Monitoring Accesses To Structures
Finding the writers and readers of memory
Have you ever tried to discover what functions read or write on a portion of memory?
Hardware debug registers have limitations: there are only four of them, and each one can only cover a small size (4, 2, 1).
Imagine the nt!_EPROCESS of a process is located at 0xffff83811f265040 and, in the current version of Windows, the size of nt!_EPROCESS is 0xa40. We can conclude that this structure spans from 0xffff83811f265040 to 0xffff83811f265040 + 0xa40 = 0xffff83811f265a80.
If we want to break on any read/write to this structure, we use the following command.
If we want to create a log of the RIP(s) that try to write to the nt!_EPROCESS of that particular process, we use the following command.
If we want to monitor RIP(s) for reading (not writing), we use the following command.
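As an added example (not text from the original page), here are the three operations described above written as HyperDbg `!monitor` commands over the range computed for this nt!_EPROCESS. The first command breaks on any read or write to the structure, the second logs the RIP of every instruction that writes to it, and the third logs the RIP of every instruction that reads from it. The `!monitor` syntax and the `script { printf(...) }` logging clause with `@rip` are assumed from HyperDbg's `!monitor` command, not taken from this page.

```text
!monitor rw ffff83811f265040 ffff83811f265a80

!monitor w ffff83811f265040 ffff83811f265a80 script { printf("write to _EPROCESS from RIP: %llx\n", @rip); }

!monitor r ffff83811f265040 ffff83811f265a80 script { printf("read from _EPROCESS from RIP: %llx\n", @rip); }
```

The `0x` prefix is dropped because HyperDbg interprets addresses as hexadecimal by default; the logged RIP values can then be resolved to their owning functions to see which code touches the structure.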