This method is based on ProcessWorkingSetWatch.
(On Windows, memory that a program allocates through the API is not touched by the system itself, so any access to such a page comes from the program or from something else.)
First, look at the structure involved:
typedef union _PSAPI_WORKING_SET_BLOCK {
    ULONG_PTR Flags;
    struct {
        ULONG_PTR Protection : 5;
        ULONG_PTR ShareCount : 3;
        ULONG_PTR Shared : 1;
        ULONG_PTR Reserved : 3;
#if ...
        ULONG_PTR VirtualPage : 52;
#else
        ULONG_PTR VirtualPage : 20;
#endif
    };
} PSAPI_WORKING_SET_BLOCK, *PPSAPI_WORKING_SET_BLOCK;
Members
Flags
The working set information. See the description of the structure members for information about the layout of this variable.
Protection
The protection attributes of the page. This member can be one of the following values.
Value  Meaning
0      The page is not accessed.
1      Read-only.
2      Executable.
3      Executable and read-only.
4      Read/write.
5      Copy-on-write.
6      Executable and read/write.
7      Executable and copy-on-write.
8      The page is not accessed.
9      Non-cacheable and read-only.
10     Non-cacheable and executable.
11     Non-cacheable, executable, and read-only.
12     Non-cacheable and read/write.
13     Non-cacheable and copy-on-write.
14     Non-cacheable, executable, and read/write.
15     Non-cacheable, executable, and copy-on-write.
16     The page is not accessed.
17     Guard page and read-only.
18     Guard page and executable.
19     Guard page, executable, and read-only.
20     Guard page and read/write.
21     Guard page and copy-on-write.
22     Guard page, executable, and read/write.
23     Guard page, executable, and copy-on-write.
24     The page is not accessed.
25     Non-cacheable, guard page, and read-only.
26     Non-cacheable, guard page, and executable.
27     Non-cacheable, guard page, executable, and read-only.
28     Non-cacheable, guard page, and read/write.
29     Non-cacheable, guard page, and copy-on-write.
30     Non-cacheable, guard page, executable, and read/write.
31     Non-cacheable, guard page, executable, and copy-on-write.
ShareCount
The number of processes that share this page. The maximum value of this member is 7.
Shared
If this bit is 1, the page is sharable; otherwise, the page is not sharable.
Reserved
This member is reserved.
VirtualPage
The address of the page in the virtual address space.
The Protection member is the important one: it gives the page's working-set state, which includes whether the page has been accessed at all.
The PDE and PTE also carry the A (accessed) and D (dirty) bits, which record whether the page has been accessed and whether it has been written to, respectively.
But ProcessWorkingSetWatch most likely does not work by inspecting the PDE/PTE; it reports page faults instead (see below):
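The following is an added example, not code from the original post, showing how to pull the fields out of a PSAPI_WORKING_SET_BLOCK.Flags word with shifts and masks (so the decoding does not depend on the compiler's bitfield ordering) and how to use the "not accessed" protection classes 0, 8, 16 and 24 to find pages of a region that are present in the working set even though the program never touched them. The buffer layout mirrors what QueryWorkingSet returns (entry count first, then one Flags word per page); the sample buffer, addresses and protection values are constructed here, and ws_make_block only exists to build that sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

/* Bit layout of PSAPI_WORKING_SET_BLOCK.Flags: Protection bits 0-4,
 * ShareCount bits 5-7, Shared bit 8, Reserved bits 9-11, VirtualPage
 * from bit 12 upward (the virtual page number, so VirtualPage << 12 is
 * the page address on 4 KiB pages). */
#define WS_PROTECTION(f)   ((unsigned)((f) & 0x1Fu))
#define WS_SHARE_COUNT(f)  ((unsigned)(((f) >> 5) & 0x7u))
#define WS_SHARED(f)       ((unsigned)(((f) >> 8) & 0x1u))
#define WS_PAGE_SHIFT      12
#define WS_PAGE_ADDRESS(f) ((uintptr_t)((f) >> WS_PAGE_SHIFT) << WS_PAGE_SHIFT)

/* Protection value decoded into the attributes listed in the table above. */
typedef struct {
    bool accessed;       /* low 3 bits non-zero; 0, 8, 16, 24 mean "not accessed" */
    bool executable;
    bool writable;       /* read/write or copy-on-write */
    bool copy_on_write;
    bool non_cacheable;  /* bit 3 */
    bool guard;          /* bit 4 */
} ws_prot_t;

ws_prot_t ws_decode_protection(unsigned prot)
{
    ws_prot_t p;
    unsigned cls = prot & 0x7u;   /* 1 RO, 2 X, 3 XR, 4 RW, 5 WC, 6 XRW, 7 XWC */
    p.accessed      = cls != 0;
    p.executable    = (cls & 0x2u) != 0;
    p.writable      = (cls & 0x4u) != 0;
    p.copy_on_write = (cls & 0x5u) == 0x5u;
    p.non_cacheable = (prot & 0x8u) != 0;
    p.guard         = (prot & 0x10u) != 0;
    return p;
}

/* Build a Flags word the way QueryWorkingSet would hand it back.
 * Only used here to construct sample data. */
uintptr_t ws_make_block(uintptr_t page_addr, unsigned prot,
                        unsigned share_count, unsigned shared)
{
    return ((page_addr >> WS_PAGE_SHIFT) << WS_PAGE_SHIFT)
         | ((uintptr_t)(shared & 1u) << 8)
         | ((uintptr_t)(share_count & 7u) << 5)
         | (uintptr_t)(prot & 0x1Fu);
}

/* Scan a QueryWorkingSet-style buffer (buf[0] = NumberOfEntries, then one
 * Flags word per page) and return how many pages inside [start, start+len)
 * are resident with an "accessed" protection class. Their page addresses
 * are copied to out[] (up to out_max). For a region the program allocated
 * but never touched, a non-zero result means someone else touched it. */
size_t ws_touched_pages_in(const uintptr_t *buf, uintptr_t start, size_t len,
                           uintptr_t *out, size_t out_max)
{
    size_t n = (size_t)buf[0], found = 0;
    for (size_t i = 1; i <= n; i++) {
        uintptr_t addr = WS_PAGE_ADDRESS(buf[i]);
        if (addr < start || addr >= start + len) continue;
        if (!ws_decode_protection(WS_PROTECTION(buf[i])).accessed) continue;
        if (out && found < out_max) out[found] = addr;
        found++;
    }
    return found;
}

int main(void)
{
    /* Constructed sample: a 16 KiB region at 0x10000000 that the program
     * allocated and never touched. Two of its pages are in the working set
     * anyway; one code page outside the region is listed as well. */
    const uintptr_t region = 0x10000000u;
    uintptr_t buf[4];
    buf[0] = 3;
    buf[1] = ws_make_block(region + 0x1000, 4, 1, 0);   /* read/write, touched */
    buf[2] = ws_make_block(0x00400000u, 3, 2, 1);      /* code page, outside region */
    buf[3] = ws_make_block(region + 0x3000, 1, 1, 0);   /* read-only, touched */

    uintptr_t hits[4];
    size_t n = ws_touched_pages_in(buf, region, 0x4000, hits, 4);
    printf("%zu page(s) of the untouched region are in the working set\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %#lx\n", (unsigned long)hits[i]);
    return 0;
}
```

On a real process the buffer comes from QueryWorkingSet (psapi); pages the program itself touched must be excluded before treating a hit as foreign, otherwise the program's own initialization of the region shows up as an access.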
typedef struct _PSAPI_WS_WATCH_INFORMATION {
    LPVOID FaultingPc;
    LPVOID FaultingVa;
} PSAPI_WS_WATCH_INFORMATION, *PPSAPI_WS_WATCH_INFORMATION;
Members
FaultingPc
A pointer to the instruction that caused the page fault.
FaultingVa
A pointer to the page that was added to the working set.
The drawback of ProcessWorkingSetWatch is that it only reports the first access to a page; once the page is in the working set, later accesses produce no record.
For writes, however, you can set MinimumWorkingSetSize and MaximumWorkingSetSize to reset the pages' working-set state, so that the pages fault again and the writes are detected.
In testing,
reads and writes performed from the kernel through NtReadVirtualMemory, NtWriteVirtualMemory and MDL mappings were all detected.
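An added example, not part of the original post, of the consumer side of the watch: it walks an array of PSAPI_WS_WATCH_INFORMATION records (mirrored here as ws_watch_record_t), keeps only faults whose FaultingVa falls in the monitored region, and splits those into faults taken by the program's own code and faults whose FaultingPc lies outside the program's image. The policy that "a fault on a watched page with a PC outside our own image is foreign" is this example's assumption, as is stopping at the first record with both fields NULL; the record array, the image and region addresses and the high kernel-range PC are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Mirror of PSAPI_WS_WATCH_INFORMATION as filled in by GetWsChanges. */
typedef struct {
    void *FaultingPc;   /* instruction that took the page fault */
    void *FaultingVa;   /* page that was added to the working set */
} ws_watch_record_t;

/* Monitored buffer plus the address range of the program's own image.
 * Assumption: a fault on a watched page whose FaultingPc is not inside the
 * image did not come from the program's own code. */
typedef struct {
    uintptr_t region_start, region_len;
    uintptr_t image_start,  image_len;
} ws_watch_policy_t;

typedef struct {
    size_t faults_in_region;   /* records whose FaultingVa hit the region */
    size_t foreign_faults;     /* of those, FaultingPc outside our image */
    void  *first_foreign_pc;   /* PC of the first foreign fault, or NULL */
} ws_watch_verdict_t;

static bool in_range(uintptr_t a, uintptr_t start, uintptr_t len)
{
    return a >= start && a - start < len;
}

/* Walk at most max records; stop early at an all-NULL record (assumed
 * terminator). FaultingVa is page-aligned before the range check. */
ws_watch_verdict_t ws_watch_scan(const ws_watch_record_t *recs, size_t max,
                                 const ws_watch_policy_t *pol)
{
    ws_watch_verdict_t v = {0, 0, NULL};
    for (size_t i = 0; i < max; i++) {
        if (recs[i].FaultingPc == NULL && recs[i].FaultingVa == NULL) break;
        uintptr_t va = (uintptr_t)recs[i].FaultingVa & ~(uintptr_t)0xFFFu;
        if (!in_range(va, pol->region_start, pol->region_len)) continue;
        v.faults_in_region++;
        uintptr_t pc = (uintptr_t)recs[i].FaultingPc;
        if (!in_range(pc, pol->image_start, pol->image_len)) {
            if (v.first_foreign_pc == NULL) v.first_foreign_pc = recs[i].FaultingPc;
            v.foreign_faults++;
        }
    }
    return v;
}

/* Constructed placeholder for a kernel-range PC (not a real address). */
#define SAMPLE_KERNEL_PC ((void *)(~(uintptr_t)0 - 0x1000u))

/* Builds a constructed record set and returns the verdict for it. */
ws_watch_verdict_t ws_watch_sample(void)
{
    ws_watch_policy_t pol = { 0x10000000u, 0x4000, 0x00400000u, 0x10000 };
    ws_watch_record_t recs[] = {
        { (void *)0x00401234u, (void *)0x10000000u },  /* our own init of page 0 */
        { SAMPLE_KERNEL_PC,    (void *)0x10002010u },  /* fault in page 2, PC not ours */
        { (void *)0x00405000u, (void *)0x00800000u },  /* outside the region, ignored */
        { NULL, NULL },                                /* terminator */
        { (void *)0x00401000u, (void *)0x10003000u },  /* must not be counted */
    };
    return ws_watch_scan(recs, sizeof recs / sizeof recs[0], &pol);
}

int main(void)
{
    ws_watch_verdict_t v = ws_watch_sample();
    printf("%zu fault(s) in region, %zu from outside our image\n",
           v.faults_in_region, v.foreign_faults);
    if (v.first_foreign_pc)
        printf("first foreign PC: %p\n", v.first_foreign_pc);
    return 0;
}
```

On Windows the records come from InitializeProcessForWsWatch followed by GetWsChanges on the process handle (psapi). Because a page only faults once while it stays resident, the post's trick of lowering the working-set limits (the Win32 wrapper for those two QUOTA_LIMITS fields is SetProcessWorkingSetSize) is what makes a second access to the same page show up again.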
Postscript: I think that setting a certain member in some structure can also initialize the access state of memory pages.