flat assembler - Message board for the users of flat assembler.

Windows > ReadProcessMemory and MapViewOfFile (Simple Debugger Q.)
Overflowz 01 Sep 2011, 22:42
Hello everyone. Can anyone explain to me what the difference between them is? As I guess, they do the same job. Is there any difference? Thanks.
EDIT:
If there is any difference, can someone show me a working example? Thank you.


Last edited by Overflowz on 01 Sep 2011, 23:17; edited 1 time in total
typedef 01 Sep 2011, 22:59
ReadProcessMemory reads a specific area in memory.
You must be allowed to do so.

MapViewOfFile puts data in memory. This data can be executable, for instance.

I think they are the same in different contexts, though.
revolution 01 Sep 2011, 23:01
File on disk != process data in memory. Why would you expect them to be the same?

If you map a text file on disk with MapViewOfFile, then what is the equivalent to do that with ReadProcessMemory?
typedef 01 Sep 2011, 23:06
revolution wrote:
File on disk != process data in memory. Why would you expect them to be the same?

If you map a text file on disk with MapViewOfFile, then what is the equivalent to do that with ReadProcessMemory?


I said in different contexts: their goal is the same, but reached in different ways. That is what I meant. And notice I said different contexts.
Overflowz 01 Sep 2011, 23:16
revolution:
You mean MapViewOfFile can also map an executable on disk into memory?
--
Anyway, I'm trying to make a little debugger (to be honest, a loader), but I don't know how debuggers work. I did something like this, but I can't continue..
Code:
format PE GUI 4.0
include 'WIN32AX.INC'
entry main
section '.data' data readable writeable
fname    db      "due-cm5.exe",0
baddr    dd      0x00401000          ; OEP of the target, where the breakpoint goes
int3addr db      0xCC                ; opcode of int3
sinfo    STARTUPINFO
pinfo    PROCESS_INFORMATION
align 4
fhandle  dd ?
wbytes   dd ?
section '.text' code readable executable
main:
        mov     [sinfo.cb],sizeof.STARTUPINFO
        invoke  CreateProcess,fname,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
        mov     [fhandle],eax       ; CreateProcess returns a BOOL; the handles are in pinfo
        invoke  OpenProcess,PROCESS_ALL_ACCESS,0,[pinfo.dwProcessId]
        invoke  WriteProcessMemory,eax,[baddr],int3addr,1,wbytes    ; [baddr]: the value, not the variable's address
        invoke  ExitProcess,0
section '.idata' import data readable
library user32,'user32.dll',\
        kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'

I'm trying to put an int3 (0xCC) instruction there to cause an exception, so that I can make a little modification at that point, but I don't know what to do next.. Can anyone suggest the theory of what I should do next? Thank you.
--
The program has a new section that decrypts in memory and jumps to the OEP (0x401000), where I'm putting the int3 instruction. Also, I'll be thankful if you give me some theory on how I should dump it. Thank you!
Overflowz 02 Sep 2011, 01:02
Please, someone just suggest what I should do..
Feryno 02 Sep 2011, 07:17
http://www.google.com/#q=iczelion+debug_process

The DEBUG_PROCESS flag is missing; there is no need for CREATE_SUSPENDED.
In your above sample the child won't start to run (it is suspended), nor hit the breakpoint you write at the OEP.

Then you must construct a debug loop (WaitForDebugEvent, ContinueDebugEvent) where the parent handles the exceptions coming from the debuggee (child); otherwise the child will die immediately after generating an exception. This is why the DEBUG_PROCESS flag and the debug loop are necessary: the parent handles the exceptions generated by the child, so the child can continue its execution after generating exceptions like int3 etc.
Overflowz 02 Sep 2011, 13:41
Feryno
Thank you, I'll try!
AsmGuru62 02 Sep 2011, 19:04
This may be useful:
http://msdn.microsoft.com/en-us/library/ms679288(v=VS.85).aspx
Overflowz 02 Sep 2011, 20:37
AsmGuru62:
I tried that already, but I don't understand where to start.. Thanks anyway :)
Overflowz 02 Sep 2011, 20:54
P.S. How would this structure look in FASM style?

Code:
DEBUG_EVENT STRUCT
   dwDebugEventCode dd ?
   dwProcessId dd ?
   dwThreadId dd ?
   u DEBUGSTRUCT <>
DEBUG_EVENT ENDS

I don't know how to convert it because I see strange things there.. Does anyone here have this structure? Thanks.
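The debug loop Feryno describes, with the DEBUG_EVENT structure asked about above written out in fasm syntax, as an added example that is not from this thread or from the fasm package. It is 32-bit only; the constants are the documented WinAPI values but are defined locally rather than taken from the include set; 'target.exe' and 'oep_dump.bin' are placeholders, the OEP 0x00401000 is the one from the thread, and it assumes the breakpoint is reached on the main thread and that the target does not overwrite the OEP byte after the breakpoint is planted. It also shows the distinction revolution draws in the first replies: ReadProcessMemory copies what is in the live process (here, the region at the OEP after the target has run), whereas MapViewOfFile would only give the bytes of the file on disk.

```asm
format PE console 4.0
include 'win32ax.inc'

; documented WinAPI values, defined here so the example does not depend on
; which equates the include set ships (redefining a numeric constant is fine)
DEBUG_PROCESS              = 0x00000001
EXCEPTION_DEBUG_EVENT      = 1
CREATE_PROCESS_DEBUG_EVENT = 3
EXIT_PROCESS_DEBUG_EVENT   = 5
EXCEPTION_BREAKPOINT       = 0x80000003
DBG_CONTINUE               = 0x00010002
DBG_EXCEPTION_NOT_HANDLED  = 0x80010001
CONTEXT_CONTROL            = 0x00010001
CONTEXT_SIZE               = 0x2CC      ; sizeof(CONTEXT) on x86
CONTEXT_EIP                = 0xB8       ; offset of Eip inside CONTEXT on x86
DUMP_SIZE                  = 0x1000

; x86 DEBUG_EVENT with only the Exception member of the union written out
; (EXCEPTION_RECORD, then dwFirstChance); it is the largest union member,
; so the 96-byte total matches the real structure
struct DEBUG_EVENT
  dwDebugEventCode     dd ?
  dwProcessId          dd ?
  dwThreadId           dd ?
  ExceptionCode        dd ?
  ExceptionFlags       dd ?
  ExceptionRecord      dd ?
  ExceptionAddress     dd ?
  NumberParameters     dd ?
  ExceptionInformation rd 15
  dwFirstChance        dd ?
ends

.data
  fname    db 'target.exe',0      ; placeholder name of the debuggee
  dumpname db 'oep_dump.bin',0    ; placeholder output file
  oep      dd 0x00401000          ; OEP from the thread
  int3     db 0xCC
  saved    db ?                   ; original byte at the OEP
  sinfo    STARTUPINFO
  pinfo    PROCESS_INFORMATION
  dbgev    DEBUG_EVENT
  ctx      rb CONTEXT_SIZE
  dumpbuf  rb DUMP_SIZE
  count    dd ?
  hdump    dd ?
  status   dd ?

.code
main:
        mov     [sinfo.cb],sizeof.STARTUPINFO
        ; DEBUG_PROCESS: the child runs, and every exception it raises is
        ; reported to this loop before the child gets to see it
        invoke  CreateProcess,fname,0,0,0,0,DEBUG_PROCESS,0,0,sinfo,pinfo
        test    eax,eax                 ; BOOL; the handles are in pinfo
        jz      done
  debug_loop:
        invoke  WaitForDebugEvent,dbgev,-1
        test    eax,eax
        jz      done
        mov     [status],DBG_CONTINUE
        cmp     [dbgev.dwDebugEventCode],CREATE_PROCESS_DEBUG_EVENT
        je      plant_bp
        cmp     [dbgev.dwDebugEventCode],EXCEPTION_DEBUG_EVENT
        je      on_exception
        cmp     [dbgev.dwDebugEventCode],EXIT_PROCESS_DEBUG_EVENT
        je      done
        jmp     resume
  plant_bp:
        ; the image is mapped now: keep the original byte and write int3
        ; (if the target decrypts this region later, that would overwrite
        ; the 0xCC, so the breakpoint would have to be planted afterwards)
        invoke  ReadProcessMemory,[pinfo.hProcess],[oep],saved,1,count
        invoke  WriteProcessMemory,[pinfo.hProcess],[oep],int3,1,count
        jmp     resume
  on_exception:
        mov     [status],DBG_EXCEPTION_NOT_HANDLED   ; real faults stay the child's
        cmp     [dbgev.ExceptionCode],EXCEPTION_BREAKPOINT
        jne     resume
        mov     [status],DBG_CONTINUE   ; int3 is ours (the initial ntdll one too)
        mov     eax,[oep]
        cmp     [dbgev.ExceptionAddress],eax
        jne     resume
        ; restore the byte and rewind EIP over the int3 (main thread assumed)
        invoke  WriteProcessMemory,[pinfo.hProcess],[oep],saved,1,count
        mov     dword [ctx],CONTEXT_CONTROL
        invoke  GetThreadContext,[pinfo.hThread],ctx
        dec     dword [ctx+CONTEXT_EIP]
        invoke  SetThreadContext,[pinfo.hThread],ctx
        ; ReadProcessMemory copies the live process memory at the OEP out
        invoke  ReadProcessMemory,[pinfo.hProcess],[oep],dumpbuf,DUMP_SIZE,count
        invoke  CreateFile,dumpname,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
        mov     [hdump],eax
        invoke  WriteFile,[hdump],dumpbuf,[count],count,0
        invoke  CloseHandle,[hdump]
  resume:
        invoke  ContinueDebugEvent,[dbgev.dwProcessId],[dbgev.dwThreadId],[status]
        jmp     debug_loop
  done:
        invoke  ExitProcess,0
.end main
```

Two details matter for the loop to behave: breakpoint exceptions are answered with DBG_CONTINUE (the debugger owns int3, including the initial one raised by ntdll before the entry point runs), while any other exception is passed back with DBG_EXCEPTION_NOT_HANDLED so the child's own handlers see it; and after the hit the saved byte is written back and EIP is moved one byte back, because the int3 has already been executed when the event arrives.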
Overflowz 03 Sep 2011, 13:43
bump.. Nobody has it or can translate it? :(
typedef 03 Sep 2011, 14:47
In your code, doesn't CreateProcess return a boolean instead of a handle?
Overflowz 03 Sep 2011, 17:03
typedef:
Damn.. you're right. But it doesn't matter for now :P
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.