0

I am would like to know if my assumption is correct, in my project i would like to know exactly what memory my process and child process allocated, so after a research i cam across win32 api, GetProcessHeaps(), the documentation tells me i can enumerate all heaps that process has allocated, and gets its size. However i ran into another question, where a stack would be located in each thread. I expiremented with GetCurrentThreadStackLimits() which returns start address and end address. But i was not able to read directly from this memory.

Maybe some one can direct me in the right way, or explain a bit about how Locate each chunk of memory that the process uses.

Basically a debugger somehow knows what part of memory u have reserved and what parts of it u did not. therefore, some part of virtual memory you can read, and some parts you just cant, cause you haven't reserved it, and it is not mapped to physical memory.

Question is mostly about, enumerating allocation, determine their location and size, and reading from them. Just like a debugger does.

Anton Stafeyev
  • 1
  • 1
  • This is a very broad topic, probably too broad to be a good fit here – David Heffernan Aug 05 '20 at 13:32
  • @DavidHeffernan whats so broad about enumerating heaps ? and telling if stack is located in one of those allocated regions ? it is a question of yes or no, is stack located in one of the heap reserver regions or no – Anton Stafeyev Aug 05 '20 at 13:33
  • 2
    Use VirtualQuery(), start at 0. [Sample code](https://stackoverflow.com/questions/20303380/virtualprotect-and-kernel32-dll-attempt-to-access-invalid-address/20350190#20350190). – Hans Passant Aug 05 '20 at 13:45
  • 1
    Enumerating heaps won't find you any stacks. And it won't find you any heap memory allocated by other means, i.e. `VirtualAlloc`. But @Hans is of course right. If you want to check every page with `VirtualQuery`, then that will work. A bit of a sledgehammer, but perhaps the only reliable way to do it. – David Heffernan Aug 05 '20 at 13:47
  • @DavidHeffernan that makes sense :) thanks a lot man, will go investigate Virtual Protect. – Anton Stafeyev Aug 05 '20 at 13:50
  • @HansPassant `The size of the region beginning at the base address in which all pages have identical attributes, in bytes.` is it talking about the STATE or TYPE ? or both – Anton Stafeyev Aug 05 '20 at 15:06
  • In general, a debugger *doesn't* know, which memory is allocated or readable. If a user requests that a certain memory location should be read, the debugger attempts to read it, but is prepared for the call to fail. – IInspectable Aug 05 '20 at 17:19
  • I think you are looking for `VirtualQuery` (your process) and `VirtualQueryEx` (other processes) – user253751 Aug 05 '20 at 21:13
  • @user253751 yep man, already solved it :) works like a charm, thanks for your comment :) – Anton Stafeyev Aug 05 '20 at 22:11

0 Answers0