Index
> Windows > ReadProcessMemory and MapViewOfFile (Simple Debugger Q.) |
| Author |
|
|
typedef
ReadProcessMemory reads a specific area in memory.
You must have been allowed to do so. MapViewOfFile puts data in memory. This data can be executable or so. I think they are the same in different contexts though |
|||
01 Sep 2011, 22:59 |
|
|
revolution
File on disk != process data in memory. Why would you expect them to be the same?
If you map a text file on disk with MapViewOfFile, then what is the equivalent to do that with ReadProcessMemory? |
|||
|
01 Sep 2011, 23:01 |
|
|
typedef
revolution wrote: File on disk != process data in memory. Why would you expect them to be the same? I said in different contexts, their goal is the same but different ways. That is what I meant. And notice i said different contexts. |
|||
|
01 Sep 2011, 23:06 |
|
|
Overflowz
revolution
you mean, MapViewOfFile can also map executable on disk in memory ? -- Anyway, I'm trying to make little debugger (to be honest, the loader) but I don't know how debuggers work. I did something like this but I can't continue.. Code: format PE GUI 4.0 include 'WIN32AX.INC' entry main section '.data' data readable writeable fname db "due-cm5.exe",0 baddr dd 0x00401000 int3addr db 0xCC sinfo STARTUPINFO pinfo PROCESS_INFORMATION align 4 fhandle dd ? wbytes dd ? section '.text' code readable executable main: invoke CreateProcess,fname,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo mov [fhandle],eax invoke OpenProcess,PROCESS_ALL_ACCESS,0,[pinfo.dwProcessId] invoke WriteProcessMemory,eax,baddr,int3addr,1,wbytes ret section '.idata' import data readable library user32,'user32.dll',\ kernel32,'kernel32.dll' include 'API\USER32.INC' include 'API\KERNEL32.INC' I'm trying to put int3 (0xCC) instruction to cause exception to make little modification there but I don't know what to do next.. Anyone can suggest me the theory what should I do next ? Thank you. -- Program has new section, that decrypts in memory and jumps to OEP (0x401000) where I'm putting int3 instruction. Also, I'll be thankful if you will give me some theory how should I dump it. Thank you! |
|||
|
01 Sep 2011, 23:16 |
|
|
Overflowz
Please, someone just suggest me what should I do..
|
|||
|
02 Sep 2011, 01:02 |
|
|
Feryno
http://www.google.com/#q=iczelion+debug_process
DEBUG_PROCESS flag is missing, no need to CREATE_SUSPENDED in your above sample the child won't start to run (is suspended) eitheir hit the breakpoint you write at OEP then you must construct debug loop (WaitForDebugEvent, ContinueDebugEvent) where parent will handle exceptions coming from debuggee (child) else the child will die immediately after generating exception (this is why the DEBUG_PROCESS flag and debug loop is necessary - the parent will handle exceptions generated by the child so the child can continue its execution after generating exceptions like int3 etc) |
|||
|
02 Sep 2011, 07:17 |
|
|
Overflowz
Feryno
Thank you, I'll try! |
|||
|
02 Sep 2011, 13:41 |
|
|
AsmGuru62
This may be useful:
http://msdn.microsoft.com/en-us/library/ms679288(v=VS.85).aspx |
|||
|
02 Sep 2011, 19:04 |
|
|
Overflowz
AsmGuru62
I tried that already but I don't understand where to start.. Thanks anyway  |
|||
|
02 Sep 2011, 20:37 |
|
|
Overflowz
P.S how this structure will be in FASM style ?
Code: DEBUG_EVENT STRUCT
dwDebugEventCode dd ?
dwProcessId dd ?
dwThreadId dd ?
u DEBUGSTRUCT <>
DEBUG_EVENT ENDS I don't know how to convert it because I see strange things there.. Does anyone have this structure here ? Thanks. |
|||
|
02 Sep 2011, 20:54 |
|
|
Overflowz
bump.. Nobody have or can't translate ?
 |
|||
|
03 Sep 2011, 13:43 |
|
|
typedef
in your code, doesn't CreateProcess return a boolean instead of handle?
|
|||
|
03 Sep 2011, 14:47 |
|
|
Overflowz
typedef
damn.. you're right. but it doesn't matter for now  |
|||
|
03 Sep 2011, 17:03 |
|
< Last Thread | Next Thread > |
Forum Rules:
|