| Debugging Tools for Windows |
The engine provides a number of methods for reading and writing the virtual and physical memory of a target.
When specifying a location in the virtual memory of a target, the target's virtual address space is used. In user-mode debugging, this is the virtual address space of the current process. In kernel-mode debugging, this is the virtual address space of the implicit process. See Threads and Processes for more information about the current and implicit process.
The virtual memory (of the target) can be read by using ReadVirtual and written using WriteVirtual.
Pointers in the target's memory can be read and written by using the convenience methods ReadPointersVirtual and WritePointersVirtual. These methods will automatically convert between the 64-bit pointers used by the engine and the native pointers used by the target. These methods are useful when requesting memory that contains pointers that will be used for subsequent requests — for example, a pointer to a string.
The SearchVirtual and SearchVirtual2 methods can be used to search the target's virtual memory for a pattern of bytes.
The FillVirtual method can be used to copy a pattern of bytes, multiple times, to the target's virtual memory.
The target's virtual memory can also be read and written in a way that bypasses the debugger engine's virtual memory cache using the methods ReadVirtualUncached and WriteVirtualUncached. These uncached versions are useful for reading virtual memory that is inherently volatile, such as memory-mapped device areas, without contaminating or invalidating the cache. Uncached memory access should only be used in situations when it is required, as the performance of uncached access can be significantly lower than cached access.
The engine provides some convenience methods to read strings from the target's virtual memory. To read a multibyte string from the target, use ReadMultiByteStringVirtual and ReadMultiByteStringVirtualWide. To read a Unicode string from the target, use ReadUnicodeStringVirtual and ReadUnicodeStringVirtualWide.
To find information about a memory location, use GetOffsetInformation. Not all of the virtual address space in the target contains valid memory. To find valid memory within a region, use GetValidRegionVirtual. When manually searching for valid memory in a target, the method GetNextDifferentlyValidOffsetVirtual will find the next location where the validity may change.
The physical memory can only be directly accessed in kernel-mode debugging.
Physical memory on the target can be read by using ReadPhysical and ReadPhysical2, and written by using WritePhysical and WritePhysical2.
The FillPhysical method can be used to copy a pattern of bytes, multiple times, to the target's physical memory.
An address in the target's virtual address space can be translated to a physical address on the target by using the VirtualToPhysical method. The system's paging structures used to translate a virtual address to a physical address can be found by using GetVirtualTranslationPhysicalOffsets.
When the virtual or physical memory of the target is changed, the IDebugEventCallbacks::ChangeDebuggeeState callback method is called.