Any ideas on where to start?
If the process you want to scan is currently running, then you can connect to it as a debugger and scrape its address space.
If you want to scrape memory in general, you'd need to install a driver or something similar, in order to get out of userspace.
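A worked example of the first approach, added here and not part of the original post or any answer: it opens a running process with the same access a debugger holds and scans every readable region for a byte pattern. The Windows-specific part uses OpenProcess, VirtualQueryEx and ReadProcessMemory; the scanner itself fetches memory in fixed-size blocks and carries the tail of each block into the next, so a pattern that straddles two blocks is still found (the same problem arises with driver-fed blocks, as in the third answer). The names scan_region, scan_process, demo_scan and mem_ctx, the in-memory reader, and the 64-byte sample image at 0x10000 are constructed for this example; the Windows API calls are real.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Reader callback: copy up to len bytes at target address addr into out and
   return how many were copied; 0 means the range is unreadable. */
typedef size_t (*read_fn)(void *ctx, uint64_t addr, uint8_t *out, size_t len);
enum { MAX_PAT = 64, BLOCK_MAX = 65536 };

/* Scan [base, base+size) for pat in blocks of block bytes. The last patlen-1 bytes
   of each block are carried into the next, so a match that straddles a boundary is
   found exactly once; unreadable blocks are skipped. Returns the total number of
   matches and stores the first max_hits addresses in hits. */
size_t scan_region(void *ctx, read_fn rd, uint64_t base, size_t size,
                   const uint8_t *pat, size_t patlen, size_t block,
                   uint64_t *hits, size_t max_hits)
{
    uint8_t buf[MAX_PAT + BLOCK_MAX];
    size_t carry = 0, found = 0, off = 0;
    if (patlen == 0 || patlen > MAX_PAT || block == 0 || block > BLOCK_MAX) return 0;
    while (off < size) {
        size_t want = size - off < block ? size - off : block;
        size_t got = rd(ctx, base + off, buf + carry, want);
        if (got == 0) { carry = 0; off += want; continue; }  /* skip unreadable */
        size_t avail = carry + got;   /* buf[i] mirrors address base+off-carry+i */
        for (size_t i = 0; i + patlen <= avail; i++)
            if (memcmp(buf + i, pat, patlen) == 0) {
                if (found < max_hits) hits[found] = base + off - carry + i;
                found++;
            }
        carry = patlen - 1 < avail ? patlen - 1 : avail;
        memmove(buf, buf + avail - carry, carry);
        off += got;
    }
    return found;
}
/* In-memory reader over a constructed buffer; stands in for ReadProcessMemory. */
typedef struct { const uint8_t *mem; uint64_t base; size_t len; } mem_ctx;
static size_t mem_read(void *ctx, uint64_t addr, uint8_t *out, size_t len)
{
    const mem_ctx *m = ctx;
    if (addr < m->base || addr - m->base >= m->len) return 0;
    size_t o = (size_t)(addr - m->base);
    if (o + len > m->len) len = m->len - o;
    memcpy(out, m->mem + o, len);
    return len;
}
/* Constructed sample: a 64-byte image at 0x10000 with "SECRET" at offsets 13 and
   40, scanned in 16-byte blocks so that the first hit crosses a block boundary. */
size_t demo_scan(uint64_t *hits, size_t max_hits)
{
    uint8_t img[64];
    memset(img, 'x', sizeof img);
    memcpy(img + 13, "SECRET", 6);
    memcpy(img + 40, "SECRET", 6);
    mem_ctx m = { img, 0x10000, sizeof img };
    return scan_region(&m, mem_read, m.base, m.len, (const uint8_t *)"SECRET", 6,
                       16, hits, max_hits);
}

#ifdef _WIN32
#include <windows.h>
static size_t rpm_read(void *ctx, uint64_t addr, uint8_t *out, size_t len)
{
    SIZE_T got = 0;   /* bytes copied, also reported when the call fails partway */
    ReadProcessMemory((HANDLE)ctx, (LPCVOID)(uintptr_t)addr, out, len, &got);
    return (size_t)got;
}
/* Walk every committed, readable region of pid with VirtualQueryEx and scan it;
   PROCESS_VM_READ | PROCESS_QUERY_INFORMATION is the access a debugger also holds. */
size_t scan_process(DWORD pid, const uint8_t *pat, size_t patlen,
                    uint64_t *hits, size_t max_hits)
{
    HANDLE h = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    MEMORY_BASIC_INFORMATION mbi;
    const uint8_t *p = NULL;
    size_t found = 0;
    if (!h) return 0;
    while (VirtualQueryEx(h, p, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))) {
            size_t used = found < max_hits ? found : max_hits;
            found += scan_region(h, rpm_read, (uint64_t)(uintptr_t)mbi.BaseAddress,
                                 mbi.RegionSize, pat, patlen, BLOCK_MAX,
                                 hits + used, max_hits - used);
        }
        p = (const uint8_t *)mbi.BaseAddress + mbi.RegionSize;
    }
    CloseHandle(h);
    return found;
}
#endif
int main(void)
{
    uint64_t hits[16];
    size_t n = demo_scan(hits, 16);      /* on Windows: scan_process(pid, ...) */
    for (size_t i = 0; i < n && i < 16; i++) printf("hit at 0x%llx\n", (unsigned long long)hits[i]);
    return 0;
}
```

Two practical points. Reading another process's memory needs only PROCESS_VM_READ (plus PROCESS_QUERY_INFORMATION for VirtualQueryEx); you do not have to become its debugger with DebugActiveProcess, though a debugger holds the same rights. And because the target keeps running while you read, the result is not an atomic snapshot: values can change between blocks, and a region can disappear between VirtualQueryEx and ReadProcessMemory, which is why the scanner treats a zero-length read as "skip this block" rather than as fatal. Suspending the target's threads first, or stopping the whole machine the way the SoftICE answer below describes, removes that race.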
SoftICE (wiki) is still probably the best debugger for Windows. It has the low-level capabilities you are looking for and can suspend all operations in Windows, which is very useful to look at memory changes. Although it has been discontinued and there are many anti-SoftICE measures about these days (mainly to protect commercial software), there are also some stealthy options to use on top of it: IceStealth or IceExt. You're really going to have to suss out sources for these bits of software yourself; it might be a bit of work. Alternatively there are other debuggers: Sysersoft claims to have taken up where SoftICE left off (although I haven't played with it), and an open-source alternative, Rasta Ring 0 Debugger, which hasn't seen development since 2006.
That's a very interesting concept, although it does sound sinister: a rootkit... For starters, you'd need to elevate your program's privileges to those of Administrator, and somehow develop some kind of driver (probably a block-mode driver) and, from user land, make a polling call to the driver to pass out a block of data (hence block-mode driver). The length of the block would (I'd imagine) be passed in to the driver as a parameter; the user-land code would then retrieve the data and scan the block of data.
The snag is that, as the driver would have to reside at ring 0 kernel mode in order to fetch the block of memory, you will end up generating BSODs and plenty of debugging grief. Sounds way too masochistic for my liking, but then again you could use VirtualBox and install Windows into the VM.
You would need to root around looking for the Windows Kernel Mode Driver SDK, which will enable you to write drivers. Other than that, I wouldn't know how! :)
This is something I am going to stick on my favourite questions.
Good luck and hope this helps. Best regards, Tom.