Locating data in memory
September 1, 2009 6:59 AM

I need to access certain data loaded in memory by an application. There are certain application-specific encrypted files, which the program decrypts and loads into memory. Can I see the data in the memory used by the application?

Is it possible to search the entire memory footprint of an application?

If I know some keywords in the encrypted file, can I search based on those words and locate the decrypted data in memory?

Are there any other techniques?

Can I get the addresses of all the memory areas used by the application including the EXE file, and save everything into a file?
posted by inquisitive to Computers & Internet (4 answers total)
 
Sure. You attach a debugger to the process; most of them allow searching through process memory. Or just dump out all strings, as that's probably what you're interested in - maybe the "Strings" tab in Sysinternals Process Explorer is already enough.
posted by dhoe at 7:06 AM on September 1, 2009


Response by poster: The Strings tab will just give me isolated strings. My objective is to copy the entire decrypted data into a file.
posted by inquisitive at 7:14 AM on September 1, 2009


Response by poster: I think the application will load the decrypted file in the memory heap, so how do I search the heap? Again how do I find the start and end of the file?
posted by inquisitive at 7:16 AM on September 1, 2009


Install the Debugging Tools for Windows, open WinDbg, hit File->Attach to a process, and use the command s -u 0x00000000 L?0xffffffff "yourstring". It will search the whole memory for the Unicode string "yourstring", without bothering about heap or not (there are several of them on Windows anyway).
posted by dhoe at 7:42 AM on September 1, 2009
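
An added example, not part of the thread: the s -u search in the answer above looks for the Unicode (UTF-16LE) form of the string, so a keyword held as single-byte text needs a separate pass. The sketch below scans an already-captured dump for both encodings in fixed-size chunks; the function names and the sample buffer are constructed for illustration.

```python
import io


def encodings_for(keyword):
    """Byte patterns to look for: single-byte ASCII and UTF-16LE ("Unicode" on Windows)."""
    return {"ascii": keyword.encode("ascii"), "utf-16le": keyword.encode("utf-16-le")}


def scan_dump(stream, keyword, chunk_size=1 << 20):
    """Return sorted (offset, encoding) hits for keyword in a binary stream."""
    patterns = encodings_for(keyword)
    # Bytes carried over between reads so a match split across two chunks is still seen.
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()      # a set, because a short match inside the carried tail is seen twice
    base = 0          # offset in the dump of buf[0]
    buf = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        for name, pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, name))
                pos = buf.find(pat, pos + 1)
        keep = buf[-overlap:] if overlap else b""
        base += len(buf) - len(keep)
        buf = keep
    return sorted(hits)


# Constructed sample "dump": the keyword once as UTF-16LE and once as ASCII.
SAMPLE_DUMP = (
    b"\x00" * 7
    + "invoice".encode("utf-16-le")   # offset 7, 14 bytes
    + b"\xff" * 4
    + b"invoice"                      # offset 25, 7 bytes
    + b"\x00" * 3
)

if __name__ == "__main__":
    for offset, encoding in scan_dump(io.BytesIO(SAMPLE_DUMP), "invoice", chunk_size=5):
        print(f"0x{offset:08x}  {encoding}")
```

With a real dump, pass a file opened in binary mode instead of the BytesIO wrapper; offsets are relative to the start of the dump file, not virtual addresses in the process.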

