Hello.
Is there a possibility to know that given memory page (of a single process) has changed without reading it’s content? I’m not interested in content itself. just want to know if it is different than I was checking it last time. I’m asking if MemoryManager in windows is tracking something like this? Something like last modification time/count or something?
So you know such things?
thank you for answers.
Nope there is no way.
Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“xxxxx@gmail.com” wrote in
message news:xxxxx@ntdev:
> Hello.
>
> Is there a possibility to know that given memory page (of a single process) has changed without reading it’s content? I’m not interested in content itself. just want to know if it is different than I was checking it last time. I’m asking if MemoryManager in windows is tracking something like this? Something like last modification time/count or something?
>
> So you know such things?
>
> thank you for answers.
There is a way how OllyDbg handles memory breakpoints. The idea is to set target page’s protection to NO_ACCESS and handle exceptions that arise on access to the page. After recording an attempt to access the page, you restore previous state of the page, let the instruction to execute and then set NO_ACCESS again. Note, that kernel mode is not related to the process, it is better to implement it in user mode, you have to attach to target process as debugger. Another option is hardware breakpoints (Intel manual explains about them), but it covers only up to four bytes of virtual memory, not the whole page and also requires debugging target process.
You can mark the underlying pages of an allocation as guard pages using
VirtualProtectEx . Windows then raises an exception whenever these pages are
accessed but that includes read access as well.
It’s a pity that Windows does not offer us to install callbacks that trigger
upon memory read or write (or even execute) access. Such a system could be
easily implemented by extending the page fault handler.
Some higher level languages offer a feature called ‘properties’ where
reading or writing to a variable is done through Get and Set methods. Very
powerful and one of the best language features I have seen ever, though it’s
dangerous too because a property can be easily mistaken for a standard
variable and you need to know the implications.
//Daniel
Is there a possibility to know that given memory page (of a single process)
has changed without reading it’s content? I’m not interested in content
itself. just want to know if it is different than I was checking it last
time. I’m asking if MemoryManager in windows is tracking something like
this? Something like last modification time/count or something?
Note that the point of Get/Set methods is so you cannot mistake a variable
for a property; the variables are protected (or private) and the Get/Set
methods are public and the only visible interface. Note that not
providing a Set mehod, the propery becomes read-only. In addition, you
can set breakpoints at the Get/Set routines only in unoptimized code. But
even with low-level optimizations, the following code is compiled inline
at the call site:
class something
{
protected:
SIZE_T count;
public:
void SetCount(SIZE_T n) { count = n; }
SIZE_T GetCount() { return count; }
}
====================
SIZE_T v = whatever -> GetCount();
whatever->SetCount(v + 1);
Debug mode code (example)
mov ecx, whatever
call somethin.GetCount
mov v, eax
mov eax, v
inc eax
push eax
mov ecx, whatever
call Something.SetCount
Optimized code (example)
mov ebx, whatever
mov eax, [ebx]
inc eax
mov[ebx], eax
(I compiled these in my head; if you do the actual experient, there may be
slightly different sequences)
Now, somebody will say “If you don’t put the bodies in the header file,
they have to be compiled as calls”, but if you enable Link-Time Code
Generation (LTCG) then even separate compilation will end up generating
inline code, no matter what the .cod file tells you.
joe
You can mark the underlying pages of an allocation as guard pages using
VirtualProtectEx . Windows then raises an exception whenever these pages
are
accessed but that includes read access as well.It’s a pity that Windows does not offer us to install callbacks that
trigger
upon memory read or write (or even execute) access. Such a system could be
easily implemented by extending the page fault handler.Some higher level languages offer a feature called ‘properties’ where
reading or writing to a variable is done through Get and Set methods. Very
powerful and one of the best language features I have seen ever, though
it’s
dangerous too because a property can be easily mistaken for a standard
variable and you need to know the implications.//Daniel
>Is there a possibility to know that given memory page (of a single
> process)
>has changed without reading it’s content? I’m not interested in content
>itself. just want to know if it is different than I was checking it last
>time. I’m asking if MemoryManager in windows is tracking something like
>this? Something like last modification time/count or something?
NTDEV is sponsored by OSR
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminarsTo unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
I was meaning a language with native support for properties such as Delphi
where a variable assignment such as x=1 can end you up with another value
because it invisibly goes through some Set property method. In C++ you would
need to override the assignment operator (=) to achieve that but that would
only work for class objects.
//Daniel
Note that the point of Get/Set methods is so you cannot mistake a
variablefor a property; the variables are protected (or private) and the
Get/Set
methods are public and the only visible interface.
> class something
{
protected:
SIZE_T count;
public:
void SetCount(SIZE_T n) { count = n; }
SIZE_T GetCount() { return count; }
}
C++ has no proper support for properties, unlike C#, OA-based languages, and IIRC Java, Objective C and Python.
In C#, for instance, you can use { get; private set; } to declare a field read-only public and read-write private.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
I have this memory–and it has been more than five years since I used
C#–that the get/set properties in effect look like an “overload” of use
and assignment, which the compiler does automaticaaly, thus eliminating
the far clumsier C++ example I used. And no, overloading assignment in
C++ does not achieve this.
joe
> class something
> {
> protected:
> SIZE_T count;
> public:
> void SetCount(SIZE_T n) { count = n; }
> SIZE_T GetCount() { return count; }
> }C++ has no proper support for properties, unlike C#, OA-based languages,
and IIRC Java, Objective C and Python.In C#, for instance, you can use { get; private set; } to declare a field
read-only public and read-write private.–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
NTDEV is sponsored by OSR
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminarsTo unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
Maxim S. Shatskih wrote:
> class something
> {
> protected:
> SIZE_T count;
> public:
> void SetCount(SIZE_T n) { count = n; }
> SIZE_T GetCount() { return count; }
> }
C++ has no proper support for properties, unlike C#, OA-based languages, and IIRC Java, Objective C and Python.
Standard C++ does not, but Visual C++ supports properties as an extension.
class MyClass
{
__declspec( property( put=SetValue, get=GetValue ) ) int Value;
void SetValue( int iInput ) …
int GetValue( ) const { … }
};
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
>but if you enable Link-Time Code
Generation (LTCG) then even separate compilation will end up generating
inline code, no matter what the .cod file tells you.
With LTCG, the COD files are actually generated by LINK.
Actually, there are .cod files generated by the compiler, but they cannot
be trusted to be correct under LTCG. I actually show the “before” and
“after” cases in my (never-taught) assembly-language course (it turns out
that since students never get exposed to assembly code in college, when it
comes to reverse-engineering malware, they have no skills. But I ended up
on medical disability and had to cancel te class that had been scheduled)
joe
>but if you enable Link-Time Code
Generation (LTCG) then even separate compilation will end up generating
inline code, no matter what the .cod file tells you.With LTCG, the COD files are actually generated by LINK.
NTDEV is sponsored by OSR
OSR is HIRING!! See http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminarsTo unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
No way in general, but for memory you allocated yourself you may be able to use VirtualAlloc(MEM_WRITE_WATCH).
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Saturday, March 23, 2013 3:49 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] tracking modification of memory
Nope there is no way.
“xxxxx@gmail.com” wrote in message news:xxxxx@ntdev:
> Hello.
>
> Is there a possibility to know that given memory page (of a single process) has changed without reading it’s content? I’m not interested in content itself. just want to know if it is different than I was checking it last time. I’m asking if MemoryManager in windows is tracking something like this? Something like last modification time/count or something?