azherdev

Read RAM contents with VC++

Is there a way to read/write contents of RAM from say byte 0 to 2Gigs? I want to be able to search for a particular byte signature and replace it. But, the contents are not written by my app. Don't worry, I am not writing a virus. :)

Not for the actual RAM contents. You can read memory from other processes, which may be in RAM or may be in virtual memory. But without writing an OS, you're not going to be able to actually read or write to the RAM itself. That's why all these memory testers run off a boot disk.

hmmm, so you can't, huh?

Ok, followup question: I would like to change the picture of the windows background but not from a file on the drive but rather a bitmap in ram, is there a function to do so in Win32 API? .NET or C++.

p.s. How does a program like norton anti-virus then scan your ram for viruses?

Quote:
Original post by azherdev
hmmm, so you can't, huh?

Ok, followup question: I would like to change the picture of the windows background but not from a file on the drive but rather a bitmap in ram, is there a function to do so in Win32 API? .NET or C++.
As far as I know, you can't. At least not particularly easily. Bitmaps are GDI objects, and the RAM for the image itself may even be on the graphics card, which isn't directly accessible from the CPU. The only way I can think of would be to inject a DLL into explorer.exe, and somehow find the HBITMAP that represents the background. Then change it.

Quote:
Original post by azherdev
p.s. How does a program like norton anti-virus then scan your ram for viruses?
It scans the memory used by running processes (which may be in RAM, or may be in virtual memory). See ReadProcessMemory.

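The approach the reply above points to (scanning the memory of a running process with ReadProcessMemory), as an added example that is not part of the original thread. It is a read-only signature count; `scanner`, `scan_init`, `scan_feed`, `scan_gap`, `scan_process`, `CHUNK` and `MAXSIG` are names assumed for this sketch, and the region walk uses the real Win32 call VirtualQueryEx, which the thread does not mention.

```c
#include <stddef.h>
#include <string.h>
#define CHUNK  65536   /* bytes per read (assumed size) */
#define MAXSIG 64      /* longest signature supported here */

/* Streaming matcher: carries the last siglen-1 bytes between reads so a
   signature that straddles two chunks is still found. */
typedef struct {
    const unsigned char *sig; size_t siglen, carry, hits;
    unsigned char win[MAXSIG + CHUNK];
} scanner;
int scan_init(scanner *s, const unsigned char *sig, size_t siglen) {
    if (siglen == 0 || siglen > MAXSIG) return -1;
    s->sig = sig; s->siglen = siglen; s->carry = 0; s->hits = 0;
    return 0;
}
/* Next bytes are not contiguous with the previous ones: drop the carry. */
void scan_gap(scanner *s) { s->carry = 0; }

void scan_feed(scanner *s, const unsigned char *buf, size_t len) { /* len <= CHUNK */
    size_t total = s->carry + len, i;
    memcpy(s->win + s->carry, buf, len);
    for (i = 0; i + s->siglen <= total; i++)
        if (memcmp(s->win + i, s->sig, s->siglen) == 0) s->hits++;
    s->carry = total < s->siglen - 1 ? total : s->siglen - 1;
    memmove(s->win, s->win + total - s->carry, s->carry);
}

#ifdef _WIN32
#include <windows.h>
/* h needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ. Read-only scan. */
size_t scan_process(HANDLE h, const unsigned char *sig, size_t siglen) {
    static scanner s; static unsigned char buf[CHUNK];
    MEMORY_BASIC_INFORMATION mbi; unsigned char *p = NULL, *end; SIZE_T want, got;
    if (scan_init(&s, sig, siglen) != 0) return 0;
    while (VirtualQueryEx(h, p, &mbi, sizeof mbi) == sizeof mbi) {
        int ok = mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS));
        p = (unsigned char *)mbi.BaseAddress; end = p + mbi.RegionSize;
        if (end <= p) break;                  /* address wrapped: stop */
        if (!ok) scan_gap(&s);                /* free, reserved or guarded region */
        for (; ok && p < end; p += want) {
            want = (SIZE_T)(end - p) < CHUNK ? (SIZE_T)(end - p) : CHUNK; got = 0;
            if (ReadProcessMemory(h, p, buf, want, &got) && got == want)
                scan_feed(&s, buf, got);
            else scan_gap(&s);                /* page vanished or unreadable */
        }
        p = end;
    }
    return s.hits;
}
#endif
```

When the handle refers to the scanning process itself, the count includes the scanner's own copies of the signature (the caller's `sig` buffer and the read buffer).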
Thanks Steve... or Evil...

I'll look into this more. I am trying to create the effect of WinDVD; it allows the video to be played back as the desktop image and keeps the desktop icons on top of it. I guess it is their "secret" or trick that they use.

Thanks again.

That's much easier - just use a DirectDraw overlay. That way DirectDraw will render onto pixels of a certain colour. What WinDVD probably does is change the desktop background colour to a certain value, and hides the wallpaper (I don't know how to do that, but I'd imagine it'll be fairly easy). Then it can just render the video onto the desktop HWND.

I remember seeing some code on Planet Source Code that played video on the desktop background only with the icons on top or even just inside of the icon shapes.

Tried looking there?

Quote:
Original post by azherdev
hmmm, so you can't, huh?

Ok, followup question: I would like to change the picture of the windows background but not from a file on the drive but rather a bitmap in ram, is there a function to do so in Win32 API? .NET or C++.
Just write it to a file and tell it to use that file. Attempt anything else and you're asking for trouble, trust me.[smile]

If you really want to, you can get Windows to give you a temporary file name (GetTempFileName), and write the file to the temp directory.

Since the Windows desktop (the area holding the icons) is implemented as a Listview control, you could send it messages such as LVM_SETBKCOLOR and LVM_SETBKIMAGE to set its background color and image, respectively. Do note that once the desktop gets reloaded for some reason, Windows will reset these to the default values that it keeps in the registry.

Also, this method may not work with future versions of Windows (Vista, for example), as the desktop may be implemented by other means than a standard Listview. I haven't checked this yet, though.

Quote:
Original post by azherdev
Is there a way to read/write contents of RAM from say byte 0 to 2Gigs? I want to be able to search for a particular byte signature and replace it. But, the contents are not written by my app. Don't worry, I am not writing a virus. :)


You don't have access to the physical RAM addresses from user space (you only know how to read/write the virtual PC memory). If you want to scan the whole memory, you have to write a device driver.

Regards,

Guest Anonymous Poster
Most of these posters are wrong. Actually you can read physical memory under NT, XP, Win2K, using \Device\PhysicalMemory. You have to be logged on as administrator, and do not need a device driver.

Under Vista this should no longer be possible without a driver.

There is a tool with source at www.sysinternals.com somewhere showing how to do it. Another tool that does it is the windows version of dd.exe, a forensics tool.

An older discussion about it is here http://www.phrack.org/show.php?p=59&a=16.

I know this is possible since I have written a physical memory scanner under a research grant for doing rootkit detection/prevention.

I am trying to get a release to opensource my memory scanner.

One thing you'll find that is odd is that there is no Windows API call returning how much physical memory you have installed (before you think you do, test the values the API returns). The API calls remove the amount paged to hardware IO, BIOS, etc., so always return a slightly smaller value than actual physical memory.

Good luck

Chris Lomont
www.lomont.org
