"Memory Juggler" extension FAQ (Extension module name: SCMB)

I am working with 500 Gigs of data in the access descriptor. How do I select a large data chunk?
I've done some work with a buffer in the Memory Juggler. How do I save my work?
Can I search for several byte sequences in the same search query?
How do I clone a hard drive partition?
How do I search data on the hard drive bypassing the file system?
How do I merge two or more files?
How do I save hard drive sectors into a disk file?
How do I find a byte sequence in the virtual memory?
What is the fastest search technique?
How do I open and edit a disk file?
Does the SCMB extension process CD/DVD drives?
What is the function of the PHYSM command?
Sometimes when I try to change memory cells in the Data Editor it rejects my changes. Why?
Why is it that when a new buffer is created its start address is shown as zero?
Can I create two or more buffers representing the same virtual address in the same context?
What is the maximum size of the buffer I can allocate in the Memory Juggler?


I am working with 500 Gigs of data in the access descriptor. How do I select a large data chunk?

Please use the "Advanced Selection" function from the context menu. It allows you to select any portion of your buffer's data by specifying the start and the end offset in the buffer.

I've done some work with a buffer in the Memory Juggler. How do I save my work?

There are two ways to save your work in the Memory Juggler:

1. Saving the real data content.
2. Saving metadata.

The first method is useful when you are processing data content and want to save it in order to open the same content in the next session. In this case you can save the real data content into a disk file or through the access descriptor, as you prefer.

The second method saves only the metadata described by your buffer parameters. For example, you have opened a hard drive area through the access descriptor. This area has certain parameters such as the starting sector, size, etc. You can save these parameters into an xml file in order to be able to open the same area in the next work session. The content of the area is not saved. When you open the saved xml file, you will get the same hard drive area, but the content of this area may have changed. You can also save other information (e.g., bookmarks) to an xml file to make it available in the next session.

Can I search for several byte sequences in the same search query?

Yes. Moreover, you can build your own sequence databases and execute complex search queries at the same time. It works like an antivirus engine searching for malware signatures. The difference is that the System Console Search Engine does not perform any analysis to find out whether a hit is a virus signature or just a byte sequence.
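As an added example (not the System Console Search Engine's own code), the script below shows what a sequence-database search has to do when a large buffer is read in chunks: every sequence in the database is looked for in a single pass, and a sequence that straddles a chunk boundary is still found exactly once. The pattern names, the sample buffer and the 0x00400000 base address are constructed for the example.

```python
"""Added example (not the System Console Search Engine's code): a chunked multi-sequence scan."""
import re
from io import BytesIO

# Constructed "sequence database": name -> byte sequence (the names are made up here).
PATTERNS = {
    "windows_ascii": b"Windows",
    "windows_utf16": "Windows".encode("utf-16-le"),
    "mz_header": b"MZ\x90\x00",
}

# Constructed 10,000-byte buffer of zeros with the sequences planted at known
# offsets; the second "Windows" deliberately straddles the 4096-byte chunk boundary.
SAMPLE = bytearray(10_000)
SAMPLE[100:107] = b"Windows"
SAMPLE[4093:4100] = b"Windows"
SAMPLE[6000:6004] = b"MZ\x90\x00"
SAMPLE[8000:8014] = "Windows".encode("utf-16-le")


def compile_query(patterns: dict):
    """One regex for the whole database. The lookahead makes every hit zero-width, so
    hits that overlap each other are all reported; at the same start the longest wins."""
    seqs = sorted(patterns.values(), key=len, reverse=True)
    regex = re.compile(b"(?=(" + b"|".join(map(re.escape, seqs)) + b"))")
    return regex, max(len(s) for s in seqs)


def scan(stream, patterns: dict, base: int = 0, chunk_size: int = 4096) -> list:
    """Return sorted (address, name) hits. `base` is added to every offset so results
    can be shown as real addresses rather than 0-based buffer offsets."""
    regex, longest = compile_query(patterns)
    name_of = {seq: name for name, seq in patterns.items()}
    overlap = longest - 1   # tail of the previous chunk that must be re-examined
    carry = b""             # that tail
    offset = 0              # buffer offset of carry[0] (or of the chunk when carry is empty)
    hits = []
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        window = carry + data
        for m in regex.finditer(window):
            seq = m.group(1)
            # A hit lying entirely inside the carried tail was already reported from
            # the previous window; only hits that reach into the new data are new.
            if m.start() + len(seq) > len(carry):
                hits.append((base + offset + m.start(), name_of[seq]))
        # Keep the last `overlap` bytes (the whole window if it is shorter than that).
        carry = window[-overlap:] if overlap else b""
        offset += len(window) - len(carry)
    return sorted(hits)


def scan_bytes(data, patterns: dict, **kwargs) -> list:
    """Convenience wrapper for an in-memory buffer."""
    return scan(BytesIO(bytes(data)), patterns, **kwargs)


if __name__ == "__main__":
    for addr, name in scan_bytes(SAMPLE, PATTERNS, base=0x00400000):
        print(f"{addr:#010x}  {name}")
```

The chunk size only changes how much memory the scan holds at once; the carried tail guarantees the same hits whether the buffer is read in 7-byte or 4 KiB pieces, which is the property a search over a multi-gigabyte access descriptor depends on.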

Sometimes when I try to change memory cells in the Data Editor it rejects my changes. Why?

This is because the memory page you are trying to work with is write-protected. For example, when you assign a buffer to the virtual memory of a dynamic link library (usually DLLs are memory-mapped sections with copy-on-write protection), you cannot change its memory cells until you disable the protection. The Memory Juggler v 1.0 cannot disable write protection of a specified page, but you can write a small extension to do that: open the appropriate process and call the VirtualProtectEx API function for the desired virtual memory area. In addition, on Windows Vista you can run into a situation where you cannot change cells in a file or in an access descriptor linked to some area of the hard drive. That is because you are working under User Account Control (UAC) and do not have the rights to modify certain objects (e.g., system files). In such a case you need to change the access rights of the object for the user account under which you are logged in.

How do I clone a hard drive partition?

The System Console Memory Juggler and the NTFS extension working together allow you to make a snapshot of a part of a hard drive or even of an entire hard drive. The image can be saved into a disk file or to another storage device represented by an access descriptor. Suppose, for example, that we need to clone a hard drive partition from one hard drive to another. In the first step we need to obtain information about the structure of the hard drive(s) in our system.

1) Use the DPE command. Below you can see the output of this command for two hard drives in the system:

Start sector  End sector  Sectors count  D   P.  Pri  Boot  Size
0             62          63             00  ??  ??   ??    31744 ( 0.03 MB)
63            80324       80262          00  00  Yes  Yes   41094144 ( 39.00 MB)
80325         58605119    58524795       00  01  Yes  Yes   29964695040 ( 28576.00 MB)

Start sector  End sector  Sectors count  D   P.  Pri  Boot  Size
0             62          63             01  ??  ??   ??    31744 ( 0.03 MB)
63            39086144    39086082       01  00  Yes  Yes   20012073984 ( 19085.00 MB)
39086145      121001579   81915435       01  01  Yes  No    41940702720 ( 39997.00 MB)


To transfer one partition to another it is necessary to have two equal-size partitions, i.e. if you need to copy partition A (the 39 MB partition in the second line of the first drive's table) you will need to create a new partition of the same size (39 MB) on the second hard drive (the table with D = 01). To repartition the second hard drive you can use any disk manager (including the standard Windows disk manager). After the repartition, the DPE command will display something like this:

Start sector  End sector  Sectors count  D   P.  Pri  Boot  Size
0             62          63             00  ??  ??   ??    31744 ( 0.03 MB)
63            80324       80262          00  00  Yes  Yes   41094144 ( 39.00 MB)
80325         58605119    58524795       00  01  Yes  Yes   29964695040 ( 28576.00 MB)

Start sector  End sector  Sectors count  D   P.  Pri  Boot  Size
0             62          63             01  ??  ??   ??    31744 ( 0.03 MB)
63            80324       80262          01  00  Yes  Yes   41094144 ( 39.00 MB)
80325         121001579   120921254      01  ??  ??   ??    52427600000 ( 49978.00 MB)


Now everything is ready to transfer the partition.

2) Create an access descriptor for the source partition:

hdad -c 63 -e 80324 -n "source hd"

and one for the destination partition:

hdad -c 63 -e 80324 -d 1 -n "dest hd"

3) Create a new buffer for the source partition (create a new buffer and link it to the access descriptor named "source hd").
4) In the open Data Editor select all data.
5) Open the context menu and select "Write To Descriptor".
6) In the open dialog select the access descriptor named "dest hd" and click "OK".
7) After all the data are copied, reboot the computer.
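The precondition in step 1 (both partitions must cover the same number of sectors) and the two hdad commands in step 2 can be checked mechanically. The script below is an added example, not part of the System Console or the Memory Juggler: it parses the two DPE listings shown above (embedded as constructed input), refuses to plan a clone when the partitions differ in sector count, reports rows whose printed "Sectors count" disagrees with the start and end sectors, and prints the hdad lines. The reading of hdad's -c, -e, -d and -n switches is taken from the two commands in step 2 and is an assumption beyond that. The same parser applies to the DPE output used in the search and save-to-file answers later on this page.

```python
"""Added example (not System Console code): parse DPE listings and plan a partition clone."""
import re
from dataclasses import dataclass

# Constructed input: the two DPE listings from the FAQ (before/after repartitioning disk 1).
DPE_BEFORE = """\
Start sector End sector Sectors count D P.  Pri Boot Size
0 62 63 00 ?? ?? ?? 31744 ( 0.03 MB)
63 80324 80262 00 00 Yes Yes  41094144 ( 39.00 MB)
80325 58605119 58524795 00 01 Yes Yes 29964695040 ( 28576.00 MB)

Start sector End sector Sectors count D P.  Pri Boot Size
0 62 63 01 ?? ?? ?? 31744 ( 0.03 MB)
63 39086144 39086082 01 00 Yes Yes 20012073984 ( 19085.00 MB )
39086145 121001579 81915435 01 01 Yes No 41940702720 ( 39997.00 MB)
"""
DPE_AFTER = """\
Start sector End sector Sectors count D P.  Pri Boot Size
0 62 63 00 ?? ?? ?? 31744 ( 0.03 MB)
63 80324 80262 00 00 Yes Yes  41094144 ( 39.00 MB)
80325 58605119 58524795 00 01 Yes Yes 29964695040 ( 28576.00 MB)

Start sector End sector Sectors count D P.  Pri Boot Size
0 62 63 01 ?? ?? ?? 31744 ( 0.03 MB)
63 80324 80262 01 00 Yes Yes 41094144 ( 39.00 MB )
80325 121001579 120921254 01 ?? ?? ?? 52427600000 ( 49978.00 MB)
"""

# start, end, count, disk, partition, primary, boot, size in bytes, then "( n MB)"
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*\(")


@dataclass(frozen=True)
class Partition:
    disk: int
    index: str      # "??" marks the unpartitioned area before the first partition
    start: int
    end: int
    count: int      # the "Sectors count" column as printed
    primary: str
    boot: str
    size_bytes: int

    @property
    def span(self) -> int:
        """Sectors covered by start..end inclusive, computed independently of count."""
        return self.end - self.start + 1


def parse_dpe(text: str) -> list:
    """One Partition per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            start, end, count, disk, idx, pri, boot, size = m.groups()
            rows.append(Partition(int(disk), idx, int(start), int(end), int(count), pri, boot, int(size)))
    return rows


def find_partition(rows: list, disk: int, start: int) -> Partition:
    for p in rows:
        if p.disk == disk and p.start == start:
            return p
    raise KeyError(f"no partition on disk {disk} starting at sector {start}")


def count_mismatches(rows: list) -> list:
    """(disk, start) of rows whose printed Sectors count disagrees with start..end."""
    return [(p.disk, p.start) for p in rows if p.count != p.span]


def hdad_command(p: Partition, name: str) -> str:
    """hdad as used in the FAQ: -c start, -e end, -d disk (omitted for disk 0), -n name (assumed)."""
    disk = f" -d {p.disk}" if p.disk else ""
    return f'hdad -c {p.start} -e {p.end}{disk} -n "{name}"'


def can_clone(rows, src_disk, src_start, dst_disk, dst_start) -> bool:
    """The FAQ's precondition: both partitions must cover the same number of sectors."""
    return find_partition(rows, src_disk, src_start).span == find_partition(rows, dst_disk, dst_start).span


def clone_plan(rows, src_disk, src_start, dst_disk, dst_start, src_name="source hd", dst_name="dest hd") -> list:
    """The two hdad commands for step 2, or ValueError if the sizes differ."""
    src, dst = find_partition(rows, src_disk, src_start), find_partition(rows, dst_disk, dst_start)
    if src.span != dst.span:
        raise ValueError(f"source covers {src.span} sectors, destination {dst.span}; repartition first")
    return [hdad_command(src, src_name), hdad_command(dst, dst_name)]


if __name__ == "__main__":
    for label, text in (("before", DPE_BEFORE), ("after", DPE_AFTER)):
        rows = parse_dpe(text)
        print(f"{label}: clone possible = {can_clone(rows, 0, 63, 1, 63)}; "
              f"count/span mismatches = {count_mismatches(rows)}")
        if can_clone(rows, 0, 63, 1, 63):
            print("\n".join(clone_plan(rows, 0, 63, 1, 63)))
```

Run against the "before" listing the plan is refused (the second drive's first partition covers 39086082 sectors, not 80262); against the "after" listing it emits exactly the two commands from step 2. A sector-count check like this is cheap insurance before a raw write to a destination descriptor, since Write To Descriptor does not know where your intended target ends.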

How do I search data on the hard drive bypassing the file system?

To search data in the entire hard drive or a part of it, you need to create an access descriptor for the hard drive and then search for the data through this descriptor. To create the access descriptor:

1) Get information about the hard drive structure in your system with the help of the DPE command. The result will look as follows:

dpe

Start sector  End sector  Sectors count  D   P.  Pri  Boot  Size
0             62          63             00  ??  ??   ??    31744 ( 0.03 MB)
63            80324       80262          00  00  Yes  Yes   41094144 ( 39.00 MB)
80325         58605119    58524795       00  01  Yes  Yes   29964695040 ( 28576.00 MB)

Now you know the structure of the hard drive(s) and can decide where you need to find the data. For example, in the first partition (which is the middle line).

2) To do that you need to create an appropriate access descriptor:

hdad -c 63 -e 80324 -n "HD0 P0 39MB"

After a successful operation, the message "Created access descriptor Id: ..." will be displayed. Now we are ready to open the newly created access descriptor in the Memory Juggler. Open the "Create new buffer" dialog, select the access descriptor "HD0 P0 39MB" and press the "OK" button.

3) Now you need to specify a byte sequence (or a list of sequences) to find. To find one byte sequence you can use the fast search technique. To specify a list of byte sequences you need to create a new search query. On the "Where to find" step, check the box with the access descriptor name "HD0 P0 39MB".

4) Complete the query and execute the search.

How do I merge two or more files?

With the Memory Juggler you can split or merge files easily. Suppose, for example, that we need to merge three files named A, B and C. Open all three files by creating a buffer for each of them. After all three buffers are created, save them one to the end of another. The operation looks as follows:

1) Create a buffer for each file.
2) Switch to the buffer with file A and select all its contents.
3) Right-click to open the data editor popup menu, select "Save To File...", specify a name for the output file as "ABCMerged", and press the "Save" button.
4) Repeat steps 2 and 3 for the buffer with file B.
A message box will appear asking you what you want to do.
5) Press the "Yes" button.
6) Repeat steps 2 through 5 for the buffer with file C.

With the technique described above you have saved one file to the end of another. The "Insert From File..." menu item allows you to insert one file at any location within another file. You can split a file in the same manner by using the "Save To File..." menu item.

How do I save hard drive sectors into a disk file?

First of all, you need to decide which area of your hard drive you want to save. It may be one sector (for example, the boot sector), a partition (or a part of a partition) or a full hard drive (if you have enough space for that on another hard drive or a network drive). Note that for processing a hard drive you need to load the NTFS extension.

1) To obtain information about the hard drive structure in your system, use the DPE command. The result will look as follows:

dpe

Start sector  End sector  Sectors count  D   P.  Pri  Boot  Size
0             62          63             00  ??  ??   ??    31744 ( 0.03 MB)
63            80324       80262          00  00  Yes  Yes   41094144 ( 39.00 MB)
80325         58605119    58524795       00  01  Yes  Yes   29964695040 ( 28576.00 MB)

Now we know the structure of the hard drive(s) and can decide what we need to save. Let us save the very first partition (which is the middle line).

2) To do that we need to create an appropriate access descriptor:

hdad -c 63 -e 80324 -n "HD0 P0 39MB"

After a successful operation, the message "Created access descriptor Id: ..." will be displayed. Now we are ready to open the newly created access descriptor in the Memory Juggler as described below.

3) Open the "Create new buffer" dialog and select the access descriptor "HD0 P0 39MB" in the access descriptor list (to enable the list control, check the "Link to available Access Descriptor" check box). Click "OK" and a new "Data editor" instance will open.

4) Select all data in the data editor by selecting the appropriate popup menu item (or press CTRL+A).

5) Select "Save As..." from the popup menu, specify the file name and the path where you wish to save the file, then press "Save". A progress dialog will appear and the data from the partition will be saved into the file.

As a last step you can make sure that the data in the partition and in the file are consistent by calculating the control sum. To do that, open the newly created file, select all data in the data editor and then select "Calculate CRC" from the popup menu. Repeat the same in the data editor which represents the partition. If the control sums are the same, you have done everything right. Note that if you are working with a "live" partition the check sums may not be the same.

Security note
To open the hard drive at the sector level, the SCFS extension must be loaded. Use the LDE SCFS command in the "System Console".
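The control-sum check in the last step can be scripted for a partition image that does not fit in memory. The code below is an added example, not the Memory Juggler's "Calculate CRC" implementation: it assumes CRC-32 as computed by zlib, hashes both sides in chunks so memory use stays flat, and reports a mismatch for an image taken while the partition was still changing (the "live partition" case noted above). The partition contents and the two images are constructed.

```python
"""Added example (not the Memory Juggler's "Calculate CRC"): chunked CRC-32 image verification."""
import zlib
from io import BytesIO

CHUNK = 1 << 20   # 1 MiB reads keep memory flat however large the partition is


def crc32_of(stream, chunk_size: int = CHUNK) -> int:
    """Running CRC-32 over a binary stream. Passing the previous value back into
    zlib.crc32 is what makes the chunked result equal the CRC of the whole input."""
    crc = 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def crc32_bytes(data: bytes, chunk_size: int = CHUNK) -> int:
    return crc32_of(BytesIO(data), chunk_size)


def verify_image(source, image, chunk_size: int = CHUNK) -> tuple:
    """Return (match, source_crc, image_crc) for two binary streams."""
    a, b = crc32_of(source, chunk_size), crc32_of(image, chunk_size)
    return a == b, a, b


def verify_bytes(source: bytes, image: bytes, chunk_size: int = CHUNK) -> tuple:
    return verify_image(BytesIO(source), BytesIO(image), chunk_size)


# Constructed data: a fake three-sector "partition" (512-byte sectors), an exact
# image of it, and an image taken after one byte changed underneath it.
PARTITION = bytes(range(256)) * 6
GOOD_IMAGE = bytes(PARTITION)
_live = bytearray(PARTITION)
_live[700] ^= 0x01
LIVE_IMAGE = bytes(_live)

if __name__ == "__main__":
    for label, img in (("exact copy", GOOD_IMAGE), ("copy of a live partition", LIVE_IMAGE)):
        ok, a, b = verify_bytes(PARTITION, img, chunk_size=512)
        print(f"{label}: partition {a:08X}, file {b:08X} -> {'consistent' if ok else 'MISMATCH'}")
```

CRC-32 is adequate for spotting an incomplete or shifted copy, which is what this step is for; it is not a tamper-evident hash, so an evidence image you need to attest to later should additionally be hashed with SHA-256 in the same chunked way.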

How do I find a byte sequence in the virtual memory?

With the help of the Memory Juggler you can find byte sequence(s) in the virtual memory of any process in the system, or even in kernel memory. For example, let us search for the word "Windows" in the virtual memory of the Explorer process. To do that, we need to create a memory buffer and assign it to the virtual memory of the Explorer process.

1) Open the "Create new buffer" dialog;
2) Specify "Explorer virtual memory" as the buffer name;
3) Check "Assign new buffer to virtual address";
4) Specify the PID of the process (use the PROC command or the Task Manager to get the process id);
5) Specify the start and end addresses (in our case 0 and 0x7FFFFFFF, respectively).

A new buffer will be created, the Data Editor will open, and a new record will be inserted in the Buffer List. Now we need to create a search query.
You can use the quick search technique to find a byte sequence without going through all the steps of the Search Query Wizard (see the question on the fastest search technique).

6) Press the "Create new search query" button on the toolbar. The Search Query Wizard will open;
7) Because the word "Windows" contains 7 symbols, specify 7 in the "Bytes sequence length" field and press the "Next" button;
8) Type the word "Windows" in the ASCII part of the byte sequence editor and press the "Next" button;
9) Expand the "System Console->Buffers" tree, check the box opposite the recently created buffer name ("Explorer virtual memory") and press the "Next" button;
10) In the last step the Wizard offers to save the query into an XML metadata file. Leave the field empty if you do not want to save the search query (you can still save the search query at any time using the search queries list popup menu). Press the "Finish" button.
A new item will be inserted in the search queries list. Note: the created search query does not execute until you select "Execute" in the popup menu;
11) Go to the search queries list popup menu and click the "Execute" item. The search process will start and the results view will open.

What is the fastest search technique?

To generate a search query in the Memory Juggler, you normally use the Search Query Wizard and go through several dialogs to complete the new search request. That is the right technique for complex search queries, but if you need to find a single byte sequence it is easier to use the quick search technique, which does not require going through all the steps of the Search Query Wizard. With this technique the Memory Juggler performs all the secondary tasks for you; you only need to specify where you wish to find the data.

1) Open the "Create new buffer" dialog and press the "OK" button. A new buffer will be created with default parameters;
2) Type the byte sequence or paste it into the buffer;
3) Select the byte sequence and click the "Find" button on the Memory Juggler toolbar. In the tab of the dialog that opens, specify where you want to find the byte sequence;
4) Press the "Execute" button and the search process will start.

How do I open and edit a disk file?

The simplest way to open a file for editing is to drag and drop it from Windows Explorer into the Memory Juggler window. Another way is to open the file through the "Create new buffer" dialog box: open the dialog, check "Link to disk file" and specify the full path to the desired file. By default the Memory Juggler creates a write-protected buffer, so if you need to edit the file, clear the "Create write protected buffer" check box at the bottom of the dialog box. Click "OK"; the Data Editor will open and a new item will be added to the buffer list.

Does the SCMB extension process CD/DVD drives?

Not on its own, since an optical drive is considered an external data source, but it can if you load another extension that acts as a data source provider for the optical drive, for example the OPTFS extension. This extension is a data source provider for floppy drives and CD/DVD drives. The SCEXDRV extension comes with its source code, so you can see how it works. SCFS is a similar extension, but it is intended for hard drives.

What is the function of the PHYSM command?

If you want the operating system to move rarely used memory pages into the page file in order to free physical memory, the PHYSM command can help you do that. Its purpose is to release as much physical memory on your PC as possible. It can take some time and a number of iterations to complete the process.

Why is it that when a new buffer is created its start address is shown as zero?

The start address of a newly allocated memory buffer is displayed according to the visual display mode. There are two modes: 0-based and the real buffer address. The default mode is 0-based, but you can change it in the Buffer Properties dialog. (Since Service Pack 1 the Memory Juggler shows the real buffer address for virtual memory buffers by default.)

Can I create two or more buffers representing the same virtual address in the same context?

Yes, of course. It may be pre-allocated memory, or you can create a new buffer in the Memory Juggler and then assign each newly created buffer to its virtual address.

What is the maximum size of the buffer I can allocate in the Memory Juggler?

It depends on the virtual memory available in your system. Usually the maximum size of a buffer is equal to the amount of RAM that the OS can allocate to the process on your PC, but this is not a rule. If you are assigning a buffer to a virtual memory range, its size equals the difference between the start address and the end address of the buffer. If you link the buffer to a disk file, the limit is 8 exabytes (8 EB). The same applies to access descriptors.