I prop up over a problem with regard to the subject " space of linear addresses (-) Physical addresses ".

It is a little complicated then I am going to try to explain it.
Any programs that turns under Windows begin at 00400000h (Linear Adresses)
If two prog turn at the same time, and it is here my problem because I do not know perfectly the principle, the boss are at 00400000h alternately (not possible there are here at the same time)
Physically on hard disk they are at two different places (ex: prog1 in 80000000 prog2 in 8A000000)

What I made it is that the first program ( a debugger ) which opens the second program ( the target). (CreateProcess, WaitForDebugEvent,...)
The purpose it is that debugger looks at which APIS are used by the target. For that I puts a CCh byte at the beginning of the API which interest me like SoftIce do it.
And that works well, the debugger sees well the used APIs. But I want besides to see the state of the stack of the target to know which are the parameters to use by the API in question.
Ex: Debugger sees that the target uses RegCreateKeyEx, I want besides to have the 2-nd parameter of its stack to know the way in the Register.

The problem it is that when I look at the content of I make a reading IN THE ADDRESS SPACE OF MY DEBUGGER and not in the address space of the target. (Not good)
I must break the spaces of addresses, it is for that if somebody can explain me the correspondence between the linear addresses spaces and Physical that would indeed arrange me.

Posted on 2003-07-18 12:19:30 by Morgatte

The problem:
"The problem it is that when I look at the content of I make a reading IN THE ADDRESS SPACE OF MY DEBUGGER and not in the address space of the target. (Not good)"

Easy decision:
The name of YOUR DEBUGGER should be SoftIce

Posted on 2003-07-18 12:39:03 by lingo12
no Sice can't do that.

Do you know APIspy ? it is that I try to make.
Posted on 2003-07-18 12:56:58 by Morgatte
Use ReadProcessMemory to read pages from the address space of another process.
Posted on 2003-07-18 12:57:37 by Sephiroth3
I ever try that and that don't work. In fact I think I must modify the CR3 in the Context Structure to get access to the address space to the target.

But I don't know exactly how.

It's for that I search someone whose can tell me the relation between Linear addresses and Physicals. (what is paging ?)
Posted on 2003-07-18 15:18:12 by Morgatte
To understand the difference between linear and physical address space you have to understand the Virtual Machine. When Windows runs a program it runs it in a virtual machine, this allows the program to *think* that it is running alone and there is nothing else disturbing it's address space. Each process gets it's own set of registers, ports and memory. So say you have two processes running. The first will be running on a virtual machine at the physical address in memory of say 06000000 and the second will be running at the physical address 0A000000 (these adresses are imaginary - I made them up) the VMM (virtual machine manager) will remap the memory as the process sees it so that each program thinks it is running on a machine that begins at base address 0 and is alone in the machine. This allows every program to think that it is running at the same address, the VMM will adjust the addresses. There are cases when you wish to look across the boundaries into another machine, Windows provides the Debug and other API's to do this, but from the standpoint of the programs they are still alone and the data (such as memory addresses) cannot be used by both processes. Generally Physical memory means the actually memory address in the memory chips of your computer, linear or virtual address is the address that the process sees from the virtual machine.
Posted on 2003-07-18 15:43:27 by donkey
Um, processes have nothing to do with VMs. All Windows applications run in the System VM (VM 1). They access the same virtual devices. That means that if two processes write to the same device directly through ports, they would ruin each other's operation. Btw, some VXDs won't operate if accessed from VM 1 or will operate differently. For example, my soundcard driver won't play any sound if I start a DOS program that uses sound instead of krnl386.exe when I start up Windows. Instead a blue screen pops up and tells me the device is in use by another application.
Anyway, the only things that separates Windows 9x processes is their page directory, the PEB, the PSP, the CDS and possibly a few other things.

Now back to the original problem. If ReadProcessMemory fails, check that all the memory is valid and that the handle is correct and has the PROCESS_VM_READ access bit set.
Posted on 2003-07-18 17:46:58 by Sephiroth3
The page tables can map memory almost any way you want. A good read of the third Intel x86 manual is needed to understand all that is going on behind the scenes.
Posted on 2003-07-18 18:19:51 by bitRAKE