F
Frankooo
Guest
shmem.WriteMemory(0xE2384FF980,5); // where 5 is an int.
// this is my write memory func from my UM.
template<typename T>
bool WriteMemory(UINT_PTR WriteAddress, const T& value) {
return WriteInt(WriteAddress, (DWORD64)&value, sizeof(T));
}
bool WriteInt(UINT_PTR addr, DWORD64 val, SIZE_T Size) {etc...}
typedef struct {
ULONG pid;
UINT_PTR Address;
DWORD64 writeval;
ULONG Size;
} MEMDATA;
and here is my windbg output
DbgPrintEx(0, 0, "%p Pid %u writevalue %p Address %p Size %x\n", WriteInput, WriteInput->pid, WriteInput->writeval, WriteInput->Address, WriteInput->Size);
0000016400030000 Pid 6936 writevalue 0000008B9DBBFB90 Address 000000E2384FF980 Size 4
this is my write memory function.
NTSTATUS WriteMem(MEMDATA* data, PEPROCESS Process)
{
// should work fine.
BYTE* temp = data->writeval;
NTSTATUS Status = STATUS_SUCCESS;
PRKAPC_STATE state;
KeStackAttachProcess((PKPROCESS)Process,&state);
MEMORY_BASIC_INFORMATION info;
// failing here with STATUS_ACCESS_VIOLATION
// <hint down here..>
// and probably is STATUS_ACCESS_VIOLATION which means you've likely passed an invalid or NULL pointer to the routine.
// lets add it just for testing
if (MmIsAddressValid(data->Address)) {
DbgPrintEx(0, 0, "working we have a valid address\n");
Status = ZwQueryVirtualMemory(ZwCurrentProcess(), data->Address, MemoryBasicInformation, &info, sizeof(info), NULL);
if (!NT_SUCCESS(Status)) {
DbgPrintEx(0, 0, "Error ZwQueryVirtualMemory : %p \n", Status);
KeUnstackDetachProcess(&state);
return Status;
}
}
else
{
DbgPrintEx(0, 0, "not working we don't have a valid address\n");
return STATUS_UNSUCCESSFUL;
}
if (((uintptr_t)info.BaseAddress + info.RegionSize) < (data->Address + data->Size))
{
DbgPrintEx(0, 0, "Error [2] if statement\n");
KeUnstackDetachProcess(&state);
return STATUS_INVALID_PARAMETER;
}
if (!(info.State & MEM_COMMIT) || (info.Protect & (PAGE_GUARD | PAGE_NOACCESS)))
{
DbgPrintEx(0, 0, "Error [3] if statement \n");
KeUnstackDetachProcess(&state);
return STATUS_INVALID_PARAMETER;
}
if ((info.Protect & PAGE_EXECUTE_READWRITE) || (info.Protect & PAGE_EXECUTE_WRITECOPY) || (info.Protect & PAGE_READWRITE) || (info.Protect & PAGE_WRITECOPY))
{
DbgPrintEx(0, 0, "Success! [4] if statement \n");
RtlCopyMemory(data->Address, &temp, data->Size);
}
KeUnstackDetachProcess(&state);
DbgPrintEx(0, 0, "Done from WriteMem call...\n");
return STATUS_SUCCESS;
}
however its crashing at
if (MmIsAddressValid(data->Address))
i have read about MmIsAddressValid in msdn and it says it will return TRUE if (no page fault would occur from reading or writing at the given virtual address) . but it crashes with BSOD error status_access_violation even ZwQueryVirtualMemory is giving a bsod for the same reason . so after debugging all that , i want to know how could i make sure that am sending the right address. thanks for any help in advance.
and this is what am trying to write to (from a dummy program)
using namespace std;
int main() {
int varInt(123456);
do {
cout << "Process ID: " << dec << GetCurrentProcessId() << endl;
cout << endl;
cout << "varInt (0x" << hex << uppercase << (uintptr_t)&varInt << ") = " << dec << varInt << endl;
cout << endl;
cout << "Press ENTER to print again." << endl;
getchar();
cout << endl << "---------------------------------------------------" << endl << endl;
} while (true);
return EXIT_SUCCESS;
}
Continue reading...
// this is my write memory func from my UM.
template<typename T>
bool WriteMemory(UINT_PTR WriteAddress, const T& value) {
return WriteInt(WriteAddress, (DWORD64)&value, sizeof(T));
}
bool WriteInt(UINT_PTR addr, DWORD64 val, SIZE_T Size) {etc...}
typedef struct {
ULONG pid;
UINT_PTR Address;
DWORD64 writeval;
ULONG Size;
} MEMDATA;
and here is my windbg output
DbgPrintEx(0, 0, "%p Pid %u writevalue %p Address %p Size %x\n", WriteInput, WriteInput->pid, WriteInput->writeval, WriteInput->Address, WriteInput->Size);
0000016400030000 Pid 6936 writevalue 0000008B9DBBFB90 Address 000000E2384FF980 Size 4
this is my write memory function.
NTSTATUS WriteMem(MEMDATA* data, PEPROCESS Process)
{
// should work fine.
BYTE* temp = data->writeval;
NTSTATUS Status = STATUS_SUCCESS;
PRKAPC_STATE state;
KeStackAttachProcess((PKPROCESS)Process,&state);
MEMORY_BASIC_INFORMATION info;
// failing here with STATUS_ACCESS_VIOLATION
// <hint down here..>
// and probably is STATUS_ACCESS_VIOLATION which means you've likely passed an invalid or NULL pointer to the routine.
// lets add it just for testing
if (MmIsAddressValid(data->Address)) {
DbgPrintEx(0, 0, "working we have a valid address\n");
Status = ZwQueryVirtualMemory(ZwCurrentProcess(), data->Address, MemoryBasicInformation, &info, sizeof(info), NULL);
if (!NT_SUCCESS(Status)) {
DbgPrintEx(0, 0, "Error ZwQueryVirtualMemory : %p \n", Status);
KeUnstackDetachProcess(&state);
return Status;
}
}
else
{
DbgPrintEx(0, 0, "not working we don't have a valid address\n");
return STATUS_UNSUCCESSFUL;
}
if (((uintptr_t)info.BaseAddress + info.RegionSize) < (data->Address + data->Size))
{
DbgPrintEx(0, 0, "Error [2] if statement\n");
KeUnstackDetachProcess(&state);
return STATUS_INVALID_PARAMETER;
}
if (!(info.State & MEM_COMMIT) || (info.Protect & (PAGE_GUARD | PAGE_NOACCESS)))
{
DbgPrintEx(0, 0, "Error [3] if statement \n");
KeUnstackDetachProcess(&state);
return STATUS_INVALID_PARAMETER;
}
if ((info.Protect & PAGE_EXECUTE_READWRITE) || (info.Protect & PAGE_EXECUTE_WRITECOPY) || (info.Protect & PAGE_READWRITE) || (info.Protect & PAGE_WRITECOPY))
{
DbgPrintEx(0, 0, "Success! [4] if statement \n");
RtlCopyMemory(data->Address, &temp, data->Size);
}
KeUnstackDetachProcess(&state);
DbgPrintEx(0, 0, "Done from WriteMem call...\n");
return STATUS_SUCCESS;
}
however its crashing at
if (MmIsAddressValid(data->Address))
i have read about MmIsAddressValid in msdn and it says it will return TRUE if (no page fault would occur from reading or writing at the given virtual address) . but it crashes with BSOD error status_access_violation even ZwQueryVirtualMemory is giving a bsod for the same reason . so after debugging all that , i want to know how could i make sure that am sending the right address. thanks for any help in advance.
and this is what am trying to write to (from a dummy program)
using namespace std;
int main() {
int varInt(123456);
do {
cout << "Process ID: " << dec << GetCurrentProcessId() << endl;
cout << endl;
cout << "varInt (0x" << hex << uppercase << (uintptr_t)&varInt << ") = " << dec << varInt << endl;
cout << endl;
cout << "Press ENTER to print again." << endl;
getchar();
cout << endl << "---------------------------------------------------" << endl << endl;
} while (true);
return EXIT_SUCCESS;
}
Continue reading...