C# / WinAPI - Monitoring a Memory Region

Question

I was wondering if there is a way to monitor a particolar memory region for changes. I'm using the following method in order to open a process and obtain a collection of its used memory regions:

internal static MemoryProcess OpenProcess(Process process)
{
    IntPtr processHandle = OpenProcess(ProcessAccess.Desided, true, (UInt32)process.Id);

    if (processHandle == IntPtr.Zero)
        return null;

    IntPtr processAddress = new IntPtr();
    List<MemoryRegion> memoryRegions = new List<MemoryRegion>();

    while (true)
    {
        MemoryBasicInformation info = new MemoryBasicInformation();

        if (VirtualQueryEx(processHandle, processAddress, out info, MemoryBasicInformation.Size) == 0)
            break;

        if (info.Allocation.HasFlag(MemoryAllocation.Commit) && info.Type.HasFlag(MemoryType.Private) && ((info.Protection & MemoryProtection.Readable) != 0) && ((info.Protection & MemoryProtection.Protected) == 0))
            memoryRegions.Add(new MemoryRegion(info.BaseAddress, info.RegionSize));

        processAddress = new IntPtr(info.BaseAddress.ToInt64() + info.RegionSize.ToInt64());
    }

    if (memoryRegions.Count == 0)
    {
        CloseHandle(processHandle);
        return null;
    }

    return (new MemoryProcess(processHandle, memoryRegions));
}

I saw a lot of applications doing this. Cheat Engine is one of them. Let's say I open a Google Chrome Tab process and I search and find a specific value (the string "stackoverflow") within it's memory:

Now, i use that tab to browse another, completely different, website and I see those address values changing:

Last step: I close that Chrome tab killing its corresponding process:

So... of course there MUST be a sort of monitoring for memory regions. And, in fact, there is:

Using Process.Exited event is not enough to achieve a real time update of memory addresses values I think... so, how can I do that?

Answer 1

If you can intercept VirtualAlloc called in target application, and combined MEM_WRITE_WATCH to original flags, system will keep track of this allocated memory region, then you can call the GetWriteWatch function to retrieve the addresses of the pages that have been written to since the region has been allocated or the write-tracking state has been reset. This looks a lot of work to do though.