OllyDbg full tutorial: memory map window [Memory Map window]

Source: Internet
Author: User
10. Memory map window [Memory Map window]

The memory map window displays all memory blocks allocated by the debugged program. Because there is no standard way to do this, OllyDbg may divide a large memory block into several parts. In most cases, however, exact resolution is not necessary. If you want to view the list of memory blocks that the application requested by calling GlobalAlloc() and LocalAlloc(), use the Heap list.

If the memory block is a section of an executable module, OllyDbg reports the type of data the block contains, such as code, data, or resources.

Windows 95/98 differs from Windows NT/2000. Under Windows 95/98, OllyDbg cannot display the names of mapped files. In addition, Windows 95/98 does not allow any access types other than read and write. Under Windows NT/2000 there are more possibilities, including execute access, copy-on-write, and the guard flag. OllyDbg ignores the copy-on-write attribute.

If OllyDbg finds that the program has allocated new memory or reallocated existing memory blocks, it highlights the corresponding records in the memory map window. To remove the highlighting, choose Refresh [Actualize] from the shortcut menu.

You can open the memory map window by pressing Alt+M.

The following menu items can be selected from the shortcut menu:

Refresh [Actualize] - updates the list of allocated memory and removes the highlighting from new memory blocks.

View in Disassembler [View in Disassembler] - opens the memory block in the Disassembler window. This option is available only when the memory block belongs to a module and contains executable code or a self-extractor.

View in CPU data window [Dump in CPU] - displays the memory block content in the CPU data window.

Data window [Dump] - displays the memory block content in a separate window. If the type of the memory block is known, OllyDbg automatically selects the display format.

View all resources [View all resources] - if the memory block contains resource data, lists all resources and related data. OllyDbg does not support resources as separate entities; you can display and edit their data in binary format.

View resource strings [View resource strings] - if the memory block contains resource data, lists all resource strings and their identifiers.

Search [Search] - searches all memory blocks for a matching binary string, starting from the selection. If a match is found, OllyDbg displays the memory block in a data window. The memory map window and the data window share the same search pattern, so you can continue searching for the next occurrence of the binary string in the data window that pops up. Press Esc to close the data window.

Search next [Search next] (shortcut: Ctrl+L) - continues the last search.

Set break-on-access [Set break-on-access] (shortcut: F2, available only under Windows NT/2000) - protects the entire memory block. When the break occurs, OllyDbg pauses the debugged program and clears the breakpoint. This type of breakpoint is especially useful when you want to catch calls or returns to a module.

Remove break-on-access [Remove break-on-access] (shortcut: F2) - removes the break-on-access protection from the memory block.

Set memory breakpoint on access [Set memory breakpoint on access] - sets a breakpoint on the entire memory block. The program is interrupted whenever the memory block is accessed. OllyDbg supports only one memory access breakpoint. Under Windows 95/98, the debugged program may crash when system code accesses a memory block that contains a memory breakpoint. Therefore, do not set this breakpoint unless necessary.

Set memory breakpoint on write [Set memory breakpoint on write] - sets a breakpoint on the entire memory block. The program is interrupted whenever the memory block is written to. Under Windows 95/98, the debugged program may crash when system code accesses a memory block that contains a memory breakpoint. Therefore, do not set this breakpoint unless necessary.

Remove memory breakpoint [Remove memory breakpoint] - removes the memory breakpoint.

Remove SFX memory breakpoint [Remove SFX memory breakpoint] - stops the search for the real entry of a self-extracting [self-extractable (SFX)] program. This search uses a special type of memory breakpoint.

Set access [Set access] - sets the protection attributes of the entire memory block. Options include:

Access prohibited [no access]
Read-Only [Read Only]
Read/write [read/write]
Execute [execute]
Execute/read [execute/read]
Full access [full access]

Copy to clipboard [copy to clipboard]

Whole line [Whole line] - copies the selected record to the clipboard as multi-line text (including explanations). To exclude a column from the copy, reduce its width to the minimum (the remaining border of the column will be grayed out).

Whole table [Whole table] - copies the entire memory map to the clipboard as multi-line text. The first line of the text contains the window title ("Memory map"), the second line contains the column titles, and each following line is one memory record. The copy preserves the column widths. To exclude a column from the copy, reduce its width to the minimum (the remaining border of the column will be grayed out).
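
The one-shot behaviour described for Set break-on-access above (protect the whole block, pause on the first access, then clear the breakpoint) can be reproduced on Linux with page protection and a fault handler. This is an added example, not OllyDbg code and not part of the original tutorial; it assumes a POSIX system, and the function name `one_shot_access_break` and the two-page block are illustrative choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                     /* MAP_ANONYMOUS, siginfo_t */
#endif
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static unsigned char *g_block;          /* the watched "memory block" */
static size_t g_len;
static volatile sig_atomic_t g_hits;
static void *volatile g_fault;

/* Debugger's role: record the access, then clear the breakpoint by
 * restoring normal protection so the faulting instruction is retried. */
static void on_access(int sig, siginfo_t *info, void *ctx)
{
    (void)sig; (void)ctx;
    unsigned char *a = info->si_addr;
    if (a < g_block || a >= g_block + g_len)
        _exit(2);                       /* unrelated fault: do not mask it */
    g_hits++;
    g_fault = a;
    mprotect(g_block, g_len, PROT_READ | PROT_WRITE);
}

/* Arms a one-shot break over a two-page block, accesses byte `off` twice,
 * and returns the number of breaks that fired, or -1 on error. */
int one_shot_access_break(size_t off, size_t *hit_off)
{
    g_len = (size_t)sysconf(_SC_PAGESIZE) * 2;
    if (off >= g_len) return -1;
    g_block = mmap(NULL, g_len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_block == MAP_FAILED) return -1;
    struct sigaction sa = {0}, old;
    sa.sa_sigaction = on_access;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, &old);
    g_hits = 0;
    mprotect(g_block, g_len, PROT_NONE);    /* "set break-on-access" */
    volatile unsigned char *p = g_block;
    p[off] = 0x41;                      /* first access: the break fires */
    unsigned char seen = p[off];        /* second access: already cleared */
    sigaction(SIGSEGV, &old, NULL);
    *hit_off = (size_t)((unsigned char *)g_fault - g_block);
    munmap(g_block, g_len);
    return seen == 0x41 ? (int)g_hits : -1;
}
int main(void) { size_t o; printf("%d\n", one_shot_access_break(4100, &o)); return 0; }
```

Protection is applied per page, so the break covers the entire block rather than a single address, and only the first of the two accesses is caught.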
