Example #1
10
void allocBreakPoint(HANDLE hProcess, BREAKPOINT *pt)
{
    unsigned char bf;
    if (!pt->active && pt->addresses)
    {
        int i =0,j;
        int *p;
        for (p = pt->addresses; *p !=0; ++p)
            i++;
        if (!pt->tempvals)
        {
             pt->tempvals = calloc(i, sizeof(int));
        }
        strcpy(pt->name, "unknown");
        for (i=0, p = pt->addresses; *p !=0; ++p, ++i)
        {
            DWORD len;
            if (ReadProcessMemory(hProcess, (LPVOID)pt->addresses[i], (LPVOID) &bf, 1,
                &len))
            {
                if (!len)
                    return ;
                if (bf == 0xcc)
                {
                    pt->tempvals[i] = -1;
                }
                else
                {
                    WriteBreakPoint(hProcess, pt->addresses[i], 0xcc);
                    pt->active = TRUE;
                    pt->tempvals[i] = bf;
                }
                
            }
            if (i == 0)
            {
                char name[256];
                DWORD n = FindFunctionName(name, pt->addresses[i], NULL, NULL);
                if (n)
                    sprintf(pt->name, "%s + 0x%x", name, pt->addresses[i]-n);
            }
        }
    }
}
Example #2
0
void CT_cbMagicValue()
{
    DeleteHardwareBreakPoint(UE_DR1);
    unsigned int retrieve_addr=GetContextData(UE_EBP)-magic_ebp_sub-4;
    unsigned int magic_values[2]= {0};
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retrieve_addr, magic_values, 8, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    CT_cert_data->magic1=magic_values[0];
    CT_cert_data->magic2=magic_values[1];
    if(end_big_loop)
        SetBPX(magic_byte, UE_BREAKPOINT, (void*)CT_cbMagicJump);
    else
        CT_RetrieveSaltValue();
}
	void DumpBtn( const char * filename )
	{
		if ( IsOk( ) && GetBtnAddr( ) > 1000 )
		{
			FILE *fp;
			fopen_s( &fp , filename , "wb" );
			if ( fp )
			{
				unsigned char buffer[ 520 ];
				if ( ReadProcessMemory( GetCurrentProcess( ) , ( void * ) ( GetBtnAddr( ) ) , &buffer , 520 , 0 ) )
				{
					fwrite( buffer , 1 , 520 , fp );
				}
				fclose( fp );
			}
		}
	}
Example #4
0
void ProcessLister::getProcessImageInformation( HANDLE hProcess, Process* process )
{
    DWORD_PTR readImagebase = 0;
    process->imageBase = 0;
    process->imageSize = 0;

    if (hProcess && process->pebAddress)
    {
        PEB_CURRENT * peb = (PEB_CURRENT *)process->pebAddress;

        if (ReadProcessMemory(hProcess, &peb->ImageBaseAddress, &readImagebase, sizeof(DWORD_PTR), 0))
        {
            process->imageBase = readImagebase;
            process->imageSize = (DWORD)ProcessAccessHelp::getSizeOfImageProcess(hProcess, process->imageBase);
        }
    }
}
Example #5
0
char *getSourceName(HWND hwnd)
{
HANDLE hProcess;
DWORD processid;
char filename[MAX_PATH], *pname;
SIZE_T bread;
//HWND hdlgPE;
	
	memset(filename, 0, MAX_PATH);
	GetWindowThreadProcessId(hwnd, &processid);
	hProcess = OpenProcess(PROCESS_VM_READ, FALSE, processid);
//	hdlgPE=SendMessage(hwnd,WM_WA_IPC,IPC_GETWND_PE,IPC_GETWND);
	pname=(char*)SendMessage(hwnd,WM_WA_IPC,SendMessage(hwnd,WM_WA_IPC,0,IPC_GETLISTPOS),IPC_GETPLAYLISTFILE);
	ReadProcessMemory(hProcess, pname, filename, MAX_PATH, &bread);
	CloseHandle(hProcess);
	return strdup(filename);
}
void InspectMemory::OnInspectbut()
{
    // TODO: Add your control notification handler code here

    char address_str[9];
    m_edit1.GetWindowText(address_str, 9);
    if (address_str[0]==0) return;

    char size_str[9];
    m_edit_2.GetWindowText(size_str, 9);
    if (size_str[0]==0) return;

    unsigned int caddress = GenericPurposeMethods::ConvertHexStringToInt(address_str);

    int size = GenericPurposeMethods::StringToNumber(size_str);

    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                   FALSE, processid);

    if (hProcess==NULL)
        return;


    unsigned long dwTotalRead;

    char* valuestr = new char[1];
    valuestr[0] = 00;

    unsigned char* valbytes = new unsigned char[size];
    int isok = ReadProcessMemory(hProcess, (LPVOID)caddress, valbytes,
                                 size, &dwTotalRead);

    if (isok != 0)  // if read didn't failed
    {
        valuestr = GenericPurposeMethods::BytesToString(valbytes, size, CString(_T("bytes")).GetBuffer(0), CString(_T("hexadecimal")).GetBuffer(0));
    }
    else
    {
        valuestr = _T("Read failed!!!");
    }


    m_result_edit.SetWindowText(valuestr);


}
Example #7
0
bool Pdb::AddBp(adr_t address)
{
	LLOG("AddBp: " << Hex(address));
	if(bp_set.Find(address) >= 0)
		return true;
	byte prev;
	if(!ReadProcessMemory(hProcess, (LPCVOID) address, &prev, 1, NULL))
		return false;
	LLOG("ReadProcessMemory OK");
	byte int3 = 0xcc;
	if(!WriteProcessMemory(hProcess, (LPVOID) address, &int3, 1, NULL))
		return false;
	LLOG("WriteProcessMemory OK");
//	FlushInstructionCache (hProcess, (LPCVOID)address, 1);
	bp_set.Put(address, prev);
	return true;
}
Example #8
0
void CEException::dumpContext(HANDLE file, HANDLE hProcess, CONTEXT *context) {
	char tempo[200];
	unsigned char memoryDump[100];
	DWORD size;
	unsigned int i;

#ifdef ARM
	writeBreak(file);
	writeString(file, "Context dump");
	sprintf(tempo, "R0=%.8x R1=%.8x R2=%.8x R3=%.8x R4=%.8x", context->R0, context->R1,
	        context->R2, context->R3, context->R4);
	writeString(file, tempo);
	sprintf(tempo, "R5=%.8x R6=%.8x R7=%.8x R8=%.8x R9=%.8x", context->R5, context->R6,
	        context->R7, context->R8, context->R9);
	writeString(file, tempo);
	sprintf(tempo, "R10=%.8x R11=%.8x R12=%.8x", context->R10, context->R11,
	        context->R12);
	writeString(file, tempo);
	sprintf(tempo, "Sp=%.8x Lr=%.8x Pc=%.8x Psr=%.8x", context->Sp, context->Lr,
	        context->Pc, context->Psr);
	writeString(file, tempo);
	writeBreak(file);

	sprintf(tempo, "Memory dump at %.8x", context->Pc - (sizeof(memoryDump) / 2));
	writeString(file, tempo);
	if (ReadProcessMemory(hProcess, (LPCVOID)(context->Pc - (sizeof(memoryDump) / 2)), memoryDump, sizeof(memoryDump), &size)) {
		for (i = 0; i < size; i += 8) {
			int j;
			char digit[4];
			int max;
			max = size - i;
			if (max > 8)
				max = 8;
			tempo[0] = '\0';
			for (j = 0; j < max; j++) {
				sprintf(digit, "%.2x ", memoryDump[i + j]);
				strcat(tempo, digit);
			}
			writeString(file, tempo);
		}
	}
#else
	writeBreak(file);
	writeString(file, "Context dump only available on ARM devices");
#endif
}
Example #9
0
File: body.cpp Project: axet/fluke
void CBody::Write(HANDLE hProcess,void* entrypiont,const char* dllname)
{
  m_process=hProcess;
  m_entrypoint=(DWORD)entrypiont;

  GetBody(dllname);

  DBGTRACE("infect %d %08x,'%s' witch %d\n",hProcess,entrypiont,dllname,m_body.size());

  DWORD old;
  VirtualProtectEx(hProcess,(LPVOID)entrypiont,m_body.size(),PAGE_EXECUTE_READWRITE,&old);
  DWORD read,write;
  m_bodybak.resize(m_body.size());
  ReadProcessMemory(hProcess,(LPVOID)entrypiont,&m_bodybak.front(),m_bodybak.size(),&read);
  WriteProcessMemory(hProcess,(LPVOID)entrypiont,&m_body.front(),m_body.size(),&write);
  VirtualProtectEx(hProcess,(LPVOID)entrypiont,m_body.size(),old,&old);
}
Example #10
0
/**
*	Process session request
*
*	This service implements the OS independent API for sending requests to the environment.
*	This session is Windows specific and so will call the operating system. The NDBG executive
*	session manager would send requests over PIPE to NDBG executive debugger server instead.
*
*	\param request Session request
*	\param session Debug session
*	\param addr Optional data address
*	\param data Optional data buffer
*	\param size Optional data buffer size
*	\ret The number of bytes read or written OR TRUE on success, FALSE on failure depending on request
*
*/
unsigned long DbgProcessRequest (IN dbgProcessReq request, IN dbgSession* session,
	IN OPT void* addr, IN OUT OPT void* data, IN OPT size_t size) {

	switch(request) {
		case DBG_REQ_READ: {
			unsigned long bytesRead = 0;
			ReadProcessMemory ((HANDLE)session->process.process,(LPCVOID) addr,data,size, &bytesRead);
			if (bytesRead==0)
				DbgDisplayError("Unable to read process memory. Error code: 0x%x", GetLastError());
			return bytesRead;
		}
		case DBG_REQ_WRITE: {
			unsigned long bytesRead = 0;
			WriteProcessMemory ((HANDLE)session->process.process,(LPCVOID) addr,data,size, &bytesRead);
			if (bytesRead==0)
				DbgDisplayError("Unable to write process memory. Error code: 0x%x", GetLastError());
			return bytesRead;
		}
		case DBG_REQ_GETCONTEXT: {
			CONTEXT context;
			context.ContextFlags = CONTEXT_ALL;

			if (! GetThreadContext ((HANDLE)session->process.thread, &context))
				return FALSE;

			DbgContextFromWin32 (&context, (dbgContext*)data);
			return TRUE;
		}
		case DBG_REQ_SETCONTEXT: {
			return SetThreadContext ((HANDLE)session->process.thread, (LPCONTEXT)data);
		}
		case DBG_REQ_CONTINUE: {
			if (ResumeThread ((HANDLE)session->process.thread) == -1)
				return FALSE;
			return TRUE;
		}
		case DBG_REQ_BREAK: {
			return DebugBreakProcess ((HANDLE)session->process.process);
		}
		case DBG_REQ_STOP:
		default:
			printf ("\nDBG_REQ_STOP Not implemented");
			return 0;
	};
}
Example #11
0
JsBuffer* JsDbg::BufReadProcessMemory(BYTE* address, SIZE_T length)
{	
	BYTE* buffer = NULL;
	DWORD old = 0;

	try 
	{
		UnprotectMemory uc(p_hnd, address, length, PAGE_EXECUTE_READWRITE);
		
		buffer = (BYTE*) malloc(sizeof(BYTE) * length);
		assert(buffer != NULL);
		printf("C++: memory alloc'ed\n");

		{
			SIZE_T current_length = length, count = 0;		
			BYTE* ptr_buffer = buffer;

			while(current_length > 0){
				if(!ReadProcessMemory(p_hnd, address, ptr_buffer, current_length, &count)){
					if(count == 0){
						throw "Error reading process'es memory!";						
					} // else: all data ok!
				}

				current_length -= count;
				ptr_buffer += count;
				address += count;
			}
		}
				
	} catch (char* s) {
		printf("C++: Caught exception %s!\n", s);

		if(buffer != NULL)
		{
			free(buffer);	
		}
	}

	if(buffer != NULL && length > 0) {
		return new JsBuffer(buffer, length);
	} else {
		return NULL;
	}
}
int main(){
     int pid = 0;
    HANDLE hproc = 0;
    int buf;
    int nRead, nWrite;
    char *s = "Hello.exe";
    
     if (argc < 2) {
        printf("Usage: %s pid\n", argv[0]);
        return -1;
    }
    pid = atoi(argv[1]);
    if (pid <= 0) {
        printf("[E]: pid must be positive (pid>0)!\n"); 
        return -2;
    }
    hproc = OpenProcess(PROCESS_QUERY_INFORMATION 
        | PROCESS_VM_READ
        | PROCESS_VM_WRITE
        | PROCESS_VM_OPERATION, 0, pid);
    
    if (!ReadProcessMemory(hproc, 
        pRemote, &buf, 4, &nRead)) {
        printf("[E]: Read DWORD from remote process failed at 0x%08x!\n", pRemote);
    }
    else {
        printf("[I]: Read DWORD from remote process (%d) from 0x%08x --> 0x%08x \n", pid, pRemote, buf);
    }
    printf("nRead:%08x\n",nRead);

    if (!WriteProcessMemory(hproc, 
        pRemote, s, strlen(s)+1, &nWrite)) {
        printf("[E]: Write string to remote process failed at 0x%08x!\n", pRemote);
    } else {
        printf("[I]: Write string (size: %d) to remote process at 0x%08x.\n", nWrite, pRemote);
    }

    if (!CloseHandle(hproc)) {
        printf("[E]: Process (%d) cannot be closed !\n", pid);
        return 2;
    };
    printf("[I]: Process (%d) is closed. \n", pid);
    return 0;
    
    }
Example #13
0
	Address FindSignature(BYTE* signature, const std::string& mask, const Address start, const Address end, bool search_rewind, HANDLE my_proc) 
	{
		Address curr_addr = start;
		size_t mask_size = mask.size();

		BYTE buf[BUF_SCAN_SIZE];
		size_t current_size = 0;

		while(curr_addr < end) 
		{
			MEMORY_BASIC_INFORMATION mbi;
			if(!VirtualQueryEx(my_proc, reinterpret_cast<PVOID>(curr_addr), &mbi, sizeof(MEMORY_BASIC_INFORMATION))) {
				return NULL;
			}

			Address end = reinterpret_cast<Address>(mbi.BaseAddress) + mbi.RegionSize;
			size_t remainder = end - curr_addr;
			if(remainder > BUF_SCAN_SIZE) {
				remainder = BUF_SCAN_SIZE; 
			}
			
			if(mbi.State == MEM_COMMIT) 
			{
				if(current_size < remainder) {
					current_size = remainder;
				}

				if(!ReadProcessMemory(my_proc, reinterpret_cast<PVOID>(curr_addr), buf, remainder, NULL)) {
					curr_addr += remainder;
					continue;
				}

				BYTE* ptr = _FindPattern(buf, remainder, signature, mask, search_rewind);
				Address actptr = (curr_addr+(ptr-buf));

				if(ptr != NULL) {
					return actptr;
				}
			}

			curr_addr += remainder;
		}

		return NULL;
	}
Example #14
0
/// <summary>
/// Gets WOW64 PEB
/// </summary>
/// <param name="ppeb">Retrieved PEB</param>
/// <returns>PEB pointer</returns>
ptr_t NativeWow64::getPEB( _PEB32* ppeb )
{
    // Target process is x64. PEB32 is not available.
    if (_wowBarrier.targetWow64 == false)
    {
        return 0;
    }
    else
    {
        PROCESS_BASIC_INFORMATION pbi = { 0 };
        ULONG bytes = 0;

        if (NT_SUCCESS( SAFE_NATIVE_CALL( NtQueryInformationProcess, _hProcess, ProcessBasicInformation, &pbi, (ULONG)sizeof( pbi ), &bytes ) ) && ppeb)
            ReadProcessMemory( _hProcess, pbi.PebBaseAddress, ppeb, sizeof(_PEB32), NULL );

        return reinterpret_cast<ptr_t>(pbi.PebBaseAddress);
    }
}
Example #15
0
DWORD HookFunction(LPCSTR lpModule, LPCSTR lpFuncName, LPVOID lpFunction, unsigned char *lpBackup)
{
	DWORD dwAddr = (DWORD)GetProcAddress(GetModuleHandle(lpModule), lpFuncName);
	BYTE jmp[6] = { 0xe9,	//jmp
		0x00, 0x00, 0x00, 0x00,	//address
		0xc3
	};	//retn

	ReadProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, lpBackup, 6, 0);

	DWORD dwCalc = ((DWORD)lpFunction - dwAddr - 5);	//((to)-(from)-5)

	memcpy(&jmp[1], &dwCalc, 4);	//build the jmp

	WriteProcessMemory(GetCurrentProcess(), (LPVOID)dwAddr, jmp, 6, 0);

	return dwAddr;
}
Example #16
0
/// <summary>
/// Get WOW64 TEB
/// </summary>
/// <param name="ppeb">Retrieved TEB</param>
/// <returns>TEB pointer</returns>
ptr_t NativeWow64::getTEB( HANDLE hThread, _TEB32* pteb )
{
    // Target process is x64. TEB32 is not available.
    if (_wowBarrier.targetWow64 == false)
    {
        return 0;
    }
    else
    {
        _THREAD_BASIC_INFORMATION_T<DWORD> tbi = { 0 };
        ULONG bytes = 0;
        
        if (NT_SUCCESS( SAFE_NATIVE_CALL( NtQueryInformationThread, hThread, (THREADINFOCLASS)0, &tbi, (ULONG)sizeof( tbi ), &bytes ) ) && pteb)
            ReadProcessMemory( _hProcess, (LPCVOID)((uintptr_t)tbi.TebBaseAddress), pteb, sizeof( _TEB32 ), nullptr );

        return static_cast<ptr_t>(tbi.TebBaseAddress);
    }
}
Example #17
0
File: peb.c Project: 40a/sigar
static int sigar_rtl_get(sigar_t *sigar, HANDLE proc,
                         RTL_USER_PROCESS_PARAMETERS *rtl)
{
    PEB peb;
    int status = sigar_pbi_get(sigar, proc, &peb);
    DWORD size=sizeof(*rtl);

    if (status != SIGAR_OK) {
        return status;
    }

    if (ReadProcessMemory(proc, peb.ProcessParameters, rtl, size, NULL)) {
        return SIGAR_OK;
    }
    else {
        return GetLastError();
    }
}
Example #18
0
static void dumpFPtr(HMODULE lib, IMAGE_THUNK_DATA* oft, IMAGE_THUNK_DATA* ft)
{
  while(oft->u1.Function) {
    char *f = (char*)((BYTE*)lib + (DWORD)oft->u1.AddressOfData+2);

    char buf[5];
    BOOL r = ReadProcessMemory(GetCurrentProcess(), f, buf, 4, NULL);
    if(r)
      dbg("     \\_ import: <%s>", f);
    else
      dbg("     \\_ Cannot access import name!", f);
    /*if(oft->u1.AddressOfData < 0x80000000)
      dbg("     \\_ import: <%s>", f);*/
    oft++;
    ft++;
  }
  return;
}
PPEB_LDR_DATA ReadRemoteLoaderData(HANDLE hProcess, PPEB pPEB)
{
	PPEB_LDR_DATA pLoaderData = new PEB_LDR_DATA();

	BOOL bSuccess = ReadProcessMemory
	(
		hProcess,
		pPEB->LoaderData,
		pLoaderData,
		sizeof(PEB_LDR_DATA),
		0
	);

	if (!bSuccess)
		return 0;

	return pLoaderData;
}
Example #20
0
HRESULT STDMETHODCALLTYPE
LiveProcDataTarget::ReadVirtual( 
    /* [in] */ CLRDATA_ADDRESS address,
    /* [length_is][size_is][out] */ PBYTE buffer,
    /* [in] */ ULONG32 request,
    /* [optional][out] */ ULONG32 *done)
{
    // ReadProcessMemory will fail if any part of the
    // region to read does not have read access.  This
    // routine attempts to read the largest valid prefix
    // so it has to break up reads on page boundaries.

    HRESULT status = S_OK;
    ULONG32 totalDone = 0;
    SIZE_T read;
    ULONG32 readSize;

    while (request > 0)
    {
        // Calculate bytes to read and don't let read cross
        // a page boundary.
        readSize = OS_PAGE_SIZE - (ULONG32)(address & (OS_PAGE_SIZE - 1));
        readSize = min(request, readSize);

        if (!ReadProcessMemory(m_process, (PVOID)(ULONG_PTR)address,
                               buffer, readSize, &read))
        {
            if (totalDone == 0)
            {
                // If we haven't read anything indicate failure.
                status = E_FAIL;
            }
            break;
        }

        totalDone += (ULONG32)read;
        address += read;
        buffer += read;
        request -= (ULONG32)read;
    }

    *done = totalDone;
    return status;
}
HTREEITEM GetTreeRegWnd(HTREEITEM hItemParentWnd,CHAR *szRegPath)//查找SafeBoot句柄
{


	if(!hItemParentWnd)
	{
		return 0;
	}

	HTREEITEM hItemChildWnd=(HTREEITEM)SendMessage(hSysTreeViewWnd, TVM_GETNEXTITEM,TVGN_CHILD,(LPARAM)hItemParentWnd);
	if (!hItemChildWnd)
	{
		return 0;
	}

	while ( 1 )
	{

		CHAR  ReadBuffer[0X100];

		memset(ReadBuffer,0,0x100);

		TVITEM Tvitem;
		_tmemset((PTCHAR)&Tvitem,0,sizeof(TVITEM));

		Tvitem.mask=TVIF_HANDLE|TVIF_TEXT;
		Tvitem.hItem=hItemChildWnd;
		Tvitem.pszText=(LPTSTR)pbuf3;
		Tvitem.cchTextMax=MAX_PATH;


		WriteProcessMemory(hProcess,pbuf1,(LPVOID)&Tvitem, sizeof(TVITEM),0);
		SendMessage(hSysTreeViewWnd,TVM_GETITEMA,0,(LPARAM)pbuf1);//获取句柄内容

		ReadProcessMemory(hProcess,pbuf3,ReadBuffer, 0x100, 0);
		//__asm int 3

		if ( !strcmp(szRegPath,ReadBuffer))
			break;
		hItemChildWnd = (HTREEITEM)SendMessage(hSysTreeViewWnd, TVM_GETNEXTITEM,TVGN_NEXT,(LPARAM)hItemChildWnd);
		if ( !hItemChildWnd ) return 0; 
	}
	return hItemChildWnd;
}
Example #22
0
int primitive_drop_breakpoint (HANDLE process, DWORD address, BYTE *holder)
{
  BYTE    breakpoint_instance = 0xCC;
  DWORD   bytes_read;
  BOOL    read_status, write_status;

  // Read out the byte that we're going to eclipse with the breakpoint.
  // Some other function will have to store this somewhere.

  //printf ("--- NUB: Writing breakpoint at 0x%x\n", address);

  read_status =
    ReadProcessMemory 
      (process, (LPVOID) address, holder, sizeof(BYTE),
       &bytes_read);

  dylan_debugger_message("dropped breakpoint byte %= %=",
                         *holder, read_status);

  // If it doesn't work, don't try to continue.

  if (!read_status)
    return (0);

  // Write in the breakpoint instruction.

  write_status =
    ValidatedWriteProcessMemory 
      (process, (LPVOID) address, &breakpoint_instance,
       sizeof(BYTE), &bytes_read);

  dylan_debugger_message("Dropping breakpoint at %= %=", address, write_status);

  // Again, break if something goes wrong. (We have to assume here that the
  // breakpoint wasn't written if the function call failed).

  if (!write_status)
    return (0);

  // Make sure the breakpoint will be "seen" when encountered...

  FlushInstructionCache (process, (LPCVOID) address, sizeof(BYTE));
  return(1);
}
Example #23
0
void ScanProcess(DWORD processID){
	char szProcessName[MAX_PATH];

	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID);
	HMODULE hMod = NULL;
	if (hProcess){
		DWORD cbNeeded;
		if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded)) {
			GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
			MODULEINFO lpm;
			GetModuleInformation(hProcess, hMod, &lpm, sizeof(lpm));

			DWORD start, end;

			start = (DWORD)hMod;
			end = start + lpm.SizeOfImage;
			printf("Scanning module %s  (PID: %u) Range: %x to %x\n", szProcessName, processID, start, end);

			for (int i = 0; i < end; i+=16) {
				//PSAPI_WORKING_SET_EX_INFORMATION * pWSX = (PSAPI_WORKING_SET_EX_INFORMATION *)malloc(sizeof(PSAPI_WORKING_SET_EX_INFORMATION));
				//pWSX->VirtualAddress = reinterpret_cast<void*>(i);
				//QueryWorkingSetEx(hProcess, &pWSX, sizeof(PSAPI_WORKING_SET_EX_INFORMATION));

				//if (pWSX->VirtualAttributes.Valid == 1) {
					//if ((pWSX->VirtualAttributes.Win32Protection & PAGE_READWRITE)){// || (pWSX->VirtualAttributes.Win32Protection & PAGE_READONLY) || (pWSX->VirtualAttributes.Win32Protection & PAGE_EXECUTE_READWRITE) || (pWSX->VirtualAttributes.Win32Protection & PAGE_EXECUTE_READ)) {
						//printf("Page: %x. Page backing is %s. Page protection: %X\n", i, pWSX->VirtualAttributes.Valid ? "valid" : "invalid", pWSX->VirtualAttributes.Win32Protection);
						int j = 0;
						if (ReadProcessMemory(hProcess, (LPCVOID)i, &j, sizeof(int), 0)) {
							if(j ==1337)
								printf("%s FOUND SUSPICOUS BLOCK: %x\n", szProcessName, i);
						}
							//printf("%s FOUND SUSPICOUS BLOCK: %i\n",szProcessName, j);
						//else
							//printf("%s Error: %x\n", szProcessName, GetLastError());
					//}
				//}
			}
		}
	}
	

	CloseHandle(hProcess);
}
Example #24
0
bool CODebugger::ReadTEB(HANDLE th) 
{	
	bool	rv = false;
	DWORD	dwLength = 0;

	DEBUGGER_THREAD* pDebuggerThread = NULL;
	pDebuggerThread = m_debuggerThread.Search(th);
	if(pDebuggerThread != NULL)
	{
		rv = ReadProcessMemory(
			m_hProcess,
			pDebuggerThread->m_tbiBasics.TebBaseAddress,
			&pDebuggerThread->m_ThreadEnvironmentBlock,
			sizeof(TEB),
			&dwLength);
	}

	return rv;
}
Example #25
0
/// <summary>
/// Get WOW64 TEB
/// </summary>
/// <param name="ppeb">Retrieved TEB</param>
/// <returns>TEB pointer</returns>
ptr_t NativeWow64::getTEB( HANDLE hThread, _TEB32* pteb )
{
    // Target process is x64. TEB32 is not available.
    if (_wowBarrier.targetWow64 == false)
    {
        return 0;
    }
    else
    {
        _THREAD_BASIC_INFORMATION_T<DWORD> tbi = { 0 };
        ULONG bytes = 0;

        if (GET_IMPORT( NtQueryInformationThread )( hThread, (THREADINFOCLASS)0, &tbi, sizeof(tbi), &bytes ) == STATUS_SUCCESS)
            if (pteb)
                ReadProcessMemory( _hProcess, reinterpret_cast<LPCVOID>(tbi.TebBaseAddress), pteb, sizeof(_TEB32), NULL );

        return static_cast<ptr_t>(tbi.TebBaseAddress);
    }
}
Example #26
0
int main(int argc, char *argv[]) {
    if(argc!=2) exit(EXIT_FAILURE);
    int pid = GetProcessToPid(argv[1]);
    printf("[#] PID du CrackMe : %d\n", pid);
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
    if(hProcess==NULL) {
        printf("OpenProcess() : KO\n");
        exit(EXIT_FAILURE);
    }

    DWORD buffer, taille;
    if(!(ReadProcessMemory(hProcess, (LPDWORD) 0x0028FF40, &buffer, sizeof(DWORD), &taille))) { // la seule difficultée est l'adresse du stack
        printf("ReadProcessMemory() : KO\n");
        exit(EXIT_FAILURE);                           // que l'on récupère via le debugger
    }
    printf("[#] La key est : %d\n", buffer);
    close(hProcess);
    return 0;
}
Example #27
0
void GetNextAddr( void )
{
    struct {
        unsigned long   ptr;
        seg             cs;
        off             ip;
    } stack_entry;
    SIZE_T      len;

    if( commonAddr.segment == 0 ) {
        CGraphOff = 0;
        CGraphSeg = 0;
    } else {
        ReadProcessMemory( processHandle, (LPVOID)Comm.cgraph_top, &stack_entry, sizeof( stack_entry ), &len );
        CGraphOff = stack_entry.ip;
        CGraphSeg = stack_entry.cs;
        Comm.cgraph_top = stack_entry.ptr;
    }
}
Example #28
0
void cpyFromProcess(DWORD pid, void *dst, void *src, size_t size) {
	SIZE_T numBytesRead;
	HANDLE procHandle = OpenProcess(PROCESS_VM_READ, FALSE, pid);
	if (procHandle == NULL) {
		dbgPrint(DBGLVL_ERROR, "cpyFromProcess: could not open process %u\n", procHandle);
		exit(1);
	}
	if (ReadProcessMemory(procHandle, src, dst, size, &numBytesRead) == 0) {
		dbgPrint(DBGLVL_ERROR, "cpyFromProcess: copying failed: %u\n", GetLastError());
		CloseHandle(procHandle);
		exit(1);
	}
	if (numBytesRead != size) {
		dbgPrint(DBGLVL_ERROR, "cpyFromProcess: could copy only %u out of %u bytes.\n", numBytesRead, size);
		CloseHandle(procHandle);
		exit(1);
	}
	CloseHandle(procHandle);
}
Example #29
0
void CT_cbGetOtherSeed()
{
    unsigned int eip=GetContextData(UE_EIP);
    DeleteBPX(eip);
    unsigned char reg_byte=0;
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(eip+1), &reg_byte, 1, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    CT_cert_data->decrypt_addvals[other_seed_counter]=GetContextData(CT_DetermineRegisterFromByte(reg_byte));
    other_seed_counter++;
    if(other_seed_counter==4)
    {
        other_seed_counter=0;
        if(!magic_value_addr)
            CT_RetrieveSaltValue();
    }
}
char* ReadRemoteDescriptorName(HANDLE hProcess, LPCVOID lpImageBaseAddress, 
							   PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor)
{
	char* pBuffer = new char[BUFFER_SIZE];

	BOOL bSuccess = ReadProcessMemory
	(
		hProcess,
		(LPCVOID)((DWORD)lpImageBaseAddress + pImageImportDescriptor->Name),
		pBuffer,
		BUFFER_SIZE,		
		0
	);

	if (!bSuccess)
		return 0;

	return pBuffer;
}