
I am building a Memory Scanner to find malware strings in a process. Btw, when I was searching about the VirtualQueryEx dll, I saw that people start its variable `lpAdress` (which is supposed to be the Base Address of the process) with a NULL/0 value

    LPVOID lpAdress = 0;

and in each loop they increase the address value by the size of the page they just read, so that way they go to the next page and can map all of the process's virtual memory

    // mbi is a MEMORY_BASIC_INFORMATION structure filled in by VirtualQueryEx;
    // LPVOID is void*, so cast to a byte pointer before adding the region size
    lpAdress = (LPBYTE)lpAdress + mbi.RegionSize;

So, is `lpAdress` a memory value that treats 0 as the start of the process's own virtual memory, so you don't need to get the actual base address of the process in memory? Sorry if my question looks dumb, but the MSDN documentation is confusing me.

  • Also have a look at [Virtual Address Space (Memory Management)](https://learn.microsoft.com/en-us/windows/win32/memory/virtual-address-space). – YangXiaoPo-MSFT Jul 19 '22 at 05:34
  • The [documentation](https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualqueryex) seems unambiguously clear: *"`lpAddress`: A pointer to the base address of the region of pages to be queried."* If you care about all memory it seems reasonable to start scanning at the lowest possible address: 0. I don't know what *"the Base Address of the process"* is supposed to mean. – IInspectable Jul 19 '22 at 10:19
  • It's because I was thinking about the Base Address as the whole user-space virtual address range, so I was wondering whether, if you start at address 0, you could end up scanning the memory addresses of other processes too. – João P 2018 Jul 19 '22 at 12:39

1 Answer

Each process has its own virtual address space that starts at 0. The various executable files (.exe / .dll / whatever) are loaded either at addresses specified in the file or, more recently, at random addresses for security purposes.

A process can easily have mapped memory regions at addresses lower than where the process executable is loaded. For this reason, if you want to examine a process' entire memory space you need to start at 0.

SoronelHaetir
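The walk the answer describes, as an added example (not code from the question or the answer): the scan starts at address 0 and advances region by region from `mbi.BaseAddress + mbi.RegionSize` until `VirtualQueryEx` fails, which happens once the address is past the end of the process's user address space. The region type, the callback, `walk_regions`, and the constructed sample map are all assumptions of this example; the `query_process` adapter is the only part that touches the real API and only builds on Windows.

```c
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* API-independent view of one region as VirtualQueryEx reports it (assumed type). */
typedef struct { uintptr_t base; size_t size; int committed; } region_t;

/* Fill *out with the region containing addr; return 0 once addr lies past the
   end of the process's user address space (where VirtualQueryEx fails). */
typedef int (*query_fn)(void *ctx, uintptr_t addr, region_t *out);

/* Walk the address space from 0 upward, region by region, like the loop in the
   question. Returns the number of committed regions; stores their byte total. */
size_t walk_regions(query_fn query, void *ctx, size_t *committed_bytes) {
    uintptr_t addr = 0;                 /* lowest possible address, not an image base */
    size_t count = 0, bytes = 0;
    region_t r;
    while (query(ctx, addr, &r)) {
        if (r.committed) { count++; bytes += r.size; }
        uintptr_t next = r.base + r.size;   /* BaseAddress is page-aligned; advance from it */
        if (next <= addr) break;            /* stop on wrap-around at the top of the space */
        addr = next;
    }
    if (committed_bytes) *committed_bytes = bytes;
    return count;
}

/* Constructed sample map (not real data): a 64 KiB free gap at 0, a 16 KiB committed
   block, 4 KiB reserved, 8 KiB committed, then free space ending at 0x20000. */
static const region_t sample_map[] = {
    {0x00000, 0x10000, 0}, {0x10000, 0x4000, 1}, {0x14000, 0x1000, 0},
    {0x15000, 0x2000, 1},  {0x17000, 0x9000, 0},
};
int query_sample(void *ctx, uintptr_t addr, region_t *out) {
    (void)ctx;
    for (size_t i = 0; i < sizeof sample_map / sizeof sample_map[0]; i++)
        if (addr >= sample_map[i].base && addr < sample_map[i].base + sample_map[i].size) {
            *out = sample_map[i]; return 1;
        }
    return 0;                           /* beyond the last region: end of the walk */
}

#ifdef _WIN32
/* Adapter over the real API; ctx is the HANDLE of the target process. */
int query_process(void *ctx, uintptr_t addr, region_t *out) {
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQueryEx((HANDLE)ctx, (LPCVOID)addr, &mbi, sizeof mbi) == 0) return 0;
    out->base = (uintptr_t)mbi.BaseAddress; out->size = mbi.RegionSize;
    out->committed = (mbi.State == MEM_COMMIT);
    return 1;
}
#endif
```

On Windows, `walk_regions(query_process, GetCurrentProcess(), &bytes)` walks the current process; only committed regions (`MEM_COMMIT`) are readable, so a string scanner should skip reserved and free ones.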