Absolute Physical Memory Viewer: shows any part of OS/2 memory. RamScope is a debugging tool written for the OS/2 Presentation Manager.
The program is distributed as a ZIP package: download it to a temporary directory and unpack it to the destination folder.
Download links for manual installation:
RamScope v. 2.1 (1/2/2024, Lars Erdmann) | Readme/What's new |
╔═════════════════════════════════════════════════╗
║ ║
║ >>> R A M S C O P E <<< ║
║ Absolute Physical Memory Viewer ║
║ Copyright (c) 1988, 1989 Farpoint Software ║
║ Version 2.0 ║
║ ------------------------------------- ║
║ ║
║ A debugging tool ║
║ for the OS/2 Presentation Manager ║
║ ║
╚═════════════════════════════════════════════════╝
Introduction
------------

RamScope is a debugging tool written specifically for the OS/2 Presentation
Manager. Its purpose is to allow you to do something that is not normally
allowed for a "user" (i.e. ring 2 or ring 3) program: You can roam freely
through all of the system's physical memory space without regard for segment
limits, access privilege, or descriptor tables.

There are three active areas of the RamScope display: The left side of the
window shows the starting address in hex of each line of data. These addresses
are always expressed as true physical memory locations. The middle section
of the window shows sixteen lines of sixteen bytes each in hex format. The
right-hand section of the window shows the same data area in character format
rather than hex.

The displayed memory area is "live"; i.e. the memory block is re-read and the
display is updated about six times per second. Therefore, if an area of memory
is actively changing, this activity can be visually monitored. The updating
of the display can be stopped (frozen) with a single-keystroke command.

It is possible to run multiple copies of RamScope simultaneously in order to
monitor multiple separate areas of memory.

Operating Instructions
----------------------

All the display manipulation commands are accessible both with the mouse and
as "accelerator" keys. Each command will be described individually.

Specify address <Ctrl-A>:
    This produces a dialog box into which the desired starting address of the
    display area may be entered. As always, the address must be in hex and
    must be expressed as a physical address.

Scan Forward <Ctrl-F>:
    This causes the start address of the displayed memory area to be increased
    by 10 hex at each update interval (about 6 Hz), allowing a "hands-off"
    visual search through memory. The scan can be stopped with <F8> or <F9>.

Scan Backward <Ctrl-B>:
    Same as Scan Forward, except that 10 hex is subtracted from the starting
    address each update interval.

┌─
│Subtract 1000 hex <Home>:
│ Add 1000 hex <End>:
│Subtract 100 hex <PgUp>:
│ Add 100 hex <PgDn>:
│Subtract 10 hex <Up-arrow>:
│ Add 10 hex <Dn-arrow>:
│Subtract 1 <Left-arrow>:
│ Add 1 <Right-arrow>:
└─
    All of these perform the indicated action on the starting address of the
    displayed memory area.

Find Global Descriptor Table <Ctrl-G>:
    Sets the display start address to the address of the system's global
    descriptor table. This is the master descriptor table used by the
    system kernel. User programs always operate through their individual
    Local Descriptor Tables, not the GDT.

Find Interrupt Descriptor Table <Ctrl-I>:
    Sets the display start address to the address of the system hardware
    interrupt descriptor table. All hardware and software interrupts are
    vectored through this table.

Find Text String <Ctrl-T>:
    Produces a dialog box into which may be entered: a text string to be
    searched for, a starting memory address, and an ending memory address.
    The specified area is searched for an exact match to the text string.
    If a match is found, then the starting address for the display area
    is set to the address of the matching string.

Find Hex Byte Sequence <Ctrl-H>:
    This works the same way as "Find Text String", except that the data to
    be searched for is entered in hex.

Find Next Text String <Ctrl-N>:
    Finds the text string previously specified, with the search starting at
    the currently displayed address + 1.

Find Next Hex Byte Sequence <Ctrl-X>:
    Finds the hex sequence previously specified, with the search starting at
    the currently displayed address + 1.

Stop Scan <F8>:
    Stops the auto-incrementing or auto-decrementing started by one of the
    "Scan" commands. The display continues to refresh at 6 Hz.

Freeze <F9>:
    Stops the display refresh process. If the content of the memory area
    changes, this will NOT be reflected in the display. It will continue to
    show conditions present at the time <F9> was pressed. If a scan was in
    progress, it will be stopped.

UnFreeze <F10>:
    Restores the display refresh, previously stopped by "Freeze".

About <F1>:
    Produces a dialog box containing a short description of RamScope and
    a copyright notice.

Changes in Version 1.1:
-----------------------
Added the "find next" functions and pull-down menu shadow boxes (just to be
fancy). The search routine has been modified to reduce the probability
of false matches while searching through areas of non-existent memory
(floating bus).
Changes in Version 2.0:
-----------------------
This version runs correctly under the IBM release of OS/2 version 1.1
(the previous versions of RamScope ran only under Microsoft's SDK 1.05).
A change in the message sequence sent to submenus required a more
clunky (and slow) method of creating those cute shadow boxes, so they
have been removed.
Installation
------------

In order to do its magic, RamScope needs its own device driver so that
privilege level zero code can be executed. This device driver is supplied
as PHYSMEM.SYS. Installation of the device driver proceeds as follows:

  (1) Copy the file PHYSMEM.SYS into the root directory of the boot (C:) drive.

  (2) Edit CONFIG.SYS in the root directory. Insert the following line
      anywhere in the file:

          DEVICE=C:\PHYSMEM.SYS

  (3) Reboot the system.

PHYSMEM won't bother anything else in the system, and it only uses 1k.

To start RamScope, either type its name at an OS/2 command line prompt, or
install it as an entry in the Program Starter. It takes no command line
parameters. The working directory is irrelevant. The program type is
"Presentation Manager", not "Other".

Since the default configuration of OS/2 allows memory segments to be moved,
discarded, and swapped to disk whenever the kernel code deems appropriate,
using RamScope could be a little tricky under some conditions. The data
segment you were watching could unexpectedly disappear from memory or
move to another location. To prevent this, change the MEMMAN line in
CONFIG.SYS from "MEMMAN=SWAP,MOVE" to "MEMMAN=NOSWAP,NOMOVE". Normally,
this is unnecessary unless you are either short on memory or run a lot of
other programs while debugging. Be sure to restore CONFIG.SYS to its
normal state when not debugging.

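
The readme asks for the MEMMAN change to be reverted when not debugging, and
the caution note points out that PHYSMEM.SYS is callable by any program while
it is loaded. The C checker below is an added example, not part of the
RamScope package: it scans CONFIG.SYS text for both debug-time settings. The
sample file contents and all function names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { F_PHYSMEM = 1, F_NOSWAP = 2, F_NOMOVE = 4 };

/* Constructed sample CONFIG.SYS contents (not taken from a real system). */
const char DEBUG_CFG[] = "MEMMAN=NOSWAP,NOMOVE\r\n"
                         "device = c:\\physmem.sys\r\n";
const char NORMAL_CFG[] = "MEMMAN=SWAP,MOVE\r\n"
                          "REM DEVICE=C:\\PHYSMEM.SYS\r\n";
static int up(char c) { return toupper((unsigned char)c); }

/* Case-insensitive substring test. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && up(hay[i]) == up(needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

/* For a KEY=value line return the value, else NULL; key is upper case, REM lines never match. */
static const char *value_of(const char *line, const char *key)
{
    size_t n = strlen(key);
    line += strspn(line, " \t");
    for (size_t i = 0; i < n; i++)
        if (up(line[i]) != key[i]) return NULL;
    line += n;
    line += strspn(line, " \t");
    return *line == '=' ? line + 1 : NULL;
}

/* Scan CONFIG.SYS text and return a bitmask of F_* findings. */
int audit_config(const char *text)
{
    int flags = 0;
    char line[256];
    while (*text) {
        size_t len = strcspn(text, "\r\n");
        size_t n = len < sizeof line - 1 ? len : sizeof line - 1;
        const char *v;
        memcpy(line, text, n);
        line[n] = '\0';
        if ((v = value_of(line, "DEVICE")) && contains_ci(v, "PHYSMEM.SYS"))
            flags |= F_PHYSMEM;      /* ring-0 gateway driver is loaded */
        if ((v = value_of(line, "MEMMAN")) != NULL) {
            if (contains_ci(v, "NOSWAP")) flags |= F_NOSWAP;
            if (contains_ci(v, "NOMOVE")) flags |= F_NOMOVE;
        }
        text += len + strspn(text + len, "\r\n");
    }
    return flags;
}

int main(void)
{
    printf("debug=%d normal=%d\n", audit_config(DEBUG_CFG), audit_config(NORMAL_CFG));
    return 0;
}
```
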
PHYSMEM source code
-------------------
The complete source code to the PHYSMEM device driver is included in this
package as an example of a simple non-interrupt device driver. PHYSMEM does
not in fact drive a device at all, but rather is a means by which a ring 3
program can call ring zero code. Examples of how to call the driver are
shown in the comment block at the beginning of PHYSMEM.ASM.
OS/2 Bug Note:
--------------
Any "accelerator" keys which are combinations of the control key and a
letter key (such as ^A to set the address) will not work if Caps Lock is
in effect. Just be sure to turn off Caps Lock if you are using keyboard
commands. The function keys F1 thru F12 are not affected.
SHAREWARE NOTICE
----------------
Please remember that RamScope is Shareware, not free software. It costs $35.
For this you get: A version that doesn't start up with the About Box, support
via telephone or CompuServe, a few other small-but-useful OS/2 programs,
and free updates whenever they become available. If you're going to use
this program, please pay for it. In any event, give copies of the unregistered
version to all takers. Thanks for your support. Shareware publishers would
starve without it.
Our mailing address is:
Farpoint Software
2501 Afton Court
League City, Texas 77573
Messages may be sent through Compuserve E-mail to: Alan Jones [74030,554].
----------------------------------------------------------------------------------
----------------------------------------------------
* * * A NOTE OF CAUTION CONCERNING PHYSMEM.SYS * * *
----------------------------------------------------

The device driver PHYSMEM.SYS provided with this package is, in one sense,
a "gateway" by which the normal memory protection mechanisms used by OS/2
can be bypassed. The selectors provided by version 1.11 of PHYSMEM correspond
to descriptors in the calling program's LDT marked as "readable" and
"executable" but not "writable". The access types for the selectors created
with the PhysToUVirt call (see PHYSMEM.ASM) must be one of two possible
combinations: read/write or read/execute. This is determined by the value
passed to PhysToUVirt in the DH register (0=r/w, 1=r/e). Read/execute is
the one used here, since it is the safer of the two (RamScope does not write
to the segment thus obtained).

There is no method provided for verifying the identity of the program which
calls the PHYSMEM device driver; it could be called by any program which
"knows" of its existence. With the current version, a "badly behaved" program
could not write anywhere in memory, but it would be possible for it to perform
a far call or jump to anywhere, thus precipitating a probable system crash.

It is of course possible to modify PHYSMEM.ASM and re-assemble it to produce
a version which returns selectors to read/write segments. A driver thus
created would, as before, be accessible to all programs in the system,
giving "badly behaved" programs a means to trash anything in memory,
including modifying other programs' code segments, system descriptor tables,
etc.

This is not to say that PHYSMEM will cause problems, since it is rather
unlikely that any programs will "accidentally" open a device by this name
and then make the specific IOCtl calls required to use it. However, a
deliberately malicious program, OR a legitimate one under development which
uses PHYSMEM, could wreak havoc.

All this is nothing new, since any program running in real mode in the DOS
compatibility box could do this also, but it is best that users of PHYSMEM
be aware of this different type of "loophole" in the memory protection.

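
The two access types named in the note differ only in the access-rights byte
of the descriptor placed in the caller's LDT. The C sketch below is an added
example, not code from PHYSMEM.ASM: it decodes a descriptor in the 8-byte
80286 layout (assumed here, matching the OS/2 1.x target of this readme) and
shows why a read/execute alias cannot be written but can still be called. The
sample descriptors and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample descriptors (not read from a real LDT): base 0x100000, limit
 * 0xFFFF, DPL 3. Access bytes are assumptions matching read/execute and read/write. */
const uint8_t DESC_RE[8] = {0xFF, 0xFF, 0x00, 0x00, 0x10, 0xFB, 0x00, 0x00};
const uint8_t DESC_RW[8] = {0xFF, 0xFF, 0x00, 0x00, 0x10, 0xF3, 0x00, 0x00};

typedef struct {
    uint16_t limit;  /* bytes 0-1: segment limit */
    uint32_t base;   /* bytes 2-4: 24-bit physical base address */
    uint8_t access;  /* byte 5: access-rights byte */
} desc286;

typedef struct { int present, dpl, is_segment, readable, writable, executable; } rights;

desc286 parse_desc(const uint8_t raw[8])
{
    desc286 d;
    d.limit = (uint16_t)(raw[0] | (raw[1] << 8));
    d.base = (uint32_t)raw[2] | ((uint32_t)raw[3] << 8) | ((uint32_t)raw[4] << 16);
    d.access = raw[5];
    return d;
}

/* Decode the access-rights byte: P (bit 7), DPL (6-5), S (4), then for
 * S=1 the type bits: E (3), and R for code or W for data (bit 1). */
rights decode_access(uint8_t a)
{
    rights r;
    memset(&r, 0, sizeof r);
    r.present = (a >> 7) & 1;
    r.dpl = (a >> 5) & 3;
    r.is_segment = (a >> 4) & 1;
    if (!r.is_segment)
        return r;                  /* gate or system descriptor */
    r.executable = (a >> 3) & 1;
    if (r.executable) {
        r.readable = (a >> 1) & 1; /* code segment: never writable */
    } else {
        r.readable = 1;            /* data segment: always readable */
        r.writable = (a >> 1) & 1;
    }
    return r;
}

/* Render the rights as "rwx"-style text into out (4 bytes). */
const char *rights_str(uint8_t access, char out[4])
{
    rights r = decode_access(access);
    out[0] = r.readable ? 'r' : '-';
    out[1] = r.writable ? 'w' : '-';
    out[2] = r.executable ? 'x' : '-';
    out[3] = '\0';
    return out;
}

int main(void)
{
    char a[4], b[4];
    printf("r/e alias: %s   r/w alias: %s\n",
           rights_str(parse_desc(DESC_RE).access, a), rights_str(parse_desc(DESC_RW).access, b));
    return 0;
}
```
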
----------------------------------------------------------------------------------
RamScope 2.1
Changelog:
Fixed "RAMSCOPE" to work under 32-bit OS/2 (in particular: its device driver PHYSMEM.SYS).
updated and renamed PHYSMEM to MAKEFILE
updated PHYSMEM.LNK
updated PHYSMEM.DEF
updated PHYSMEM.ASM and rebuilt the driver PHYSMEM.SYS
added the PHYSMEM.SYM file for PHYSMEM.SYS
The executable RAMSCOPE.EXE to actually view memory is left unchanged.
ecsoft2.org/system/files/repository/ramscope_2-1.zip | local copy
RamScope v. 2.0 (4/12/1989, Farpoint Software) | Readme/What's new |
hobbes.nmsu.edu/download/pub/os2/util/memory/RAMScope_2-0.zip
This work is licensed under a Creative Commons Attribution 4.0 International License.