
Monitor Memory for Alteration


Jeffrey Walton

May 29, 2007, 4:01:44 PM5/29/07
Hi All,

Does the Windows API provide a function which allows one to monitor a
chunk of memory for modifications (similar to watching a directory for
changes using FindFirstChangeNotification())?

Jeff

MrAsm

May 29, 2007, 5:07:19 PM5/29/07
On 29 May 2007 13:01:44 -0700, Jeffrey Walton <nolo...@gmail.com>
wrote:

>Does the Windows API provide a function which allows one to monitor a
>chunk of memory for modifications (similar to watching a directory for
>changes using FindFirstChangeNotification())?

I don't know (I would be interested in knowing that, too).

You may try to ask to the kernel newsgroup:

microsoft.public.win32.programmer.kernel

MrAsm

Jeffrey Walton

May 29, 2007, 7:06:55 PM5/29/07
On May 29, 5:07 pm, MrAsm <m...@usa.com> wrote:
> On 29 May 2007 13:01:44 -0700, Jeffrey Walton <noloa...@gmail.com>
> wrote:
>
> >Does the Windows API provide a function which allows one to
> >monitor a chunk of memory for modifications (similar to
> >watching a directory for changes using
> >FindFirstChangeNotification())?
>
> I don't know (I would be interested in knowing that, too).
> You may try to ask to the kernel newsgroup:
>
> microsoft.public.win32.programmer.kernel

Hi Asm,

I've been a bit active over there lately, so I'm trying to give them a
break ;)

Jeff

Joseph M. Newcomer

May 29, 2007, 7:57:54 PM5/29/07
No. There are several ways you can deal with this, depending on what you are trying to
accomplish, but you need to explain what you are really trying to do, and under what
conditions. Otherwise, I could write a minor essay on the subject, but I'd rather make
it more directed.
joe

Joseph M. Newcomer [MVP]
email: newc...@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm

Jeffrey Walton

May 30, 2007, 8:08:16 PM5/30/07
Hello Doctor,

> No.
Thank You. I did not think so, but I wanted a second opinion.

> depending on what you are trying to accomplish...
'Polling versus Callback' (some hand waving). I think if you peruse
this link, it will be fairly obvious. http://www.codeproject.com/useritems/SelfHealing.asp

Jeff


Joseph M. Newcomer

May 30, 2007, 11:19:40 PM5/30/07
Indeed, I am quoted in that article as saying there is no way to receive a notification,
and there is not. If you are trying to create self-healing code where you can detect code
modifications, then you can only poll. This means that there are windows of opportunity
during which modified code can execute.

I once used an architecture based on ideas in the PhD dissertation of a friend of mine as
part of a story I wrote. But if you google for parts of the title

"Error Detection with Memory Tags" by Richard H. Gumpertz, Carnegie-Mellon University,
Dec. 1981,

you'll also locate http://www.freepatentsonline.com/5249212.html which cites his work (no,
I didn't take time to read it).

Essentially, if you want serious protection, you need cooperation from the hardware, and
right now that is not possible.

The use of checksums is one of the techniques I would have discussed. I tend to use
something far less complex than SHA-1 if I'm only looking for memory damage of data.

The examples in the article you cite are interesting, but it is not clear that they could
not be spoofed if someone knew they were being used.
joe

email: newc...@flounder.com
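As an added example (my code, not anything posted in this thread), here is the polling-with-checksums approach Joe describes, in portable C: record a digest of a region once, re-hash it on every poll, and compare. FNV-1a stands in for the "far less complex than SHA-1" digest; the demo function shows a detected corruption and also the change that is reverted between two polls, which no poll can see.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the thread: poll a memory region by re-hashing it
 * and comparing with a snapshot. FNV-1a is used as a simple, fast digest. */
typedef struct {
    const void *base;   /* start of the monitored region */
    size_t      len;    /* length in bytes */
    uint64_t    expect; /* digest recorded at snapshot time */
} region_monitor;

static uint64_t fnv1a64(const void *p, size_t n)
{
    const unsigned char *b = p;
    uint64_t h = 0xcbf29ce484222325ULL;      /* FNV offset basis */
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Record the reference digest of [base, base+len). */
void monitor_snapshot(region_monitor *m, const void *base, size_t len)
{
    m->base = base; m->len = len;
    m->expect = fnv1a64(base, len);
}

/* One poll: 1 if the region still matches the snapshot, 0 if it was altered.
 * A change that is undone before the next poll is never seen; that is the
 * window of opportunity inherent to polling. */
int monitor_check(const region_monitor *m)
{
    return fnv1a64(m->base, m->len) == m->expect;
}

/* Demo on a constructed 64-byte buffer standing in for code or data.
 * Returns 1 only if the flip is caught and the quiet restore is not. */
int demo_poll_sequence(void)
{
    unsigned char data[64];
    region_monitor m;
    memset(data, 0xAA, sizeof data);
    monitor_snapshot(&m, data, sizeof data);
    if (!monitor_check(&m)) return 0;   /* untouched region must pass */
    data[17] ^= 0x01;                   /* constructed single-bit corruption */
    if (monitor_check(&m)) return 0;    /* must be detected by this poll */
    data[17] ^= 0x01;                   /* restored before the next poll... */
    return monitor_check(&m);           /* ...so this poll sees nothing */
}
```

Note that the stored digest lives in the same address space as the region it guards, which is exactly the spoofing concern Joe raises about the article's examples.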

Jeffrey Walton

May 31, 2007, 12:38:30 AM5/31/07
Hello Doctor,

> Indeed, I am quoted in that article as saying there
> is no way to receive a notification,
> and there is not.

OK - I did not want to misrepresent you. Also I move very fast at
times.

> This means that there are windows of opportunity
> during which modified code can execute.

At times, it seems like this could be a losing effort. But it is a
nice mental exercise.

> Essentially, if you want serious protection, you need
> cooperation from the hardware, and
> right now that is not possible.

And the Operating System... For arguments, see 'Dynamic TEXT Section
Image Verification' (http://www.codeproject.com/cpp/VerifyIntegrity.asp).

> The examples in the article you cite are interesting, but it
> is not clear that they could not be spoofed if someone knew
> they were being used.

Agreed. There is no security in obscurity.

Jeff
