How to use HxD to 1) dump RAM from a specified adr 2) search RAM for string?

[Mel_3]

- It has been years since I did ASM programming but thanks to you guys I'm going to get MASM32 up and going this weekend.
- You guys also told me about HxD as a Debugger since the MS Debug command line program is going away with Win7.

I have downloaded and installed HxD and have it up and running... but don't see how to simply...

1) give it an absolute memory address (in either decimal or hex) and have it dump the contents so I can see what is there...

2) give it a character string to search for in the system memory... either a normal string of characters (8bit ASCII) or as Unicode (16 bit... right?)

3a) Finally is the world still working with the old segmented addressing like in the old 80xx processors?
3b) Is there a standard register map that is used today or is it different for all the various Intel type processors?
3c) Or are people using a "virtual" processor with a "virtual" register map?
3d) Where can I find the register map(s) currently used today when doing asm programming?

Finally, if this is not the proper forum for this post let me know but since HxD came up here I thought I'd give it a try.

thanks for any help.

[dedndave]

well - part 3 is where to start   :P

segmented memory is more or less a thing of the past
although, when the OS emulates a 16-bit environment to run DOS programs, it appears to be segmented

since the 80386 (286, really), a typical operating system runs in "protected mode"
this offers layers or "rings" of protection for processes, I/O, and memory
memory is virtualized so that a process operates in 4 Gb of address space (32-bit machines)
with HxD, you can view the memory of a given process - but, not just any memory

the old x86 processor registers have been expanded a bit...



of course, there are segment registers - and more of them
we rarely have to mess with them unless you are writing an OS or, perhaps, a kernel-mode driver of some sort

since the early pentiums, the FPU registers double as MMX registers...


and with the advent of SSE, even more...


recent processors have still more registers

[anunitu]

Dave blinded me with science(nice graphics) :clap:

[dedndave]

google images   :P

[jj2007]

Here s a 64 lines proggie that displays (and writes to disk) a memory dump. If the commandline contains a valid filename, it will be used, otherwise the executable itself, as loaded in memory, will be displayed.

include \masm32\MasmBasic\MasmBasic.inc   ; download
DumpMem   PROTO :DWORD, :DWORD

.code
   db "Hello, this is the code section just before the start label ....", 0

   Init
   .if Exist(CL$())
      Let eax=FileRead$(CL$())
      mov edx, LastFileSize
   .else
      push Lof(CL$(0))   ; assume size of memory block equals disk size
      invoke GetModuleHandle, 0   ; CL$(0): 0th arg of commandline is the executable itself
      pop edx
   .endif
   mov edi, rv(DumpMem, eax, edx)
   FileWrite "tmp.dmp", edi   ; for further processing
   Inkey Left$(edi, 70*260)   ; show some lines on screen
   Exit

DumpMem proc uses esi edi ecx pStart, nBytes
   mov eax, nBytes
   sar eax, 4   ; divide by 16 to get lines
   mov ecx, eax   ; linecounter - we need it below
   inc eax   ; one line extra in case filesize is not a multiple of 16
   imul eax, eax, 70
   Let edi=New$(eax)   ; create a buffer
   push edi
   mov esi, pStart
   .Repeat
      invoke MbCopy, edi, Cat$(Space$(68)+CrLf$), -1   ; create a line
      REPEAT 4
         lodsd   ; grab 4 bytes, and translate them to Hex
         add Hex$(eax), 8   ; Hex$ returns edx, and we start from the right
         REPEAT 4
            sub edx, 2
            movzx eax, word ptr [edx]   ; grab a byte in hex notation
            stosw
            inc edi   ; 4*3=12
         ENDM
         inc edi   ; 4*(12+1)=52
      ENDM
      push esi
      push ecx
      m2m ecx, 16   ; 52+16=68
      sub esi, ecx
      .Repeat
         lodsb
         .if al<32
            mov al, "."   ; replace non-printable chars with dots
         .endif
         stosb
         dec ecx
      .Until Zero?
      pop ecx
      pop esi
      add edi, 2   ; skip CrLf - 68+2=70, size of one line
      dec ecx   ; dec line counter
   .Until Zero?
   pop edi
   xchg eax, edi
   ret
DumpMem endp
end start