C++ WriteProcessMemory() in protected memory?

Oct 27, 2016 at 9:23pm
Hello everyone!

I'm developing a small program in C++, but I think the process I'm attempting to write memory to has some kind of protection against WriteProcessMemory(), because it always returns error 5 (which stands for ACCESS_DENIED).

I wonder if there is a way to make it work.



More details:

I'm using Windows 7

WriteProcessMemory() always worked great for me, and it does work great in Windows XP, but in 7 it only works for a few processes.

Memory editing tools also fail to open the process, except Cheat Engine's Kernel Mode option (I don't know much about what this is, though; is there a way to do it with C++?)


Thank you for your attention and for helping me solve this problem.



EDIT: I just want a way (function/code) to edit the process' memory successfully, be it WriteProcessMemory or not... All information is welcome!
Last edited on Oct 27, 2016 at 9:28pm
Oct 28, 2016 at 1:57am
Oct 28, 2016 at 3:54pm
Windows XP had a lousy security model, using default settings. Since Vista, Windows defaults to a proper security model. For example, not just any process can access the memory of any other process.
Briefly, the process that calls WriteProcessMemory() must be running with the same credentials as the target process, or it must have administrative privileges.
Oct 28, 2016 at 7:17pm
the process that calls WriteProcessMemory() must be running with the same credentials as the target process, or it must have administrative privileges.


Nice, so there is a way.

I'd like to know how exactly I can get these info and insert them in the WriteProcessMemory() function. A code example would be great!

Thanks so far.


By the way, if "administrative privileges" means running in admin mode, I've already tried it. I'm dumb in computers, so if I said something funny I'm sorry :)
Oct 28, 2016 at 7:22pm
You input it when you call OpenProcess().

Running as administrator should be enough to modify the memory of any process. We use WriteProcessMemory() to inject DLLs into processes, so I know it does work.
Last edited on Oct 28, 2016 at 7:23pm
Oct 28, 2016 at 11:52pm
You input it when you call OpenProcess().


Tried PROCESS_ALL_ACCESS, failed. Tried PROCESS_VM_OPERATION (or something like this) | PROCESS_VM_WRITE, failed. Then tried something related with SE_DEBUG_PRIVILEGE, failed. Idk what else to do.

WriteProcessMemory() to inject DLLs into processes, so I know it does work.


As I said, WriteProcessMemory returns 5... I've already tried to inject a DLL into the process, but it requires the WriteProcessMemory function, and I'm not able to use either WriteProcessMemory or ReadProcessMemory.

Is there a way to inject a DLL without WriteProcessMemory? Maybe I could inject a DLL and then make this DLL memset() "itself", thus memsetting the process I'm trying to use WriteProcessMemory() in...


Running as administrator should be enough to modify the memory of any process.


I get the same error running as admin, even though in theory it's not possible.
Oct 29, 2016 at 8:17am
Tried PROCESS_ALL_ACCESS, failed. Tried PROCESS_VM_OPERATION (or something like this) | PROCESS_VM_WRITE, failed.
Opening an existing process with full access should not fail when the calling process is running with administrative privileges. Check the procedure you use to execute the calling process. You're doing something wrong.

Try this function to check if the process is running with elevated privileges:
http://stackoverflow.com/questions/8046097/how-to-check-if-a-process-has-the-administrative-rights

Is there a way to inject a DLL without WriteProcessMemory? Maybe I could inject a DLL and then make this DLL memset() "itself", thus memsetting the process I'm trying to use WriteProcessMemory() in.
If you can't open the process with enough rights to call WriteProcessMemory() then there's nothing you can do. Imagine how disastrous it would be if any random user process could inject DLLs into arbitrary system processes while bypassing security checks.
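Added diagnostic, not from the thread or from helios: a PowerShell script that reports the facts the answer above hinges on (is this console elevated, does its token carry SeDebugPrivilege, and who owns the target process), run from the same console the program is launched from. The target name notepad is a placeholder.

```powershell
# Constructed diagnostic for the ACCESS_DENIED question above (not code from the thread).
# Run it from the console you start your program from, elevated or not, and compare.
param([string]$TargetName = 'notepad')   # placeholder target image name (without .exe)

$me        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($me)
# Under UAC the Administrators group is deny-only in a non-elevated token, so IsInRole is
# false there even for an administrator account; it is only true in an elevated console.
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as  : $($me.Name)"
Write-Host "Elevated    : $elevated"

# whoami /priv lists every privilege in the current token with its Enabled/Disabled state.
# A Disabled SeDebugPrivilege can be turned on with AdjustTokenPrivileges; a missing one cannot,
# and it is missing from every non-elevated token.
$debug = (whoami /priv) | Select-String -Pattern 'SeDebugPrivilege'
Write-Host "SeDebug     : $(if ($debug) { $debug.Line.Trim() } else { 'not present in token' })"

# For each candidate target, show who owns it. A process owned by another account (or by SYSTEM)
# cannot be opened for writing from a non-elevated process running as you.
Get-WmiObject Win32_Process -Filter "Name='$TargetName.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    $who  = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<access denied>' }
    $same = ($who -eq $me.Name)
    Write-Host ("PID {0,-6} owner {1,-30} same user: {2}" -f $_.ProcessId, $who, $same)
}
```

If "Elevated" is false in the console you launch the program from, the program is not elevated either, whatever account you are logged in as.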
Oct 30, 2016 at 1:12am
I found something interesting.

Cheat Engine uses Lua scripts, and it lets the user create something like a "trainer" from it, so I could call this trainer to inject a C++ written DLL into the process and then use memset from there.

Is there a way to inject a dll into a process via lua script? I was trying to "translate" this C++ code into lua, but I was unsuccessful:

#include <windows.h>
#include <tlhelp32.h>
#include <iostream>
#include <fstream>
#include <cstdlib>
#include <cstring>

// Build notes: this example is 32-bit only (it stores a function pointer in a DWORD, and the
// copied function must not reference anything outside itself), and it is written for an
// ANSI (non-UNICODE) build, because it uses char buffers, strcpy() and the "A" API functions.
typedef int (WINAPI* MsgBoxParam)(HWND, LPCSTR, LPCSTR, UINT);
using namespace std;

struct PARAMETERS{
    DWORD MessageBoxInj;   // address of MessageBoxA (user32.dll sits at the same base in every process of a session)
    char text[50];
    char caption[25];
    int buttons;
//  HWND handle;
};

DWORD getPid(string procName);
int privileges();
// Both functions are declared static so the compiler keeps them in source order (see the note
// at the end of the file); the declarations must match the definitions. WINAPI gives myFunc
// the calling convention CreateRemoteThread expects from a thread start routine.
static DWORD WINAPI myFunc(PARAMETERS * myparam);
static DWORD WINAPI Useless();

int main()
{
    if (privileges() != 0)
        cout << "Warning: SeDebugPrivilege not enabled (is this process elevated?)" << endl;

    DWORD pid = getPid("notepad.exe");
    if (pid == 0) { cout << "Target process not found" << endl; return 1; }

    HANDLE p = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (p == NULL) {
        // error 5 here is ERROR_ACCESS_DENIED: the caller lacks the rights on the target
        cout << "OpenProcess failed, error " << GetLastError() << endl;
        return 1;
    }

    const char * mytext = "Hello by CodeCave!";
    const char * mycaption = "Injection result";

    PARAMETERS data;   // let's fill in a PARAMETERS struct
    HMODULE user32 = LoadLibraryA("User32.dll");
    data.MessageBoxInj = (DWORD)GetProcAddress(user32, "MessageBoxA");
    strcpy(data.text, mytext);
    strcpy(data.caption, mycaption);
    data.buttons = MB_OKCANCEL | MB_ICONQUESTION;

    DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc;  // this gets myFunc's size (myFunc must be placed before Useless)

    //--------now we are ready to inject

    LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    LPVOID DataAddress   = VirtualAllocEx(p, NULL, sizeof(PARAMETERS), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
    if (MyFuncAddress == NULL || DataAddress == NULL) {
        cout << "VirtualAllocEx failed, error " << GetLastError() << endl;
        CloseHandle(p);
        return 1;
    }

    // both writes are checked: a failure here is the error 5 discussed in this thread
    if (!WriteProcessMemory(p, MyFuncAddress, (void*)myFunc, size_myFunc, NULL) ||
        !WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL)) {
        cout << "WriteProcessMemory failed, error " << GetLastError() << endl;
        CloseHandle(p);
        return 1;
    }

    HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL);

    if (thread != NULL){
        // injection completed, now we can wait for it to end and free the memory
        WaitForSingleObject(thread, INFINITE);   // this waits until the remote thread has finished
        // the memory belongs to the other process, so it must be freed with VirtualFreeEx, not VirtualFree
        VirtualFreeEx(p, MyFuncAddress, 0, MEM_RELEASE); // free myFunc memory
        VirtualFreeEx(p, DataAddress, 0, MEM_RELEASE);   // free data memory
        CloseHandle(thread);
        cout << "Injection completed!" << endl;
    }else{
        cout << "CreateRemoteThread failed, error " << GetLastError() << endl;
    }
    CloseHandle(p);  // close the handle to the process

    system("PAUSE");
    return EXIT_SUCCESS;
}

DWORD getPid(string procName){
    HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hsnap == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32 pt;
    pt.dwSize = sizeof(PROCESSENTRY32);
    // Process32First fills in the first entry; without it the loop compared an uninitialized struct
    if (Process32First(hsnap, &pt)) {
        do{
            if(_stricmp(pt.szExeFile, procName.c_str()) == 0){  // image names are not case-sensitive
                DWORD pid = pt.th32ProcessID;
                CloseHandle(hsnap);
                return pid;
            }
        } while(Process32Next(hsnap, &pt));
    }
    CloseHandle(hsnap);
    return 0;
}

static DWORD WINAPI myFunc(PARAMETERS * myparam){
    MsgBoxParam MsgBox = (MsgBoxParam)myparam->MessageBoxInj;
    int result = MsgBox(0, myparam->text, myparam->caption, myparam->buttons);
    switch(result){
        case IDOK:
        //your code
        break;
        case IDCANCEL:
        //your code
        break;
    }
    return 0;
}

static DWORD WINAPI Useless(){
    return 0;
}

//this function enables SeDebugPrivilege in our own token; the privilege is only present in an elevated administrator's token
int privileges(){
    HANDLE Token;
    TOKEN_PRIVILEGES tp;
    int result = 1; //FAIL
    if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token))
    {
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)) {
            tp.PrivilegeCount = 1;
            tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            // AdjustTokenPrivileges returns nonzero even when the privilege is not in the token,
            // so the real test is GetLastError() == ERROR_SUCCESS rather than ERROR_NOT_ALL_ASSIGNED
            if (AdjustTokenPrivileges(Token, FALSE, &tp, sizeof(tp), NULL, NULL) &&
                GetLastError() == ERROR_SUCCESS) {
                result = 0; //SUCCESS
            }
        }
        CloseHandle(Token);
    }
    return result;
}

//Note the use of 'static': Visual C++ in debug mode puts Useless() before myFunc() because of
//name order from Z to A, so when we try to calculate the size of myFunc with
//DWORD size_myFunc = (PBYTE)Useless - (PBYTE) myFunc;
//the result is negative and so when we try the injection the target app crashes.
//So to avoid any problem remember to put 'static' on those functions (adapted to your compiler)


There is an injectDLL() function in Lua, but it fails, so I have to somehow use WriteProcessMemory to inject the DLL, and it will work...