ReadProcessMemory and MapViewOfFile (Simple Debugger Q.)

Index > Windows > ReadProcessMemory and MapViewOfFile (Simple Debugger Q.)

Author

Thread

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 01 Sep 2011, 22:42

Hello everyone. Can anyone explain me what's difference between them ?? As I guess, they does same job.. Is there any difference ?? Thanks.
EDIT:
if there is any difference, can someone show me some working example ? Thank you.

Last edited by Overflowz on 01 Sep 2011, 23:17; edited 1 time in total

01 Sep 2011, 22:42

typedef

Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

typedef 01 Sep 2011, 22:59

ReadProcessMemory reads a specific area in memory.
You must have been allowed to do so.

MapViewOfFile puts data in memory. This data can be executable or so.

I think they are the same in different contexts though

01 Sep 2011, 22:59

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 19869
Location: In your JS exploiting you and your system

revolution 01 Sep 2011, 23:01

File on disk != process data in memory. Why would you expect them to be the same?

If you map a text file on disk with MapViewOfFile, then what is the equivalent to do that with ReadProcessMemory?

01 Sep 2011, 23:01

typedef

Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

typedef 01 Sep 2011, 23:06

revolution wrote:

File on disk != process data in memory. Why would you expect them to be the same?

If you map a text file on disk with MapViewOfFile, then what is the equivalent to do that with ReadProcessMemory?

I said in different contexts, their goal is the same but different ways. That is what I meant. And notice i said different contexts.

01 Sep 2011, 23:06

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 01 Sep 2011, 23:16

revolution
you mean, MapViewOfFile can also map executable on disk in memory ?
--
Anyway, I'm trying to make little debugger (to be honest, the loader) but I don't know how debuggers work. I did something like this but I can't continue..

Code:

format PE GUI 4.0
include 'WIN32AX.INC'
entry main
section '.data' data readable writeable
fname db         "due-cm5.exe",0
baddr dd         0x00401000
int3addr db      0xCC
sinfo STARTUPINFO
pinfo PROCESS_INFORMATION
align 4
fhandle dd ?
wbytes  dd ?
section '.text' code readable executable
main:
        invoke CreateProcess,fname,0,0,0,0,CREATE_SUSPENDED,0,0,sinfo,pinfo
        mov [fhandle],eax
        invoke OpenProcess,PROCESS_ALL_ACCESS,0,[pinfo.dwProcessId]
        invoke WriteProcessMemory,eax,baddr,int3addr,1,wbytes
        ret
section '.idata' import data readable
library user32,'user32.dll',\
        kernel32,'kernel32.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'

I'm trying to put int3 (0xCC) instruction to cause exception to make little modification there but I don't know what to do next.. Anyone can suggest me the theory what should I do next ? Thank you.
--
Program has new section, that decrypts in memory and jumps to OEP (0x401000) where I'm putting int3 instruction. Also, I'll be thankful if you will give me some theory how should I dump it. Thank you!

01 Sep 2011, 23:16

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 02 Sep 2011, 01:02

Please, someone just suggest me what should I do..

02 Sep 2011, 01:02

Feryno

Joined: 23 Mar 2005
Posts: 503
Location: Czech republic, Slovak republic

Feryno 02 Sep 2011, 07:17

http://www.google.com/#q=iczelion+debug_process

DEBUG_PROCESS flag is missing, no need to CREATE_SUSPENDED
in your above sample the child won't start to run (is suspended) eitheir hit the breakpoint you write at OEP

then you must construct debug loop (WaitForDebugEvent, ContinueDebugEvent) where parent will handle exceptions coming from debuggee (child) else the child will die immediately after generating exception (this is why the DEBUG_PROCESS flag and debug loop is necessary - the parent will handle exceptions generated by the child so the child can continue its execution after generating exceptions like int3 etc)

02 Sep 2011, 07:17

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 02 Sep 2011, 13:41

Feryno
Thank you, I'll try!

02 Sep 2011, 13:41

AsmGuru62

Joined: 28 Jan 2004
Posts: 1561
Location: Toronto, Canada

AsmGuru62 02 Sep 2011, 19:04

This may be useful:
http://msdn.microsoft.com/en-us/library/ms679288(v=VS.85).aspx

02 Sep 2011, 19:04

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 02 Sep 2011, 20:37

AsmGuru62
I tried that already but I don't understand where to start.. Thanks anyway Smile

02 Sep 2011, 20:37

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 02 Sep 2011, 20:54

P.S how this structure will be in FASM style ?

Code:

DEBUG_EVENT STRUCT 
   dwDebugEventCode dd ? 
   dwProcessId dd ? 
   dwThreadId dd ? 
   u DEBUGSTRUCT <> 
DEBUG_EVENT ENDS

I don't know how to convert it because I see strange things there.. Does anyone have this structure here ? Thanks.

02 Sep 2011, 20:54

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 03 Sep 2011, 13:43

bump.. Nobody have or can't translate ? Sad

03 Sep 2011, 13:43

typedef

Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

typedef 03 Sep 2011, 14:47

in your code, doesn't CreateProcess return a boolean instead of handle?

03 Sep 2011, 14:47

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 03 Sep 2011, 17:03

typedef
damn.. you're right. but it doesn't matter for now Razz

03 Sep 2011, 17:03

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum