t_memory
One of the most important structures, describes memory block in the debugged application. Memory blocks are listed in the sorted data of table memory. Plugins should not attempt to modify memory descriptions directly.
typedef
struct t_memory { // Descriptor of memory block
ulong
base;
// Base address of memory block
ulong
size;
// Size of memory block
ulong
type;
// Service information, TY_xxx+MEM_xxx
int
special;
// Extension of type, one of MSP_xxx
ulong
owner;
// Address of owner of the memory
ulong
initaccess;
// Initial read/write access
ulong
access;
// Actual status and read/write access
ulong
threadid;
// Block belongs to this thread or 0
wchar_t sectname[SHORTNAME]; // Null-terminated section name
uchar
*copy;
// Copy used in CPU window or NULL
uchar
*decode;
// Decoding information or NULL
} t_memory;
Members:
base
Base address of memory block. Most blocks are page-aligned (a Win32 page consists of 409610 = 0x1000 bytes), but in some rare cases OllyDbg may create unaligned blocks. Note that ZwAllocateVirtualMemory()
allows to allocate memory at address 0 (by passing some small base
address which will be rounded down). Routines that check whether memory
is available or not should not assume that base==0 means no memory
size
Size of memory block, bytes. Usually a multiple of the page size, but in some rare cases OllyDbg may create blocks of any size
type
Attributes of memory block, a set of flags TY_xxx combined with the following memory-specific flags:
MEM_CODE - contains image of code section
MEM_DATA - contains image of data section
MEM_SFX - contains self-extractor
MEM_IMPDATA - contains import data
MEM_EXPDATA - contains export data
MEM_RSRC - contains resources
MEM_RELOC - ontains relocation data
MEM_STACK - contains stack of thread with identifier threadid
MEM_STKGUARD - guarding page of the stack (used as a trap when stack grows)
MEM_THREAD - contains data block of thread with identifier threadid
MEM_HEADER - contains DOS/COFF header
MEM_DEFHEAP - contains default heap
MEM_HEAP - contains non-default heap
MEM_NATIVE - contains JIT-compiled native code
MEM_SECTION - section of the executable file (and sectname is usually defined, too)
MEM_GUARDED - guarded memory block (used internally by debugging engine)
MEM_TEMPGUARD - temporarily guarded block (used internally by debugging engine)
Additional information is available in the member special.
Note that if some flag is set, then OllyDbg guarantees its correctness,
but its absence generally does not mean that feature is not present
special
Additional attribute of memory block, one of the following constants:
MSP_NONE - no special attribute
MSP_PEB - contains Process Environment Block
MSP_SHDATA - contains KUSER_SHARED_DATA
MSP_PROCPAR - contains Process Parameters
MSP_ENV - contains Environment
owner
Address of the owning memory block, as reported by VirtualQueryEx() in AllocationBase. Consult Windows API for details
initaccess
A set of flags PAGE_xxx, defined in Windows API, specifies access protection given when memory block was initially allocated
access
A set of flags PAGE_xxx, defined in Windows API, specifies current state of memory block. To fill access, OllyDbg combines State, Protect and Type members of the structure MEMORY_BASIC_INFORMATION returned by VirtualQueryEx()
threadid
Identifier of the thread owning this memory block, or 0 if there is no associated thread or thread is not known to OllyDbg
sectname
Null-terminated
name of the section in the executable file from which this memory block
was mapped. If several sections were merged together by the OllyDbg,
sectname lists names of all participating sections serapated by comma
copy
Pointer to the global backup of the memory block or NULL. If backup is present, its size is the same as the size of memory block. Note that dump windows may have their own, unrelated backups
decode
Decoding information created by the Analyser or NULL. If analysis is present, its size is the same as the size of memory block. Each byte of the analysis data is the combination of flags DEC_xxx. Preferrable way to get analysis data is to call Finddecode()
See
also: