C
C#17mo ago
TilionDC

✅ WriteProcessMemory With Kernel32.dll

Hi everyone! I am trying to write some data to some memory addresses that isn't owned by the process. So far I can read the data of consecutive memory addresses by using ReadProcessMemory in kernel32.dll but I can't get it to override any existing data. Does anyone have any idea of how I should get it to work? Or is this a feature no longer supported in windows? I can't find any recent topics on the on the interweb.
22 Replies
Buddy
Buddy17mo ago
What are you making?
ero
ero17mo ago
WPM has the same signature as RPM basically Can't really make a mistake there
Unknown User
Unknown User17mo ago
Message Not Public
Sign In & Join Server To View
TilionDC
TilionDCOP17mo ago
Its just a notepad.exe
TilionDC
TilionDCOP17mo ago
TilionDC
TilionDCOP17mo ago
Here is a little view to show it can read the text it just doesn't write anything using System; using System.Diagnostics; using System.Runtime.InteropServices; using System.Text; public class Program { const int PROCESS_ALL_ACCESS = 0x1F0FFF; const int PROCESS_WM_READ = 0x0010; const long adress = 0x027B_76DE2AC0; [DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll", SetLastError = true)] static extern bool WriteProcessMemory(int hProcess, long lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesWritten); [DllImport("kernel32.dll")] public static extern bool ReadProcessMemory(int hProcess, long lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead); public static void Main() { Process process = Process.GetProcessesByName("notepad")[0]; IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id); int bytesRead = 0; int bytesWritten = 0; byte[] buffer = new byte[256]; //'Hello World!' takes 12*2 bytes because of Unicode byte[] writebuffer = Encoding.Unicode.GetBytes("Hello World!\0"); // 0x0046A3B8 is the address where I found the string, replace it with what you found ReadProcessMemory((int)processHandle, adress, buffer, buffer.Length, ref bytesRead); WriteProcessMemory((int) processHandle, adress, writebuffer, writebuffer.Length, ref bytesWritten); Console.WriteLine(Encoding.Unicode.GetString(buffer) + " (" + bytesRead.ToString() + "bytes)"); Console.WriteLine(Encoding.Unicode.GetString(writebuffer) + " (" + bytesWritten.ToString() + "bytes)"); } } This is the code Full disclosure, i found it on a blog I posted the code I used. Do you have any idea why it doesn't change?
ero
ero17mo ago
string allocation is much more difficult than just writing some bytes
TilionDC
TilionDCOP17mo ago
I found another thing. When using ollydbg I saw i only have R permission to that memory
TilionDC
TilionDCOP17mo ago
Is there anything I could do to give the process write access?
ero
ero17mo ago
well obviously you specifically called OpenProcess with only PROCESS_WM_READ
TilionDC
TilionDCOP17mo ago
Oh. im stupid
ero
ero17mo ago
you don't need OpenProcess at all not usually anyway
TilionDC
TilionDCOP17mo ago
Hey it works now! Thank you so much
ero
ero17mo ago
but the wpm call will never do exactly what you want there is a string of a different length allocated in that place you shouldn't just overwrite it
TilionDC
TilionDCOP17mo ago
How should I do it? This was mostly a test though. To see what if I could get it to work. Now I need to find an application for this new superpower
ero
ero17mo ago
not at all writing strings is not something trivial
TilionDC
TilionDCOP17mo ago
Perhaps not for any sustainable development. But I was mostly just playing around. Is there any major risks in doing this?
Buddy
Buddy17mo ago
Does WM_SETTEXT / WM_GETTEXT not work anymore for notepad?
ero
ero17mo ago
if you write a string larger than the buffer allocated in that place, the app will crash
TilionDC
TilionDCOP17mo ago
So I tried writing over the text field here in discord but it didn't work. I guess I just overwrote some cached variable. I could read the text in the text window though. Anyways how do i mark this as solved?
ero
ero17mo ago
$close
MODiX
MODiX17mo ago
Use the /close command to mark a forum thread as answered
Want results from more Discord servers?
Add your server