Hello, I am trying to learn reverse engineering, so I use Process Hacker to view dynamic strings in the process's memory...

I get something like this:

Address  Length Result
-----------------------
0x853978 (43): hello
0xfb5e1a8 (86): hello alex !

Now I want to know how I can get/find the reference address for them?

I tried with WinHex but I can't. I don't know how I can do this. Is it possible to find the referencing assembly address in the file from a memory address (for example: 0x853978), or is this not possible in any way?

Can anyone help?

MrUnknow

1 Answer

When you are using Process Hacker to find strings, you are looking at a running process. Process Hacker iterates over the mapped parts of the process's virtual memory and tries to parse everything it finds as a string.

When you use WinHex to look at your binary, these sections have not been mapped yet and are cramped together into the binary.

tl;dr:

Use another program to check for strings (e.g. Exe Explorer, PE Studio, IDA, Binary Ninja, ...), use a debugger to find the strings at the addresses Process Hacker tells you, or calculate the file offset utilizing the section information.

Could you clarify what you are trying to do?

Edit

If you want to find references to strings in code, you are best off utilizing a decent disassembler (Binary Ninja, radare2, IDA Pro). It will show you the references it can find.

Nordwald
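The last option in the answer above (calculating the file offset from the section information), written out as an added example that is not part of the original answer. The sample PE bytes and the module base 0x850000 are constructed assumptions; an address outside the module's image (heap, stack, another module) has no file offset and returns None.

```python
import struct

def parse_sections(pe):
    """Return (ImageBase, [(name, vaddr, vsize, raw_ptr, raw_size), ...])."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = nt + 4
    nsec, = struct.unpack_from("<H", pe, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    fmt, off = ("<I", 28) if magic == 0x10B else ("<Q", 24)
    base, = struct.unpack_from(fmt, pe, opt + off)        # ImageBase
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, raw_ptr, raw_size))
    return base, sections

def va_to_file_offset(pe, va, load_base=None):
    """Map a runtime address to (section, file offset); None if not file-backed."""
    image_base, sections = parse_sections(pe)
    # With ASLR/relocation the base shown for the module can differ from ImageBase.
    rva = va - (image_base if load_base is None else load_base)
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            # Past SizeOfRawData the loader zero-fills: nothing in the file.
            return (name, raw_ptr + delta) if delta < raw_size else None
    return None  # heap, stack, or another module: not part of this image

def build_sample():
    """Constructed sample: PE32 headers, two sections, 'hello' placed in .rdata."""
    pe = bytearray(0x1600)
    pe[0:2], pe[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x80)                # e_lfanew
    struct.pack_into("<HH12xHH", pe, 0x84, 0x14C, 2, 0xE0, 0x102)
    struct.pack_into("<H", pe, 0x98, 0x10B)               # PE32 magic
    struct.pack_into("<I", pe, 0x98 + 28, 0x400000)       # ImageBase
    struct.pack_into("<8sIIII", pe, 0x178, b".text", 0x200, 0x1000, 0x200, 0x400)
    struct.pack_into("<8sIIII", pe, 0x1A0, b".rdata", 0x2000, 0x3000, 0x1000, 0x600)
    pe[0xF78:0xF7D] = b"hello"
    return bytes(pe)

SAMPLE = build_sample()
# 0x850000 is an assumed module base; read the real one from the process's module list.
print(va_to_file_offset(SAMPLE, 0x853978, load_base=0x850000))
```

Once the file offset is known, a disassembler's cross-reference view on the corresponding virtual address shows which instructions reference the string.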