to show it anyhow.Not sure whether I should use a edit control or anything else.Next question would be how to show it with offset addresses / hex / ASCII and how to update the memory if it does change.Hhmmm.Has someone any ideas / hints how to handle that?Just wanna create a memory viewer + some search function only.

Thank you

Link to comment
Techlord

Techlord

Posted
Posted (edited)
6 hours ago, LCF-AT said:

Just wanna create a memory viewer + some search function only.

Have you taken a look at the tool from our very own @CodeCracker ? :)

He has shared the sources also.

I always like CodeCracker's tools a lot :) - especially since he shares the sources also. Thank you CodeCracker ...

 

Another excellent tool : (with sources of course)

Main.png

Get it here : 

https://sourceforge.net/projects/memorypatch/

Credits to @tonyweb due to whom I came to know about wonderful tool last year :)

 

 

Yet another snippet of SOURCE (but I did not test this one) :

3047ef88-392c-11e5-8270-a54f8354b208.gif

Get it here :  

https://gist.github.com/ocornut/0673e37e54aff644298b

 

Edited by Techlord
Formatting and added another link
  • Like 4
Link to comment
LCF-AT

LCF-AT

Posted
  • Author
Posted

Hi again,

below a example pic how I wanna have it...

HxD..png.b480d24e3a146a7d5d5450a17135a70e.png

....the question I have is how to read entire virtual memory bytes from a process and how to show it like on the picture.So I think I can not use just a simple edit control for this.I think I have also to create any template to put all 3 infos rows into like offset addresses / HexBytes / ASCII.I just have no clue how to do it yet you know.

greetz

Link to comment
fearless

fearless

Posted
Posted

Ive attached a RadASM v2.x project that uses the RAHexEdit control (which i have modified to compile to a static library along with a few minor edits) the project includes a HexView.asm file that i use to help setup and use the RAHexEdit control. You also need to call a function early on in the project to register the class for the RAHexEdit control - i have done this just after the InitCommonControlsEx call, and later on some fonts and whatnot are created for the RAHexEdit control 

Invoke RAHexEdInstall, hInstance, FALSE

Here is a screenshot to show how it looks roughly - it can be adapted to read memory from a memory mapped file or some other memory location, but that will require some adjusting of the code and creating a few functions to handle this.

Hex_View_Mem.png

 

 

 

HexViewMem.zip

  • Like 4
Link to comment
atom0s

atom0s

Posted
Posted
13 hours ago, LCF-AT said:

Hi again,

below a example pic how I wanna have it...

HxD..png.b480d24e3a146a7d5d5450a17135a70e.png

....the question I have is how to read entire virtual memory bytes from a process and how to show it like on the picture.So I think I can not use just a simple edit control for this.I think I have also to create any template to put all 3 infos rows into like offset addresses / HexBytes / ASCII.I just have no clue how to do it yet you know.

greetz

For speed sake, you may want to look into on-the-fly reading per-page based on what range of addresses is actually viewable to the user. Cosntantly reading the entire processes memory range can become a huge timesink as well as a resource hog if the process is large. You are essentially recreating a copy (twice) of the memory from the remote process. So if that process is using say, 2gigs of RAM, you are going to essentially create another 4gigs yourself. (Displaying the data and its ASCII counterpart.) 

Instead, you could read 1 or 2 pages before and after the current location the user is scrolling around to help reduce the resource usage costs and sizes. 

  • Like 2
Link to comment
LCF-AT

LCF-AT

Posted
  • Author
Posted

Hi again,

thanks again for all infos and example codes.I see isnt so easy as I thought before.

No idea how HxD does handle it to read entire memory so quickly and to show it.I dosent think that HxD does read memory by scrolling.Of course I dont know it.So one question I have is how much time it would take to search the entire memory from any process from 0 - F.So if I cant show the while memory at once then I could maybe just search for specific hex byte pattern / ASCII string etc in the memory and if something was found then I could show it in a window anyhow (maybe just only this one memory block).

greetz

Link to comment
atom0s

atom0s

Posted
Posted

Use VirtualQueryEx to walk the processes memory pages, dump what is valid and readable to search within, do your search per-page and then list the results.

Link to comment
fearless

fearless

Posted
Posted

Ive updated the example HexViewMem that it reads from its own process and displays the memory in the RAHexEdit control - just have to change and add additional features like selecting or specifying another process to read from to extend the functionality. I attached x64dbg to it, and took a screenshot so you can see the address of the entry point and the bytes of the instructions in both programs are exactly the same (i highlighted the first two instructions bytes in each case)

hewviewmem2.png

HexViewMem.zip

  • Like 2
Link to comment
LCF-AT

LCF-AT

Posted
  • Author
Posted

Hi fearless,

thanks  again so far.You process option dosent work anyhow.There comes nothing only the eip address.

Eip.png.7f789aadc234e23a648bdba91d7474d1.png

So is there no way to create it anyhow else so that I later could only use API functions only as HexViewOpenProcess etc?If I try to include your files in my project then I got many  diffrent erros which I dont get if I use your files as single / one / same project.

One more question: I tried to play a little with a Rich control and EM_STREAMIN + callback routine of it.So its working (callback works to access it if I use RichEdit control) using it with reading from a handle (CreateFile) but how it works for some memory any not from file?

greetz

Link to comment
fearless

fearless

Posted
Posted

Yeh some little bug i found as well, when i compile it with the donkey's vkim like debug library it displays the data ok, when i packaged it up for release i commented that out as it probably wouldnt be needed, but then the ReadProcessMemory api fails.

Link to comment
Techlord

Techlord

Posted
Posted
3 hours ago, LCF-AT said:

So if I cant show the while memory at once then I could maybe just search for specific hex byte pattern / ASCII string etc in the memory and if something was found then I could show it in a window anyhow (maybe just only this one memory block).

The 3 tools that I mentioned in my post earlier in this thread (along with sources), helps you achieve exactly this result :)

Link to comment
LCF-AT

LCF-AT

Posted
  • Author
Posted

Hi,

one more question about showing codes in a nice sortet & clean window like I did post above a pic from HxD.So can anyone expain me how to show it like that?So what I have to build?On internet I found always some HexView classes so how to create something manually?So it seems I can use any normal control xy like a edit control so send bytes into to show me them like HxD or others.So do I need to build any control / class by myself and if yes how should that work?

greetz

Link to comment
  • 3 weeks later...
  • 1 year later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...