
On Windows (preferably XP), is it generally possible to suspend a process when it is writing to a specific address (in its virtual address space)?

The problem is complicated by the fact that loaded DLLs perform the write operation and not code in the (PE) image of the process itself.

Roman R.
ktx

1 Answer


You can protect the page containing the address of interest with VirtualProtect and PAGE_GUARD or other options and have an exception hit on the address write. Such an exception can be handled by an unhandled exception filter (it depends, the application might be handling it itself), or by an out-of-process debugger application, such as a well-known debugger or a custom application debugging the process through the API.

The debugger application can suspend the process if necessary, or take a minidump with a snapshot. See MSDN EXCEPTION_DEBUG_EVENT for details:

Generated whenever an exception occurs in the process being debugged. Possible exceptions include attempting to access inaccessible memory, executing breakpoint instructions, attempting to divide by zero, or any other exception noted in Structured Exception Handling.

The DEBUG_EVENT structure contains an EXCEPTION_DEBUG_INFO structure. This structure describes the exception that caused the debugging event.

Roman R.
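The in-process variant of the answer above, as an added example that is not part of the original answer: the page holding the watched bytes is marked PAGE_GUARD, a vectored exception handler (which runs before any SEH frame the application or its DLLs install, so it is not swallowed the way an unhandled exception filter can be) catches STATUS_GUARD_PAGE_VIOLATION, filters by faulting address, and reports which module the writing instruction belongs to, which is the DLL case the question raises. Two things the answer does not spell out are built in: VirtualProtect works on whole pages, so every write anywhere in the page traps and the handler must filter by address; and PAGE_GUARD is one-shot (the kernel strips it as it raises the exception), so the handler single-steps past the write and re-arms the guard on the following STATUS_SINGLE_STEP. Assumptions: x86/x64 (EFlags and the 0x100 trap flag), a 4 KB page size, and that the guard-page exception record carries the write flag and faulting data address in ExceptionInformation[0]/[1] in the same layout as an access violation. All Win32 calls used (AddVectoredExceptionHandler, GetModuleHandleExA, VirtualProtect) exist on XP. Only the address helpers compile on non-Windows targets.

```c
/* Added example (not from the original answer): trap writes to a chosen
 * address with a PAGE_GUARD page plus a vectored exception handler.
 * Only the address helpers compile on non-Windows targets. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ASSUMED_PAGE 4096u /* assumption: x86/x64 page size; real code queries GetSystemInfo */

struct region { uintptr_t base; size_t size; };

/* VirtualProtect works on whole pages: expand [addr, addr+len) to the pages
 * covering it. Every write inside these pages will trap, not just writes to
 * the watched bytes, so the handler filters by faulting address afterwards. */
static struct region guard_region(uintptr_t addr, size_t len) {
    struct region r;
    uintptr_t end = addr + len;                                      /* exclusive */
    uintptr_t mask = ~(uintptr_t)(ASSUMED_PAGE - 1);
    r.base = addr & mask;
    r.size = (size_t)(((end + ASSUMED_PAGE - 1) & mask) - r.base);
    return r;
}

/* True when a trapped access is a write that lands on the watched bytes. */
static int write_hits_watch(int is_write, uintptr_t fault, uintptr_t start, size_t len) {
    return is_write && fault >= start && fault < start + len;
}

#ifdef _WIN32
#include <windows.h>

static uintptr_t g_start;      /* watched bytes */
static size_t g_len;
static struct region g_region; /* guarded pages */
static volatile LONG g_hits;

static void rearm(void) {
    DWORD old;
    VirtualProtect((LPVOID)g_region.base, g_region.size, PAGE_READWRITE | PAGE_GUARD, &old);
}

static LONG CALLBACK handler(PEXCEPTION_POINTERS ep) {
    EXCEPTION_RECORD *er = ep->ExceptionRecord;
    if (er->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION) {
        /* The kernel has already removed PAGE_GUARD: the guard is one-shot.
         * Assumption: [0] == 1 for a write, [1] == faulting data address,
         * the same layout as EXCEPTION_ACCESS_VIOLATION. */
        if (write_hits_watch(er->ExceptionInformation[0] == 1,
                             (uintptr_t)er->ExceptionInformation[1], g_start, g_len)) {
            HMODULE mod = NULL;
            char path[MAX_PATH] = "?";
            /* Which module holds the writing instruction (a DLL, per the question)? */
            if (GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                                   GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                                   (LPCSTR)er->ExceptionAddress, &mod))
                GetModuleFileNameA(mod, path, sizeof path);
            printf("write to %p from %p in %s\n",
                   (void *)er->ExceptionInformation[1], er->ExceptionAddress, path);
            InterlockedIncrement(&g_hits);
            /* To freeze the process here instead, call DebugBreak() with a
             * debugger attached, or SuspendThread on the other threads. */
        }
        /* Let the write complete, then single-step so the guard can be re-armed. */
        ep->ContextRecord->EFlags |= 0x100;   /* x86/x64 trap flag */
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    if (er->ExceptionCode == STATUS_SINGLE_STEP) {
        ep->ContextRecord->EFlags &= ~(DWORD)0x100;
        rearm();
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}

int main(void) {
    /* Constructed target: one int somewhere inside a fresh page. */
    int *buf = (int *)VirtualAlloc(NULL, ASSUMED_PAGE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    volatile int *watched = buf + 17;
    g_start = (uintptr_t)watched;
    g_len = sizeof *watched;
    g_region = guard_region(g_start, g_len);
    AddVectoredExceptionHandler(1, handler);  /* 1 = called before other handlers */
    rearm();
    buf[0] = 1;        /* same page, not the watched bytes: traps, filtered out */
    *watched = 42;     /* hit */
    *watched = 43;     /* hit again only because the guard was re-armed */
    printf("hits: %ld (expect 2)\n", g_hits);
    VirtualFree(buf, 0, MEM_RELEASE);
    return g_hits == 2 ? 0 : 1;
}
#else
int main(void) { puts("PAGE_GUARD demo needs Windows; only the address helpers are built."); return 0; }
#endif
```

Run it on a Windows box built with any C compiler that ships windows.h; the first write in the page is reported nowhere because it misses the watched bytes, the two writes to `watched` are each attributed to the module containing the writing instruction. In a real target the watched bytes normally sit in a heap or module data page that is also written by code you do not care about, which is why the address filter, not the guard itself, is what makes the trap precise.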