 #2986  by a_d_13
 Sat Oct 09, 2010 7:47 pm
Hello,

MemMAP is a tool inspired by j00ru's KernelMAP (see here). I've written my own version with a couple more interesting features. A list follows:
  • More memory types included (kernel thread stacks and GDI objects)
  • Ability to visualize the memory of a user-mode process
  • Help dialog with description of memory types
  • Refresh feature
When run without arguments, it will display a map of kernel memory. You can visualize a process by running "memmap -p <process id>". To refresh, press F5. To show help, press F1.

The framed area is organized such that the top-left corner is address 0x80000000, and the bottom right corner is 0xFFFFF000 (or, for user-mode processes, 0x00000000 - 0x7FFFF000). Each pixel represents one page of memory (4096 bytes). Below are several screenshots:

When run without arguments, on Windows Vista SP1: [screenshot]

Visualizing Microsoft Visual Studio 2008 (memmap -p 5976): [screenshot]

Help window: [screenshot]

If there's a bug, please let me know! Please note that I offer no guarantees about this program - it does not write to memory, and does not load a kernel-mode driver, but it might still crash a process. Do not run this on any important system.

Thanks,
--AD
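The frame geometry described above (top-left 0x80000000, bottom-right 0xFFFFF000, one pixel per 4096-byte page, rows filled left to right) worked through in code. This is an added example, not MemMAP's own code: it maps addresses to pixels in both directions and paints a list of (base, size, type) regions onto the page grid, rounding unaligned regions outward and clipping anything outside the frame; the region list, type tags and frame width used are constructed.

```python
"""MemMAP-style frame: one pixel per 4096-byte page, top-left is the first
page of the range, bottom-right the last, rows filled left to right.
Added example, not MemMAP's own code; the regions and frame width used in
the tests are constructed for illustration."""
from collections import Counter

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
# Ranges from the post; the upper bound is the base of the last page shown.
KERNEL_RANGE = (0x80000000, 0xFFFFF000)
USER_RANGE = (0x00000000, 0x7FFFF000)

def page_count(rng):
    lo, hi = rng
    return ((hi - lo) >> PAGE_SHIFT) + 1

def addr_to_pixel(addr, rng, width):
    """(x, y) of the pixel that holds `addr` in a frame `width` pixels wide."""
    lo, hi = rng
    if not lo <= addr < hi + PAGE_SIZE:
        raise ValueError("address %#x is outside the frame" % addr)
    idx = (addr - lo) >> PAGE_SHIFT
    return idx % width, idx // width

def pixel_to_addr(x, y, rng, width):
    """Base address of the page drawn at (x, y); inverse of addr_to_pixel."""
    idx = y * width + x
    if not (0 <= x < width and 0 <= y) or idx >= page_count(rng):
        raise ValueError("pixel (%d, %d) is outside the frame" % (x, y))
    return rng[0] + (idx << PAGE_SHIFT)

def rasterize(regions, rng):
    """Paint (base, size, tag) regions, tag in 1..255, into one byte per page.
    Tag 0 = unmapped. Unaligned regions are rounded outward to page
    boundaries and clipped to the frame; a later region overwrites an
    earlier one, so list the finer-grained types last."""
    lo, hi = rng
    frame = bytearray(page_count(rng))
    first_page = lo >> PAGE_SHIFT
    for base, size, tag in regions:
        first = max(base, lo) >> PAGE_SHIFT
        last = min(base + size - 1, hi + PAGE_SIZE - 1) >> PAGE_SHIFT
        for page in range(first, last + 1):  # empty when the region misses the frame
            frame[page - first_page] = tag
    return frame

def page_totals(frame):
    """Pages per tag, ignoring unmapped pages, for a legend or summary line."""
    return {tag: n for tag, n in Counter(frame).items() if tag}
```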
 #2987  by j00ru
 Sat Oct 09, 2010 8:38 pm
Wow, impressive ;>
Glad to see that my project became the inspiration for something even more useful ;D
Bah, I guess it could become the ultimate tool in the context of ASLR protection visualization :)
Do you have plans on sharing the source?

Let me enclose two kernel screenshots from the Windows XP SP3 and Windows Vista SP2 kernels ;)

Windows XP SP3: [screenshot]

Windows Vista SP2: [screenshot]

Overall, good job ;)
 #2990  by EP_X0FF
 Sun Oct 10, 2010 3:24 am
Looks cool :)
 #18692  by Doctor
 Mon Mar 25, 2013 5:23 pm
Hello,
First of all, thank you for sharing this.
I have downloaded your .zip file. It runs, but only shows me 3 features in red at the bottom, nothing more. Did I do something wrong, or not do something?

Sorry for this deplorable English.
Thanks,
D.
 #18693  by EP_X0FF
 Tue Mar 26, 2013 9:14 am
Doctor wrote: Hello,
First of all, thank you for sharing this.
I have downloaded your .zip file. It runs, but only shows me 3 features in red at the bottom, nothing more. Did I do something wrong, or not do something?

Sorry for this deplorable English.
Thanks,
D.
I assume you're running on x64 OS. I don't think it was designed to be compatible with x64.
 #18898  by Doctor
 Wed Apr 10, 2013 8:21 pm
Hello, thank you for your answer, and sorry for this late reply.
That is really a shame.
May I ask one last question, if it does not disturb you?
Do you think this kind of application could be transformed to be used with software like Processing?

I thank you

D.