Memory scanner always returning the same results


1

With this code I guess the scan was faster, but the scan always returns the SAME addresses.

E.G.:

00123456
00124567
00135478
00145893
00123456 //start repeat 
00124567
00135478
00145893
00123456 //start repeat 
00124567
00135478
00145893

This is my procedure:

procedure SCANBYTE(value: integer);
var
  s: size_t;
  mbi: MEMORY_BASIC_INFORMATION;
  SI: SYSTEM_INFO;
  lpStartAddress, lpStopAddress: dword;
  addr: dword;
  i: dword;
begin
  GetSystemInfo(SI);
  lpStartAddress := dword(SI.lpMinimumApplicationAddress);
  lpStopAddress := dword(SI.lpMaximumApplicationAddress);
  { Walk the whole user address space one byte at a time }
  for addr := lpStartAddress to lpStopAddress do begin
    s := VirtualQuery(Pointer(addr), mbi, SizeOf(MEMORY_BASIC_INFORMATION));
    { Only committed, private, read/write regions are scanned.
      Type_9 is Delphi's name for the MEMORY_BASIC_INFORMATION.Type field. }
    if (s = SizeOf(MEMORY_BASIC_INFORMATION)) and (mbi.State = MEM_COMMIT) and
       (mbi.Type_9 = MEM_PRIVATE) and (mbi.RegionSize > 0) and
       (mbi.Protect = PAGE_READWRITE) then begin
      { Compare the bytes of the region with the wanted value,
        stopping one page (4096 bytes) before the end of the region }
      for i := dword(mbi.BaseAddress) to (dword(mbi.BaseAddress) + dword(mbi.RegionSize)) - 4096 do begin
        if value = PBYTE(i)^ then ListBox1.Items.Add(IntToHex(i, 8));
      end;
    end;
  end;
end;

I guess the problem is at the last FOR loop:

(...)
for i := dword(MBI.BaseAddress) to (dword(MBI.BaseAddress) + dword(MBI.RegionSize)) - 4096 do begin
(...)

But I really don't know... How can I solve this?

2012-04-04 18:48
by paulohr


8

You run your code in a loop from the start address to the end address. The address addr increases by 1 each time around the loop. VirtualQuery gives you information about entire pages. All the addresses in a page have the same base address. The documentation tells you, "This value is rounded down to the next page boundary."

Look more closely, and you should see that mbi.BaseAddress remains the same for 4096 iterations of your outer loop (assuming 4096 is the page size). Thus, you're re-scanning the same block of memory over and over again. (That might also explain why your code is slow.)

2012-04-04 19:43
by Rob Kennedy
Thanks, I fixed it - paulohr 2012-04-11 13:13
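The fix Rob Kennedy's answer points at, written out as an added example (this is not the asker's code or the answer's code): the outer loop advances by MBI.RegionSize after each VirtualQuery call instead of by one byte, so every region is queried and scanned exactly once. Because a Delphi for loop does not allow its counter to be changed inside the loop, the rewrite uses a while loop. It assumes a VCL form with a TListBox, as in the question, and uses NativeUInt for addresses (Delphi 2009 or later; on an older 32-bit compiler DWORD works the same way).

```delphi
uses
  Windows, SysUtils, Classes;

{ Added example: scan the committed, private, read/write memory of the
  current process for one byte value, visiting each region once.
  Results is a hypothetical TStrings (e.g. ListBox1.Items) chosen for this example. }
procedure ScanByteByRegion(Value: Byte; Results: TStrings);
var
  SI: SYSTEM_INFO;
  MBI: MEMORY_BASIC_INFORMATION;
  Addr, StopAddr, RegionEnd, P: NativeUInt;
begin
  GetSystemInfo(SI);
  Addr := NativeUInt(SI.lpMinimumApplicationAddress);
  StopAddr := NativeUInt(SI.lpMaximumApplicationAddress);

  { A for loop cannot modify its counter, so use a while loop and
    step Addr by the size of the region VirtualQuery just described. }
  while Addr < StopAddr do
  begin
    if VirtualQuery(Pointer(Addr), MBI, SizeOf(MBI)) <> SizeOf(MBI) then
      Break; { nothing more can be queried above this address }

    { Same region filter as the question: committed, private, plain read/write.
      Type_9 is Delphi's name for the MEMORY_BASIC_INFORMATION.Type field. }
    if (MBI.State = MEM_COMMIT) and (MBI.Type_9 = MEM_PRIVATE) and
       (MBI.Protect = PAGE_READWRITE) then
    begin
      { BaseAddress is rounded down to a page boundary and RegionSize
        covers all pages with the same attributes, so scan [Base, Base+Size). }
      P := NativeUInt(MBI.BaseAddress);
      RegionEnd := P + MBI.RegionSize;
      while P < RegionEnd do
      begin
        if PByte(P)^ = Value then
          Results.Add(IntToHex(Int64(P), SizeOf(Pointer) * 2));
        Inc(P);
      end;
    end;

    { Continue at the first address past this region. If the end of the
      region does not move us forward (wrap-around at the top of the
      address space), stop instead of looping forever. }
    RegionEnd := NativeUInt(MBI.BaseAddress) + MBI.RegionSize;
    if RegionEnd <= Addr then
      Break;
    Addr := RegionEnd;
  end;
end;

{ Usage from the form, e.g. a button handler: }
procedure TForm1.Button1Click(Sender: TObject);
begin
  ListBox1.Items.BeginUpdate;
  try
    ScanByteByRegion(7, ListBox1.Items);
  finally
    ListBox1.Items.EndUpdate;
  end;
end;
```

Two caveats a practitioner will want to keep in mind. The scanner reads its own process's heap, and appending to Results allocates from that same heap while the scan is running, so the set of committed regions can change between the VirtualQuery call and the byte reads; collecting hits into a pre-sized TStringList and assigning it to the list box afterwards keeps that churn small. To scan another process the same walk is done with VirtualQueryEx and ReadProcessMemory on a handle opened with PROCESS_QUERY_INFORMATION and PROCESS_VM_READ, rather than dereferencing pointers directly.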