Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Wed May 27, 2015 1:37 am Post subject: VirtualAllocEx fails when passing address (.net)
VirtualAllocEx fails with an "Access denied" Win32Exception when I pass a 64-bit address. It works fine when passing a 32-bit address and also without passing an address at all.
Code: | Imports System.ComponentModel
Imports System.Runtime.InteropServices

' dwSize is a SIZE_T, so it is marshalled as UIntPtr (UInteger is only 32 bits wide on a 64-bit build).
<DllImport("kernel32.dll", SetLastError:=True)> _
Public Shared Function VirtualAllocEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UIntPtr, ByVal flAllocationType As MemoryAllocationFlags, ByVal flProtect As MemoryProtectionFlags) As IntPtr
End Function

' MemoryAllocationFlags, MemoryProtectionFlags and _MainProcess are the caller's own enums and process handle.
Public Function AllocateInTarget(ByVal Address As Long, ByVal size As ULong, ByVal allocationFlags As MemoryAllocationFlags, ByVal protectionFlags As MemoryProtectionFlags) As IntPtr
    Dim ptr As IntPtr = VirtualAllocEx(_MainProcess, New IntPtr(Address), New UIntPtr(size), allocationFlags, protectionFlags)
    If ptr = IntPtr.Zero Then
        ' SetLastError:=True makes the Win32 error code available here.
        Throw New Win32Exception(Marshal.GetLastWin32Error())
    End If
    Return ptr
End Function
|
Address = 64-bit address (Int64) = fails with access denied
Address = 32-bit address (Int32) = success
Address = 0 (New IntPtr()) = success
Compiled as 64-bit of course. Everything works fine, writing to and reading from the process; just VirtualAllocEx fails.
I cannot allocate memory in 64-bit memory. Without passing an address it returns allocated memory in the 32-bit range of the 64-bit process (meaning the allocated memory is in the range 0 - 0x7FFFFFFF, but I need allocated memory beyond 0x7FFFFFFF).
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25295 Location: The netherlands
Posted: Wed May 27, 2015 3:24 am
Is the target process also compiled as 64-bit? And it's not running in a compat mode resulting in all allocs staying below 0xffffffff (there actually is such a PE flag)?
Is lpAddress divisible by 0x10000 (65536)?
edit: I don't know VB, but why New IntPtr(Address) and not just Address? The address is not a call by reference.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
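Dark Byte's first two checks (is the target a 64-bit image, and does it carry the PE flag that otherwise confines a process to addresses below 0x80000000) plus the 0x10000 alignment check can all be read off the target executable's COFF header, and the two error codes that come up later in the thread (5 and 487) have fixed names. The following Python is an added example, not code from the thread or from Cheat Engine; the PE bytes it builds are a constructed header-only stub, not a real binary.

```python
import struct

# COFF header constants (from winnt.h)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
ALLOCATION_GRANULARITY = 0x10000  # MEM_RESERVE rounds lpAddress down to a multiple of this
# Win32 error codes mentioned in the thread
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 487: "ERROR_INVALID_ADDRESS"}


def pe_address_space_info(image: bytes) -> dict:
    """Parse the DOS and COFF headers of a PE image and report what they
    imply for the user-mode address range of a process built from it."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    laa = bool(chars & IMAGE_FILE_LARGE_ADDRESS_AWARE)
    return {
        "machine": machine,
        "is_64bit": machine == IMAGE_FILE_MACHINE_AMD64,
        "large_address_aware": laa,
        # Without the flag the loader confines the process to the low 2 GiB,
        # so no allocation can land at or above 0x80000000, even for x64 images.
        "limited_to_2gib": not laa,
    }


def is_allocation_aligned(address: int) -> bool:
    """True if lpAddress is a multiple of the 64 KiB allocation granularity."""
    return address % ALLOCATION_GRANULARITY == 0


def describe_alloc_error(code: int) -> str:
    return WIN32_ERRORS.get(code, f"unknown Win32 error {code}")


def build_minimal_pe(machine: int, characteristics: int) -> bytes:
    """Constructed sample: DOS header + PE signature + COFF header only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff
```

Run pe_address_space_info over the first 4 KiB of the real target executable to get the same answer for a real process.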
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Wed May 27, 2015 4:24 am
The target process is of course 64-bit. I've tried with multiple 64-bit games but it always failed.
Yes, the address is divisible by 0x10000. For example, when I pass 0x80000000 it fails.
Because the Win API declaration requires an IntPtr as the type, and the variable Address is of type Long. By using New IntPtr(Address) I declare a new variable of type IntPtr with that value.
https://msdn.microsoft.com/en-us/library/system.intptr%28v=vs.110%29.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
//edit: Interesting. The MSDN says: "If the value of the lpAddress parameter is NULL, specifying MEM_COMMIT without MEM_RESERVE causes the function to BOTH reserve and commit the memory", so I changed the allocation flag to MEM_RESERVE and now I get error code 487 instead of 5.
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Thu Jun 04, 2015 12:12 pm
That's VirtualAlloc, not VirtualAllocEx.
//edit: Is there ANY way to prevent the process overwriting injected code without setting the protection to no access (it should still be execute/read/write)?
I've experienced that when searching for free memory and writing my code to that area. Some games overwrite the code when they create new code on their own.
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Fri Jun 05, 2015 12:14 am
Hatschi wrote: | That's VirtualAlloc, not VirtualAllocEx.
//edit: Is there ANY way to prevent the process overwriting injected code without setting the protection to no access (it should still be execute/read/write)?
I've experienced that when searching for free memory and writing my code to that area. Some games overwrite the code when they create new code on their own. |
Determine how the game is obtaining the address to use and prevent it from happening. Assuming that they are using their own memory allocator, they won't see that the range of memory you created was allocated already, so they may just assume it's free and overwrite it. So you may need to hook onto their allocation method and block it from using your memory region.
_________________
- Retired.
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Fri Jun 05, 2015 2:58 am
But how does VirtualAllocEx work? Because regions created with VirtualAllocEx never get overwritten.
But when I search for empty space on my own and write my bytes into this area, there is a slight chance that it gets overwritten.
Isn't there a way to do exactly what VirtualAllocEx does, but manually?
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Fri Jun 05, 2015 2:22 pm
Hatschi wrote: | But how does VirtualAllocEx work? Because regions created with VirtualAllocEx never get overwritten.
But when I search for empty space on my own and write my bytes into this area, there is a slight chance that it gets overwritten.
Isn't there a way to do exactly what VirtualAllocEx does, but manually? |
The game itself is not going to use VirtualAllocEx to allocate memory inside of itself. It is going to use other means of memory creation. You are going to have to look into what it uses to determine why it is assuming your region is free and clear to use when it is not.
From how it sounds, it sounds like their memory allocator keeps track of what is created/deleted internally. Given that you are using an external API to allocate the memory, they assume it is free since their allocation has not seen that address itself so it just reuses it.
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Fri Jun 05, 2015 2:29 pm
I'm sorry, you misunderstood me. I wanted to know how the WinAPI VirtualAllocEx works and whether there is a way to do EXACTLY the same thing this API does, but manually.
Can I commit a memory region in another process without using VirtualAllocEx?
Stylo Grandmaster Cheater Supreme Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sat Jun 06, 2015 10:43 am
Yes, by calling ZwAllocateVirtualMemory (the troll answer).
Now, VirtualAlloc eventually requests that the kernel allocate memory for the current process, so you cannot manually allocate memory from user land.
And unfortunately, all memory allocations go through ZwAllocateVirtualMemory in user mode, of course.
_________________
Stylo
Hatschi Master Cheater Reputation: 2
Joined: 28 Jan 2010 Posts: 327
Posted: Sat Jun 06, 2015 11:26 am
I guessed so, but thanks for your answer.