[Tutor] Windows Memory Basics

Alan Gauld alan.gauld at yahoo.co.uk
Mon Oct 16 19:48:16 EDT 2017


On 16/10/17 21:04, Michael C wrote:

> I don't understand this part about the memory:

And I'm not sure I understand your question but...

> if I used VirtualQueryEx to find out if a region of memory is ok to scan,
> and it
> says it's ok, are the values in the region arranged like this:
> 
> short,int,double,long,char, double, short in
> 
> as in, random?

They won't be random, they'll be in the order that the
program that wrote the memory chose them to be in. For
example the memory might contain some program variables
and those variables may be of different types (assuming
a compiled language like C++, say). Or it may be holding
a complex data structure, like a class, that has fields
of different types.

What those types are will not be obvious and unless you
know what you are reading will be impossible to guess
in most cases since it is just a sequence of bytes and
one set of 8 bits looks a lot like any other.

> I am asking this because, if it's random, then I'd have to run
> ReadProcessMemory
> by increasing the value of my loop by ONE (1) at a time, like this

That doesn't really help, you need to know what each
chunk of data represents and then increment the index
by the size of each corresponding data type.

For example if you have a string of 8 UTF8 characters
that will probably be 8 bytes long (some UTF characters
are more than 8 bits). But those 8 bytes could equally
be a floating point number or a long integer or a
struct containing two 32-bit ints. You have absolutely
no way to tell.

And if you increment your index by one you will then
look at the first 7 bytes plus one other. What is
the 8th byte? It could be the start of another float,
another UTF8 character or something else entirely.

Things are then further complicated by the tendency
to store data on word boundaries, so either 4 or
8 byte chunks, but even that can't be guaranteed
since it could be a compressed memory scheme in
action or a piece of assembler code taking the
'law' into its own hands.

And of course it may not represent anything since
many programs set aside memory space for later use
and either fill it with zeros or some other arbitrary
pattern, or just leave it with whatever bits happened
to already be there.

> for i in range(start_of_region, end_of_region, 1):
>     ReadProcessMemory(Process, i, ctypes.byref(buffer),
>                       ctypes.sizeof(buffer), ctypes.byref(nread))
> 
> Is that correct?

Probably not. If you know what data you are reading you
can do what you want, but if it's just a random block
of memory you are scanning then it's almost impossible
to determine for certain what the raw data represents.

If you have access to a *nix system (or cygwin
on Windows) it may help you to see the nature
of the problem by running od -x on a text file.
You can find out what is in it by looking at it
in a text editor but the hex listing will be
meaningless. If that's what simple text looks
like imagine what a binary file containing
mixed data is like.

-- 
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
http://www.amazon.com/author/alan_gauld
Follow my photo-blog on Flickr at:
http://www.flickr.com/photos/alangauldphotos
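Two points from the reply above, that the same 8 bytes decode under any type you care to name and that a scan should step by the size of the type rather than by one byte, as an added Python example that is not part of the thread. The sample bytes, the two-double region and the "hidqc" format (a 64-bit "q" standing in for the questioner's long) are constructed here, and struct.unpack stands in for the raw bytes ReadProcessMemory would hand back.

```python
import struct

# Constructed sample: the little-endian IEEE 754 encoding of the double 1.0.
SAMPLE = struct.pack("<d", 1.0)        # b'\x00\x00\x00\x00\x00\x00\xf0?'
# Constructed region: two adjacent doubles, 16 bytes in total.
REGION = struct.pack("<dd", 1.0, 2.0)


def interpretations(chunk: bytes) -> dict:
    """Decode one 8-byte chunk under several equally 'valid' type layouts.

    Every decode succeeds; nothing in the bytes says which one the writer meant.
    """
    if len(chunk) != 8:
        raise ValueError("expected exactly 8 bytes")
    return {
        "double": struct.unpack("<d", chunk)[0],
        "int64": struct.unpack("<q", chunk)[0],
        "two_int32": struct.unpack("<ii", chunk),
        "utf8": chunk.decode("utf-8", errors="replace"),  # 0xf0 is not valid here
    }


def scan_typed(region: bytes, fmt: str) -> list:
    """Walk a region in strides of the type size, as the reply recommends."""
    size = struct.calcsize(fmt)
    return [struct.unpack(fmt, region[i:i + size])[0]
            for i in range(0, len(region) - size + 1, size)]


def scan_bytewise(region: bytes, fmt: str) -> list:
    """Walk the same region one byte at a time: every offset still decodes,
    so misaligned reads yield plausible-looking garbage between real values."""
    size = struct.calcsize(fmt)
    return [struct.unpack(fmt, region[i:i + size])[0]
            for i in range(0, len(region) - size + 1)]


def layout_sizes(fmt: str = "hidqc") -> tuple:
    """Size of a struct with no padding vs. with the host compiler's natural
    alignment: the 'word boundary' effect the reply mentions."""
    packed = struct.calcsize("<" + fmt)   # '<' disables alignment padding
    native = struct.calcsize("@" + fmt)   # '@' applies the compiler's padding
    return packed, native


if __name__ == "__main__":
    print(interpretations(SAMPLE))
    print(scan_typed(REGION, "<d"))            # the two values that were written
    print(len(scan_bytewise(REGION, "<d")))    # nine candidate values from 16 bytes
    print(layout_sizes())
```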