Finding EXE Size in Memory WinHex Style
foxthree
March 17th, 2002, 14:31
Hi All:
I'm writing a tool similar to WinHex and I have a need to implement something similar to RamEditor function. Basically, I need to be able to select a process and scan for certain opcodes within the memory range.
Starting address will be the Image Base address; No problem here?
The problem I have is how to locate the ending address? VirtualQuery* functions? If so, how? For example, for calc.exe, WinHex displays the primary memory as beginning at 00400000 (Module base) and ending at 1016FFFh. How does it calculate this?
Thanks for all your help,
Signed,
-- FoxThree
Kayaker
March 19th, 2002, 04:12
Hi foxthree
You may have already tried this, but run APISpy32 on WinHex with the Kernel32.fnl library and pause it until just before you select a process to RamEdit and select OK.
You'll get a nice output of exactly how it's done. To get the ProcessId you use the CreateToolhelp32Snapshot series of APIs (Module32First / Module32Next) and parse the PROCESSENTRY32 structure. Then OpenProcess and VirtualQueryEx to map the regions. Break on OpenProcess and carefully examine the VirtualQueryEx loop and the APISpy32 output to see how it's used. Note how the RegionSize returned in the MEMORY_BASIC_INFORMATION structure of one VirtualQueryEx is used to increment the lpAddress value of the next VirtualQueryEx to scan over the entire per-process address space from 4MB up to 2GB (400000 - 7FFFFFFF).
Asprotect (since we know what we're really talking about here ;-) uses VirtualAlloc with the MEM_COMMIT and PAGE_READWRITE attribute flags to allocate memory for its High Mem unpacking code. You could probably use these flags (which are returned in the MEMORY_BASIC_INFORMATION structure) to narrow down your search region to the proper page(s) for those 'certain opcodes'.
Hope this helps,
Kayaker
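As an added example (not code from the thread or from WinHex), here is the VirtualQueryEx stepping loop Kayaker describes, in C: a query callback abstracts the API so the same walk runs against a constructed region map here and, on Windows, against a real process handle via the win_query adapter. The sample_map addresses are made up, and committed_run_end is only one assumed way to turn an image base into an end address, not WinHex's actual method.

```c
#include <stdint.h>
#include <stdio.h>
/* Numeric values of the Win32 constants MEM_COMMIT and PAGE_READWRITE (MEM_FREE is 0x10000). */
#define MEM_COMMIT_ 0x1000u
#define PAGE_RW_    0x04u
typedef struct { uintptr_t base; size_t size; unsigned state, protect; } Region;
/* Fills *r with the region containing addr; returns 0 once addr is past the address space. */
typedef int (*QueryFn)(void *ctx, uintptr_t addr, Region *r);
/* Constructed stand-in for a target process (addresses made up): image, free gap, committed RW block. */
static const Region sample_map[] = {
    { 0x00400000, 0x00001000, MEM_COMMIT_, 0x02 },     /* PE headers, PAGE_READONLY */
    { 0x00401000, 0x00013000, MEM_COMMIT_, 0x20 },     /* code, PAGE_EXECUTE_READ   */
    { 0x00414000, 0x00004000, MEM_COMMIT_, PAGE_RW_ }, /* .data                     */
    { 0x00418000, 0x0FBE8000, 0x10000u,    0x01 },     /* MEM_FREE, PAGE_NOACCESS   */
    { 0x10000000, 0x00100000, MEM_COMMIT_, PAGE_RW_ }, /* a VirtualAlloc'd buffer   */
};
static int sim_query(void *ctx, uintptr_t addr, Region *r) {
    size_t i; (void)ctx;
    for (i = 0; i < sizeof sample_map / sizeof *sample_map; i++)
        if (addr - sample_map[i].base < sample_map[i].size) { *r = sample_map[i]; return 1; }
    return 0; /* nothing mapped past the last entry: the end of the address space */
}
#ifdef _WIN32 /* Real adapter; ctx is the HANDLE returned by OpenProcess. */
#include <windows.h>
static int win_query(void *ctx, uintptr_t addr, Region *r) {
    MEMORY_BASIC_INFORMATION mbi;
    if (!VirtualQueryEx((HANDLE)ctx, (LPCVOID)addr, &mbi, sizeof mbi)) return 0;
    r->base = (uintptr_t)mbi.BaseAddress; r->size = mbi.RegionSize;
    r->state = mbi.State; r->protect = mbi.Protect; return 1;
}
#endif
/* The loop from the APISpy32 trace: each query starts at BaseAddress + RegionSize of the previous
 * answer. Copies committed PAGE_READWRITE regions in [start, end) to out, at most max of them. */
size_t walk_rw_regions(QueryFn q, void *ctx, uintptr_t start, uintptr_t end, Region *out, size_t max) {
    Region r; size_t n = 0; uintptr_t addr = start;
    while (addr < end && q(ctx, addr, &r) && r.base + r.size > addr) { /* never step backwards */
        if (r.state == MEM_COMMIT_ && (r.protect & 0xFF) == PAGE_RW_ && n < max) out[n++] = r;
        addr = r.base + r.size;
    }
    return n;
}
/* Last address of the contiguous committed run starting at base (0 if base is not committed). */
uintptr_t committed_run_end(QueryFn q, void *ctx, uintptr_t base) {
    Region r; uintptr_t addr = base;
    while (q(ctx, addr, &r) && r.state == MEM_COMMIT_ && r.base + r.size > addr) addr = r.base + r.size;
    return addr == base ? 0 : addr - 1;
}
int main(void) {
    Region rw[8]; size_t i, n = walk_rw_regions(sim_query, NULL, 0x00400000, 0x7FFFFFFF, rw, 8);
    printf("image 00400000-%08lX\n", (unsigned long)committed_run_end(sim_query, NULL, 0x00400000));
    for (i = 0; i < n; i++) printf("RW %08lX size %lX\n", (unsigned long)rw[i].base, (unsigned long)rw[i].size);
    return 0;
}
```

On a real target, swap sim_query for win_query and pass the OpenProcess handle as ctx; the Protect field is masked to its low byte because the real API may OR in modifiers such as PAGE_GUARD.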
foxthree
March 19th, 2002, 07:45
Hi Kayaker:
I've just two words: YOU ROCK!!!!
Thanks for your "very" insightful post ;-)... It was worth the wait!
Thanks again,
Signed,
-- FoxThree
[NtSC]
March 19th, 2002, 16:43
You should check what OS you are on, because Toolhelp32 functions are not available on NT. On NT-based systems you should go for APIs like EnumProcessModules + ...
foxthree
March 19th, 2002, 19:29
yep, PSAPI is the way to go on NT