From: R.Wieser on
Hello All,

I'm currently using CreateProcess in its simplest form with the
"process_suspended" flag and a pointer to a "process_info" structure.
After that I'm using ReadProcessMemory to get and check for the existence of
a certain string, after which I alter the read data and use
WriteProcessMemory to put it back into its place.

Alas, this method results, when trying to write, in a 5, "Access denied"
error.

Opening the process again using "OpenProcess" with the "process_all_access"
flags and doing the above read-write combination again results in a 998,
"Invalid memory access" error (on the write).

According to my googling either of the above should have worked, but simply
doesn't when I try it.

My question : Have I forgotten something in the above ?

Regards,
Rudy Wieser



From: Xavier Roche on
R.Wieser wrote:
> My question : Have I forgotten something in the above ?

Are you sure the given memory region is within a region which is writable ?

I.e. if you are trying to modify a read-only mmap'ed region (such as the
constant string & friends zone), this won't work. Maybe in this case you
could try to remap the region in anonymous copy-on-write zone, but I'm
not familiar enough with the WIN32 MapViewOfFile() API to guarantee that.

From: R.Wieser on
Hello Xavier,

> Are you sure the given memory region is within
> a region which is writable ?

I did think about that, but have, while googling for information, not found
anything in regard to it. No remark (to the WriteProcessMemory command)
about needing to consider it, no remark to a way of checking of the
writability of an area, no possibility of altering of that status. Because
of it I assumed that the "process_all_access" setting would take care of
that.

I hope that someone will read my question and your remark to it and can
provide some definitive to it (and maybe a method to re-enable the
write-possibility to the whole program-memory).

Thanks for the response.

Regards,
Rudy Wieser





From: Xavier Roche on
R.Wieser wrote:
> I hope that someone will read my question and your remark to it and can
> provide some definitive to it (and maybe a method to re-enable the
> write-possibility to the whole program-memory).

Unless you copy-on-write the given region, there is no way to "enable"
write on these regions IMHO. Constants (such as strings, resources ..)
of a program are directly mmap'ed from disk to memory -- i.e. the
read-only regions are direct program "disk" data views.

From: R.Wieser on
Hello Xavier,

> Unless you copy-on-write the given region, there is no
> way to "enable" write on these regions IMHO.

Shucks.

> Constants (such as strings, resources ..) of a program
> are directly mmap'ed from disk to memory -- ie. the
> read-only regions are direct program "disk" data views.

That sounds in-par with the fact that you can't delete a running program.

Funny though : only the third of the sections in the program has the
"writable" bit on (section-flags : 60000020, 40000020, C0000020, and again
40000020), but I can write into the first section (which contains code), but
not the second (which contains data).

I'll have to dig into it some more.

Regards,
Rudy Wieser
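
Added example, not part of any post in this thread: a small C program that decodes the four section-flag values quoted above (60000020, 40000020, C0000020, 40000020) out of a constructed section-header table and reports which section is marked writable. The section names and the table itself are made up for illustration; the bit values and the 40-byte header layout with the flags at offset 36 are those of the PE/COFF format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* PE/COFF section characteristics bits (IMAGE_SCN_MEM_*). */
#define SCN_MEM_EXECUTE 0x20000000u
#define SCN_MEM_READ    0x40000000u
#define SCN_MEM_WRITE   0x80000000u
#define HDR_SIZE  40  /* size of one IMAGE_SECTION_HEADER */
#define CHARS_OFF 36  /* offset of the Characteristics field */

/* Read a little-endian 32-bit field independent of host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Render the access bits as "rwx"-style text; out must hold 4 bytes. */
static const char *perm_string(uint32_t ch, char out[4]) {
    out[0] = (ch & SCN_MEM_READ)    ? 'r' : '-';
    out[1] = (ch & SCN_MEM_WRITE)   ? 'w' : '-';
    out[2] = (ch & SCN_MEM_EXECUTE) ? 'x' : '-';
    out[3] = '\0'; return out;
}

/* Index of the first complete header marked writable, or -1 if none. */
static int first_writable(const uint8_t *tbl, size_t len) {
    for (size_t i = 0; (i + 1) * HDR_SIZE <= len; i++)
        if (rd32(tbl + i * HDR_SIZE + CHARS_OFF) & SCN_MEM_WRITE) return (int)i;
    return -1;
}

/* Constructed sample: four headers with made-up names and the posted flags. */
static size_t build_sample(uint8_t *buf) {
    static const uint32_t flags[4] = {0x60000020u, 0x40000020u, 0xC0000020u, 0x40000020u};
    memset(buf, 0, 4 * HDR_SIZE);
    for (int i = 0; i < 4; i++) {
        uint8_t *h = buf + i * HDR_SIZE;
        memcpy(h, "SEC", 3); h[3] = (uint8_t)('1' + i);
        for (int b = 0; b < 4; b++) h[CHARS_OFF + b] = (uint8_t)(flags[i] >> (8 * b));
    }
    return 4 * HDR_SIZE;
}

int main(void) {
    uint8_t tbl[4 * HDR_SIZE]; char p[4]; size_t n = build_sample(tbl);
    for (size_t i = 0; i < n / HDR_SIZE; i++) {
        uint32_t ch = rd32(tbl + i * HDR_SIZE + CHARS_OFF);
        printf("%.8s %08X %s\n", (const char *)(tbl + i * HDR_SIZE), (unsigned)ch, perm_string(ch, p));
    }
    printf("first writable section index: %d\n", first_writable(tbl, n));
    return 0;
}
```

These bits are what the executable file declares for each section; the protection actually in force on a page of a running process is a separate, per-page value.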



