Cheat Engine

Polynomial · Posted: Mon Jan 24, 2011 10:07 pm Post subject: Notify when memory page written

I'm trying to build some sort of visualization application that displays a process's memory as a bitmap image. The idea is that each pixel represents a page, pixels are white normally and red for 500ms when written to.

What I'm trying to work out is how I'd notify my process when the target process writes to any memory page within the process's virtual memory. I'm not sure it's possible to create software breakpoints that get hit on memory write. I'm also not sure it's possible to do this in hardware.

I suppose I could use some kinda ReadProcessMemory loop that compares each page and marks changes, but this isn't a very elegant way to do it.

Any ideas on how I can achieve something like this?

Dark Byte · Posted: Mon Jan 24, 2011 10:50 pm Post subject:

at creation time hook the allocate memory apis and make all allocations go accompanied with the "MEM_WRITE_WATCH"

now constantly call ResetWriteWatch and GetWriteWatch to find out which pages have been written since last iteration

Perhaps you might be able to do it at runtime as well, but may be tricky. suspend the process, copy the original memory regions, free them, reallocate with the specific flags at the specific address and put the memory back (I never tried and doubt it works, but give it a try)

alternatively (a lot easier), if the system has a lot of memory and not a lot of paging in/out happens you could manually inspect the pagetables if they have the A(ccessed) flag and the D(irty) flag set. Dirty is set when it the page has been written

And third method if you love to see an app go with the speed of a snail :
Hook the exception handler and mark all pages read only
Now when a write exception happens (e.g push ) freeze ALL threads except the one that caused it. Make the accessed pages writable (multiple in case of a pageboundary write) and set the single step flag. Now on breakpoint disable the step flag and make the specified pages readonly again and resume all other threads (of course, i'd rather go with the readprocessmemory approach instead of this one)

Polynomial · Posted: Tue Jan 25, 2011 7:16 am Post subject:

I was kinda hoping to do it without injecting anything into process memory. I think I'll try my original idea of creating checksums of small blocks of memory (4KB blocks) and comparing every 500ms. I'd only actually iterate over writeable memory pages, so hopefully it'll work reasonably quickly.

Is it faster to perform one large ReadProcessMemory operation, or a succession of 4KB reads?

If it fails then I'll try the page tables method. Do you know of any decent reference / tutorial on how it works and how to implement it? I've never really looked at the page tables.

Dark Byte · Posted: Tue Jan 25, 2011 8:25 am Post subject:

reading large parts is faster than 4kb reads

as for pagetables read the intel architecture books and in the ce wiki I wrote the addresses where the pagetables in 32 and 64 bit windows start
http://wiki.cheatengine.org/index.php?title=Windows_internals