Thread: begin of program in mem

  1. #1
    apocalexiz
    Guest

    begin of program in mem

    Hi

    I'm under WinXP. Programming with C for a while. Now I want to try new things, just for fun and to see whether it's possible or not.

    My question is: if I wrote a little program that's good for...nothing, how can I get the address where it's located in virtual memory? The starting address of the whole program and all the memory it owns. I want to play around with the mem. Searching some variables in the program and changing the values, stuff like this.
    I guess for such things I have to use strange Windows API functions, and I can imagine that such "games" are not possible if I'm under normal "User rights". And this is for the next question I got. How to run such a program beyond all these rights? Should I disguise it as a device driver? AFAIK device drivers got full access to anything, right?

    If someone got some useful textlinks, book recommendations etc. pls post it or leave me a message.

    bye

    apo
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    lifewire
    Guest
    You can get the base of where the module is loaded with GetModuleHandle(NULL);. That is the same thing as the HINSTANCE, btw.

    And yes, there are functions to enumerate allocated memory, but I can't remember them at the moment. I guess they are in PSAPI, but I'm not sure about that.

  3. #3
    dELTA (Administrator)
    Join Date: Oct 2000 | Location: Ring -1 | Posts: 4,206 | Blog Entries: 5
    Check out the section table in the PE header of the executable to get hold of all static memory and memory ranges. This will also tell you more specifically where the code is located and where the different types of data are located (at least for "normal" programs).

    To sum it up, check out some good documentation about the PE header. Google and this board's search engine should be more than enough for that.

    And applications have surprisingly much access to each other's memory spaces, so this shouldn't be a problem for you, and if you also make sure to be logged in as an administrator while playing around with this there really shouldn't be any problems with anything like that. And leave the device driver idea completely for now, you don't want to go there in your current state, believe me.
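
The header walk that posts #2 and #3 point to, as an added example that is not part of the thread or any poster's code: it reads ImageBase and the section table from a PE32 header and bounds-checks every offset, since header fields in an arbitrary file cannot be trusted. It runs on a constructed header buffer so it is portable; on Windows the same walk applies to the pointer returned by GetModuleHandle(NULL), with section RVAs added to that pointer. The names pe_sections, build_sample and section_t are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE fields are little-endian; bytewise access keeps this portable. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
typedef struct { char name[9]; uint32_t rva, vsize, flags; } section_t;

/* Read the section table of a PE32 image; returns the section count, -1 if malformed. */
int pe_sections(const uint8_t *img, size_t len, uint32_t *base, section_t *out, int max) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);                      /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4)) return -1;
    int n = rd16(img + pe + 6);                          /* NumberOfSections */
    size_t optsz = rd16(img + pe + 20);                  /* SizeOfOptionalHeader */
    if (optsz < 32 || len - pe - 24 < optsz || rd16(img + pe + 24) != 0x10b) return -1;
    *base = rd32(img + pe + 24 + 28);                    /* ImageBase (PE32 layout) */
    size_t tbl = pe + 24 + optsz;                        /* first IMAGE_SECTION_HEADER */
    if (n > max || (len - tbl) / 40 < (size_t)n) return -1;
    for (int i = 0; i < n; i++) {
        const uint8_t *s = img + tbl + 40 * (size_t)i;   /* 40-byte entries */
        memcpy(out[i].name, s, 8); out[i].name[8] = '\0';
        out[i].vsize = rd32(s + 8); out[i].rva = rd32(s + 12);  /* VirtualSize, VirtualAddress */
        out[i].flags = rd32(s + 36);                            /* Characteristics */
    }
    return n;
}

/* Constructed sample: PE32 headers only, two sections (not a real executable). */
size_t build_sample(uint8_t *b, size_t cap) {
    const size_t pe = 0x40, tbl = pe + 24 + 0xE0;
    if (cap < tbl + 80) return 0;
    memset(b, 0, cap); memcpy(b, "MZ", 2); wr32(b + 0x3c, (uint32_t)pe); memcpy(b + pe, "PE\0\0", 4);
    b[pe + 6] = 2; b[pe + 20] = 0xE0; b[pe + 24] = 0x0b; b[pe + 25] = 0x01; wr32(b + pe + 52, 0x00400000);
    memcpy(b + tbl, ".text", 5);      wr32(b + tbl + 8, 0x1234);
    wr32(b + tbl + 12, 0x1000);       wr32(b + tbl + 36, 0x60000020);
    memcpy(b + tbl + 40, ".data", 5); wr32(b + tbl + 48, 0x200);
    wr32(b + tbl + 52, 0x3000);       wr32(b + tbl + 76, 0xC0000040);
    return tbl + 80;
}

int main(void) {
    uint8_t buf[512]; section_t s[8]; uint32_t base = 0;
    int n = pe_sections(buf, build_sample(buf, sizeof buf), &base, s, 8);
    for (int i = 0; i < n; i++)  /* loaded range starts at ImageBase + RVA, VirtualSize bytes long */
        printf("%-8s %08x size %x flags %08x\n", s[i].name, (unsigned)(base + s[i].rva), (unsigned)s[i].vsize, (unsigned)s[i].flags);
    return n < 0;
}
```
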

  4. #4
    apocalexiz
    Guest

    hmm...

    >Check out the section table in the PE header of the executable to get hold of
    >all static memory and memory ranges.

    Yesterday in the evening I got nearly the same idea; I downloaded the MS PE documentation file and made a printout.

    So I'll write a little prog that gives me all relevant information about a PE exec. If I have questions I'll come back.

    So long!

    apo

  5. #5
    dELTA (Administrator)
    Ok, sounds good. And if you'd need some reference, or find out halfway that you don't have time to finish it (or just want to play with another cool little program in general), you can always take a look at my exe analyzer, which can be found as an attachment in this thread:

    http://www.woodmann.com/forum/showthread.php?t=5264

  6. #6
    Hey delta, I found your app a while back whilst looking for something to find code caves, and IIRC I found a bug in it. When I analysed a certain exe it got a bit confused, put up a message about "overlapping areas" or something and some of the analysis options didn't work. If I can remember which app it was I'll give you a proper bug report, if you're still developing it?
    Still here...

  7. #7
    dELTA (Administrator)
    I haven't touched that thing for ages, it was just a little hack I did when I was looking into the PE file structure a bunch of years ago. But sure, if you have an exe that reproduces the problem, it might be fun anyway, if nothing else to see if the exe is messed up somehow by some protection or similar.
