tags:

views:

375

answers:

3
+3  Q: 

Low level programming: How to find data in a memory of another running process?

I am trying to write a statistics tool for a game by extracting values from game's process memory (as there is no other way). The biggest challenge is to find out required addresses that store data I am interested. What makes it even more harder is dynamic memory allocation - I need to find not only addresses that store data but also pointers to those memory blocks, because addresses are changing every time game restarts.

For now I am just manually searching game memory using memory editor (ArtMoney), and looking for addresses that change their values as data changes (or don't change). After address is found I am looking for a pointer that points to this memory block in a similar way.

I wonder what techniques/tools exist for such tasks? Maybe there are some articles I can read? Is mastering disassembler the only way to go? For example game trainers are solving similar tasks, but they make them in days and I am struggling already for weeks.

Thanks.

PS. It's all under windows.

A: 

If you know how to code in C, it is easy to search for memory values. If you don't know C, this page might point you to your solution if you can code in C#. It will not be hard to port the C# they have to Java.

Jack L.  2009-03-25 04:29:53
+1  A: 

Is mastering disassembler the only way to go?

Yes; go download WinDbg from http://www.microsoft.com/whdc/devtools/debugging/default.mspx, or if you've got some money to blow, IDA Pro is probably the best tool for doing this

Paul Betts  2009-03-25 04:37:37
But even with disassembler, what is the strategy for finding values? Disassembling hundreds of megabytes and trying to figure out what is going on there looks like impossible task to me. Where to start?
serg  2009-03-25 04:56:09
Don't just search through all of memory, try to find the function that updates the value you're interested in; set debugger breakpoints that print stuff every time you hit them
Paul Betts  2009-03-26 01:32:41
A: 

You might take a look at DynInst (Dynamic Instrumentation). In particular, look at the Dynamic Probe Class Library (DPCL). These tools will let you attach to running processes via the debugger interface and insert your own instrumentation (via special probe classes) into them while they're running. You could probably use this to instrument the routines that access your data structures and trace when the values you're interested in are created or modified.

You might have an easier time doing it this way than doing everything manually. There are a bunch of papers on those pages you can look at to see how other people built similar tools, too.

I believe the Windows support is maintained, but I have not used it myself.

tgamblin  2009-03-25 04:46:22

related questions

CLR Profiler - Attaching to existing process
What's the maximum amount of RAM I can use in a Windows box?
.Net 2.0 - How efficient are Generic Lists?
Process Memory Size - Different Counters
C++ Memory management
Using MySQLi - which is better for closing queries
How Does A Stack Overflow Occur and How Do You Prevent It?
C Memory Management
How does .net managed memory handle value types inside objects?
FLVPlayback component memory issues
memset() causing data abort
Is Visual C++ memory managed by the Dot Net framework
Preventing Memory Leaks with Attached Behaviours
How to dispose a class in .net?
best way to persist data in .NET Web Service
Reading Other Process' Memory in Mac OS / BSD
Replicating load related crashes in non-production environments
Secure Memory Allocator in C++
Best way to wrap rsync progress in a gui?
Some kind of task manager for JavaScript in Firefox 3?
Of Memory Management, Heap Corruption, and C++
Understanding reference counting with Cocoa / Objective C
Setting Objects to Null/Nothing after use in .NET
Heap corruption under Win32; how to locate?
Anatomy of a "Memory Leak"