virtualquery

MEMORY_BASIC_INFORMATION and VirtualQueryEx on different architectures

十年热恋 submitted on 2021-01-29 06:18:13
Question: The MSDN page for MEMORY_BASIC_INFORMATION points out in the remarks section that MEMORY_BASIC_INFORMATION32 and MEMORY_BASIC_INFORMATION64 should be specified in situations where the target process is running on a different architecture than the querying program (when using VirtualQueryEx). I also found some SO posts which pointed this out in their answers to related questions. I discovered though that the version of MEMORY_BASIC_INFORMATION I was being passed by VirtualQueryEx was the same

Is there a better way than parsing /proc/self/maps to figure out memory protection?

坚强是说给别人听的谎言 submitted on 2019-12-17 09:34:20
Question: On Linux (or Solaris) is there a better way than hand parsing /proc/self/maps repeatedly to figure out whether or not you can read, write or execute whatever is stored at one or more addresses in memory? For instance, in Windows you have VirtualQuery. In Linux, I can mprotect to change those values, but I can't read them back. Furthermore, is there any way to know when those permissions change (e.g. when someone uses mmap on a file behind my back) other than doing something terribly invasive

Scanning process memory causes crash

无人久伴 submitted on 2019-12-06 15:23:09
Question: I have injected my DLL into a process and I try to scan memory for addresses with the same value as mine, but it results in a crash after I get the 1st address; it should be 10 addresses. for(DWORD i = MEM_START; i< MEM_END ;i++) { VirtualQuery((void*)i,pMemInfo,sizeof(MEMORY_BASIC_INFORMATION)); if(pMemInfo->AllocationProtect == PAGE_READONLY || PAGE_EXECUTE_WRITECOPY || PAGE_READWRITE || PAGE_WRITECOMBINE) { if(*(DWORD*)i==1337) { addresses.push_back(i); } } } I believe my protection check is wrong

Scanning process memory causes crash

允我心安 submitted on 2019-12-04 20:49:30
I have injected my DLL into a process and I try to scan memory for addresses with the same value as mine, but it results in a crash after I get the 1st address; it should be 10 addresses. for(DWORD i = MEM_START; i< MEM_END ;i++) { VirtualQuery((void*)i,pMemInfo,sizeof(MEMORY_BASIC_INFORMATION)); if(pMemInfo->AllocationProtect == PAGE_READONLY || PAGE_EXECUTE_WRITECOPY || PAGE_READWRITE || PAGE_WRITECOMBINE) { if(*(DWORD*)i==1337) { addresses.push_back(i); } } } I believe my protection check is wrong but not quite sure. virtual memory scanner MEMORY_BASIC_INFORMATION mbi = {0}; unsigned char *pAddress =

Is there a better way than parsing /proc/self/maps to figure out memory protection?

折月煮酒 submitted on 2019-11-27 07:52:06
On Linux (or Solaris) is there a better way than hand parsing /proc/self/maps repeatedly to figure out whether or not you can read, write or execute whatever is stored at one or more addresses in memory? For instance, in Windows you have VirtualQuery. In Linux, I can mprotect to change those values, but I can't read them back. Furthermore, is there any way to know when those permissions change (e.g. when someone uses mmap on a file behind my back) other than doing something terribly invasive and using ptrace on all threads in the process and intercepting any attempt to make a syscall that