how to hook memory accesses

Hello,

I’m working on an pseudo-emulator software. I have
to provide a box capable of loading and running a
binary code. This binary is a DLL compiled in VC++.
The same source code compiled for a specific
processor
is used by the real machine. The source code cannot
be
changed.
The code makes use of direct memory manipulations
like:
*(unsigned char *)(0xFF00FF00) = 0x80
or
unsigned char ch = *(unsigned char *)(0xFF00FF00);

I am searching for a solution to intercept these
memory accesses. I need to know:

  • the operation type: write or read
  • the address
  • the value (if write)

It is important to intercept the read because some
devices need only a register read to switch to a
specific mode.

Could someone give me some advices about how
should
I implement this mechanism?
I am familiar with filter drivers but, in this
case,
I don’t know which driver I have to filter.

Thank you


Do you Yahoo!?
The all-new My Yahoo! - Get yours free!
http://my.yahoo.com

I haven’t received Maxim’s message (but my co-worker did?) but I can add

  • Vectored exception handler (AddVectoredExceptionHandler) if you can afford
    to run only on XP and your DLL is multithreaded. __try/__except won’t work
    well if it is multithreaded. On earlier systems, you can use
    (UnhandledExceptionFilter)…

Reserving or using a guard pages are 2 nice way to force the exception
mecanism. For sure, if the adresses are in kernel range, you don’t have to
do anything to throw exceptions :slight_smile:

For guard pages, your DLL *MUST* be single threaded.

So you can all do this in user mode.

M-A

“Razvan Marcus” a écrit dans le message de news:
xxxxx@ntfsd…
>
>
> Hello,
>
> I’m working on an pseudo-emulator software. I have
> to provide a box capable of loading and running a
> binary code. This binary is a DLL compiled in VC++.
> The same source code compiled for a specific
> processor
> is used by the real machine. The source code cannot
> be
> changed.
> The code makes use of direct memory manipulations
> like:
> *(unsigned char *)(0xFF00FF00) = 0x80
> or
> unsigned char ch = *(unsigned char *)(0xFF00FF00);
>
> I am searching for a solution to intercept these
> memory accesses. I need to know:
> - the operation type: write or read
> - the address
> - the value (if write)
>
> It is important to intercept the read because some
> devices need only a register read to switch to a
> specific mode.
>
> Could someone give me some advices about how
> should
> I implement this mechanism?
> I am familiar with filter drivers but, in this
> case,
> I don’t know which driver I have to filter.
>
> Thank you
>
>
>
>
>
>
>
>
>
>
> __________________________________
> Do you Yahoo!?
> The all-new My Yahoo! - Get yours free!
> http://my.yahoo.com
>
>
>

Oops, you cross-posted!?!
Stay in ntdev…

“Marc-Antoine Ruel” a écrit dans le message de news:
xxxxx@ntfsd…
>I haven’t received Maxim’s message (but my co-worker did?) but I can add
>
> - Vectored exception handler (AddVectoredExceptionHandler) if you can
> afford to run only on XP and your DLL is multithreaded. try/ except
> won’t work well if it is multithreaded. On earlier systems, you can use
> (UnhandledExceptionFilter)…
>
> Reserving or using a guard pages are 2 nice way to force the exception
> mecanism. For sure, if the adresses are in kernel range, you don’t have to
> do anything to throw exceptions :slight_smile:
>
> For guard pages, your DLL MUST be single threaded.
>
> So you can all do this in user mode.
>
> M-A
>
> “Razvan Marcus” a écrit dans le message de news:
> xxxxx@ntfsd…
>>
>>
>> Hello,
>>
>> I’m working on an pseudo-emulator software. I have
>> to provide a box capable of loading and running a
>> binary code. This binary is a DLL compiled in VC++.
>> The same source code compiled for a specific
>> processor
>> is used by the real machine. The source code cannot
>> be
>> changed.
>> The code makes use of direct memory manipulations
>> like:
>> *(unsigned char *)(0xFF00FF00) = 0x80
>> or
>> unsigned char ch = *(unsigned char *)(0xFF00FF00);
>>
>> I am searching for a solution to intercept these
>> memory accesses. I need to know:
>> - the operation type: write or read
>> - the address
>> - the value (if write)
>>
>> It is important to intercept the read because some
>> devices need only a register read to switch to a
>> specific mode.
>>
>> Could someone give me some advices about how
>> should
>> I implement this mechanism?
>> I am familiar with filter drivers but, in this
>> case,
>> I don’t know which driver I have to filter.
>>
>> Thank you
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> __________________________________
>> Do you Yahoo!?
>> The all-new My Yahoo! - Get yours free!
>> http://my.yahoo.com
>>
>>
>>
>
>
>

There’s debug registers, if you are dealing with a limited number of
funny locations. Otherwise, it’s exception handling, as per other
posters. Or you could disassemble and analyze the code.

in fact I posted the question in both lists. finally it seems there are the
same people

sorry

“Marc-Antoine Ruel” wrote in message news:xxxxx@ntfsd…
> Oops, you cross-posted!?!
> Stay in ntdev…
>
>
> “Marc-Antoine Ruel” a écrit dans le message de news:
> xxxxx@ntfsd…
>>I haven’t received Maxim’s message (but my co-worker did?) but I can add
>>
>> - Vectored exception handler (AddVectoredExceptionHandler) if you can
>> afford to run only on XP and your DLL is multithreaded. try/ except
>> won’t work well if it is multithreaded. On earlier systems, you can use
>> (UnhandledExceptionFilter)…
>>
>> Reserving or using a guard pages are 2 nice way to force the exception
>> mecanism. For sure, if the adresses are in kernel range, you don’t have
>> to do anything to throw exceptions :slight_smile:
>>
>> For guard pages, your DLL MUST be single threaded.
>>
>> So you can all do this in user mode.
>>
>> M-A
>>
>> “Razvan Marcus” a écrit dans le message de
>> news: xxxxx@ntfsd…
>>>
>>>
>>> Hello,
>>>
>>> I’m working on an pseudo-emulator software. I have
>>> to provide a box capable of loading and running a
>>> binary code. This binary is a DLL compiled in VC++.
>>> The same source code compiled for a specific
>>> processor
>>> is used by the real machine. The source code cannot
>>> be
>>> changed.
>>> The code makes use of direct memory manipulations
>>> like:
>>> *(unsigned char *)(0xFF00FF00) = 0x80
>>> or
>>> unsigned char ch = *(unsigned char *)(0xFF00FF00);
>>>
>>> I am searching for a solution to intercept these
>>> memory accesses. I need to know:
>>> - the operation type: write or read
>>> - the address
>>> - the value (if write)
>>>
>>> It is important to intercept the read because some
>>> devices need only a register read to switch to a
>>> specific mode.
>>>
>>> Could someone give me some advices about how
>>> should
>>> I implement this mechanism?
>>> I am familiar with filter drivers but, in this
>>> case,
>>> I don’t know which driver I have to filter.
>>>
>>> Thank you
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> __________________________________
>>> Do you Yahoo!?
>>> The all-new My Yahoo! - Get yours free!
>>> http://my.yahoo.com
>>>
>>>
>>>
>>
>>
>>
>
>
>