Process memory, significant addresses
-
Hi ho :) I've been experimenting with reading memory of other processes for a while now. And I've noticed the virtual addresses are quite weird. First of all I can't access anything from 0x0 till 0xFFFF. This seems to be a forbidden area or so. :p I've never found a process that didn't have this 'offset'. The first readable address socket is 0x10000. I first thought this previous forbidden area (lower than 0x10000) was a Windows header or so, but it seems this 0x10000 and further is the Windows header, including some data like the windir, cpu architecture, and so on. Now you'd think the actual data of the process itself is just after this Windows header, but that's often not the case. Suddenly there's another piece of memory that's not accessible there. That keeps on going for a while. Now I searched up some interesting addresses for certain processes (like the Minesweeper of Windows XP), and I can for example find the width and height of a minefield. But when you look at the actual address of this data, it's extremely high (relatively of course): 0x1005334. This is a hundred times higher than the first memory address that's accessible (0x10000). I've researched a bit, but I can't find information about a certain structure Windows uses for process memory. Maybe there's a fixed virtual address where it actually starts to be interesting to read memory, because that's the actual memory allocated by the process itself? Thanks in advance. :)
-
Hi, virtual addresses get assigned by the linker, based on some defaults and a lot of optional choices you can specify. It gets reported in the optional map file. As a result the address map can be structured in many ways, all equally valid. Not sure how this is a C# question, Minesweeper is a lot older than any .NET stuff. :)
Luc Pattyn [Forum Guidelines] [My Articles]
This month's tips: - before you ask a question here, search CodeProject, then Google; - the quality and detail of your question reflects on the effectiveness of the help you are likely to get; - use PRE tags to preserve formatting when showing multi-line code snippets.
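An added example, not part of either poster's message: the linker records its address choices in the executable's PE headers, so the preferred image base plus each section's offset gives the virtual address range where code and globals are placed. The header bytes below are constructed for illustration; the image base 0x01000000 and the section layout are assumptions chosen so that the address from the question falls inside `.data`.

```python
import struct

def parse_layout(pe: bytes):
    """Return (image_base, [(section, start_va, end_va), ...]) from PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)      # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at +24
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    sections, table = [], opt + opt_size                 # section table follows optional header
    for i in range(n_sections):
        name, vsize, rva = struct.unpack_from("<8sII", pe, table + 40 * i)
        start = image_base + rva                         # linker-assigned virtual address
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), start, start + vsize))
    return image_base, sections

def section_of(va: int, sections):
    """Name of the section containing va, or None if va is outside the image."""
    for name, start, end in sections:
        if start <= va < end:
            return name
    return None

def build_sample() -> bytes:
    """Constructed minimal PE32 header; values are illustrative, not from a real binary."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x01000000)          # assumed preferred image base
    def sec(name, vsize, rva):
        return struct.pack("<8sII", name, vsize, rva) + bytes(24)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec(b".text", 0x4000, 0x1000) + sec(b".data", 0x1000, 0x5000)

if __name__ == "__main__":
    base, secs = parse_layout(build_sample())
    for va in (0x10000, 0x1005334):
        print(hex(va), "->", section_of(va, secs))
```

The header only states the linker's preferred base; with ASLR enabled the loader may place the image elsewhere, so the section offsets stay fixed while the absolute addresses move.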
-
I'm not talking about Minesweeper, I'm talking about any existing process that runs on Windows. :p I'd really like to find some pattern that can be used to find significant memory data more easily. My final purpose is to make addons for applications that actually don't support addons. :D
-
Good luck then. I just told you things can be anywhere, it is a matter of choice. Will your add-ons be programmed in C#? and apply to native code programs??? :)
Luc Pattyn [Forum Guidelines] [My Articles]