
[C] WriteProcessMemory

What does WriteProcessMemory do? Here is the definition from MSDN:
Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.
And here are the parameters:
BOOL WINAPI WriteProcessMemory(
__in HANDLE hProcess,
__in LPVOID lpBaseAddress,
__in LPCVOID lpBuffer,
__in SIZE_T nSize,
__out SIZE_T *lpNumberOfBytesWritten
);
And defining each parameter:

hProcess [in]

A handle to the process memory to be modified. The handle must have PROCESS_VM_WRITE and PROCESS_VM_OPERATION access to the process.

lpBaseAddress [in]

A pointer to the base address in the specified process to which data is written. Before data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for write access, and if it is not accessible, the function fails.

lpBuffer [in]

A pointer to the buffer that contains data to be written in the address space of the specified process.

nSize [in]

The number of bytes to be written to the specified process.

lpNumberOfBytesWritten [out]

A pointer to a variable that receives the number of bytes transferred into the specified process. This parameter is optional. If lpNumberOfBytesWritten is NULL, the parameter is ignored.



So with that out of the way, here is a code snippet that writes memory into Minesweeper (winmine.exe). Two caveats before you run it: the patched address (0x01002ff5) belongs to one specific build of winmine.exe, so on any other version you must locate the timer-increment instruction yourself in a debugger, and OpenProcess will fail unless your process is allowed to obtain PROCESS_VM_WRITE | PROCESS_VM_OPERATION on the target (same user and integrity level, or SeDebugPrivilege).

#include <string.h>

#include "stdio.h"
#include "windows.h"
#include "tlhelp32.h"

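/*
 * GetPID - return the process ID of the first running process whose image
 * name matches ProcessName (case-insensitive), or 0 if none is found or the
 * snapshot cannot be taken.
 *
 * ProcessName: image file name such as "winmine.exe" (ANSI). NULL yields 0.
 *
 * Note: if several instances are running, the one returned is simply the first
 * in enumeration order, which is not necessarily the oldest or the foreground one.
 */
int GetPID(LPCSTR ProcessName)
{
    HANDLE hSnap;
    PROCESSENTRY32 entry;
    int pid = 0;

    if (ProcessName == NULL)
        return 0;

    /* Only the process list is needed. TH32CS_SNAPALL additionally snapshots
     * heaps and modules, which is slower and unnecessary here. */
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return 0;

    /* dwSize must be set before Process32First/Next or they fail with
     * ERROR_INVALID_PARAMETER; zero the rest so nothing is left uninitialized. */
    memset(&entry, 0, sizeof(entry));
    entry.dwSize = sizeof(entry);

    /* The original looped with do/while over Process32Next without ever calling
     * Process32First, so the first comparison read an unfilled szExeFile. */
    if (Process32First(hSnap, &entry)) {
        do {
            /* Image names are case-insensitive on Windows ("WINMINE.EXE" == "winmine.exe"). */
            if (_stricmp(entry.szExeFile, ProcessName) == 0) {
                pid = (int)entry.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &entry));
    }

    /* Close on every path: the original returned from inside the loop and
     * leaked the snapshot handle whenever a match was found. */
    CloseHandle(hSnap);
    return pid;
}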

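/*
 * IsActive - TRUE if a process whose image name matches ProcName
 * (case-insensitive) is currently running, FALSE otherwise or if the
 * process snapshot cannot be taken.
 *
 * ProcName: image file name such as "winmine.exe" (ANSI). NULL yields FALSE.
 */
BOOL IsActive( LPCSTR ProcName )
{
    HANDLE hSnap;
    PROCESSENTRY32 entry;
    BOOL found = FALSE;

    if (ProcName == NULL)
        return FALSE;

    /* Process list only; heaps/modules (TH32CS_SNAPALL) are not needed. */
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return FALSE;

    /* The original never set dwSize, which Process32First/Next require, and
     * compared szExeFile before any entry had been filled in. */
    memset(&entry, 0, sizeof(entry));
    entry.dwSize = sizeof(entry);

    if (Process32First(hSnap, &entry)) {
        do {
            if (_stricmp(entry.szExeFile, ProcName) == 0) {
                found = TRUE;
                break;
            }
        } while (Process32Next(hSnap, &entry));
    }

    /* Always release the snapshot, including on the found path. */
    CloseHandle(hSnap);
    return found;
}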


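/*
 * Entry point: locate a running winmine.exe and NOP out the instruction that
 * increments its timer, so the displayed time stops advancing.
 *
 * Returns 0 when the target is not running or the patch was applied, 1 when
 * the process could be found but not opened.
 *
 * The address below is specific to one build of winmine.exe; any other
 * version needs the instruction re-located in a debugger first.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    /* Target instruction at 0x01002ff5 is six bytes: ff 05 9c 57 00 01
     * (inc dword ptr [0100579c]). The original wrote a single 0x90 over the
     * first byte, leaving "05 9c 57 00 01" behind, which decodes as
     * add eax, 0x0100579c and still executes. NOP the whole instruction. */
    static const BYTE patch[6] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
    LPVOID timerIncAddr = (LPVOID)0x01002ff5;
    unsigned long pid;
    HANDLE hProc;
    SIZE_T written = 0;

    (void)argc;
    (void)argv;

    /* A single lookup replaces the original IsActive() + GetPID() pair, which
     * could disagree if the process exited between the two snapshots. */
    pid = (unsigned long)GetPID("winmine.exe");
    if (pid == 0) {
        puts("MineSweeper not found!");
        getchar();
        return 0;
    }

    /* Least privilege: WriteProcessMemory needs only PROCESS_VM_OPERATION and
     * PROCESS_VM_WRITE. The original also requested PROCESS_CREATE_THREAD,
     * which was never used. OpenProcess returns NULL on failure (e.g. the
     * target runs as another user or at a higher integrity level). */
    hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, pid);
    if (hProc == NULL) {
        printf("OpenProcess failed (error %lu)\n", GetLastError());
        getchar();
        return 1;
    }

    /* Per the documentation the whole range must be writable or the call
     * fails, so a TRUE return with a short count is not expected; the
     * written check is kept as a cheap sanity guard. */
    if (WriteProcessMemory(hProc, timerIncAddr, patch, sizeof(patch), &written)
        && written == sizeof(patch)) {
        printf("Time Successfully frozen!\n");
    } else {
        /* Original message said "flags"; this patch targets the timer. */
        printf("Could not write timer patch (error %lu)\n", GetLastError());
    }

    /* The original never closed the process handle. */
    CloseHandle(hProc);
    getchar();
    return 0;
}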



Questions? Just post or email me.
