6
我想捕获内存写入特定的内存范围,并调用一个函数与正在写入的内存位置的地址。优选地,在写入存储器之后已经发生。如何捕获写入地址的内存写入和调用函数
我知道这可以通过操作系统通过页表条目来完成。但是,如何在需要执行此操作的应用程序中实现类似的功能呢?
A
回答
13
嗯,你可以做这样的事情:
// compile with Open Watcom 1.9: wcl386 wrtrap.c
#include <windows.h>
#include <stdio.h>
#ifndef PAGE_SIZE
#define PAGE_SIZE 4096
#endif
UINT_PTR RangeStart = 0;
SIZE_T RangeSize = 0;
UINT_PTR AlignedRangeStart = 0;
SIZE_T AlignedRangeSize = 0;
void MonitorRange(void* Start, size_t Size)
{
DWORD dummy;
if (Start &&
Size &&
(AlignedRangeStart == 0) &&
(AlignedRangeSize == 0))
{
RangeStart = (UINT_PTR)Start;
RangeSize = Size;
// Page-align the range address and size
AlignedRangeStart = RangeStart & ~(UINT_PTR)(PAGE_SIZE - 1);
AlignedRangeSize = ((RangeStart + RangeSize - 1 + PAGE_SIZE) &
~(UINT_PTR)(PAGE_SIZE - 1)) -
AlignedRangeStart;
// Make the page range read-only
VirtualProtect((LPVOID)AlignedRangeStart,
AlignedRangeSize,
PAGE_READONLY,
&dummy);
}
else if (((Start == NULL) || (Size == 0)) &&
AlignedRangeStart &&
AlignedRangeSize)
{
// Restore the original setting
// Make the page range read-write
VirtualProtect((LPVOID)AlignedRangeStart,
AlignedRangeSize,
PAGE_READWRITE,
&dummy);
RangeStart = 0;
RangeSize = 0;
AlignedRangeStart = 0;
AlignedRangeSize = 0;
}
}
// This is where the magic happens...
int ExceptionFilter(LPEXCEPTION_POINTERS pEp,
void (*pMonitorFxn)(LPEXCEPTION_POINTERS, void*))
{
CONTEXT* ctx = pEp->ContextRecord;
ULONG_PTR* info = pEp->ExceptionRecord->ExceptionInformation;
UINT_PTR addr = info[1];
DWORD dummy;
switch (pEp->ExceptionRecord->ExceptionCode)
{
case STATUS_ACCESS_VIOLATION:
// If it's a write to read-only memory,
// to the pages that we made read-only...
if ((info[0] == 1) &&
(addr >= AlignedRangeStart) &&
(addr < AlignedRangeStart + AlignedRangeSize))
{
// Restore the original setting
// Make the page range read-write
VirtualProtect((LPVOID)AlignedRangeStart,
AlignedRangeSize,
PAGE_READWRITE,
&dummy);
// If the write is exactly within the requested range,
// call our monitoring callback function
if ((addr >= RangeStart) && (addr < RangeStart + RangeSize))
{
pMonitorFxn(pEp, (void*)addr);
}
// Set FLAGS.TF to trigger a single-step trap after the
// next instruction, which is the instruction that has caused
// this page fault (AKA access violation)
ctx->EFlags |= (1 << 8);
// Execute the faulted instruction again
return EXCEPTION_CONTINUE_EXECUTION;
}
// Don't handle other AVs
goto ContinueSearch;
case STATUS_SINGLE_STEP:
// The instruction that caused the page fault
// has now succeeded writing to memory.
// Make the page range read-only again
VirtualProtect((LPVOID)AlignedRangeStart,
AlignedRangeSize,
PAGE_READONLY,
&dummy);
// Continue executing as usual until the next page fault
return EXCEPTION_CONTINUE_EXECUTION;
default:
ContinueSearch:
// Don't handle other exceptions
return EXCEPTION_CONTINUE_SEARCH;
}
}
// We'll monitor writes to blah[1].
// volatile is to ensure the memory writes aren't
// optimized away by the compiler.
volatile int blah[3] = { 3, 2, 1 };
void WriteToMonitoredMemory(void)
{
blah[0] = 5;
blah[0] = 6;
blah[0] = 7;
blah[0] = 8;
blah[1] = 1;
blah[1] = 2;
blah[1] = 3;
blah[1] = 4;
blah[2] = 10;
blah[2] = 20;
blah[2] = 30;
blah[2] = 40;
}
// This pointer is an attempt to ensure that the function's code isn't
// inlined. We want to see it's this function's code that modifies the
// monitored memory.
void (* volatile pWriteToMonitoredMemory)(void) = &WriteToMonitoredMemory;
void WriteMonitor(LPEXCEPTION_POINTERS pEp, void* Mem)
{
printf("We're about to write to 0x%X from EIP=0x%X...\n",
Mem,
pEp->ContextRecord->Eip);
}
int main(void)
{
printf("&WriteToMonitoredMemory() = 0x%X\n", pWriteToMonitoredMemory);
printf("&blah[1] = 0x%X\n", &blah[1]);
printf("\nstart\n\n");
__try
{
printf("blah[0] = %d\n", blah[0]);
printf("blah[1] = %d\n", blah[1]);
printf("blah[2] = %d\n", blah[2]);
// Start monitoring memory writes
MonitorRange((void*)&blah[1], sizeof(blah[1]));
// Write to monitored memory
pWriteToMonitoredMemory();
// Stop monitoring memory writes
MonitorRange(NULL, 0);
printf("blah[0] = %d\n", blah[0]);
printf("blah[1] = %d\n", blah[1]);
printf("blah[2] = %d\n", blah[2]);
}
__except(ExceptionFilter(GetExceptionInformation(),
&WriteMonitor)) // write monitor callback function
{
// never executed
}
printf("\nstop\n");
return 0;
}
输出(在Windows XP上运行):
&WriteToMonitoredMemory() = 0x401179
&blah[1] = 0x4080DC
start
blah[0] = 3
blah[1] = 2
blah[2] = 1
We're about to write to 0x4080DC from EIP=0x4011AB...
We're about to write to 0x4080DC from EIP=0x4011B5...
We're about to write to 0x4080DC from EIP=0x4011BF...
We're about to write to 0x4080DC from EIP=0x4011C9...
blah[0] = 8
blah[1] = 4
blah[2] = 40
stop
这就是这个想法。
您可能需要对其进行更改以使代码在多个线程中正常工作,使其可以与其他SEH代码(如果有)一起使用,并且具有C++异常(如果适用)。
而且,当然,如果您确实需要它,您可以在写入完成后调用写入监视回调函数。为此,您需要将STATUS_ACCESS_VIOLATION案例中的存储器地址(TLS?)保存起来,以便STATUS_SINGLE_STEP案件可以稍后提取并传递给该函数。
0
或者,您可以使用Page Guards,它们同样会导致访问异常,但会被系统自动清除(一次性)。这些应该也适用于只读内存。
在你的情况下,你仍然需要单步陷阱技巧来重新启用页面防护。
用于例如vkTrace以及潜在的OpenGL/Vulkan持久映射缓冲区驱动程序实现本身。 vkTrace源代码还显示了如何在Linux和Android上执行此类事情。
相关问题
- 1. Nodejs:读取和写入内存地址
- 2. 写入物理内存地址
- 3. 找出写入该地址的内容
- 4. 写入闪存时的跟踪地址
- 5. 是否有可能在Windows中写入任何内存地址
- 6. Linux内核写入()和读取()函数
- 7. 如何写入to_string函数?
- 8. 二进制写入地址
- 9. 调用函数在内存地址x86_x64
- 10. OpenCL是否允许并发写入相同的内存地址?
- 11. 函数和写入程序
- 12. C:“读取:错误的地址”和“写入:错误的地址”
- 13. 如何获取一条机器指令写入的地址?
- 14. 调用C++ vs写入php函数?
- 15. QProcess调用写入函数失败
- 16. gdb&找出什么时候写入内存地址
- 17. 获取函数的内存地址
- 18. 存储MySQL写入内存
- 19. PS3的C++内存写入
- 20. 无法使用winpcap写入DLT_USER0捕获
- 21. Linux写入函数
- 22. 我会如何写入内存?
- 23. 如何将NAudio WaveStream写入内存流?
- 24. 如何将流写入内存流?
- 25. 缓存数据与写入内存表
- 26. 如何查看内核函数和系统调用的地址?
- 27. 如何将一段的起始地址写入ROM中的专用地址
- 28. 如何调用函数,将写入文件,并在该函数内调用其他函数
- 29. 写入共享内存
- 30. 如何将内存中的内容写入数组?
这里有一个相当不错的答案,但我怀疑如果你告诉我们为什么你要这样做,那么可能有一个更简单的解决方案。 –
@Adrian - 我正在研究一种新的编译器和操作系统,并考虑在进程内部进行测试和调试。捕捉写入对于模拟一些简单的设备非常重要。 – tgiphil