0

I am trying to obtain the memory map of a process. One way I can think of doing this is to attach Olly/Immunity Debugger to the process and copy the memory map to the clipboard. However, this is probably not a good idea when I'd like to repeat this multiple times consecutively. Is there a tool similar to ListDLLs that can be used to achieve this? I noticed procdump can be used to dump the memory of a process but I don't need a memory dump: I just need a list of valid memory locations.

dnivra
  • 3
  • 1
  • 5
  • 1
    This seems pretty similar to http://reverseengineering.stackexchange.com/questions/8297/proc-self-maps-equivalent-on-windows/8299#8299 (or at least, I think the solution given would also work here) – Brendan Dolan-Gavitt Mar 11 '15 at 05:06

2 Answers2

2

Mark Russinovich's SysInternals suite contains a utility named VMMap, which can be used to view the memory layout of a process and/or dump the information in various formats.

As Brendan mentioned, an answer in /proc/self/maps equivalent on Windows shows how to obtain the information via calls to VirtualQueryEx(). So you could easily whip up your own customised utility by writing a few lines of C/C++.

Note: the memory layout is not static. Stacks can grow, sections can be unmapped, blocks allocated or freed, reserved space be committed, valid pages be made inaccessible.

Depending on the goal of the operation it may be best to integrate the querying of memory layout info with the process that uses it, which makes it easier to achieve the desired accuracy. Things to ponder here are caching (for performance) versus snapshot semantics (to achieve consistent views).

Community
  • 1
DarthGizka
  • 2,010
  • 1
  • 13
  • 30
0

execute this bat file you will need windbg in path

it attaches to a running process (hard coded as calc.exe you can script it with %1) dumps the memory map filtered by page_readonly and mapped file and detaches automatically when quitting and sleeps for 10 seconds before repeating and pipes (appends its output to a file of choice that can be processed with your favorite text processing tool)

:begin
echo Date and Time of Address Dump = %date%%time% >> address.text
cdb -pd -c "!address -1 -F:PAGE_READONLY,FILEMAP;q" -pn calc.exe >> address.text
sleep 10
goto begin

you can use any test processing tool to parse the output

:grep -iE  "Date and Time of Address Dump | 80000 " address.text
Date and Time of Address Dump = 11/03/201512:25:21.01
   80000    83000     3000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY MemoryMappedFile "PageFile"
Date and Time of Address Dump = 11/03/201512:25:23.15
   80000    83000     3000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY MemoryMappedFile "PageFile"
Date and Time of Address Dump = 11/03/201512:25:26.82
   80000    83000     3000 MEM_MAPPED  MEM_COMMIT  PAGE_READONLY MemoryMappedFile "PageFile"
blabb
  • 16,376
  • 1
  • 15
  • 30