flat assembler
Message board for the users of flat assembler.
ReadProcessMemory and MapViewOfFile (Simple Debugger Q.)
typedef 01 Sep 2011, 22:59
ReadProcessMemory reads a specific area in memory.
You must have been allowed to do so. MapViewOfFile puts data in memory. This data can be executable or so. I think they are the same in different contexts though.
revolution 01 Sep 2011, 23:01
File on disk != process data in memory. Why would you expect them to be the same?
If you map a text file on disk with MapViewOfFile, then what is the equivalent to do that with ReadProcessMemory?
typedef 01 Sep 2011, 23:06
revolution wrote: "File on disk != process data in memory. Why would you expect them to be the same?"
I said in different contexts; their goal is the same, but in different ways. That is what I meant. And notice I said different contexts.
Overflowz 01 Sep 2011, 23:16
revolution
You mean MapViewOfFile can also map an executable on disk into memory? -- Anyway, I'm trying to make a little debugger (to be honest, a loader), but I don't know how debuggers work. I did something like this but I can't continue..
Code:
    format PE GUI 4.0
    include 'WIN32AX.INC'
    entry main

    section '.data' data readable writeable
      fname    db "due-cm5.exe",0
      baddr    dd 0x00401000        ; OEP of the target
      int3addr db 0xCC              ; the int3 byte to plant there
      sinfo    STARTUPINFO
      pinfo    PROCESS_INFORMATION
      align 4
      fhandle  dd ?
      wbytes   dd ?

    section '.text' code readable executable
    main:
      invoke CreateProcess,fname,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
      mov    [fhandle],eax          ; CreateProcess returns a BOOL; the handles are in pinfo
      invoke OpenProcess,PROCESS_ALL_ACCESS,0,[pinfo.dwProcessId]
      ; [baddr] passes the OEP value; a bare baddr would pass the address of the variable
      invoke WriteProcessMemory,eax,[baddr],int3addr,1,wbytes
      ret

    section '.idata' import data readable
      library user32,'user32.dll',\
              kernel32,'kernel32.dll'
      include 'API\USER32.INC'
      include 'API\KERNEL32.INC'
I'm trying to put an int3 (0xCC) instruction there to cause an exception, so I can make a little modification there, but I don't know what to do next.. Can anyone suggest the theory of what I should do next? Thank you. -- The program has a new section that decrypts in memory and jumps to OEP (0x401000), where I'm putting the int3 instruction. Also, I'll be thankful if you give me some theory on how I should dump it. Thank you!
Overflowz 02 Sep 2011, 01:02
Please, someone just suggest what I should do..
Feryno 02 Sep 2011, 07:17
http://www.google.com/#q=iczelion+debug_process
The DEBUG_PROCESS flag is missing; there is no need for CREATE_SUSPENDED. In your sample above the child won't start to run (it is suspended). Once it hits the breakpoint you write at OEP, you must have constructed a debug loop (WaitForDebugEvent, ContinueDebugEvent) where the parent handles the exceptions coming from the debuggee (child); otherwise the child will die immediately after generating the exception. This is why the DEBUG_PROCESS flag and the debug loop are necessary: the parent handles the exceptions generated by the child, so the child can continue its execution after generating exceptions like int3 etc.
Overflowz 02 Sep 2011, 13:41
Feryno
Thank you, I'll try!
AsmGuru62 02 Sep 2011, 19:04
This may be useful:
http://msdn.microsoft.com/en-us/library/ms679288(v=VS.85).aspx
Overflowz 02 Sep 2011, 20:37
AsmGuru62
I tried that already, but I don't understand where to start.. Thanks anyway.
Overflowz 02 Sep 2011, 20:54
P.S. How would this structure look in FASM style?
Code:
    DEBUG_EVENT STRUCT
      dwDebugEventCode dd ?
      dwProcessId      dd ?
      dwThreadId       dd ?
      u                DEBUGSTRUCT <>
    DEBUG_EVENT ENDS
I don't know how to convert it because I see strange things there.. Does anyone have this structure here? Thanks.
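Taking Feryno's description of the debug loop together with the DEBUG_EVENT question above, here is an added example of the complete thing in FASM. It is not code from anyone in this thread or from the fasm package. The debuggee name due-cm5.exe and the OEP 0x401000 are taken from Overflowz's post; dump.bin is an arbitrary output name chosen here. It assumes the standard fasm Win32 includes: win32ax.inc with the struct macro, STARTUPINFO, PROCESS_INFORMATION and CONTEXT with the field names sizeof.STARTUPINFO and regEip, and the kernel32 equates for INFINITE, CONTEXT_CONTROL, MEM_COMMIT, PAGE_READWRITE, GENERIC_WRITE, CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL. DEBUG_EVENT is laid out in the code because the includes of that time did not have it; if yours do, drop the struct. The other Win32 constants it needs are restated with =, which fasm lets you redefine, so the block does not depend on what a given include version ships. It is 32-bit only: the union size and the offsets inside it are those of the x86 DEBUG_EVENT.

```asm
format PE GUI 4.0
include 'win32ax.inc'
; DEBUG_EVENT in fasm style; on x86 the union is 84 bytes (EXCEPTION_DEBUG_INFO
; is its largest member), so sizeof.DEBUG_EVENT is 96 as in winbase.h
struct DEBUG_EVENT
  dwDebugEventCode dd ?
  dwProcessId      dd ?
  dwThreadId       dd ?
  u                rb 84
ends
; winbase.h / winnt.h values (restated so they do not depend on the include version)
DEBUG_ONLY_THIS_PROCESS    = 2
EXCEPTION_DEBUG_EVENT      = 1
CREATE_PROCESS_DEBUG_EVENT = 3
EXIT_PROCESS_DEBUG_EVENT   = 5
EXCEPTION_BREAKPOINT       = 80000003h
DBG_CONTINUE               = 00010002h
DBG_EXCEPTION_NOT_HANDLED  = 80010001h

section '.data' data readable writeable
  target   db 'due-cm5.exe',0      ; debuggee named in the post above
  dumpname db 'dump.bin',0         ; raw image dump, written once OEP is reached
  oep      dd 0x00401000
  int3     db 0xCC
  origbyte db ?
  sinfo    STARTUPINFO
  pinfo    PROCESS_INFORMATION
  ev       DEBUG_EVENT
  ctx      CONTEXT
  status   dd ?
  imgbase  dd ?
  imgsize  dd ?
  bytes    dd ?

section '.text' code readable executable
main:
        mov     [sinfo.cb],sizeof.STARTUPINFO
        ; as debuggee the child only runs between debug events: no CREATE_SUSPENDED needed
        invoke  CreateProcess,target,0,0,0,0,DEBUG_ONLY_THIS_PROCESS,0,0,sinfo,pinfo
        test    eax,eax                      ; a BOOL, not a handle: the handles are in pinfo
        jz      .done
.loop:
        invoke  WaitForDebugEvent,ev,INFINITE
        test    eax,eax
        jz      .done
        mov     [status],DBG_CONTINUE
        mov     eax,[ev.dwDebugEventCode]
        cmp     eax,CREATE_PROCESS_DEBUG_EVENT
        je      .created
        cmp     eax,EXCEPTION_DEBUG_EVENT
        je      .exception
        cmp     eax,EXIT_PROCESS_DEBUG_EVENT
        je      .done
        jmp     .continue
.created:
        ; child is stopped before its first instruction: save the byte at OEP, plant int3
        mov     eax,dword [ev.u+12]          ; u.CreateProcessInfo.lpBaseOfImage
        mov     [imgbase],eax
        invoke  ReadProcessMemory,[pinfo.hProcess],[oep],origbyte,1,bytes
        invoke  WriteProcessMemory,[pinfo.hProcess],[oep],int3,1,bytes
        jmp     .continue
.exception:
        mov     [status],DBG_EXCEPTION_NOT_HANDLED     ; non-breakpoints go to the child's SEH
        cmp     dword [ev.u+0],EXCEPTION_BREAKPOINT    ; u.Exception.ExceptionRecord.ExceptionCode
        jne     .continue
        mov     [status],DBG_CONTINUE        ; an int3: the loader's initial one, or ours
        mov     eax,dword [ev.u+12]          ; u.Exception.ExceptionRecord.ExceptionAddress
        cmp     eax,[oep]
        jne     .continue
        ; ours: restore the byte, then rewind EIP (it already points past the int3)
        invoke  WriteProcessMemory,[pinfo.hProcess],[oep],origbyte,1,bytes
        mov     [ctx.ContextFlags],CONTEXT_CONTROL
        invoke  GetThreadContext,[pinfo.hThread],ctx   ; OEP is reached on the main thread
        dec     [ctx.regEip]
        invoke  SetThreadContext,[pinfo.hThread],ctx
        call    dump_image
.continue:
        invoke  ContinueDebugEvent,[ev.dwProcessId],[ev.dwThreadId],[status]
        jmp     .loop
.done:
        invoke  ExitProcess,0

; read SizeOfImage from the child's PE header, then copy base..base+SizeOfImage to disk
dump_image:
        mov     eax,[imgbase]
        add     eax,3Ch                      ; IMAGE_DOS_HEADER.e_lfanew
        invoke  ReadProcessMemory,[pinfo.hProcess],eax,imgsize,4,bytes
        mov     eax,[imgbase]
        add     eax,[imgsize]
        add     eax,50h                      ; IMAGE_NT_HEADERS32.OptionalHeader.SizeOfImage
        invoke  ReadProcessMemory,[pinfo.hProcess],eax,imgsize,4,bytes
        invoke  VirtualAlloc,0,[imgsize],MEM_COMMIT,PAGE_READWRITE
        mov     esi,eax
        invoke  ReadProcessMemory,[pinfo.hProcess],[imgbase],esi,[imgsize],bytes
        invoke  CreateFile,dumpname,GENERIC_WRITE,0,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
        mov     ebx,eax
        invoke  WriteFile,ebx,esi,[imgsize],bytes,0
        invoke  CloseHandle,ebx
        ret

section '.idata' import data readable
  library kernel32,'KERNEL32.DLL'
  include 'API\KERNEL32.INC'
```

Assemble it with fasm, put the result next to the target and run it. CreateProcess with DEBUG_ONLY_THIS_PROCESS (DEBUG_PROCESS would additionally attach to any children the target spawns) makes this process the debugger, so CREATE_SUSPENDED is not needed: the child only runs between WaitForDebugEvent and ContinueDebugEvent. At CREATE_PROCESS_DEBUG_EVENT the child has not executed an instruction yet, so the original byte at OEP is saved and 0xCC written over it. The first EXCEPTION_BREAKPOINT is the loader's initial breakpoint inside ntdll, answered with DBG_CONTINUE; the one whose ExceptionAddress is OEP is ours, so the byte is put back and EIP is decremented, because the CPU has already executed the int3. Every other exception is answered with DBG_EXCEPTION_NOT_HANDLED so that the target's own SEH handlers, which packers rely on, still see it.

Two caveats for the target described above. If the unpacker decrypts the section that contains OEP, the 0xCC planted at creation is overwritten and the breakpoint never fires (or the program crashes on a corrupted byte). A hardware breakpoint survives that: at the initial breakpoint set DR0 = OEP and DR7 = 1 (L0 enabled, R/W0 = 00 for execute, LEN0 = 00) with SetThreadContext and CONTEXT_DEBUG_REGISTERS; the hit then arrives as EXCEPTION_SINGLE_STEP (80000004h) with EIP already at OEP, so there is no byte to restore and no rewind. Second, dump.bin is a raw copy of the virtual image: sections sit at their virtual alignment, not their file alignment, so to get something the loader accepts you set each section's PointerToRawData = VirtualAddress and SizeOfRawData = VirtualSize in the dumped header, set AddressOfEntryPoint to OEP, and rebuild the import table afterwards.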
Overflowz 03 Sep 2011, 13:43
bump.. Nobody has it or can translate it?
typedef 03 Sep 2011, 14:47
In your code, doesn't CreateProcess return a boolean instead of a handle?
Overflowz 03 Sep 2011, 17:03
typedef
Damn.. you're right. But it doesn't matter for now.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.