Cheat Engine

CatNoCat · How do I cheat? Reputation: 0 Joined: 23 Feb 2024 Posts: 2

Hello,
What is the difference between QueryVirtualMemory and dbk_QueryVirtualMemory?
Is dbk_QueryVirtualMemory just using ZwQueryVirtualMemory from kernel mode?
Thanks ahead

Dark Byte · Posted: Fri Feb 23, 2024 1:23 pm Post subject:

dbk_QueryVirtualMemory scans the pagetable layout of the target process(cr3 register) and builds a results that matcjes the result of virtualQueryEx

this is why it can't scan memory that is paged out , which shouldn't be an issue most of the time as usually you scan for things that are actively used by game

CatNoCat · How do I cheat? Reputation: 0 Joined: 23 Feb 2024 Posts: 2

Thank your for your response.
I'm asking because I'm not gettin a result that matches NtVirtualQuery.
When scanning the memory regions with NtQueryVirtualMemory I got the following results:
address, AllocatopnProtect, State, Protect, Type, Size
7ff60c510000 Execute+Read, Commit, Execute+Read, Mapped, 1DD0000

When scanning memory regions with dbg_QueryVirtualMemory I got the results of:
address, AllocatopnProtect, State, Protect, Type, Size
7ff60c510000 Execute+Read, Commit, Execute+Read, Private, 1DD3000

So, I'm wondering why the results are not the same...
Do you have any assumption why the region size may differ when using dbg_QueryVirtualMemory?

Dark Byte · Posted: Fri Feb 23, 2024 3:47 pm Post subject:

as i said in my previous post, it only finds paged in memory. If a block has been paged out to disk it won't be found. (E.g if the function you're interested in hasn't been executed yet, it may not be present in RAM yet)