✅ WriteProcessMemory With Kernel32.dll
Hi everyone!
I am trying to write some data to some memory addresses that isn't owned by the process.
So far I can read the data of consecutive memory addresses by using ReadProcessMemory in kernel32.dll but I can't get it to override any existing data.
Does anyone have any idea of how I should get it to work? Or is this a feature no longer supported in windows? I can't find any recent topics on the on the interweb.
22 Replies
What are you making?
WPM has the same signature as RPM basically
Can't really make a mistake there
Unknown User•16mo ago
Message Not Public
Sign In & Join Server To View
Its just a notepad.exe
Here is a little view to show it can read the text
it just doesn't write anything
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
public class Program
{
const int PROCESS_ALL_ACCESS = 0x1F0FFF;
const int PROCESS_WM_READ = 0x0010;
const long adress = 0x027B_76DE2AC0;
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(int hProcess, long lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory(int hProcess, long lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead);
public static void Main()
{
Process process = Process.GetProcessesByName("notepad")[0];
IntPtr processHandle = OpenProcess(PROCESS_WM_READ, false, process.Id);
int bytesRead = 0;
int bytesWritten = 0;
byte[] buffer = new byte[256]; //'Hello World!' takes 12*2 bytes because of Unicode
byte[] writebuffer = Encoding.Unicode.GetBytes("Hello World!\0");
// 0x0046A3B8 is the address where I found the string, replace it with what you found
ReadProcessMemory((int)processHandle, adress, buffer, buffer.Length, ref bytesRead);
WriteProcessMemory((int) processHandle, adress, writebuffer, writebuffer.Length, ref bytesWritten);
Console.WriteLine(Encoding.Unicode.GetString(buffer) + " (" + bytesRead.ToString() + "bytes)");
Console.WriteLine(Encoding.Unicode.GetString(writebuffer) + " (" + bytesWritten.ToString() + "bytes)");
}
}
This is the code
Full disclosure, i found it on a blog
I posted the code I used. Do you have any idea why it doesn't change?string allocation is much more difficult than just writing some bytes
I found another thing.
When using ollydbg I saw i only have R permission to that memory
Is there anything I could do to give the process write access?
well obviously
you specifically called
OpenProcess
with only PROCESS_WM_READ
Oh. im stupid
you don't need
OpenProcess
at all
not usually anywayHey it works now!
Thank you so much
but the wpm call will never do exactly what you want
there is a string of a different length allocated in that place
you shouldn't just overwrite it
How should I do it? This was mostly a test though. To see what if I could get it to work. Now I need to find an application for this new superpower
not at all
writing strings is not something trivial
Perhaps not for any sustainable development. But I was mostly just playing around. Is there any major risks in doing this?
Does WM_SETTEXT / WM_GETTEXT not work anymore for notepad?
if you write a string larger than the buffer allocated in that place, the app will crash
So I tried writing over the text field here in discord but it didn't work. I guess I just overwrote some cached variable. I could read the text in the text window though.
Anyways how do i mark this as solved?
$close
Use the
/close
command to mark a forum thread as answered