Patch a program in memory

First timers and new learners, this forum is for you. Please use the search function to see if your question has already been answered.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

Because it shouldn't work.
Any arbitrary process shouldn't be able to write to / modify any other arbitrary process
unless the writing process has gained itself the proper authority / privileges;
else any script kiddie's samanthalovesyou.scr would be able to edit winlogon.exe and
send more screen savers to Bill Gates from your mickysoft.oldlook.

I made 3 changes to your program, the ones you suggest are setup changes the user should modify before using it:
address to write / what to write / whom to write to.

The three changes I made are:

Code:

0:000> !grep -i -e "Calc" -c "!hwnd"
Name        Calculator   < this will be my window name
Class       SciCalc
Name        CalcMsgPumpWnd
0:000> du poi(1014b6c)   < this will be where i write
000b87c0  "Cannot divide by zero."
0:000> du 100131c   < this will be what i write
0100131c  "An unknown error has occured."
0:000>
and I should get access denied for PROCESS_ALL_ACCESS in OpenProcess;
changing it to PROCESS_VM_OPERATION || PROCESS_VM_WRITE,

I should get an access denied error for WriteProcessMemory.

From there I should strive to become a proper debugger, not some screensaver overwriting one of my important passwords with 1am133tbabe from an ordinary untrusted temporary guest account with the barest of the barest privileges on a closed-down box.


I run a fresh calc instance,
list the directory and pipe the output to a txt file (created new every time, so a 0-byte file with no previous entries inside),
compare the posted code with the modified code and append the results to the previously created txt file,
print the contents of the file that contains the posted code for verification and append the results again to the file,
compile the modified file and append the results,
list the directory again and append the results,
run the compiled executable and append the output,
and print the contents of the file with all the results back in one go, on an XP SP3 box.

see below



Code:


C:\TESTPA~1>calc & dir /b > res.txt & fc modpatchmem.cpp unmodpatchmem.cpp >> res.txt & type unmodpatchmem.cpp >> res.txt & cl /EHsc modpatchmem.cpp user32.lib >> res.txt & dir/b >> res.txt & modpatchmem.exe >> res.txt & wmic os get caption, csdversion /format:list  >> res.txt & type res.txt

Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

modpatchmem.cpp
res.txt
unmodpatchmem.cpp

Comparing files modpatchmem.cpp and UNMODPATCHMEM.CPP
***** modpatchmem.cpp
// setup here
LPVOID targetAddress = (LPWORD)0x01014b6c; // address
int newValue = 0x100131c;

***** UNMODPATCHMEM.CPP
// setup here
LPVOID targetAddress = (LPWORD)0x017E5950; // address
int newValue = 1000;

*****

***** modpatchmem.cpp
{
    HWND hWnd = FindWindowW(0, L"Calculator");

***** UNMODPATCHMEM.CPP
{
    HWND hWnd = FindWindow(0, L"WindowName");

*****



#include <iostream>
#include <windows.h>

using namespace std;

// setup here
LPVOID targetAddress = (LPWORD)0x017E5950; // address
int newValue = 1000;

int main()
{
    HWND hWnd = FindWindow(0, L"WindowName");

    if(!hWnd)
    {
        cout << "Could not find target window" << endl;
        return 1;
    }

    DWORD pID;
    GetWindowThreadProcessId(hWnd, &pID);

    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
    if(!handle)
    {
        cout << "Could not open a process handle!" << endl;
        return 1;
    }

    size_t sznewValue = sizeof(newValue);
    int ret = WriteProcessMemory(handle, targetAddress, &newValue, sznewValue, NULL);

    if(ret < 1)
    {
        cout << "WriteProcessMemory failed!" << endl;
        return 1;
    }
    cout << "Written value to target memory address!" << endl;
    return 0;
}
modpatchmem.cpp

Microsoft (R) Incremental Linker Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:modpatchmem.exe
modpatchmem.obj
user32.lib
modpatchmem.cpp
modpatchmem.exe
modpatchmem.obj
res.txt
unmodpatchmem.cpp


Could not open a process handle!


Caption=Microsoft Windows XP Professional
CSDVersion=Service Pack 3



C:\TESTPA~1>


second modification

Code:



C:\TESTPA~1>ren modpatchmem.cpp modpatchmemold.cpp

C:\TESTPA~1>copy modpatchmemold.cpp modpatchmem.cpp
        1 file(s) copied.

C:\TESTPA~1>del *.exe *.txt *.obj

C:\TESTPA~1>dir /b
modpatchmem.cpp
modpatchmemold.cpp
unmodpatchmem.cpp

C:\TESTPA~1>edit modpatchmem.cpp

C:\TESTPA~1>fc modpatchmem.cpp modpatchmemold.cpp
Comparing files modpatchmem.cpp and MODPATCHMEMOLD.CPP
***** modpatchmem.cpp

    HANDLE handle = OpenProcess(PROCESS_VM_OPERATION || PROCESS_VM_WRITE, false, pID);
    if(!handle)
***** MODPATCHMEMOLD.CPP

    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
    if(!handle)
*****


C:\TESTPA~1>cl /EHsc modpatchmem.cpp user32.lib
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

modpatchmem.cpp
Microsoft (R) Incremental Linker Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:modpatchmem.exe
modpatchmem.obj
user32.lib

C:\TESTPA~1>modpatchmem.cpp

C:\TESTPA~1>modpatchmem.exe
Could not find target window

C:\TESTPA~1>calc

C:\TESTPA~1>modpatchmem.exe
WriteProcessMemory failed!

C:\TESTPA~1>

qZanity
Junior Member
Posts: 4
Joined: Fri Aug 16, 2013 3:59 pm

Post by qZanity »

Well of course! All that is needed is something very simple, depending on the OS and libraries used by the target, but DLL redirection, ON ATTACH, write to memory (depending on how the DLL was loaded).
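
An added example of the in-process route qZanity describes, written for this page rather than taken from any poster: once a DLL is loaded into the target, DllMain on DLL_PROCESS_ATTACH already runs inside the target's address space, so no OpenProcess and no process rights are involved; the only obstacle is page protection, lifted and restored around the copy. The names `patch_in_place`, `demo_patch_readonly_page` and `PAGE_BYTES` are mine, the addresses in DllMain are the ones from blabberer's WinDbg session (valid for that XP SP3 calc.exe only), and how the DLL gets loaded is not shown. The POSIX branch (mprotect) exists so the demo runs anywhere; on Windows the same function uses VirtualProtect.

```c
/* Added example, not code from the thread: patch memory from inside the
 * target, as a DLL loaded into it can do from DllMain(DLL_PROCESS_ATTACH).
 * Build with cl /LD for the DLL, or as a plain executable to run the demo. */
#define _DEFAULT_SOURCE 1
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
# ifdef MAP_ANON
#  define MAP_ANONYMOUS MAP_ANON      /* BSD spelling */
# else
#  define MAP_ANONYMOUS 0x20          /* Linux value */
# endif
#endif
#endif

#define PAGE_BYTES 4096               /* size of the constructed target page */

/* Copy n bytes over addr, making the page(s) that contain it writable first.
 * Returns 1 on success, 0 if the protection change was refused. */
int patch_in_place(void *addr, const void *src, size_t n)
{
#ifdef _WIN32
    DWORD old = 0, tmp = 0;
    if (!VirtualProtect(addr, n, PAGE_EXECUTE_READWRITE, &old)) return 0;
    memcpy(addr, src, n);
    VirtualProtect(addr, n, old, &tmp);                  /* put the old protection back */
    FlushInstructionCache(GetCurrentProcess(), addr, n); /* matters when code was patched */
    return 1;
#else
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end   = ((uintptr_t)addr + n + page - 1) & ~(page - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE) != 0) return 0;
    memcpy(addr, src, n);
    /* mprotect reports no previous protection, so this demo assumes the page
     * was read-only; a real loader would record the mapping's permissions first. */
    return mprotect((void *)start, end - start, PROT_READ) == 0;
#endif
}

/* Constructed target: one anonymous page made read-only, holding the string
 * the thread repoints calc away from. Returns 1 if the patch landed. */
static const char OLD_MSG[] = "Cannot divide by zero.";
static const char NEW_MSG[] = "An unknown error has occurred.";

int demo_patch_readonly_page(void)
{
    int ok;
#ifdef _WIN32
    DWORD old = 0;
    char *page = (char *)VirtualAlloc(NULL, PAGE_BYTES, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!page) return 0;
    memcpy(page, OLD_MSG, sizeof OLD_MSG);
    VirtualProtect(page, PAGE_BYTES, PAGE_READONLY, &old);
    ok = patch_in_place(page, NEW_MSG, sizeof NEW_MSG) && strcmp(page, NEW_MSG) == 0;
    VirtualFree(page, 0, MEM_RELEASE);
#else
    char *page = mmap(NULL, PAGE_BYTES, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return 0;
    memcpy(page, OLD_MSG, sizeof OLD_MSG);
    if (mprotect(page, PAGE_BYTES, PROT_READ) != 0) return 0;   /* now read-only, like .rdata */
    ok = patch_in_place(page, NEW_MSG, sizeof NEW_MSG) && strcmp(page, NEW_MSG) == 0;
    munmap(page, PAGE_BYTES);
#endif
    return ok;
}

#ifdef _WIN32
/* Loaded into calc: on attach, overwrite the pointer slot from blabberer's
 * WinDbg session. Both addresses belong to that XP SP3 calc.exe only. */
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        DWORD value = 0x0100131c;
        DisableThreadLibraryCalls(inst);
        patch_in_place((void *)0x01014b6c, &value, sizeof value);
    }
    return TRUE;
}
#endif

int main(void)
{
    int ok = demo_patch_readonly_page();
    printf("%s\n", ok ? "patched read-only page in place" : "patch failed");
    return ok ? 0 : 1;
}
```

Doing as little as possible in DllMain is the rule here: the loader lock is held, so resolving addresses and patching bytes is fine, but loading further libraries or creating threads that wait on them from inside DllMain is not.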
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

NtProtectVM/NtWriteVM. Amen!
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

Well of course!

oh yeah of course

so you say writing a proper debugger is a breeze for someone who just came to know that there is a programming language called C and landed here via a Google search? well, hats off to you
qZanity
Junior Member
Posts: 4
Joined: Fri Aug 16, 2013 3:59 pm

Post by qZanity »

blabberer wrote:Well of course!

oh yeah of course

so you say writing a proper debugger is a breeze for someone who just came to know that there is a programming language called C and landed here via a Google search? well, hats off to you
Why thank you
techne
Junior Member
Posts: 19
Joined: Thu Jul 04, 2013 3:08 pm

Post by techne »

qZanity, blabberer, thank you very much, your POF is very useful for me
Shub-nigurrath
Senior Member
Posts: 431
Joined: Mon May 10, 2004 2:00 pm
Location: Obscure Kadath

Post by Shub-nigurrath »

Hi
I am probably joining this thread late, but I just wanted to point out that if you need to customize your own loader, the best source is here
http://www.accessroot.com/arteam/site/d ... p?view.108

and all the other loader-related tutorials you can find there, like this one
http://www.accessroot.com/arteam/site/d ... hp?view.81
(¯`·._.·[¯¨´*·~-.¸¸,.-~*´¨ Ŝħůβ¬Ňïĝµŕřāŧħ ₪¯¨´*·~-.¸¸,.-~*´¨]·._.·´¯)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com