Thread: Process memory space

  1. 04-22-2008 #1
    barboris
    barboris is offline
    Registered User
    Join Date
    Apr 2008
    Posts
    2

    Process memory space

    Hi all,

    I was wondering if anyone could help me with analyzing/reading other process’ memory space. I need to view the memory space in real-time, while running the application, to be able to segregate the variables storing the application state and various strings that are displayed in UI. Then, I need to be able to locate those variables automatically and read them in real-time, whenever application is running.

    For example, take Windows Media Player. I would want to be able to get variables such as: string for song currently playing, state of the player (play/pause, volume, etc.), whenever the application is running in memory. Or, as another example, a list of users currently online on MSN and their status.

    Are there any applications that would ease my task (e.g. to analyze memory space first)? What programming language could this be written in? (I assume it would be C/C++, and maybe C#?) How would I go about doing all this?

    Thank you very much in advance.
  2. 04-23-2008 #2
    iMalc
    iMalc is offline
    Algorithm Dissector iMalc's Avatar
    Join Date
    Dec 2005
    Location
    New Zealand
    Posts
    6,318
    You're asking for information about hacking. We don't take too kindly to that here!

    If the authors of a program haven't made a publicly accessible way of obtaining such information then you are out of luck as far as you should be concerned.
    My homepage
    Advice: Take only as directed - If symptoms persist, please see your debugger

    Linus Torvalds: "But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong"
  3. 04-23-2008 #3
    Elysia
    Elysia is offline
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    I disagree on that point. It adds complexity to the program and the authors may not have thought about it. Come on, how many media players expose what song they're currently playing?
    There are valid uses, but we do need to know what you're trying to accomplish.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.
  4. 04-25-2008 #4
    barboris
    barboris is offline
    Registered User
    Join Date
    Apr 2008
    Posts
    2
    I am not trying to "hack" anything. First of all, I am only Reading the memory space and don't intend to Modify it at run-time. All I am trying to do is to read the information that is displayed to the user from the memory space - the text strings on the UI.

    I just finished my 2nd year of CSC Major and we just covered topics such as ASM, Virtual Memory, and some C. This low level material really interests me, that is why I would like to learn how to do things like this.

    While using the memory scanner on OllyDbg, I noticed that the variables are not stored consitently in memory locations, and also are duplicated in several locations. This was contrary to my belief that the variables would be stored at a consistent offset in Virtual Memory. From my knowledge I can only I guess that it all depends how the Loader loads the executable into memory? If it is inconsistent this way, is it even possible to accomplish what I am trying to do?
  5. 04-25-2008 #5
    master5001
    master5001 is offline
    Banned master5001's Avatar
    Join Date
    Aug 2001
    Location
    Visalia, CA, USA
    Posts
    3,685
    Are you using windows or linux? Not that its of huge consequence, but there already exist programs to aid you in finding this information.

    Study up on ASM and as you learn about CPUs you will find that a lot of the common sense you'd apply to a situation goes out the window.
  6. 04-25-2008 #6
    Salem
    Salem is offline
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,659
    > I noticed that the variables are not stored consitently in memory locations, and also are duplicated in several locations.
    No doubt all but one of them are deallocated copies (or the s/w sucks because it needlessly duplicates data).

    As more and more systems go in for http://en.wikipedia.org/wiki/ASLR, the less chance you'll have of trying to grub around in someone elses address space looking for stuff.

    In any event, taking the media player example, what you need to reliably get that information is an SDK.
    http://www.microsoft.com/downloads/d...DisplayLang=en

    > I noticed that the variables are not stored consitently in memory locations,
    Excepting ASLR, the only things at known VM addresses will be globals and statics. Anything obtained from the memory pool via malloc / new is going to look pretty random in all but the most simple of programs.

    > If it is inconsistent this way, is it even possible to accomplish what I am trying to do?
    Considering that it would require you to run the target application through all possible code paths, and that any patches applied to the target application would invalidate all your work to date, I'd say probably not.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.
  7. 04-25-2008 #7
    brewbuck
    brewbuck is offline
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    Quote Originally Posted by iMalc View Post
    You're asking for information about hacking. We don't take too kindly to that here!

    If the authors of a program haven't made a publicly accessible way of obtaining such information then you are out of luck as far as you should be concerned.
    Come on, that's DRM-think. We all have the right to do whatever we want with our computers, including poking around in memory. Otherwise we're reduced to that Trusted Computing garbage.
« Previous Thread | Next Thread »
Popular pages Recent additions subscribe to a feed

Similar Threads

  1. init adopts zombie process?
    By password636 in forum Linux Programming
    Replies: 4
    Last Post: 07-01-2009, 10:05 AM
  2. tools for finding memory leaks
    By stanlvw in forum C++ Programming
    Replies: 4
    Last Post: 04-03-2009, 11:41 AM
  3. Why address space 0-0x08000000 in a process is unused?
    By meili100 in forum Tech Board
    Replies: 8
    Last Post: 03-31-2008, 10:14 AM
  4. pointers
    By InvariantLoop in forum C Programming
    Replies: 13
    Last Post: 02-04-2005, 09:32 AM
  5. Memory handler
    By Dr. Bebop in forum C Programming
    Replies: 7
    Last Post: 09-15-2002, 04:14 PM