Monitor Memory for Alterations

Post by Jeffrey Wa » Fri, 01 Jun 2007 03:31:14


Hi All,

Does the Windows API provide a function which allows one to monitor a
chunk of memory for modifications (similar to watching a directory for
changes using FindFirstChangeNotification())?


Jeff

Monitor Memory for Alterations

Post by » Fri, 01 Jun 2007 08:57:37


"Jeffrey Walton" < XXXX@XXXXX.COM > wrote in message



Hi Jeffrey,

I think this depends on what you mean with chunk of memory.
If you want to monitor the whole available physical memory
ram on your system, then I think you must operate in kernel mode
and/or with some watchdog circuit on your system. If you want to
monitor some memory in your own address space, then you can
probably use some kind of signals or guard pages. But I think the
whole Windows Architecture does not allow this kind of mechanism
or doesn't have some API like that, especially for user-mode since
this would violate the security system and concept. That's what I
think!

Look here:
[Creating Guard Pages]
http://www.yqcomputer.com/

and look here:
http://www.yqcomputer.com/ +memory+change&rnum=19&hl=de


Best regards

Kerem Grc


Monitor Memory for Alterations

Post by Jeffrey Wa » Fri, 01 Jun 2007 09:39:53


> > Hi All,
> >
> > Does the Windows API provide a function which allows one to monitor a
> > chunk of memory for modifications (similar to watching a directory for
> > changes using FindFirstChangeNotification())?
> >
> > Jeff
>
> Hi Jeffrey,
>
> I think this depends on what you mean with chunk of memory.
> If you want to monitor the whole available physical memory
> ram on your system, then I think you must operate in kernel mode
> and/or with some watchdog circuit on your system. If you want to
> monitor some memory in your own address space, then you can
> probably use some kind of signals or guard pages. But I think the
> whole Windows Architecture does not allow this kind of mechanism
> or doesn't have some API like that, especially for user-mode since
> this would violate the security system and concept. That's what I
> think!
>
> Look here:
> [Creating Guard Pages] http://www.yqcomputer.com/
>
> and look here: http://www.yqcomputer.com/
>
> Best regards
>
> Kerem Grc
Hi Kerem,

Thank you very much.
> > If you want to monitor the whole available physical
> > memory ram on your system...
Nope.
> > If you want to monitor some memory in your own
> > address space, then you can probably use some kind
> > of signals or guard pages.
This is more of what I want - however, I want to monitor the .text
section of an executable in memory (no other sections).

It boils down to 'Polling versus Notification'. Currently, the
technique I present Polls. I'd like to find a Notification method. For
a reference, see 'Tamper Aware and Self Healing Code',
http://www.yqcomputer.com/

Jeff
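A minimal version of the polling approach Jeff refers to, added here as an example (it is not the code from the 'Tamper Aware and Self Healing Code' article): take a checksum of a routine's machine code once at start-up, then recompute and compare on each poll. Portable C; the routine name `protected_routine`, the 32-byte window and the FNV-1a checksum are my assumptions, and a real monitor would cover the whole .text section located from the PE section headers rather than a fixed window.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Routine whose code bytes are watched (constructed for this example). */
static int protected_routine(int x) { return x * 2 + 1; }

/* Constructed: watch only the first 32 bytes of the routine's machine code.
   In practice the range would be the full .text section taken from
   IMAGE_SECTION_HEADER, not a fixed window. */
#define WATCH_LEN 32

/* FNV-1a 64-bit over an arbitrary byte range; this is the polling checksum. */
uint64_t fnv1a64(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Address of the routine's first code byte. Converting a function pointer to
   a data pointer is not strictly portable C, but works on Windows and Linux x86. */
static const unsigned char *code_start(void) {
    int (*fp)(int) = protected_routine;
    return (const unsigned char *)(uintptr_t)fp;
}

/* Taken once, before any untrusted code has had a chance to run. */
uint64_t baseline_checksum(void) { return fnv1a64(code_start(), WATCH_LEN); }

/* One poll: 1 if the code bytes still match the baseline, 0 if they changed. */
int code_intact(uint64_t baseline) {
    return fnv1a64(code_start(), WATCH_LEN) == baseline;
}

/* Shows that a single flipped bit is noticed. Real .text is not patched here;
   the detector is exercised on a copy of the watched bytes instead. */
int detector_catches_patch(void) {
    unsigned char copy[WATCH_LEN];
    memcpy(copy, code_start(), WATCH_LEN);
    uint64_t before = fnv1a64(copy, WATCH_LEN);
    copy[5] ^= 0x01;                       /* simulated one-bit patch */
    return fnv1a64(copy, WATCH_LEN) != before;
}

int main(void) {
    uint64_t base = baseline_checksum();
    printf("baseline %016llx intact=%d detector=%d f(3)=%d\n",
           (unsigned long long)base, code_intact(base),
           detector_catches_patch(), protected_routine(3));
    return 0;
}
```

The limitation Jeff is describing is visible here: a modification made and reverted between two polls is never seen, and shortening the interval only raises the CPU cost; the checksum routine and the stored baseline also have to be trusted themselves.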

Monitor Memory for Alterations

Post by Jeffrey Wa » Fri, 01 Jun 2007 14:50:12


Hi Kerem,

It also appears using debug registers is out of the question (due to
limitations). No .text section monitoring; and only up to 4 bytes of
an address can be monitored. From Intel Architecture Software
Developer's Manual Volume 3: System Programming:

The primary function of the debug registers is to set up and monitor
from 1 to 4 breakpoints, numbered 0 through 3. For each breakpoint, the
following information can be specified and detected with the debug
registers:
* The linear address where the breakpoint is to occur.
* The length of the breakpoint location (1, 2, or 4 bytes).
* The operation that must be performed at the address for a debug
exception to be generated.
* Whether the breakpoint is enabled.
* Whether the breakpoint condition was present when the debug
exception was generated.

Monitor Memory for Alterations

Post by Ben Voigt » Fri, 01 Jun 2007 22:57:21

Kerem's suggestion will work well for you. Mark the pages as read-only, and
you'll get tossed into your exception handler with an access violation on
each write (you can unprotect the memory and allow the write to continue,
perform the write yourself, I think you may even be able to redirect the
write to an alternate address).
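The write trap that Kerem's guard-page pointer and Ben's reply describe, as an added example that is neither poster's code. It uses the POSIX equivalents so it runs anywhere: `mprotect(PROT_READ)` in place of `VirtualProtect(PAGE_READONLY)`, and a `SIGSEGV` handler checking `si_addr` in place of a vectored exception handler checking `ExceptionInformation[1]` on `EXCEPTION_ACCESS_VIOLATION`. The watched region is an anonymous page of constructed bytes standing in for a .text section; the function names are mine.

```c
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static volatile unsigned char *watched = NULL;   /* protected region    */
static size_t watched_len = 0;
static volatile sig_atomic_t write_faults = 0;   /* trapped write count */

/* Equivalent of VirtualProtect(region, len, PAGE_READONLY, &old). */
static int arm_watch(void) {
    return mprotect((void *)watched, watched_len, PROT_READ);
}

/* Fault handler. Only faults whose address lies inside the watched region
   are treated as "ours"; anything else gets the default action, so a genuine
   crash elsewhere is not silently swallowed. */
static void on_write_fault(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t a  = (uintptr_t)info->si_addr;
    uintptr_t lo = (uintptr_t)watched, hi = lo + watched_len;
    if (watched != NULL && a >= lo && a < hi) {
        write_faults++;
        /* Ben's "unprotect and let the write continue": the faulting store
           re-executes when the handler returns. A real monitor would record
           the event here (async-signal-safe calls only) and re-arm later. */
        mprotect((void *)watched, watched_len, PROT_READ | PROT_WRITE);
        return;
    }
    signal(SIGSEGV, SIG_DFL);
    raise(SIGSEGV);
}

/* Scripted sequence of three writes; returns the number trapped (expected 2:
   the region stays writable between the first trap and the re-arm, so the
   second write is not seen). Negative on setup failure. */
int guard_demo(void) {
    long page = sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memset(mem, 0x90, (size_t)page);          /* constructed stand-in for code */
    watched = (volatile unsigned char *)mem;
    watched_len = (size_t)page;

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_write_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) return -2;

    write_faults = 0;
    arm_watch();
    watched[0] = 0xCC;   /* trapped: fault #1, then the store completes */
    watched[1] = 0xCC;   /* not trapped: region is still writable        */
    arm_watch();
    watched[2] = 0xCC;   /* trapped: fault #2                            */

    sigaction(SIGSEGV, &old, NULL);
    int all_written = watched[0] == 0xCC && watched[1] == 0xCC && watched[2] == 0xCC;
    int faults = write_faults;
    watched = NULL;
    munmap(mem, (size_t)page);
    return all_written ? faults : -3;
}

int main(void) {
    printf("trapped writes: %d\n", guard_demo());
    return 0;
}
```

Two practical points follow from the sequence above. Once the handler has unprotected the page, every later write goes unnoticed until the monitor re-arms, so the interval between trap and re-arm is the blind spot; on Windows, `PAGE_GUARD` (the guard-page mechanism Kerem linked) behaves the same way by clearing itself after the first touch. For a .text section the pages must keep execute permission while losing write (read-only plus execute), which is exactly why only writes, not the normal execution of the code, reach the handler.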