Help/Support Any way to backtrace a memory address or file access?

infernusdoleo · January 3, 2016

The next step in my project is to see where items are loaded into memory. The app loads data from encrypted binary files on disk. Once the app is up and running, I can see the data, somewhat*, in memory by using iGG to search for some of it. What I'd really like to see is what functions are loading it into memory. My end goal is to find the array structure for the data. I think the best way to do this is to breakpoint or hook the loading functions and see whats happening. Problem is, I don't know what is loading it exactly.

If I have a memory location, is there any way at all to see WHAT put it there? The location is different each time I run the app, and it's not ASLR different, even accounting for that it's in a different area, so I can't use that. So I can't find it until after it's there.

Another option is to breakpoint in some way on file access, but as far as I'm aware thats not possible.

Or maybe some other alternative?

* What I mean by I can see it 'somewhat' is that the data is loaded into multiple locations. For example, I'm trying to find an item number 1234567, and when iGG searches for it, it finds it 17 times. So manually poking around each memory location trying to figure out any sort of structure would be a huge amount of work. Tracing the info would be easier. If possible.