begin of program in mem


apocalexiz
October 6th, 2004, 13:00
Hi

I'm under WinXP. Programming with C for a while. Now I want to try new things, just for fun and to see whether it's possible or not.

My question is: if I wrote a little program that's good for...nothing, how can I get the address where it's located in virtual memory? The starting address of the whole program and all the memory it owns. I want to play around with the mem. Searching some variables in the program and changing the values, stuff like this.
I guess for such things I have to use strange Windows API functions, and I can imagine that such "games" are not possible if I'm under normal "User rights". And this is for the next question I got. How to run such a program beyond all these rights? Should I disguise it as a device driver? AFAIK device drivers got full access to anything, right?

If someone got some useful text links, book recommendations etc., please post them or leave me a message.

bye

apo

lifewire
October 6th, 2004, 14:46
You can get the base of where the module is loaded with GetModuleHandle(NULL). That is the same thing as the HINSTANCE, btw.

And yes, there are functions to enumerate allocated memory, but I can't remember them at the moment. I guess they are in PSAPI, but I'm not sure about that.

dELTA
October 6th, 2004, 14:52
Check out the section table in the PE header of the executable to get hold of all static memory and memory ranges. This will also tell you more specifically where the code is located and where the different types of data are located (at least for "normal" programs).

To sum it up, check out some good documentation about the PE header. Google and this board's search engine should be more than enough for that.

And applications have surprisingly much access to each other's memory spaces, so this shouldn't be a problem for you, and if you also make sure to be logged in as an administrator while playing around with this there really shouldn't be any problems with anything like that. And leave the device driver idea completely for now, you don't want to go there in your current state, believe me.
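
The section-table walk described in the post above, as an added example that is not part of the original thread or of any tool mentioned in it. Field offsets follow the Microsoft PE/COFF layout; the names `Section`, `rd` and `pe_sections` and the `sample_pe` header bytes are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { char name[9]; uint32_t vsize, rva, rawsize, rawptr, flags; } Section;

/* PE fields are little-endian; read them bytewise so this runs on any host. */
static uint32_t rd(const uint8_t *p, int n) {
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Fills out[] from the section table; returns the count, or -1 if malformed. */
int pe_sections(const uint8_t *img, size_t len, Section *out, int max) {
    if (len < 0x40 || rd(img, 2) != 0x5A4D) return -1;          /* "MZ" */
    size_t pe = rd(img + 0x3C, 4);                              /* e_lfanew */
    if (pe > len - 24 || rd(img + pe, 4) != 0x4550) return -1;  /* "PE\0\0" */
    int nsec = (int)rd(img + pe + 6, 2);                        /* NumberOfSections */
    size_t tab = pe + 24 + rd(img + pe + 20, 2);  /* skip SizeOfOptionalHeader bytes */
    if (nsec > max || tab > len || (len - tab) / 40 < (size_t)nsec) return -1;
    for (int i = 0; i < nsec; i++) {
        const uint8_t *s = img + tab + 40 * (size_t)i;          /* 40-byte header */
        memcpy(out[i].name, s, 8); out[i].name[8] = '\0';
        out[i].vsize = rd(s + 8, 4);     /* VirtualSize */
        out[i].rva = rd(s + 12, 4);      /* VirtualAddress (RVA from load base) */
        out[i].rawsize = rd(s + 16, 4);  /* SizeOfRawData */
        out[i].rawptr = rd(s + 20, 4);   /* PointerToRawData */
        out[i].flags = rd(s + 36, 4);    /* Characteristics */
    }
    return nsec;
}

/* Constructed sample: headers only of a minimal two-section PE32 image. */
static const uint8_t sample_pe[0x188] = {
    [0x00] = 'M', 'Z', [0x3C] = 0x40,
    [0x40] = 'P', 'E', 0, 0, 0x4C, 0x01, 2, [0x54] = 0xE0, [0x58] = 0x0B, 0x01,
    [0x138] = '.', 't', 'e', 'x', 't', [0x141] = 0x10, [0x145] = 0x10,
    [0x149] = 0x02, [0x14D] = 0x04, [0x15C] = 0x20, [0x15F] = 0x60,
    [0x160] = '.', 'd', 'a', 't', 'a', [0x169] = 0x04, [0x16D] = 0x20,
    [0x171] = 0x02, [0x175] = 0x06, [0x184] = 0x40, [0x187] = 0xC0,
};

int main(void) {
    Section s[8];
    int n = pe_sections(sample_pe, sizeof sample_pe, s, 8);
    for (int i = 0; i < n; i++)  /* live process: address = module base + rva */
        printf("%-8s rva=0x%08X vsize=0x%X flags=0x%08X\n", s[i].name,
               (unsigned)s[i].rva, (unsigned)s[i].vsize, (unsigned)s[i].flags);
    return n < 0;
}
```

In a running process the same headers start at the address GetModuleHandle(NULL) returns, so each section occupies that base plus its `rva` for `vsize` bytes.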

apocalexiz
October 6th, 2004, 23:20
>Check out the section table in the PE header of the executable to get hold of
>all static memory and memory ranges.

Yesterday in the evening I got nearly the same idea; I downloaded the MS PE documentation file and made a printout.

So I'll write a little prog that gives me all relevant information about a PE exec. If I got questions I'll come back.

So long!

apo

dELTA
October 7th, 2004, 05:06
Ok, sounds good. And if you'd need some reference, or find out halfway that you don't have time to finish it (or just want to play with another cool little program in general) you can always take a look at my exe analyzer, which can be found as an attachment in this thread:

http://www.woodmann.com/forum/showthread.php?t=5264

Silver
October 7th, 2004, 09:34
Hey delta, I found your app a while back whilst looking for something to find code caves, and IIRC I found a bug in it. When I analysed a certain exe it got a bit confused, put up a message about "overlapping areas" or something and some of the analysis options didn't work. If I can remember which app it was I'll give you a proper bug report, if you're still developing it?

dELTA
October 7th, 2004, 12:26
I haven't touched that thing for ages, it was just a little hack I did when I was looking into the PE file structure a bunch of years ago. But sure, if you have an exe that reproduces the problem, it might be fun anyway, if nothing else to see if the exe is messed up somehow by some protection or similar.