https://suck-oold.com/modules.php?name=Forums&file=viewtopic&t=8271
This is the second time I've written this thread. The first time, I realized in the middle of it that the experiment had failed, and I had to research it some more. Credits to IceDane, who mentioned the existence of "ASLR", which proved to be the issue with the compiler; it seems that VC++ has that setting (/DYNAMICBASE) enabled by default to protect the address space of the applications compiled with it.
The purpose of the experiment was simply to write an application that creates a variable that holds some random value, then write another application whose purpose is to access the address space of the first application's process, read the variable's value, output it, write something new to that address, and then output it again.
The reason for the experiment is that we have been talking a lot about address spaces at the university, and I wanted to play around with it some more to get a better hold of it, code-wise that is. Another purpose of the experiment is to use this knowledge for my "lifeware" project.
Anyway, the first application is rather simple:
Code:
#include <cstdlib>   // system()
#include <iostream>
using namespace std;

// Global variable: it lives in the image's .data section, so its address is the
// image base plus a fixed offset. With /DYNAMICBASE (ASLR) the base, and thus
// this address, can change between runs.
int var = 1234;

int main()
{
    while(1)
    {
        cout << var << endl;
        system("PAUSE"); // wait for a key so the other program can poke at var
    }
    return 0;
}
Code:
#include <windows.h>
#include <cstdlib>   // system()
#include <iostream>

//The address to read from. Only valid while the target image is loaded at a
//fixed base: with /DYNAMICBASE (ASLR) it moves between runs, which is what
//broke the first attempt.
#define APP_VAR 0x013E301C
//The PID of the process we are reading from
#define APP_PID 4820

using namespace std;

//Enable a privilege (e.g. SeDebugPrivilege) in the calling process's own token
BOOL EnablePriv(LPCTSTR privStr);

int main()
{
    HANDLE hProcess;
    SIZE_T stBytes = 0;
    int buff = 0;

    //Enable the SeDebugPrivilege privilege to get full access.
    //It has to be enabled on our own token *before* OpenProcess, not on the
    //target process. Not needed in this experiment though.
    //EnablePriv(SE_DEBUG_NAME);

    //Open the process specified by PID. PROCESS_VM_READ is enough for reading;
    //PROCESS_VM_WRITE | PROCESS_VM_OPERATION are needed for writing.
    hProcess = OpenProcess(
        PROCESS_VM_READ |
        PROCESS_VM_WRITE |
        PROCESS_TERMINATE |
        PROCESS_QUERY_INFORMATION |
        PROCESS_VM_OPERATION,
        FALSE,
        APP_PID); //Don't forget to change the PID!

    //Check if the process was opened without fail
    if(hProcess == NULL)
    {
        cout << "ERROR: " << GetLastError() << "\n";
    }
    else
    {
        cout << "Process was opened successfully\n";

        //Read memory and output result (also check that all bytes were copied)
        if(ReadProcessMemory(hProcess, (LPCVOID)APP_VAR, &buff, sizeof(buff), &stBytes)
           && stBytes == sizeof(buff))
            cout << "Read " << dec << buff << " from 0x" << hex << APP_VAR << dec << "\n";
        else
            cout << "ERROR: " << dec << GetLastError() << "\n";

        //Set the value that is to be written
        buff = 5678;

        //Write memory and output result
        if(WriteProcessMemory(hProcess, (LPVOID)APP_VAR, &buff, sizeof(buff), &stBytes)
           && stBytes == sizeof(buff))
            cout << "Wrote " << dec << buff << " to 0x" << hex << APP_VAR << dec << "\n";
        else
            cout << "ERROR: " << dec << GetLastError() << "\n";

        //Close the handle for the opened process (only if it was actually opened)
        CloseHandle(hProcess);
    }

    system("PAUSE");
    return 0;
}
Anyway, here's that part as well, just in case:
Code:
//Enable a privilege in the calling process's own access token.
//Returns TRUE only if the privilege was really enabled: AdjustTokenPrivileges
//returns TRUE even when it could not assign the privilege, so GetLastError()
//has to be checked for ERROR_NOT_ALL_ASSIGNED as well.
BOOL EnablePriv(LPCTSTR privStr)
{
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tPriv;

    //Privileges live in a token, so open our own process's token (not the target's)
    if(!OpenProcessToken(GetCurrentProcess(), (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), &hToken))
        return FALSE;

    if(!LookupPrivilegeValue(NULL, privStr, &luid))
    {
        CloseHandle(hToken);
        return FALSE;
    }

    tPriv.PrivilegeCount = 1;
    tPriv.Privileges[0].Luid = luid;
    tPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL retVal = AdjustTokenPrivileges(hToken, FALSE, &tPriv, sizeof(tPriv), NULL, NULL);
    if(retVal && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        retVal = FALSE; //the token does not hold this privilege at all
    CloseHandle(hToken);
    return retVal;
}
The application that reads and writes to the memory results in this:
And then the "simple" application results in this:
Due to the horrible way phpBB2 handles code, it looks like shit. But if you want to study it, then you can simply copy/paste it.
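Added by the editor, not code from the post: since the whole experiment hinged on whether VC++ linked the target with /DYNAMICBASE, here is a portable C check that reads the DllCharacteristics field of a PE header and reports whether the DYNAMIC_BASE (ASLR) flag is set. The header it parses is constructed inline (a minimal PE32 header, not a real binary); the function and macro names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DLLCHAR_DYNAMIC_BASE 0x0040  /* set by /DYNAMICBASE: image may be relocated (ASLR) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk DOS header -> PE signature -> COFF header -> optional header and return the
 * DllCharacteristics word, or -1 if the buffer is not a well-formed PE header. */
int pe_dll_characteristics(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe_off = rd32(buf + 0x3C);               /* e_lfanew */
    /* need signature(4) + COFF header(20) + optional header through offset 72 */
    if (pe_off > len || len - pe_off < 4 + 20 + 72) return -1;
    if (memcmp(buf + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = buf + pe_off + 4;
    if (rd16(coff + 16) < 72) return -1;              /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;  /* PE32 / PE32+ */
    return rd16(opt + 70);     /* DllCharacteristics is at +70 in both layouts */
}

/* 1 if the image opts into ASLR, 0 if not, -1 on parse error. Without the flag the
 * loader honours the fixed ImageBase, so a hard-coded address such as APP_VAR in
 * the post stays valid between runs; with it the base, and the address, move. */
int pe_is_aslr_enabled(const uint8_t *buf, size_t len)
{
    int dc = pe_dll_characteristics(buf, len);
    return dc < 0 ? -1 : ((dc & DLLCHAR_DYNAMIC_BASE) != 0);
}

/* Constructed minimal PE32 header (not a real executable) carrying the given
 * DllCharacteristics value, so the check can be exercised offline. */
int check_constructed_header(uint16_t dllchar)
{
    uint8_t img[0x100];
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x80;                                 /* e_lfanew = 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x80 + 4 + 16] = 0xE0;                        /* SizeOfOptionalHeader */
    img[0x80 + 24] = 0x0b; img[0x80 + 25] = 0x01;     /* Magic = 0x10b (PE32) */
    img[0x80 + 24 + 70] = (uint8_t)(dllchar & 0xFF);  /* DllCharacteristics LE */
    img[0x80 + 24 + 71] = (uint8_t)(dllchar >> 8);
    return pe_is_aslr_enabled(img, sizeof img);
}
```

Fed the first few hundred bytes of a real .exe, pe_is_aslr_enabled tells you up front whether the image will be relocated, i.e. whether the experiment's assumption of a fixed address can hold at all.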