Hi Madshi,
I want to know if it is somehow possible to monitor when certain memory locations are accessed by an application.
The purpose is this:
I want to build a caching mechanism for an application that uses straight, synchronous reading and writing. For this, I can intercept the API calls to ReadFile and WriteFile, and report success but not actually perform any IO Operation (only to build a list of I/O requests). BUT when the hooked application tries to read or write within these buffers, I will have to suspend that thread and actually perform the I/O operations as requested in the list.
Thank you very much,
Nick
Is it possible to supervise memory access using your library?
-
- Posts: 26
- Joined: Fri Oct 21, 2005 9:17 am
You can not catch memory read/write access through API hooking, because memory access is nothing but simple assembler "mov" instructions. There's no special API called to access memory.
You could try to deny access to the memory areas you're talking about (by using VirtualProtect). That way an exception will happen every time the application tries to read the memory. You could then catch the exception and do your IO instead. However, I don't really like this approach, cause it's kind of ugly.
The best way for you might eventually be to write a kernel mode driver, but I'm not really sure about it.
It seems that I have no alternative but to try the path you suggested. Thank you again.
There is a non-fatal PAGE_GUARD exception that can be used for this purpose.
In API Help I read
"Pages in the region become guard pages. Any attempt to access a guard page causes the operating system to raise a STATUS_GUARD_PAGE exception and turn off the guard page status. Guard pages thus act as a one-shot access alarm."
I am sorry to bother you again, but is there a way to catch the generated exception (now generally speaking) of the OS using your library?
What I mean is: I can apply VirtualProtect but I have to know when an exception is generated, intercept and clear it, perform my IO and then continue the execution in the same place it was interrupted (including the instruction that generated the exception). Is there some (easy) way to do this?
Yours,
Nick