Home > Blockchain >  Question about VirtualQueryEx() lpAdress variable
Question about VirtualQueryEx() lpAdress variable

Time:07-23

I am building a Memory Scanner to find malware strings in a process. Btw, when I was searching about the VirtualQueryEx dll, I saw that people starts its variable lpAdress ( which is supposed to be the Base Address of the process) with a NULL/0 value

    LPVOID lpAdress = 0

and in each loop they increase the adress value by the size of the page they just read, so that way they go to the next page and can map all process virtual memory

    lpAdress  = mbi.RegionSize    # mbi is a variable with MEMORY_BASIC_INFORMATION structure

So, is lpAdress the value of memory considering 0 as a start of the own process virtual memory and you dont need to get the actual base adress of the process in memory ? Sorry if my question looks dumb, but the MSDN documentation is confusing me.

CodePudding user response:

Each process has it's own virtual address space that starts at 0. The various executable files (.exe / .dll / whatever) are loaded either at addresses specified in the file or more recently at random addresses for security purposes.

A process can easily have mapped memory regions at addresses lower than where the process executable is loaded. For this reason, if you want to examine a process' entire memory space you need to start at 0.

Page link:https//www.codepudding.com/Blockchain/485764.html

Prev:Why c static member was not initialized in this case?
Next:How to Query in google sheets, sort by a column and not include that column in the output
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding