Killboy Posted September 30, 2008 Posted September 30, 2008 I'm currently coding an Olly plugin and it's supposed to read and write code from/to a given range of memory. While reading 2 sections in the image with just one call to Readmemory works flawlessly, Writememory with the same memory range returns 0 (= Error). I looked at the plugin manual but it doesnt say anything about restrictions on just one memory block. I also explicitly set the memory's access to PAGE_EXECUTE_READWRITE although I think Olly does that by default (at least temporarily), but to no avail Oh, regular WriteProcessMemory works fine... I just wanted to stick to Olly's APIs as it handles its BPs peroperly etc... Maybe someone has dealt with that behaviour before and knows some sort of workaround. Thanks in advance
What Posted October 1, 2008 Posted October 1, 2008 (edited) Put a breakpoint on WriteProcessMemory and see what Writememory is sending to it, see if it matches, or the only thing else I can thing of is protected memory, Writememory handled an alignment wrong during some part, and the write is going to some memory that wasn't given write priv. Edited October 1, 2008 by What
Unbekannt1 Posted October 1, 2008 Posted October 1, 2008 (edited) Try to use VirtualProtectEx...it may work.This is just an example in C#...and not 100% correct.[DllImport("kernel32.dll")] public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,byte[] lpBuffer, UIntPtr nSize, out IntPtr lpNumberOfBytesWritten);[DllImport("kernel32.dll")] public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); const uint PAGE_NOACCESS = 1; const uint PAGE_READONLY = 2; const uint PAGE_READWRITE = 4; const uint PAGE_WRITECOPY = 8; const uint PAGE_EXECUTE = 16; const uint PAGE_EXECUTE_READ = 32; const uint PAGE_EXECUTE_READWRITE = 64; const uint PAGE_EXECUTE_WRITECOPY = 128; const uint PAGE_GUARD = 256; const uint PAGE_NOCACHE = 512; const uint PROCESS_ALL_ACCESS = 0x1F0FFF;public void WriteMem(IntPtr pOffset,byte[] pBytes,UIntPtr pSize) { uint lpflOldProtect; IntPtr lpNumberOfBytesWritten; VirtualProtectEx(processHandle, pOffset, pSize, PAGE_READWRITE, out lpflOldProtect); //Sets new Protection WriteProcessMemory(processHandle, pOffset, pBytes, pSize, out lpNumberOfBytesWritten); //Writes Memory VirtualProtectEx(processHandle, pOffset, pSize, lpflOldProtect, out lpflOldProtect); //Restores Original Protection }Sorry if I'm completely useless here... Edited October 1, 2008 by Patrickssj6
ChupaChu Posted October 1, 2008 Posted October 1, 2008 I had similar problem - when running clean olly without any plugins ReadMemory and WriteMemory (oll's APIs) worked correctly, but with standard minimum package of plugins (debug hider, dumper, script support) i was not been able to write anything at all using olly's api.Instead i had to use WriteProcessMemory - delphi sample:function WriteMemoryEx(pPtr,pBuf:pointer;dwSize:dword):boolean;vardwTemp:dword;dwProcess:dword;begindwProcess:=Plugingetvalue(VAL_HPROCESS); //VAL_HPROCESS = debugee's hndlresult:=WriteProcessMemory(dwProcess,pPtr,pBuf,dwSize,dwTemp);end;I tried tracing the problem once or twice, and if i remember correctly handle of debugee passed on by olly was wrong so every write attempt failed, Reading with same handle worked.. seemd to wierd to me at that time, so i left it alone as i did not need to go to bottom of this.BR; ChupaChu!
Killboy Posted October 1, 2008 Author Posted October 1, 2008 Hm I already tried doing VirtualProtectEx on the mem range but it didnt make any difference. Whats weird is that it works if the memory doesnt go across multiple blocks of memory. If Olly got the handle wrong, it shouldn't work at all, right ? I'll just use a wrapper like ChupaChu then... Thanks for the help
Killboy Posted October 3, 2008 Author Posted October 3, 2008 (edited) The problem is that Olly tries to restore the old protections. If 2 regions don't have the same protection it returns an error.I was talking to ap0x and he suggested to deprotect all the regions within the range and then write to the memory at once.Here's what I've come up with:bool WriteMem(void * Address, void * Buffer, size_t Size){HANDLE hProcess;MEMORY_BASIC_INFORMATION MemInfo;BYTE * CurAddr;std::vector<MEMORY_BASIC_INFORMATION> MemBlocks;DWORD Bytes, OldProt;bool Failed = false; hProcess = (HANDLE)Plugingetvalue(VAL_HPROCESS); CurAddr = (BYTE *)Address; while(CurAddr < (BYTE *)Address+Size){ VirtualQueryEx(hProcess, CurAddr, &MemInfo, sizeof(MemInfo)); if(!VirtualProtectEx(hProcess, MemInfo.BaseAddress, MemInfo.RegionSize, PAGE_READWRITE, &MemInfo.Protect)){ Failed = true; break; } MemBlocks.push_back(MemInfo); CurAddr = (BYTE *)MemInfo.BaseAddress + MemInfo.RegionSize; } if(!Failed){ if(!WriteProcessMemory(hProcess, Address, Buffer, Size, &Bytes)){ Failed = true; } } for(int i = 0; i < MemBlocks.size(); i++){ VirtualProtectEx(hProcess, MemBlocks[i].BaseAddress, MemBlocks[i].RegionSize, MemBlocks[i].Protect, &OldProt); } return !Failed;}A vector is a C++ STL container, basically it's a resizable array. It's needed for storing the memory info so I can restore the old protections later.If you compile this, be sure to add#include <vector>to your code. Edited October 3, 2008 by Killboy
aker Posted December 3, 2008 Posted December 3, 2008 (edited) I'm currently coding an Olly plugin and it's supposed to read and write code from/to a given range of memory.While reading 2 sections in the image with just one call to Readmemory works flawlessly, Writememory with the same memory range returns 0 (= Error). I looked at the plugin manual but it doesnt say anything about restrictions on just one memory block. I also explicitly set the memory's access to PAGE_EXECUTE_READWRITE although I think Olly does that by default (at least temporarily), but to no avail Oh, regular WriteProcessMemory works fine... I just wanted to stick to Olly's APIs as it handles its BPs peroperly etc... Maybe someone has dealt with that behaviour before and knows some sort of workaround. Thanks in advance i have a question, is there vc linkable ollydbg.lib files available:) when i link plugins with vc, it always prompts me: Bookmark.obj : error LNK2001: unresolved external symbol _Pluginreadintfromini Bookmark.obj : error LNK2001: unresolved external symbol _Plugingetvalue Bookmark.obj : error LNK2001: unresolved external symbol _Addtolist Bookmark.obj : error LNK2001: unresolved external symbol _Destroysorteddata Bookmark.obj : error LNK2001: unresolved external symbol _Registerpluginclass Bookmark.obj : error LNK2001: unresolved external symbol _Createsorteddata Bookmark.obj : error LNK2001: unresolved external symbol _Painttable Bookmark.obj : error LNK2001: unresolved external symbol _Deletesorteddata Bookmark.obj : error LNK2001: unresolved external symbol _Setcpu Bookmark.obj : error LNK2001: unresolved external symbol _Getsortedbyselection Bookmark.obj : error LNK2001: unresolved external symbol _Tablefunction Bookmark.obj : error LNK2001: unresolved external symbol _Pluginsaverecord Bookmark.obj : error LNK2001: unresolved external symbol _Addsorteddata Bookmark.obj : error LNK2001: unresolved external symbol _Findsorteddata Bookmark.obj : error LNK2001: unresolved external symbol _Findname Bookmark.obj : error LNK2001: unresolved external symbol _Disasm Bookmark.obj : error LNK2001: unresolved external symbol _Finddecode Bookmark.obj : error LNK2001: unresolved external symbol _Readmemory Bookmark.obj : error LNK2001: unresolved external symbol _Findmemory Bookmark.obj : error LNK2001: unresolved external symbol _Quicktablewindow Bookmark.obj : error LNK2001: unresolved external symbol _Flash Bookmark.obj : error LNK2001: unresolved external symbol _Deletesorteddatarange Bookmark.obj : error LNK2001: unresolved external symbol _Pluginwriteinttoini Bookmark.obj : error LNK2001: unresolved external symbol _Unregisterpluginclass Edited December 3, 2008 by aker
movzxEax Posted December 3, 2008 Posted December 3, 2008 (edited) i have a question, is there vc linkable ollydbg.lib files available:)I see that u're trying to compile Bookmark plugin (and I'm suppose you'v" got it from oleh website)Notice that the plugin sdk that comes with the package holds 2 different version of library: one for VC and the other's for BCB (you may choose)Notice also that the header included can't run under gcc w/o fix Edited December 3, 2008 by movzxEax
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now