Hello. I downloaded a disk and memory editor called HxD (available at http://mh-nexus.de/en/hxd/). I wonder how it is able to access (read and modify) virtual memory assigned to all applications running on my system (Windows XP Pro SP3). From what I know, Windows is running in protected mode, making such endeavours impossible. Yet it's not, how can that be?

+1  A: 

Windows does indeed protect the memory of applications. Every application has its own address space and can simply not access anything outside it.

But, Windows also has functions that allow you to access memory from other processes. Not by simply accessing a pointer, but by calling a function to get the data from the other process.

This functionality seems strange, but it is essential if you want to write a debugger, or other kinds of diagnostics utilities.

Patrick
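Added example, not part of the original answer and not HxD's code: the function-based access described above, using the Win32 calls `OpenProcess` and `ReadProcessMemory` through Python `ctypes` to read a constructed buffer in the script's own process. The helper names (`missing_rights`, `read_process_memory`, `demo`) are hypothetical, and the memory read itself runs only on Windows.

```python
import ctypes
import os
import sys

# Process access rights from the Windows SDK header winnt.h.
PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE = 0x0008, 0x0010, 0x0020
NEEDED = {  # rights the kernel checks on the handle before each call
    "ReadProcessMemory": {"PROCESS_VM_READ": PROCESS_VM_READ},
    "WriteProcessMemory": {"PROCESS_VM_WRITE": PROCESS_VM_WRITE,
                           "PROCESS_VM_OPERATION": PROCESS_VM_OPERATION},
}

def missing_rights(granted_mask, api):
    """Return the rights a handle with granted_mask lacks for the given API call."""
    return sorted(n for n, bit in NEEDED[api].items() if not granted_mask & bit)

def read_process_memory(pid, address, size):
    """Ask the kernel to copy size bytes at address out of process pid."""
    if sys.platform != "win32":
        raise OSError("OpenProcess/ReadProcessMemory exist only on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.ReadProcessMemory.restype = ctypes.c_int
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    # The access check happens here, against the target's security descriptor.
    handle = k32.OpenProcess(PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_string_buffer(size)
        copied = ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(handle, address, buf, size, ctypes.byref(copied)):
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw[:copied.value]
    finally:
        k32.CloseHandle(handle)

def demo():
    """Read a constructed buffer back out of this script's own process."""
    sample = ctypes.create_string_buffer(b"constructed sample bytes")
    return read_process_memory(os.getpid(), ctypes.addressof(sample), len(sample.value))

if __name__ == "__main__" and sys.platform == "win32":
    print(demo())
```

The caller never dereferences a pointer into the other address space: the kernel performs the copy, and only after `OpenProcess` has granted a handle carrying the right the call requires.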
+1  A: 

If the program is run in administrator mode then it can load a driver dynamically and see information via kernel mode to any process. An example is a debugger or similar like the Process Explorer tools from Sysinternals.

Preet Sangha