void allocBreakPoint(HANDLE hProcess, BREAKPOINT *pt) { unsigned char bf; if (!pt->active && pt->addresses) { int i =0,j; int *p; for (p = pt->addresses; *p !=0; ++p) i++; if (!pt->tempvals) { pt->tempvals = calloc(i, sizeof(int)); } strcpy(pt->name, "unknown"); for (i=0, p = pt->addresses; *p !=0; ++p, ++i) { DWORD len; if (ReadProcessMemory(hProcess, (LPVOID)pt->addresses[i], (LPVOID) &bf, 1, &len)) { if (!len) return ; if (bf == 0xcc) { pt->tempvals[i] = -1; } else { WriteBreakPoint(hProcess, pt->addresses[i], 0xcc); pt->active = TRUE; pt->tempvals[i] = bf; } } if (i == 0) { char name[256]; DWORD n = FindFunctionName(name, pt->addresses[i], NULL, NULL); if (n) sprintf(pt->name, "%s + 0x%x", name, pt->addresses[i]-n); } } } }
void CT_cbMagicValue() { DeleteHardwareBreakPoint(UE_DR1); unsigned int retrieve_addr=GetContextData(UE_EBP)-magic_ebp_sub-4; unsigned int magic_values[2]= {0}; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retrieve_addr, magic_values, 8, 0)) { CT_FatalError(rpmerror()); return; } CT_cert_data->magic1=magic_values[0]; CT_cert_data->magic2=magic_values[1]; if(end_big_loop) SetBPX(magic_byte, UE_BREAKPOINT, (void*)CT_cbMagicJump); else CT_RetrieveSaltValue(); }
void DumpBtn( const char * filename ) { if ( IsOk( ) && GetBtnAddr( ) > 1000 ) { FILE *fp; fopen_s( &fp , filename , "wb" ); if ( fp ) { unsigned char buffer[ 520 ]; if ( ReadProcessMemory( GetCurrentProcess( ) , ( void * ) ( GetBtnAddr( ) ) , &buffer , 520 , 0 ) ) { fwrite( buffer , 1 , 520 , fp ); } fclose( fp ); } } }
void ProcessLister::getProcessImageInformation( HANDLE hProcess, Process* process ) { DWORD_PTR readImagebase = 0; process->imageBase = 0; process->imageSize = 0; if (hProcess && process->pebAddress) { PEB_CURRENT * peb = (PEB_CURRENT *)process->pebAddress; if (ReadProcessMemory(hProcess, &peb->ImageBaseAddress, &readImagebase, sizeof(DWORD_PTR), 0)) { process->imageBase = readImagebase; process->imageSize = (DWORD)ProcessAccessHelp::getSizeOfImageProcess(hProcess, process->imageBase); } } }
char *getSourceName(HWND hwnd) { HANDLE hProcess; DWORD processid; char filename[MAX_PATH], *pname; SIZE_T bread; //HWND hdlgPE; memset(filename, 0, MAX_PATH); GetWindowThreadProcessId(hwnd, &processid); hProcess = OpenProcess(PROCESS_VM_READ, FALSE, processid); // hdlgPE=SendMessage(hwnd,WM_WA_IPC,IPC_GETWND_PE,IPC_GETWND); pname=(char*)SendMessage(hwnd,WM_WA_IPC,SendMessage(hwnd,WM_WA_IPC,0,IPC_GETLISTPOS),IPC_GETPLAYLISTFILE); ReadProcessMemory(hProcess, pname, filename, MAX_PATH, &bread); CloseHandle(hProcess); return strdup(filename); }
void InspectMemory::OnInspectbut() { // TODO: Add your control notification handler code here char address_str[9]; m_edit1.GetWindowText(address_str, 9); if (address_str[0]==0) return; char size_str[9]; m_edit_2.GetWindowText(size_str, 9); if (size_str[0]==0) return; unsigned int caddress = GenericPurposeMethods::ConvertHexStringToInt(address_str); int size = GenericPurposeMethods::StringToNumber(size_str); HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processid); if (hProcess==NULL) return; unsigned long dwTotalRead; char* valuestr = new char[1]; valuestr[0] = 00; unsigned char* valbytes = new unsigned char[size]; int isok = ReadProcessMemory(hProcess, (LPVOID)caddress, valbytes, size, &dwTotalRead); if (isok != 0) // if read didn't failed { valuestr = GenericPurposeMethods::BytesToString(valbytes, size, CString(_T("bytes")).GetBuffer(0), CString(_T("hexadecimal")).GetBuffer(0)); } else { valuestr = _T("Read failed!!!"); } m_result_edit.SetWindowText(valuestr); }
bool Pdb::AddBp(adr_t address) { LLOG("AddBp: " << Hex(address)); if(bp_set.Find(address) >= 0) return true; byte prev; if(!ReadProcessMemory(hProcess, (LPCVOID) address, &prev, 1, NULL)) return false; LLOG("ReadProcessMemory OK"); byte int3 = 0xcc; if(!WriteProcessMemory(hProcess, (LPVOID) address, &int3, 1, NULL)) return false; LLOG("WriteProcessMemory OK"); // FlushInstructionCache (hProcess, (LPCVOID)address, 1); bp_set.Put(address, prev); return true; }
void CEException::dumpContext(HANDLE file, HANDLE hProcess, CONTEXT *context) { char tempo[200]; unsigned char memoryDump[100]; DWORD size; unsigned int i; #ifdef ARM writeBreak(file); writeString(file, "Context dump"); sprintf(tempo, "R0=%.8x R1=%.8x R2=%.8x R3=%.8x R4=%.8x", context->R0, context->R1, context->R2, context->R3, context->R4); writeString(file, tempo); sprintf(tempo, "R5=%.8x R6=%.8x R7=%.8x R8=%.8x R9=%.8x", context->R5, context->R6, context->R7, context->R8, context->R9); writeString(file, tempo); sprintf(tempo, "R10=%.8x R11=%.8x R12=%.8x", context->R10, context->R11, context->R12); writeString(file, tempo); sprintf(tempo, "Sp=%.8x Lr=%.8x Pc=%.8x Psr=%.8x", context->Sp, context->Lr, context->Pc, context->Psr); writeString(file, tempo); writeBreak(file); sprintf(tempo, "Memory dump at %.8x", context->Pc - (sizeof(memoryDump) / 2)); writeString(file, tempo); if (ReadProcessMemory(hProcess, (LPCVOID)(context->Pc - (sizeof(memoryDump) / 2)), memoryDump, sizeof(memoryDump), &size)) { for (i = 0; i < size; i += 8) { int j; char digit[4]; int max; max = size - i; if (max > 8) max = 8; tempo[0] = '\0'; for (j = 0; j < max; j++) { sprintf(digit, "%.2x ", memoryDump[i + j]); strcat(tempo, digit); } writeString(file, tempo); } } #else writeBreak(file); writeString(file, "Context dump only available on ARM devices"); #endif }
void CBody::Write(HANDLE hProcess,void* entrypiont,const char* dllname) { m_process=hProcess; m_entrypoint=(DWORD)entrypiont; GetBody(dllname); DBGTRACE("infect %d %08x,'%s' witch %d\n",hProcess,entrypiont,dllname,m_body.size()); DWORD old; VirtualProtectEx(hProcess,(LPVOID)entrypiont,m_body.size(),PAGE_EXECUTE_READWRITE,&old); DWORD read,write; m_bodybak.resize(m_body.size()); ReadProcessMemory(hProcess,(LPVOID)entrypiont,&m_bodybak.front(),m_bodybak.size(),&read); WriteProcessMemory(hProcess,(LPVOID)entrypiont,&m_body.front(),m_body.size(),&write); VirtualProtectEx(hProcess,(LPVOID)entrypiont,m_body.size(),old,&old); }
/** * Process session request * * This service implements the OS independent API for sending requests to the environment. * This session is Windows specific and so will call the operating system. The NDBG executive * session manager would send requests over PIPE to NDBG executive debugger server instead. * * \param request Session request * \param session Debug session * \param addr Optional data address * \param data Optional data buffer * \param size Optional data buffer size * \ret The number of bytes read or written OR TRUE on success, FALSE on failure depending on request * */ unsigned long DbgProcessRequest (IN dbgProcessReq request, IN dbgSession* session, IN OPT void* addr, IN OUT OPT void* data, IN OPT size_t size) { switch(request) { case DBG_REQ_READ: { unsigned long bytesRead = 0; ReadProcessMemory ((HANDLE)session->process.process,(LPCVOID) addr,data,size, &bytesRead); if (bytesRead==0) DbgDisplayError("Unable to read process memory. Error code: 0x%x", GetLastError()); return bytesRead; } case DBG_REQ_WRITE: { unsigned long bytesRead = 0; WriteProcessMemory ((HANDLE)session->process.process,(LPCVOID) addr,data,size, &bytesRead); if (bytesRead==0) DbgDisplayError("Unable to write process memory. Error code: 0x%x", GetLastError()); return bytesRead; } case DBG_REQ_GETCONTEXT: { CONTEXT context; context.ContextFlags = CONTEXT_ALL; if (! GetThreadContext ((HANDLE)session->process.thread, &context)) return FALSE; DbgContextFromWin32 (&context, (dbgContext*)data); return TRUE; } case DBG_REQ_SETCONTEXT: { return SetThreadContext ((HANDLE)session->process.thread, (LPCONTEXT)data); } case DBG_REQ_CONTINUE: { if (ResumeThread ((HANDLE)session->process.thread) == -1) return FALSE; return TRUE; } case DBG_REQ_BREAK: { return DebugBreakProcess ((HANDLE)session->process.process); } case DBG_REQ_STOP: default: printf ("\nDBG_REQ_STOP Not implemented"); return 0; }; }
JsBuffer* JsDbg::BufReadProcessMemory(BYTE* address, SIZE_T length) { BYTE* buffer = NULL; DWORD old = 0; try { UnprotectMemory uc(p_hnd, address, length, PAGE_EXECUTE_READWRITE); buffer = (BYTE*) malloc(sizeof(BYTE) * length); assert(buffer != NULL); printf("C++: memory alloc'ed\n"); { SIZE_T current_length = length, count = 0; BYTE* ptr_buffer = buffer; while(current_length > 0){ if(!ReadProcessMemory(p_hnd, address, ptr_buffer, current_length, &count)){ if(count == 0){ throw "Error reading process'es memory!"; } // else: all data ok! } current_length -= count; ptr_buffer += count; address += count; } } } catch (char* s) { printf("C++: Caught exception %s!\n", s); if(buffer != NULL) { free(buffer); } } if(buffer != NULL && length > 0) { return new JsBuffer(buffer, length); } else { return NULL; } }
int main(){ int pid = 0; HANDLE hproc = 0; int buf; int nRead, nWrite; char *s = "Hello.exe"; if (argc < 2) { printf("Usage: %s pid\n", argv[0]); return -1; } pid = atoi(argv[1]); if (pid <= 0) { printf("[E]: pid must be positive (pid>0)!\n"); return -2; } hproc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, 0, pid); if (!ReadProcessMemory(hproc, pRemote, &buf, 4, &nRead)) { printf("[E]: Read DWORD from remote process failed at 0x%08x!\n", pRemote); } else { printf("[I]: Read DWORD from remote process (%d) from 0x%08x --> 0x%08x \n", pid, pRemote, buf); } printf("nRead:%08x\n",nRead); if (!WriteProcessMemory(hproc, pRemote, s, strlen(s)+1, &nWrite)) { printf("[E]: Write string to remote process failed at 0x%08x!\n", pRemote); } else { printf("[I]: Write string (size: %d) to remote process at 0x%08x.\n", nWrite, pRemote); } if (!CloseHandle(hproc)) { printf("[E]: Process (%d) cannot be closed !\n", pid); return 2; }; printf("[I]: Process (%d) is closed. \n", pid); return 0; }
Address FindSignature(BYTE* signature, const std::string& mask, const Address start, const Address end, bool search_rewind, HANDLE my_proc) { Address curr_addr = start; size_t mask_size = mask.size(); BYTE buf[BUF_SCAN_SIZE]; size_t current_size = 0; while(curr_addr < end) { MEMORY_BASIC_INFORMATION mbi; if(!VirtualQueryEx(my_proc, reinterpret_cast<PVOID>(curr_addr), &mbi, sizeof(MEMORY_BASIC_INFORMATION))) { return NULL; } Address end = reinterpret_cast<Address>(mbi.BaseAddress) + mbi.RegionSize; size_t remainder = end - curr_addr; if(remainder > BUF_SCAN_SIZE) { remainder = BUF_SCAN_SIZE; } if(mbi.State == MEM_COMMIT) { if(current_size < remainder) { current_size = remainder; } if(!ReadProcessMemory(my_proc, reinterpret_cast<PVOID>(curr_addr), buf, remainder, NULL)) { curr_addr += remainder; continue; } BYTE* ptr = _FindPattern(buf, remainder, signature, mask, search_rewind); Address actptr = (curr_addr+(ptr-buf)); if(ptr != NULL) { return actptr; } } curr_addr += remainder; } return NULL; }
/// <summary> /// Gets WOW64 PEB /// </summary> /// <param name="ppeb">Retrieved PEB</param> /// <returns>PEB pointer</returns> ptr_t NativeWow64::getPEB( _PEB32* ppeb ) { // Target process is x64. PEB32 is not available. if (_wowBarrier.targetWow64 == false) { return 0; } else { PROCESS_BASIC_INFORMATION pbi = { 0 }; ULONG bytes = 0; if (NT_SUCCESS( SAFE_NATIVE_CALL( NtQueryInformationProcess, _hProcess, ProcessBasicInformation, &pbi, (ULONG)sizeof( pbi ), &bytes ) ) && ppeb) ReadProcessMemory( _hProcess, pbi.PebBaseAddress, ppeb, sizeof(_PEB32), NULL ); return reinterpret_cast<ptr_t>(pbi.PebBaseAddress); } }
DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup) { DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName); BYTE jmp[6] = { 0xe9, //jmp 0x00, 0x00, 0x00, 0x00, //address 0xc3 }; //retn ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0); DWORD dwCalc = ((DWORD)lpFunction - dwAddr - 5); //((to)-(from)-5) memcpy(&jmp[1], &dwCalc, 4); //build the jmp WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, jmp, 6, 0); return dwAddr; }
/// <summary> /// Get WOW64 TEB /// </summary> /// <param name="ppeb">Retrieved TEB</param> /// <returns>TEB pointer</returns> ptr_t NativeWow64::getTEB( HANDLE hThread, _TEB32* pteb ) { // Target process is x64. TEB32 is not available. if (_wowBarrier.targetWow64 == false) { return 0; } else { _THREAD_BASIC_INFORMATION_T<DWORD> tbi = { 0 }; ULONG bytes = 0; if (NT_SUCCESS( SAFE_NATIVE_CALL( NtQueryInformationThread, hThread, (THREADINFOCLASS)0, &tbi, (ULONG)sizeof( tbi ), &bytes ) ) && pteb) ReadProcessMemory( _hProcess, (LPCVOID)((uintptr_t)tbi.TebBaseAddress), pteb, sizeof( _TEB32 ), nullptr ); return static_cast<ptr_t>(tbi.TebBaseAddress); } }
static int sigar_rtl_get(sigar_t *sigar, HANDLE proc, RTL_USER_PROCESS_PARAMETERS *rtl) { PEB peb; int status = sigar_pbi_get(sigar, proc, &peb); DWORD size=sizeof(*rtl); if (status != SIGAR_OK) { return status; } if (ReadProcessMemory(proc, peb.ProcessParameters, rtl, size, NULL)) { return SIGAR_OK; } else { return GetLastError(); } }
static void dumpFPtr(HMODULE lib, IMAGE_THUNK_DATA* oft, IMAGE_THUNK_DATA* ft) { while(oft->u1.Function) { char *f = (char*)((BYTE*)lib + (DWORD)oft->u1.AddressOfData+2); char buf[5]; BOOL r = ReadProcessMemory(GetCurrentProcess(), f, buf, 4, NULL); if(r) dbg(" \\_ import: <%s>", f); else dbg(" \\_ Cannot access import name!", f); /*if(oft->u1.AddressOfData < 0x80000000) dbg(" \\_ import: <%s>", f);*/ oft++; ft++; } return; }
PPEB_LDR_DATA ReadRemoteLoaderData(HANDLE hProcess, PPEB pPEB) { PPEB_LDR_DATA pLoaderData = new PEB_LDR_DATA(); BOOL bSuccess = ReadProcessMemory ( hProcess, pPEB->LoaderData, pLoaderData, sizeof(PEB_LDR_DATA), 0 ); if (!bSuccess) return 0; return pLoaderData; }
HRESULT STDMETHODCALLTYPE LiveProcDataTarget::ReadVirtual( /* [in] */ CLRDATA_ADDRESS address, /* [length_is][size_is][out] */ PBYTE buffer, /* [in] */ ULONG32 request, /* [optional][out] */ ULONG32 *done) { // ReadProcessMemory will fail if any part of the // region to read does not have read access. This // routine attempts to read the largest valid prefix // so it has to break up reads on page boundaries. HRESULT status = S_OK; ULONG32 totalDone = 0; SIZE_T read; ULONG32 readSize; while (request > 0) { // Calculate bytes to read and don't let read cross // a page boundary. readSize = OS_PAGE_SIZE - (ULONG32)(address & (OS_PAGE_SIZE - 1)); readSize = min(request, readSize); if (!ReadProcessMemory(m_process, (PVOID)(ULONG_PTR)address, buffer, readSize, &read)) { if (totalDone == 0) { // If we haven't read anything indicate failure. status = E_FAIL; } break; } totalDone += (ULONG32)read; address += read; buffer += read; request -= (ULONG32)read; } *done = totalDone; return status; }
HTREEITEM GetTreeRegWnd(HTREEITEM hItemParentWnd,CHAR *szRegPath)//查找SafeBoot句柄 { if(!hItemParentWnd) { return 0; } HTREEITEM hItemChildWnd=(HTREEITEM)SendMessage(hSysTreeViewWnd, TVM_GETNEXTITEM,TVGN_CHILD,(LPARAM)hItemParentWnd); if (!hItemChildWnd) { return 0; } while ( 1 ) { CHAR ReadBuffer[0X100]; memset(ReadBuffer,0,0x100); TVITEM Tvitem; _tmemset((PTCHAR)&Tvitem,0,sizeof(TVITEM)); Tvitem.mask=TVIF_HANDLE|TVIF_TEXT; Tvitem.hItem=hItemChildWnd; Tvitem.pszText=(LPTSTR)pbuf3; Tvitem.cchTextMax=MAX_PATH; WriteProcessMemory(hProcess,pbuf1,(LPVOID)&Tvitem, sizeof(TVITEM),0); SendMessage(hSysTreeViewWnd,TVM_GETITEMA,0,(LPARAM)pbuf1);//获取句柄内容 ReadProcessMemory(hProcess,pbuf3,ReadBuffer, 0x100, 0); //__asm int 3 if ( !strcmp(szRegPath,ReadBuffer)) break; hItemChildWnd = (HTREEITEM)SendMessage(hSysTreeViewWnd, TVM_GETNEXTITEM,TVGN_NEXT,(LPARAM)hItemChildWnd); if ( !hItemChildWnd ) return 0; } return hItemChildWnd; }
int primitive_drop_breakpoint (HANDLE process, DWORD address, BYTE *holder) { BYTE breakpoint_instance = 0xCC; DWORD bytes_read; BOOL read_status, write_status; // Read out the byte that we're going to eclipse with the breakpoint. // Some other function will have to store this somewhere. //printf ("--- NUB: Writing breakpoint at 0x%x\n", address); read_status = ReadProcessMemory (process, (LPVOID) address, holder, sizeof(BYTE), &bytes_read); dylan_debugger_message("dropped breakpoint byte %= %=", *holder, read_status); // If it doesn't work, don't try to continue. if (!read_status) return (0); // Write in the breakpoint instruction. write_status = ValidatedWriteProcessMemory (process, (LPVOID) address, &breakpoint_instance, sizeof(BYTE), &bytes_read); dylan_debugger_message("Dropping breakpoint at %= %=", address, write_status); // Again, break if something goes wrong. (We have to assume here that the // breakpoint wasn't written if the function call failed). if (!write_status) return (0); // Make sure the breakpoint will be "seen" when encountered... FlushInstructionCache (process, (LPCVOID) address, sizeof(BYTE)); return(1); }
void ScanProcess(DWORD processID){ char szProcessName[MAX_PATH]; HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID); HMODULE hMod = NULL; if (hProcess){ DWORD cbNeeded; if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) { GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName)); MODULEINFO lpm; GetModuleInformation(hProcess, hMod, &lpm, sizeof(lpm)); DWORD start, end; start = (DWORD)hMod; end = start + lpm.SizeOfImage; printf("Scanning module %s (PID: %u) Range: %x to %x\n", szProcessName, processID, start, end); for (int i = 0; i < end; i+=16) { //PSAPI_WORKING_SET_EX_INFORMATION * pWSX = (PSAPI_WORKING_SET_EX_INFORMATION *)malloc(sizeof(PSAPI_WORKING_SET_EX_INFORMATION)); //pWSX->VirtualAddress = reinterpret_cast<void*>(i); //QueryWorkingSetEx(hProcess, &pWSX, sizeof(PSAPI_WORKING_SET_EX_INFORMATION)); //if (pWSX->VirtualAttributes.Valid == 1) { //if ((pWSX->VirtualAttributes.Win32Protection & PAGE_READWRITE)){// || (pWSX->VirtualAttributes.Win32Protection & PAGE_READONLY) || (pWSX->VirtualAttributes.Win32Protection & PAGE_EXECUTE_READWRITE) || (pWSX->VirtualAttributes.Win32Protection & PAGE_EXECUTE_READ)) { //printf("Page: %x. Page backing is %s. Page protection: %X\n", i, pWSX->VirtualAttributes.Valid ? "valid" : "invalid", pWSX->VirtualAttributes.Win32Protection); int j = 0; if (ReadProcessMemory(hProcess, (LPCVOID)i, &j, sizeof(int), 0)) { if(j ==1337) printf("%s FOUND SUSPICOUS BLOCK: %x\n", szProcessName, i); } //printf("%s FOUND SUSPICOUS BLOCK: %i\n",szProcessName, j); //else //printf("%s Error: %x\n", szProcessName, GetLastError()); //} //} } } } CloseHandle(hProcess); }
bool CODebugger::ReadTEB(HANDLE th) { bool rv = false; DWORD dwLength = 0; DEBUGGER_THREAD* pDebuggerThread = NULL; pDebuggerThread = m_debuggerThread.Search(th); if(pDebuggerThread != NULL) { rv = ReadProcessMemory( m_hProcess, pDebuggerThread->m_tbiBasics.TebBaseAddress, &pDebuggerThread->m_ThreadEnvironmentBlock, sizeof(TEB), &dwLength); } return rv; }
/// <summary> /// Get WOW64 TEB /// </summary> /// <param name="ppeb">Retrieved TEB</param> /// <returns>TEB pointer</returns> ptr_t NativeWow64::getTEB( HANDLE hThread, _TEB32* pteb ) { // Target process is x64. TEB32 is not available. if (_wowBarrier.targetWow64 == false) { return 0; } else { _THREAD_BASIC_INFORMATION_T<DWORD> tbi = { 0 }; ULONG bytes = 0; if (GET_IMPORT( NtQueryInformationThread )( hThread, (THREADINFOCLASS)0, &tbi, sizeof(tbi), &bytes ) == STATUS_SUCCESS) if (pteb) ReadProcessMemory( _hProcess, reinterpret_cast<LPCVOID>(tbi.TebBaseAddress), pteb, sizeof(_TEB32), NULL ); return static_cast<ptr_t>(tbi.TebBaseAddress); } }
int main(int argc, char *argv[]) { if(argc!=2) exit(EXIT_FAILURE); int pid = GetProcessToPid(argv[1]); printf("[#] PID du CrackMe : %d\n", pid); HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid); if(hProcess==NULL) { printf("OpenProcess() : KO\n"); exit(EXIT_FAILURE); } DWORD buffer, taille; if(!(ReadProcessMemory(hProcess, (LPDWORD) 0x0028FF40, &buffer, sizeof(DWORD), &taille))) { // la seule difficultée est l'adresse du stack printf("ReadProcessMemory() : KO\n"); exit(EXIT_FAILURE); // que l'on récupère via le debugger } printf("[#] La key est : %d\n", buffer); close(hProcess); return 0; }
void GetNextAddr( void ) { struct { unsigned long ptr; seg cs; off ip; } stack_entry; SIZE_T len; if( commonAddr.segment == 0 ) { CGraphOff = 0; CGraphSeg = 0; } else { ReadProcessMemory( processHandle, (LPVOID)Comm.cgraph_top, &stack_entry, sizeof( stack_entry ), &len ); CGraphOff = stack_entry.ip; CGraphSeg = stack_entry.cs; Comm.cgraph_top = stack_entry.ptr; } }
void cpyFromProcess(DWORD pid, void *dst, void *src, size_t size) { SIZE_T numBytesRead; HANDLE procHandle = OpenProcess(PROCESS_VM_READ, FALSE, pid); if (procHandle == NULL) { dbgPrint(DBGLVL_ERROR, "cpyFromProcess: could not open process %u\n", procHandle); exit(1); } if (ReadProcessMemory(procHandle, src, dst, size, &numBytesRead) == 0) { dbgPrint(DBGLVL_ERROR, "cpyFromProcess: copying failed: %u\n", GetLastError()); CloseHandle(procHandle); exit(1); } if (numBytesRead != size) { dbgPrint(DBGLVL_ERROR, "cpyFromProcess: could copy only %u out of %u bytes.\n", numBytesRead, size); CloseHandle(procHandle); exit(1); } CloseHandle(procHandle); }
void CT_cbGetOtherSeed() { unsigned int eip=GetContextData(UE_EIP); DeleteBPX(eip); unsigned char reg_byte=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(eip+1), ®_byte, 1, 0)) { CT_FatalError(rpmerror()); return; } CT_cert_data->decrypt_addvals[other_seed_counter]=GetContextData(CT_DetermineRegisterFromByte(reg_byte)); other_seed_counter++; if(other_seed_counter==4) { other_seed_counter=0; if(!magic_value_addr) CT_RetrieveSaltValue(); } }
char* ReadRemoteDescriptorName(HANDLE hProcess, LPCVOID lpImageBaseAddress, PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor) { char* pBuffer = new char[BUFFER_SIZE]; BOOL bSuccess = ReadProcessMemory ( hProcess, (LPCVOID)((DWORD)lpImageBaseAddress + pImageImportDescriptor->Name), pBuffer, BUFFER_SIZE, 0 ); if (!bSuccess) return 0; return pBuffer; }