DarkstaR
07-09-2017, 12:49 PM
Greetings,
My name is Nick. I'm giving a talk at DEFCON this year on a memory scanner I've written called XenoScan, and I'll be giving a live demo on it's extensiblity by running memory scans again games using the Dolphin emulator.
When trying to figure out my implementation, I though of all kinds of hacks to get this working (without, of course, recompiling Dolphin with changes). After considering things like automating the presses of the memory dump buttons, scanning memory maps for ones which match the size and protection which would be expected for emulator memory chunks, and using the memory watcher on every conceivable address, I came up with a more elegant solution: shared memory.
I've written a binary patch for Dolphin 5 on Windows which essentially changes:
to:
allowing me to grab a handle to the memory from another process. You'll notice the shared memory name I'm using seems odd; that's just due to trying to keep the patch simple and using an existing string.
Anyways, my goal here is to find out if there's a process by witch I can submit a patch for version 5 (rather than the current dev line) to make this a native part. AFAIK, this is already the case on OSX, as memory maps cannot by anonymous.
I'll gladly submit the commit myself, I'm just unaware of the process or if there even is one. Regardless, it's as simple as changing:
to
Which allows everything to work exactly as it does now, provided cleanup always happens properly (otherwise, a dangling map can exist, but it's still not a problem unless PID reuse occurs).
Thanks for taking the time to read. If you're more interested in my approach, you can see the detailed write up in my commit here. Ultimately, my patch works for me, but I'd like it to work for others, too, and this is a great way to add a memory API that relies on nothing but the inner workings of the OS.
My name is Nick. I'm giving a talk at DEFCON this year on a memory scanner I've written called XenoScan, and I'll be giving a live demo on it's extensiblity by running memory scans again games using the Dolphin emulator.
When trying to figure out my implementation, I though of all kinds of hacks to get this working (without, of course, recompiling Dolphin with changes). After considering things like automating the presses of the memory dump buttons, scanning memory maps for ones which match the size and protection which would be expected for emulator memory chunks, and using the memory watcher on every conceivable address, I came up with a more elegant solution: shared memory.
I've written a binary patch for Dolphin 5 on Windows which essentially changes:
Code:
hMemoryMapping = CreateFileMapping(INVALID_HANDLE_VALUE, nullptr, PAGE_READWRITE, 0, (DWORD)(size), nullptr);to:
Code:
hMemoryMapping = CreateFileMapping(INVALID_HANDLE_VALUE, nullptr, PAGE_READWRITE, 0, (DWORD)(size), L"Dolphin Direct3D 11 backend");allowing me to grab a handle to the memory from another process. You'll notice the shared memory name I'm using seems odd; that's just due to trying to keep the patch simple and using an existing string.
Anyways, my goal here is to find out if there's a process by witch I can submit a patch for version 5 (rather than the current dev line) to make this a native part. AFAIK, this is already the case on OSX, as memory maps cannot by anonymous.
I'll gladly submit the commit myself, I'm just unaware of the process or if there even is one. Regardless, it's as simple as changing:
Code:
hMemoryMapping = CreateFileMapping(INVALID_HANDLE_VALUE, nullptr, PAGE_READWRITE, 0, (DWORD)(size), nullptr);to
Code:
std::string file_name = StringFromFormat("dolphinmem.%d", GetCurrentProcessId());
hMemoryMapping = CreateFileMappingA(INVALID_HANDLE_VALUE, nullptr, PAGE_READWRITE, 0, (DWORD)(size), file_name.c_str());Which allows everything to work exactly as it does now, provided cleanup always happens properly (otherwise, a dangling map can exist, but it's still not a problem unless PID reuse occurs).
Thanks for taking the time to read. If you're more interested in my approach, you can see the detailed write up in my commit here. Ultimately, my patch works for me, but I'd like it to work for others, too, and this is a great way to add a memory API that relies on nothing but the inner workings of the OS.