Monitor Memory for Alterations

Jeffrey Walton

May 30, 2007, 2:31:14 PM

Hi All,

Does the Windows API provide a function which allows one to monitor a
chunk of memory for modifications (similar to watching a directory for
changes using FindFirstChangeNotification())?


Jeff

Kerem Gümrükcü

May 30, 2007, 7:57:37 PM

"Jeffrey Walton" <nolo...@gmail.com> wrote in message
news:1180549874....@k79g2000hse.googlegroups.com...


Hi Jeffrey,

I think this depends on what you mean by chunk of memory.
If you want to monitor the whole available physical memory
ram on your system, then I think you must operate in kernel mode
and/or with some watchdog circuit on your system. If you want to
monitor some memory in your own address space, then you can
probably use some kind of signals or guard pages. But I think the
whole Windows Architecture does not allow this kind of mechanism
or doesn't have some API like that, especially for user-mode since
this would violate the security system and concept. That's what I
think!

Look here:
[Creating Guard Pages]
http://msdn2.microsoft.com/en-us/library/aa366549.aspx

and look here:
http://groups.google.de/group/microsoft.public.vstudio.development/browse_frm/thread/62b7c3fc8a8e8318/ff9a94216c6233b7?lnk=st&q=detect+memory+change&rnum=19&hl=de


Best regards

Kerem Gümrükcü


Jeffrey Walton

May 30, 2007, 8:39:53 PM

On May 30, 7:57 pm, "Kerem Gümrükcü" <kareem...@hotmail.com> wrote:

Hi Kerem,

Thank you very much.

> If you want to monitor the whole available physical
> memory ram on your system...

Nope.

> If you want to monitor some memory in your own
> address space, then you can probably use some kind
> of signals or guard pages.

This is more of what I want - however, I want to monitor the .text
section of an executable in memory (no other sections).

It boils down to 'Polling versus Notification'. Currently, the
technique I present Polls. I'd like to find a Notification method. For
a reference, see 'Tamper Aware and Self Healing Code',
http://www.codeproject.com/useritems/SelfHealing.asp.

Jeff


Jeffrey Walton

May 31, 2007, 1:50:12 AM

Hi Kerem,

It also appears using debug registers is out of the question (due to
limitations). No .text section monitoring; and only up to 4 bytes of
an address can be monitored. From Intel Architecture Software
Developer's Manual Volume 3: System Programming:

The primary function of the debug registers is to set up and monitor
from 1 to 4 breakpoints, numbered 0 through 3. For each breakpoint, the
following information can be specified and detected with the debug
registers:

* The linear address where the breakpoint is to occur.
* The length of the breakpoint location (1, 2, or 4 bytes).
* The operation that must be performed at the address for a debug
  exception to be generated.
* Whether the breakpoint is enabled.
* Whether the breakpoint condition was present when the debug
  exception was generated.

Ben Voigt [C++ MVP]

May 31, 2007, 9:57:21 AM

Kerem's suggestion will work well for you. Mark the pages as read-only, and
you'll get tossed into your exception handler with an access violation on
each write (you can unprotect the memory and allow the write to continue,
perform the write yourself, I think you may even be able to redirect the
write to an alternate address).

