Process memory space
I was wondering if anyone could help me with analyzing/reading other process' memory space. I need to view the memory space in real-time, while running the application, to be able to segregate the variables storing the application state and various strings that are displayed in UI. Then, I need to be able to locate those variables automatically and read them in real-time, whenever application is running.
For example, take Windows Media Player. I would want to be able to get variables such as: string for song currently playing, state of the player (play/pause, volume, etc.), whenever the application is running in memory. Or, as another example, a list of users currently online on MSN and their status.
Are there any applications that would ease my task (e.g. to analyze memory space first)? What programming language could this be written in? (I assume it would be C/C++, and maybe C#?) How would I go about doing all this?
Thank you very much in advance.
You're asking for information about hacking. We don't take too kindly to that here!
If the authors of a program haven't made a publicly accessible way of obtaining such information then you are out of luck as far as you should be concerned.
I disagree on that point. It adds complexity to the program and the authors may not have thought about it. Come on, how many media players expose what song they're currently playing?
There are valid uses, but we do need to know what you're trying to accomplish.
I am not trying to "hack" anything. First of all, I am only Reading the memory space and don't intend to Modify it at run-time. All I am trying to do is to read the information that is displayed to the user from the memory space - the text strings on the UI.
I just finished my 2nd year of CSC Major and we just covered topics such as ASM, Virtual Memory, and some C. This low level material really interests me, that is why I would like to learn how to do things like this.
While using the memory scanner on OllyDbg, I noticed that the variables are not stored consistently in memory locations, and also are duplicated in several locations. This was contrary to my belief that the variables would be stored at a consistent offset in Virtual Memory. From my knowledge I can only guess that it all depends how the Loader loads the executable into memory? If it is inconsistent this way, is it even possible to accomplish what I am trying to do?
Are you using Windows or Linux? Not that it's of huge consequence, but there already exist programs to aid you in finding this information.
Study up on ASM and as you learn about CPUs you will find that a lot of the common sense you'd apply to a situation goes out the window.
> I noticed that the variables are not stored consistently in memory locations, and also are duplicated in several locations.
No doubt all but one of them are deallocated copies (or the s/w sucks because it needlessly duplicates data).
As more and more systems go in for http://en.wikipedia.org/wiki/ASLR, the less chance you'll have of trying to grub around in someone else's address space looking for stuff.
In any event, taking the media player example, what you need to reliably get that information is an SDK.
> I noticed that the variables are not stored consistently in memory locations,
Excepting ASLR, the only things at known VM addresses will be globals and statics. Anything obtained from the memory pool via malloc / new is going to look pretty random in all but the most simple of programs.
> If it is inconsistent this way, is it even possible to accomplish what I am trying to do?
Considering that it would require you to run the target application through all possible code paths, and that any patches applied to the target application would invalidate all your work to date, I'd say probably not.
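Added example, not code from any poster in this thread: a C program that inspects its own address space to show the point made above about globals/statics versus malloc'd memory. It assumes Linux (`/proc/self/maps`); `g_title` and `region_of` are hypothetical names. Run it twice: with ASLR the absolute addresses change, but the global's offset from its image base stays the same, while the heap pointer has no such fixed anchor.

```c
/* Added example; assumes Linux, where /proc/self/maps lists this process's mappings. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample state; initialised so it sits in the file-backed .data section. */
static char g_title[32] = "constructed sample title";

struct region {
    unsigned long image_off;  /* address minus start of the first mapping with this name */
    char name[256];           /* backing file path, "[heap]", "[stack]", or "" if anonymous */
};

/* Find the mapping of the current process that contains addr. Returns 1 if found. */
int region_of(const void *addr, struct region *out)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512], name[256], prev[256] = "\n";  /* "\n" never matches a real name */
    unsigned long a = (unsigned long)addr, start, end, base = 0;
    int found = 0;
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f)) {
        name[0] = '\0';
        /* Line format: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %255[^\n]", &start, &end, name) < 2)
            continue;
        if (strcmp(name, prev) != 0) { base = start; strcpy(prev, name); }
        if (a >= start && a < end) {
            out->image_off = a - base;
            strcpy(out->name, name);
            found = 1;
        }
    }
    fclose(f);
    return found;
}

int main(void)
{
    char *heap = malloc(64);
    int local = 0;
    const void *p[] = { g_title, heap, &local };
    const char *what[] = { "global", "malloc", "local" };
    struct region r;
    for (int i = 0; i < 3; i++)
        if (region_of(p[i], &r))
            printf("%-6s %p  %-24s +0x%lx\n", what[i], p[i], r.name[0] ? r.name : "(anonymous)", r.image_off);
    free(heap);
    return 0;
}
```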
Come on, that's DRM-think. We all have the right to do whatever we want with our computers, including poking around in memory. Otherwise we're reduced to that Trusted Computing garbage.
Originally Posted by iMalc