Page 2 of 2

Posted: Tue Aug 20, 2013 3:08 am
by blabberer
because it shouldn't work
any arbitrary process shouldn't be able to write / modify any other arbitrary process
unless the writing process has gained itself the proper authorities / privileges
else any script kiddie's samanthalovesyou.scr would be able to edit winlogon.exe and
send more screen savers to bill gates from your mickysoft.oldlook

i made 3 changes to your program, the ones you suggest are setup changes the user should modify before using it:
address to write / what to write / whom to write

the three changes i do are


0:000> !grep -i -e "Calc" -c "!hwnd"
Name        Calculator   < this will be my window name
Class       SciCalc
Name        CalcMsgPumpWnd
0:000> du poi(1014b6c)   < this will be where i write
000b87c0  "Cannot divide by zero."
0:000> du 100131c  this will be what i write
0100131c  "An unknown error has occured."
0:000>
and i should get access denied for PROCESS_ALL_ACCESS in OpenProcess
changing it to PROCESS_VM_OPERATION || PROCESS_VM_WRITE

i should get an access denied error for WriteProcessMemory

from where i should strive to become a debugger proper, not some screensaver overwriting one of my important passwords with 1am133tbabe from an ordinary untrusted temporary guest account with the barest of the barest privileges on a closed-down box


i run a fresh calc instance
list the directory and pipe the output to a txt file (create new every time, so a 0 byte file with no previous entries inside)
compare the posted code with the modified code and append the results to the previously created txt file
print the contents of the file that contains the posted code for verification and append the results again to the file
compile the modified file and append the results
list the directory again and append the results
run the compiled executable and append the output
and print the contents of the file with all the results back in one go on an xp sp3 box

see below





C:\TESTPA~1>calc & dir /b > res.txt & fc modpatchmem.cpp unmodpatchmem.cpp >> res.txt & type unmodpatchmem.cpp >> res.txt & cl /EHsc modpatchmem.cpp user32.lib >> res.txt & dir/b >> res.txt & modpatchmem.exe >> res.txt & wmic os get caption, csdversion /format:list  >> res.txt & type res.txt

Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

modpatchmem.cpp
res.txt
unmodpatchmem.cpp

Comparing files modpatchmem.cpp and UNMODPATCHMEM.CPP
***** modpatchmem.cpp
// setup here
LPVOID targetAddress = (LPWORD)0x01014b6c; // address
int newValue = 0x100131c;

***** UNMODPATCHMEM.CPP
// setup here
LPVOID targetAddress = (LPWORD)0x017E5950; // address
int newValue = 1000;

*****

***** modpatchmem.cpp
{
    HWND hWnd = FindWindowW(0, L"Calculator");

***** UNMODPATCHMEM.CPP
{
    HWND hWnd = FindWindow(0, L"WindowName");

*****



#include <iostream>
#include <windows.h>

using namespace std;

// setup here
LPVOID targetAddress = (LPWORD)0x017E5950; // address
int newValue = 1000;

int main()
{
    HWND hWnd = FindWindow(0, L"WindowName");

    if(!hWnd)
    {
        cout << "Could not find target window" << endl;
        return 1;
    }

    DWORD pID;
    GetWindowThreadProcessId(hWnd, &pID);

    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
    if(!handle)
    {
        cout << "Could not open a process handle!" << endl;
        return 1;
    }

    size_t sznewValue = sizeof(newValue);
    int ret = WriteProcessMemory(handle, targetAddress, &newValue, sznewValue, NULL);

    if(ret < 1)
    {
        cout << "WriteProcessMemory failed!" << endl;
        return 1;
    }
    cout << "Written value to target memory address!" << endl;
    return 0;
}
modpatchmem.cpp

Microsoft (R) Incremental Linker Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:modpatchmem.exe
modpatchmem.obj
user32.lib
modpatchmem.cpp
modpatchmem.exe
modpatchmem.obj
res.txt
unmodpatchmem.cpp


Could not open a process handle!


Caption=Microsoft Windows XP Professional
CSDVersion=Service Pack 3



C:\TESTPA~1>


second modification




C:\TESTPA~1>ren modpatchmem.cpp modpatchmemold.cpp

C:\TESTPA~1>copy modpatchmemold.cpp modpatchmem.cpp
        1 file(s) copied.

C:\TESTPA~1>del *.exe *.txt *.obj

C:\TESTPA~1>dir /b
modpatchmem.cpp
modpatchmemold.cpp
unmodpatchmem.cpp

C:\TESTPA~1>edit modpatchmem.cpp

C:\TESTPA~1>fc modpatchmem.cpp modpatchmemold.cpp
Comparing files modpatchmem.cpp and MODPATCHMEMOLD.CPP
***** modpatchmem.cpp

    HANDLE handle = OpenProcess(PROCESS_VM_OPERATION || PROCESS_VM_WRITE, false,
 pID);
    if(!handle)
***** MODPATCHMEMOLD.CPP

    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
    if(!handle)
*****


C:\TESTPA~1>cl /EHsc modpatchmem.cpp user32.lib
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

modpatchmem.cpp
Microsoft (R) Incremental Linker Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:modpatchmem.exe
modpatchmem.obj
user32.lib

C:\TESTPA~1>modpatchmem.cpp

C:\TESTPA~1>modpatchmem.exe
Could not find target window

C:\TESTPA~1>calc

C:\TESTPA~1>modpatchmem.exe
WriteProcessMemory failed!

C:\TESTPA~1>

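The same FindWindow -> GetWindowThreadProcessId -> OpenProcess -> WriteProcessMemory flow as the posted program, written as an added example (not the poster's code or the original program from page 1) that requests only the rights WriteProcessMemory needs and reports GetLastError on each failure. The window title "Calculator", the target address 0x01014b6c and the value 0x0100131c are taken from the poster's WinDbg run and are assumptions, not verified settings; the access-right values are the Windows SDK constants restated so the mask helpers also compile on a non-Windows host. One point the helpers make explicit: PROCESS_VM_OPERATION and PROCESS_VM_WRITE are bit flags, and combining them with `||` (logical OR) produces the value 1, which is PROCESS_TERMINATE, so a handle opened that way cannot be used for WriteProcessMemory at all.

```cpp
// Added example, not the poster's code: the same FindWindow -> OpenProcess ->
// WriteProcessMemory flow, requesting only the rights WriteProcessMemory needs.
#include <cstdint>
#include <cstdio>

// Process access rights as defined in the Windows SDK (winnt.h). The values are
// restated here so the mask helpers below also compile on a non-Windows host.
enum : uint32_t {
    kProcessTerminate        = 0x0001,
    kProcessVmOperation      = 0x0008,
    kProcessVmRead           = 0x0010,
    kProcessVmWrite          = 0x0020,
    kProcessQueryInformation = 0x0400,
};

// Smallest mask that lets WriteProcessMemory succeed. The rights are bits and
// must be combined with bitwise OR.
constexpr uint32_t write_access_mask() {
    return kProcessVmOperation | kProcessVmWrite;
}

// What `PROCESS_VM_OPERATION || PROCESS_VM_WRITE` actually evaluates to: logical
// OR of two non-zero constants is 1, i.e. PROCESS_TERMINATE, so a handle opened
// with it can terminate the target but never write its memory.
constexpr uint32_t logical_or_mistake() {
    return static_cast<uint32_t>(kProcessVmOperation || kProcessVmWrite);
}

// True when a handle holding `granted` rights can be used for WriteProcessMemory.
constexpr bool can_write(uint32_t granted) {
    return (granted & write_access_mask()) == write_access_mask();
}

#ifdef _WIN32
#include <windows.h>

// Assumed setup, the same three knobs the poster changed: window title, target
// address and the 4-byte value to store there. Taken from the poster's WinDbg
// output for calc on XP SP3; they are not valid for any other build of calc.
static const wchar_t* kWindowTitle = L"Calculator";
static void* const kTargetAddress = reinterpret_cast<void*>(0x01014b6c);
static const uint32_t kNewValue = 0x0100131c;

int main() {
    HWND hwnd = FindWindowW(nullptr, kWindowTitle);
    if (!hwnd) {
        printf("Could not find target window (error %lu)\n", GetLastError());
        return 1;
    }

    DWORD pid = 0;
    if (!GetWindowThreadProcessId(hwnd, &pid) || pid == 0) {
        printf("Could not resolve owning process (error %lu)\n", GetLastError());
        return 1;
    }

    // Least privilege: ask for exactly the rights the write needs, nothing more.
    HANDLE proc = OpenProcess(write_access_mask(), FALSE, pid);
    if (!proc) {
        printf("OpenProcess(0x%x) on PID %lu failed (error %lu)\n",
               write_access_mask(), pid, GetLastError());
        return 1;
    }

    SIZE_T written = 0;
    BOOL ok = WriteProcessMemory(proc, kTargetAddress, &kNewValue,
                                 sizeof kNewValue, &written);
    DWORD err = ok ? 0 : GetLastError();
    CloseHandle(proc);

    if (!ok || written != sizeof kNewValue) {
        printf("WriteProcessMemory failed (error %lu, %u bytes written)\n",
               err, static_cast<unsigned>(written));
        return 1;
    }
    printf("Wrote %u bytes to %p in PID %lu\n",
           static_cast<unsigned>(written), kTargetAddress, pid);
    return 0;
}
#endif
```

Build it the way the thread does (`cl /EHsc minpatch.cpp user32.lib`, name assumed) and run it against a fresh calc. A reported error 5 is ERROR_ACCESS_DENIED. Two things worth knowing when reading that error: a mask of 1 (the `||` result) is denied for writing regardless of who you are, and a PROCESS_ALL_ACCESS built against a Vista-or-later SDK (the Visual Studio 2010 default) carries rights bits that the XP kernel does not recognise, so OpenProcess(PROCESS_ALL_ACCESS) fails on XP even for a process you own. Requesting only PROCESS_VM_OPERATION | PROCESS_VM_WRITE sidesteps both and is what a debugger or loader should ask for anyway.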

Posted: Tue Aug 20, 2013 6:07 am
by qZanity
Well of course! All that is needed is something very simple depending on the OS and libraries used by the target, but DLL redirection, on attach, write to memory (depending on how the dll was loaded).

Posted: Tue Aug 20, 2013 10:00 am
by Indy
NtProtectVM/NtWriteVM. Amen!

Posted: Wed Aug 21, 2013 1:34 am
by blabberer
Well of course!

oh yeah of course

so you say writing a proper debugger is a breeze for someone who just came to know that there is a programming language called c and landed here via google search; well, hats off to you

Posted: Wed Aug 21, 2013 5:04 pm
by qZanity
blabberer wrote:Well of course!

oh yeah of course

so you say writing a proper debugger is a breeze for someone who just came to know that there is a programming language called c and landed here via google search; well, hats off to you
Why thank you

Posted: Sat Jan 11, 2014 6:42 am
by techne
qZanity, blabber, thank you very much, your POF is very useful for me

Posted: Mon Jan 13, 2014 3:31 am
by Shub-nigurrath
Hi
Probably I join this thread late, but I just wanted to point out that if you need to customize your own loader the best source is here
http://www.accessroot.com/arteam/site/d ... p?view.108

and all the other loaders related tutorials you can find there like this
http://www.accessroot.com/arteam/site/d ... hp?view.81