Nagi

Reputation: 137

How can I detect that memory data has changed?

I am studying Windows programming, and I have some questions.

I saw a security module that defends memory data. If one process is going to change another process's memory, it detects this and turns off the process.

This is often used in anti-cheat engines in games or in bank application programs (I live in Korea, so I think this is the best example of this. Almost every online game or bank application has a self-defence algorithm).

My question is: are there any APIs or functions that detect this?

Thanks.

P.S. I can give an example:

Suppose the memory data at 0x01000000 is 'A' and some different process changes it to 'B'. When I first thought about this, I thought that I would have to make a thread to check the data and, if it changes, turn off the process. But I think this is not a good idea. Any suggestions?

Upvotes: 2

Views: 3605
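
The polling check described in the question's P.S., as an added example that is not part of the original post or its answers: a baseline hash per 64-byte block lets a checker thread report which block changed. `region_guard`, `guard_init`, `guard_check` and the block size are hypothetical names and values chosen for illustration, and the buffer in `main` is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK ((size_t)64)  /* bytes hashed per block (assumed granularity) */
#define MAX_BLOCKS 64       /* guard covers at most BLOCK * MAX_BLOCKS bytes */
typedef struct {
    const unsigned char *base;
    size_t len, nblocks;
    uint64_t digest[MAX_BLOCKS];  /* baseline hash of each block */
} region_guard;

/* FNV-1a: fast but NOT cryptographic; it detects change, not forgery. */
static uint64_t fnv1a(const unsigned char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    while (n--) { h ^= *p++; h *= 1099511628211ULL; }
    return h;
}
/* Length of block i; the last block may be shorter than BLOCK. */
static size_t block_len(const region_guard *g, size_t i) {
    size_t rest = g->len - i * BLOCK;
    return rest < BLOCK ? rest : BLOCK;
}

/* Record the baseline. Returns 0, or -1 if the region is empty or too large. */
int guard_init(region_guard *g, const void *base, size_t len) {
    if (len == 0 || len > BLOCK * MAX_BLOCKS) return -1;
    g->base = base; g->len = len;
    g->nblocks = (len + BLOCK - 1) / BLOCK;
    for (size_t i = 0; i < g->nblocks; i++)
        g->digest[i] = fnv1a(g->base + i * BLOCK, block_len(g, i));
    return 0;
}

/* Returns the index of the first modified block, or -1 if the region is intact. */
long guard_check(const region_guard *g) {
    for (size_t i = 0; i < g->nblocks; i++)
        if (fnv1a(g->base + i * BLOCK, block_len(g, i)) != g->digest[i])
            return (long)i;
    return -1;
}

int main(void) {
    unsigned char data[256];            /* constructed sample region */
    region_guard g;
    memset(data, 'A', sizeof data);
    if (guard_init(&g, data, sizeof data) != 0) return 1;
    data[130] = 'B';                    /* simulate a write from outside */
    return guard_check(&g) == 2 ? 0 : 1;  /* byte 130 lies in block 2 */
}
```

A check like this only sees the state at the moment it runs: a write that is reverted between two checks goes unnoticed, and a writer that can modify the region can usually modify the stored digests too.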

Answers (2)

0xAA55

Reputation: 411

There's an API that allows you to monitor write operations into a specific memory area.

```c
UINT GetWriteWatch(
  DWORD     dwFlags,
  PVOID     lpBaseAddress,
  SIZE_T    dwRegionSize,
  PVOID     *lpAddresses,
  ULONG_PTR *lpdwCount,
  LPDWORD   lpdwGranularity
);
```

When the API detects any write operations, it appends the written addresses to the array that you provided as a parameter of the API, until your array is full.

Upvotes: 1

kenota

Reputation: 5662

General answer to your question: no, there is no such API or function.

But there are different methods by which you can achieve the same result.

1. API hooking. You can hook functions in the system (such as WriteProcessMemory) and then check if somebody is trying to change something in your process. More on this here.
2. Debugging. You can use debugging breakpoints on functions or on memory changes.

Upvotes: 2
