views: 59
answers: 2

Is there a reliable way to learn that a memory page or a range of pages belongs to a specific DLL inside the address space of a process?

+1  A: 

Depends on the type of page. The addresses of the code pages, etc. of a DLL are known when it is loaded, and are viewable by looking at the "loaded modules" window or its equivalent in any debugger.

If you're talking about a general read/write memory page, and I think you are, then I don't know of a way to find out what DLL it "belongs" to - nor do I think there is a strict concept of ownership here.

Terry Mahaffey
Thanks! Yes, I'm talking about generic read/write memory. Of course there's no problem in knowing the base address of a DLL. I want to find a way to tell the memory of a process from the memory of the libraries it has loaded - with no success so far.
Micktu
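As an added example (not code from either answerer), a small C program that applies the distinction made in the first answer: on Windows, VirtualQuery reports image-backed pages as MEM_IMAGE with AllocationBase equal to the module's load address, so such a page can be attributed to a DLL or EXE, while a private read/write page (MEM_PRIVATE, e.g. a heap block) has no owning module. The Windows-specific enumeration is compiled only under _WIN32; the lookup itself is portable and is exercised against a constructed sample map that does not describe any real process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* One committed image (DLL or EXE) region [base, base+size) and its module path. */
typedef struct { uintptr_t base; size_t size; char path[260]; } image_region;
/* Portable part: index of the image region containing addr, or -1 when the page
   is not image-backed (a private heap page has no owning module at all). */
int image_for_address(const image_region *r, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= r[i].base && addr - r[i].base < r[i].size)
            return (int)i;
    return -1;
}
/* Constructed sample map (not a real process) so the lookup can run anywhere. */
static const image_region sample_map[2] = {
    { 0x10000000u, 0x20000u, "C:\\constructed\\a.dll" },
    { 0x7ff00000u, 0x1000u,  "C:\\constructed\\b.dll" } };
int sample_lookup(uintptr_t addr) { return image_for_address(sample_map, 2, addr); }
#ifdef _WIN32
#include <windows.h>
/* Windows part: walk the address space with VirtualQuery and keep committed MEM_IMAGE
   regions; AllocationBase is the module's load address, so GetModuleFileNameA names it. */
size_t collect_image_regions(image_region *out, size_t cap)
{
    MEMORY_BASIC_INFORMATION mbi; uintptr_t addr = 0, next; size_t n = 0;
    while (n < cap && VirtualQuery((LPCVOID)addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT && mbi.Type == MEM_IMAGE) {
            if (!GetModuleFileNameA((HMODULE)mbi.AllocationBase, out[n].path, sizeof out[n].path))
                strcpy(out[n].path, "<unnamed image>");
            out[n].base = (uintptr_t)mbi.BaseAddress;
            out[n++].size = mbi.RegionSize;
        }
        next = (uintptr_t)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) break;   /* wrapped past the top of the address space */
        addr = next;
    }
    return n;
}
int main(void)
{
    static image_region r[4096];
    size_t n = collect_image_regions(r, 4096);
    void *heap = malloc(64);   /* private read/write page: expect "<no image>" */
    int c = image_for_address(r, n, (uintptr_t)&main), h = image_for_address(r, n, (uintptr_t)heap);
    printf("main(): %s\nheap block: %s\n", c >= 0 ? r[c].path : "<no image>", h >= 0 ? r[h].path : "<no image>");
    free(heap);
}
#endif
```

On Windows the program prints the EXE path for main() and "<no image>" for the heap block; the hooking approach in the other answer is what you need if you want to attribute such private pages to the code that allocated them.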
A: 

Hello!

There is a method known as API hooking. The well-known BugslayerUtil.DLL from John Robbins (see his book "Debugging Applications") was originally used for API hooking inside its own process. I mean that all memory allocation can be done with respect to a small number of well-known functions like LocalAlloc, GlobalAlloc, VirtualAlloc, etc. One can overwrite the start addresses of these functions inside the process address space. You can do this either somewhere at the beginning of the process or use DLL injection to do it (like Dependency Walker does in profiling mode). So you will be able to log (trace) every memory allocation attempt, forward the call to the original function, see the resulting return values, log (trace) one more time and give the results back. Inside every call attempt you can see all the functions which called this one on the call stack. So the contents of the call stack together with the address of the allocated memory and the size give you the full information you are looking for. You will see everything dynamically.

You should not implement all the stuff yourself. Just search on the internet for "API hooking" or "DLL injection" and you will find enough working examples. For examining the call stack you can use the documented StackWalk64 function (see http://msdn.microsoft.com/en-us/library/ms680650(VS.85).aspx) from imagehlp.dll / dbghelp.dll (for example see http://www.codeproject.com/KB/threads/StackWalker.aspx).

So it seems to me that your problem could be solved.

Oleg
Thanks a lot! I already implemented DLL injection, and API hooking looks like a great solution. What bothers me is the performance overhead - the application I inject into allocates more than 600MB of memory, but I'll try it anyway. Greetings from Ukraine :)
Micktu
You're welcome! I am especially pleased to help somebody with the same background as me. As for the overhead, you should just try it. Memory allocation on the heap is not a cheap operation, so if you do not write to the log file at every function call but filter the calls with some criteria (you know better which ones), then the total performance of your application will not change very much. If you use memory mapped files for writing the logs (you just copy strings to a mapped file's memory), writing to the file will be very quick. Best regards and much success to you from Germany.
Oleg