✅ WriteProcessMemory With Kernel32.dll
Hi everyone!
I am trying to write some data to some memory addresses that isn't owned by the process.
So far I can read the data of consecutive memory addresses by using ReadProcessMemory in kernel32.dll but I can't get it to override any existing data.
Does anyone have any idea of how I should get it to work? Or is this a feature no longer supported in windows? I can't find any recent topics on the on the interweb.
22 Replies
What are you making?
WPM has the same signature as RPM basically
Can't really make a mistake there
Unknown User•17mo ago
Message Not Public
Sign In & Join Server To View
Its just a notepad.exe
Here is a little view to show it can read the text
it just doesn't write anything
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
public class Program
{
const int PROCESS_ALL_ACCESS = 0x1F0FFF;
const int PROCESS_WM_READ = 0x0010;
const long adress = 0x027B_76DE2AC0;
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(int hProcess, long lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(int hProcess, long lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
public static void Main()
{
Process process = Process.GetProcessesByName("notepad")[0];
IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);
int bytesRead = 0;
int bytesWritten = 0;
byte[] buffer = new byte[256]; //'Hello World!' takes 12*2 bytes because of Unicode
byte[] writebuffer = Encoding.Unicode.GetBytes("Hello World!\0");
// 0x0046A3B8 is the address where I found the string, replace it with what you found
ReadProcessMemory((int)processHandle, adress, buffer, buffer.Length, ref bytesRead);
WriteProcessMemory((int) processHandle, adress, writebuffer, writebuffer.Length, ref bytesWritten);
Console.WriteLine(Encoding.Unicode.GetString(buffer) + " (" + bytesRead.ToString() + "bytes)");
Console.WriteLine(Encoding.Unicode.GetString(writebuffer) + " (" + bytesWritten.ToString() + "bytes)");
}
}
This is the code
Full disclosure, i found it on a blog
I posted the code I used. Do you have any idea why it doesn't change?string allocation is much more difficult than just writing some bytes
I found another thing.
When using ollydbg I saw i only have R permission to that memory
Is there anything I could do to give the process write access?
well obviously
you specifically called
OpenProcess with only PROCESS_WM_READOh. im stupid
you don't need
OpenProcess at all
not usually anywayHey it works now!
Thank you so much
but the wpm call will never do exactly what you want
there is a string of a different length allocated in that place
you shouldn't just overwrite it
How should I do it? This was mostly a test though. To see what if I could get it to work. Now I need to find an application for this new superpower
not at all
writing strings is not something trivial
Perhaps not for any sustainable development. But I was mostly just playing around. Is there any major risks in doing this?
Does WM_SETTEXT / WM_GETTEXT not work anymore for notepad?
if you write a string larger than the buffer allocated in that place, the app will crash
So I tried writing over the text field here in discord but it didn't work. I guess I just overwrote some cached variable. I could read the text in the text window though.
Anyways how do i mark this as solved?
$close
Use the
/close command to mark a forum thread as answered