flat assembler
Message board for the users of flat assembler.

[Solved] My memory patch to current process is not working

Mat-Quasar 31 Mar 2025, 16:07
macomics wrote:
Mat-Quasar wrote:
Forgot to mention at the time I publish the code, if the destination (data section) is not writeable, then "hackmem.exe" will fail.
It is enough to use VirtualProtect before and after writing.


Thanks, but a question follows.... How do I change the protection of a memory region in another process?

Code:
;BOOL VirtualProtect(
;  [in]  LPVOID lpAddress,
;  [in]  SIZE_T dwSize,
;  [in]  DWORD  flNewProtect,
;  [out] PDWORD lpflOldProtect
; );
        invoke   VirtualProtect, 0x401000, 0x1000, PAGE_READWRITE, _OldProtect


The above will not work, because it changes its own data section, not the destination.

Perhaps I do not understand how memory works in a portable executable. Please enlighten.
Furs 31 Mar 2025, 18:02
Mat-Quasar wrote:
Thanks, but a question follows.... How do I change the protection of a memory region in another process?
VirtualProtectEx.
macomics 31 Mar 2025, 18:08
1) Suspend target process (all threads)
2) VirtualAllocEx -> destination process, inject size, PAGE_RDWR + PAGE_EXEC
3) WriteProcessMemory -> destination process, allocated region, inject procedure, inject size
4) inject procedure ->
4.1) VirtualProtect -> current process, target data section, PAGE_RDWR
4.2) WriteProcessMemory -> current process, target data section, your data, data size
4.3) VirtualProtect -> current process, target data section, PREV_STATE
4.4) TargetProcess.MainThread.CONTEXT.RIP -> saved RIP (just jmp to)
5) TargetProcess.MainThread.CONTEXT.RIP -> allocated region (save previous)
6) Resume process
Mat-Quasar 01 Apr 2025, 01:14
Furs wrote:
Mat-Quasar wrote:
Thanks, but a question follows.... How do I change the protection of a memory region in another process?
VirtualProtectEx.


Thanks, it works.

My code is working even on read-only data section of another process:

Code:
; OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId); stdcall, so arguments are pushed right to left
        push    [_id]
        push    -1
        push    PROCESS_ALL_ACCESS
        call    [OpenProcess]
        or      eax, eax                ; a NULL handle means the open failed
        jz      .error_3
        mov     dword [_hProcess], eax

; BOOL VirtualProtectEx(
;   [in]  HANDLE hProcess,
;   [in]  LPVOID lpAddress,
;   [in]  SIZE_T dwSize,
;   [in]  DWORD  flNewProtect,
;   [out] PDWORD lpflOldProtect
; );
        invoke  VirtualProtectEx, [_hProcess], 0x401000, 0x1000, PAGE_READWRITE, _OldProtect

; WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten)
        push    0                       ; lpNumberOfBytesWritten is optional and may be NULL
        push    _len
        push    _message
        push    0x401000
        push    dword [_hProcess]
        call    [WriteProcessMemory]
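As an added example (not code from this thread), the following Python decodes the access mask from Sysmon Event ID 10 (ProcessAccess) style records and flags handles granted PROCESS_VM_OPERATION | PROCESS_VM_WRITE, the minimum that VirtualProtectEx plus WriteProcessMemory need and which the PROCESS_ALL_ACCESS requested above grants along with every other right. The one-line record layout and the SourceImage/TargetImage/GrantedAccess field names are assumed from Sysmon's schema; the sample lines, paths and process names are constructed.

```python
import re
# Process access rights from winnt.h (only the bits relevant here).
PROCESS_VM_OPERATION = 0x0008    # required by VirtualProtectEx and WriteProcessMemory
PROCESS_VM_WRITE     = 0x0020    # required by WriteProcessMemory (together with VM_OPERATION)
PROCESS_ALL_ACCESS   = 0x1FFFFF  # what the post above requests: every process right at once
RIGHT_NAMES = {
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# Least privilege for the patch sequence on this page: VirtualProtectEx + WriteProcessMemory.
PATCH_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

def decode_rights(mask):
    """Names of the known process rights set in mask, in ascending bit order."""
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]

def can_patch_memory(mask):
    """True if the granted mask suffices to change protection of and write to target memory."""
    return mask & PATCH_RIGHTS == PATCH_RIGHTS

def parse_event(line):
    """Parse a one-line 'Key: value' ProcessAccess record (assumed layout) into a dict."""
    fields = dict(re.findall(r"(\w+): (\S+)", line))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields

def flag_patchers(lines):
    """Return (source, target, rights) for each event whose handle can patch the target."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if can_patch_memory(ev["GrantedAccess"]):
            hits.append((ev["SourceImage"], ev["TargetImage"], decode_rights(ev["GrantedAccess"])))
    return hits

# Constructed sample records, not real telemetry; the first mirrors the post above
# (hackmem.exe opening the crackme with PROCESS_ALL_ACCESS), the others are benign.
SAMPLE = [
    "SourceImage: C:\\tools\\hackmem.exe TargetImage: C:\\crackme\\crackme.exe GrantedAccess: 0x1FFFFF",
    "SourceImage: C:\\Windows\\System32\\taskmgr.exe TargetImage: C:\\crackme\\crackme.exe GrantedAccess: 0x1000",
    "SourceImage: C:\\tools\\reader.exe TargetImage: C:\\crackme\\crackme.exe GrantedAccess: 0x10",
]

if __name__ == "__main__":
    for src, dst, rights in flag_patchers(SAMPLE):
        print(f"{src} -> {dst}: {', '.join(rights)}")
```

Only the first record is reported: a handle with VM_READ or QUERY_LIMITED_INFORMATION alone cannot change protection or write, so a rule keyed on these two bits is far less noisy than alerting on every ProcessAccess event.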
Mat-Quasar 01 Apr 2025, 01:15
macomics wrote:
1) Suspend target process (all threads)
2) VirtualAllocEx -> destination process, inject size, PAGE_RDWR + PAGE_EXEC
3) WriteProcessMemory -> destination process, allocated region, inject procedure, inject size
4) inject procedure ->
4.1) VirtualProtect -> current process, target data section, PAGE_RDWR
4.2) WriteProcessMemory -> current process, target data section, your data, data size
4.3) VirtualProtect -> current process, target data section, PREV_STATE
4.4) TargetProcess.MainThread.CONTEXT.RIP -> saved RIP (just jmp to)
5) TargetProcess.MainThread.CONTEXT.RIP -> allocated region (save previous)
6) Resume process


This is a bit complicated for me, as I am not familiar with how and why the process needs to be suspended and resumed. Maybe later.
macomics 01 Apr 2025, 07:11
In your simple crackme, the message processing loop in the MessageBox function is used to suspend the main thread. While messages are being processed in this loop, the program will not execute the code in the program code section and it can be modified. The data section will also not be accessed for data access.

To exclude partial access to data and code, you need to suspend the process (stop all its threads). Then you need to make sure that the main thread has stopped outside the modifiable range for the code (injection start address <= RIP <= injection end address). You can do without this check if you allocate a new block of memory and embed the code in it (as in my example). After that, in my example, I simply switch to my code block from anywhere in the code.

I omitted in the sequence of actions the need to save registers to the state before switching. But I hope it's already obvious.

Further, the embedded procedure can already work within the implementation process space. I also omitted the need to search and link code with functions in a new space.

After performing all the actions, the code simply returns to the place where the old code was interrupted. Of course, it is necessary to restore the values of all registers to the state before running your procedure.
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.