Does the Windows API provide a function which allows one to monitor a
chunk of memory for modifications (similar to watching a directory for
changes using FindFirstChangeNotification())?
Jeff
Hi Jeffrey,
I think this depends on what you mean by chunk of memory.
If you want to monitor the whole available physical memory
ram on your system, then I think you must operate in kernel mode
and/or with some watchdog circuit on your system. If you want to
monitor some memory in your own address space, then you can
probably use some kind of signals or guard pages. But I think the
whole Windows Architecture does not allow this kind of mechanism
or doesn't have some API like that, especially for user-mode since
this would violate the security system and concept. That's what I
think!
Look here:
[Creating Guard Pages]
http://msdn2.microsoft.com/en-us/library/aa366549.aspx
Best regards
Kerem Gümrükcü
Hi Kerem,
Thank you very much.
> If you want to monitor the whole available physical
> memory ram on your system...
Nope.
> If you want to monitor some memory in your own
> address space, then you can probably use some kind
> of signals or guard pages.
This is more of what I want - however, I want to monitor the .text
section of an executable in memory (no other sections).
It boils down to 'Polling versus Notification'. Currently, the
technique I present Polls. I'd like to find a Notification method. For
a reference, see 'Tamper Aware and Self Healing Code',
http://www.codeproject.com/useritems/SelfHealing.asp.
Jeff
Hi Kerem,
It also appears using debug registers is out of the question (due to
limitations). No .text section monitoring; and only up to 4 bytes of
an address can be monitored. From Intel Architecture Software
Developer's Manual Volume 3: System Programming:
The primary function of the debug registers is to set up and monitor
from 1 to 4 breakpoints, numbered 0 through 3. For each breakpoint, the
following information can be specified and detected with the debug
registers:
* The linear address where the breakpoint is to occur.
* The length of the breakpoint location (1, 2, or 4 bytes).
* The operation that must be performed at the address for a debug
exception to be generated.
* Whether the breakpoint is enabled.
* Whether the breakpoint condition was present when the debug
exception was generated.
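
Added example (not code from the thread or from the Intel manual): how the fields in the list above map onto the DR7 control register for data-write breakpoints, and how many bytes of a region four slots can cover. The function name and the section address and size are constructed for illustration; the bit positions follow the DR7 layout in the Intel SDM, and the code only computes values, it does not touch any register.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { BP_SLOTS = 4, RW_WRITE = 1 };   /* R/Wn = 01b: break on data writes */

/* LENn encoding: 1 byte -> 00b, 2 bytes -> 01b, 4 bytes -> 11b. */
static int len_bits(size_t len) {
    switch (len) {
    case 1: return 0;
    case 2: return 1;
    case 4: return 3;
    default: return -1;
    }
}

/* Hypothetical helper: cover [base, base+size) with write watchpoints.
 * Fills dr[] with the linear addresses for DR0..DR3, *dr7 with the control
 * value (reserved bits left zero), and returns the number of bytes covered. */
size_t plan_write_watch(uint32_t base, size_t size,
                        uint32_t dr[BP_SLOTS], uint32_t *dr7) {
    size_t covered = 0;
    *dr7 = 0;
    for (int slot = 0; slot < BP_SLOTS && covered < size; slot++) {
        uint32_t addr = base + (uint32_t)covered;
        size_t len = 4;
        /* A breakpoint address must be aligned to its length. */
        while (len > 1 && ((addr % len) != 0 || len > size - covered))
            len /= 2;
        dr[slot] = addr;
        *dr7 |= 1u << (slot * 2);                           /* Ln: local enable */
        *dr7 |= (uint32_t)RW_WRITE << (16 + slot * 4);      /* R/Wn */
        *dr7 |= (uint32_t)len_bits(len) << (18 + slot * 4); /* LENn */
        covered += len;
    }
    return covered;
}

int main(void) {
    uint32_t dr[BP_SLOTS], dr7;
    /* Constructed values: a .text section at 0x00401000, 0x3000 bytes long. */
    size_t n = plan_write_watch(0x00401000u, 0x3000, dr, &dr7);
    printf("DR7=0x%08x covers %zu of %u bytes\n", (unsigned)dr7, n, 0x3000u);
    return 0;
}
```

With all four slots in use at the maximum length, 16 bytes of the constructed 0x3000-byte section are watched.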