Here is the story of a problem I had yesterday using the Ollydbg exported function Findmemory.
I’m writing an Ollydbg v2 plugin and at some point I need to access the list of all the allocated memory blocks. To do this I decided to call the function I mentioned, which has a simple prototype:
t_memory * Findmemory(ulong addr);
If the function succeeds, the return value is a pointer to the descriptor of the memory block to which this address belongs. If it fails, the return value is NULL.
Needless to say, I got a lot of negative results, but the memory block containing the address I passed to the function exists in the memory map output produced by Ollydbg. That’s the problem!
I have no idea about the strategy used by Findmemory, but it should scan all the memory blocks trying to locate the right one. So, I decided to do the same using this piece of code:
The snippet produces this scenario:
Three windows representing: the code inside the allocated memory block, all the memory blocks inside memory map window and the log produced by my script. As you can see the block inside the red selection exists but seems like it’s not inside the memory list scanned by the above snippet. There are some discrepancies between all the memory blocks because most of them are deallocated/allocated but the 30000/31000 memory block still exists in memory, so the question is: how is it possible?
I limited my investigation to Ollydbg’s help available at http://www.ollydbg.de/Help/ and as far as I’ve seen there’s no mention of a behaviour like this one. I decided to avoid the problem by searching for an alternative method, and while I was inspecting Ollydbg’s available API I stumbled on Listmemory. The function is included in the memory functions list but it doesn’t have a direct help page; the only thing I have is the prototype:
stdapi (int) Listmemory(void);
I decided to give it a try by calling the function before the one I’m interested in:
lm = Listmemory();
mem = Findmemory(_address);
Well, this time the memory block was found!
I don’t know exactly what the purpose of the function is, and I don’t know if this method represents the right way to solve my problem, but if you want an updated memory list I suggest you try calling Listmemory.
I haven’t searched through the net a lot, and I haven’t seen a single page related to this problem. If you have some more information about Listmemory I’ll gladly exchange opinions about it.