Home/ Questions/Q 7708035
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T00:30:30+00:00

On Windows (preferably XP) is it generally possible to suspend a process when it

  • 0

On Windows (preferably XP) is it generally possible to suspend a process when it is writing at a specific address (in it’s virtual address space) ?

The problem is complicated by the fact that loaded DLLs perform the write operation and not code in the (PE) image of the process itself.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can protect the page containing address of interest with VirtualProtect and PAGE_GUARD or other options and have an exception hit on address write. Such exception can be handled by unhandled exception filter (it depends, the application might be handling it itself), or by out of process debugger application, such as well known debugger or custom application debugging process through API.

    The debugger application can suspend the process if necessary, or take a minidump with a snapshot. See MSDN EXCEPTION_DEBUG_EVENT for details:

    Generated whenever an exception occurs in the process being debugged.
    Possible exceptions include attempting to access inaccessible memory,
    executing breakpoint instructions, attempting to divide by zero, or
    any other exception noted in Structured Exception Handling.

    The DEBUG_EVENT structure contains an EXCEPTION_DEBUG_INFO structure.
    This structure describes the exception that caused the debugging
    event.

    • 0