Ollydbg - writing code to multiple mem blocks

[Killboy]

I'm currently coding an Olly plugin and it's supposed to read and write code from/to a given range of memory.

While reading 2 sections in the image with just one call to Readmemory works flawlessly, Writememory with the same memory range returns 0 (= Error).

I looked at the plugin manual but it doesnt say anything about restrictions on just one memory block.

I also explicitly set the memory's access to PAGE_EXECUTE_READWRITE although I think Olly does that by default (at least temporarily), but to no avail

Oh, regular WriteProcessMemory works fine...

I just wanted to stick to Olly's APIs as it handles its BPs peroperly etc...

Maybe someone has dealt with that behaviour before and knows some sort of workaround.

Thanks in advance

[What]

Put a breakpoint on WriteProcessMemory and see what Writememory is sending to it, see if it matches, or the only thing else I can thing of is protected memory, Writememory handled an alignment wrong during some part, and the write is going to some memory that wasn't given write priv.

Edited October 1, 2008 by What

[Patrickssj6]

Try to use VirtualProtectEx...it may work.

This is just an example in C#...and not 100% correct.

[DllImport("kernel32.dll")]
		public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,byte[] lpBuffer, UIntPtr nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
		public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);	 const uint PAGE_NOACCESS = 1;
	 const uint PAGE_READONLY = 2;
	 const uint PAGE_READWRITE = 4;
	 const uint PAGE_WRITECOPY = 8;
	 const uint PAGE_EXECUTE = 16;
	 const uint PAGE_EXECUTE_READ = 32;
	 const uint PAGE_EXECUTE_READWRITE = 64;
	 const uint PAGE_EXECUTE_WRITECOPY = 128;
	 const uint PAGE_GUARD = 256;
	 const uint PAGE_NOCACHE = 512;
	 const uint PROCESS_ALL_ACCESS = 0x1F0FFF;public void WriteMem(IntPtr pOffset,byte[] pBytes,UIntPtr pSize)
		{
			uint lpflOldProtect;
			IntPtr lpNumberOfBytesWritten;			VirtualProtectEx(processHandle, pOffset, pSize, PAGE_READWRITE, out lpflOldProtect); //Sets new Protection
			WriteProcessMemory(processHandle, pOffset, pBytes, pSize, out lpNumberOfBytesWritten); //Writes Memory
			VirtualProtectEx(processHandle, pOffset, pSize, lpflOldProtect, out lpflOldProtect); //Restores Original Protection
		}

Sorry if I'm completely useless here...

Edited October 1, 2008 by Patrickssj6

[ChupaChu]

I had similar problem - when running clean olly without any plugins ReadMemory and WriteMemory (oll's APIs) worked correctly, but with standard minimum package of plugins (debug hider, dumper, script support) i was not been able to write anything at all using olly's api.

Instead i had to use WriteProcessMemory - delphi sample:

function WriteMemoryEx(pPtr,pBuf:pointer;dwSize:dword):boolean;
var
dwTemp:dword;
dwProcess:dword;
begin
dwProcess:=Plugingetvalue(VAL_HPROCESS); //VAL_HPROCESS = debugee's hndl
result:=WriteProcessMemory(dwProcess,pPtr,pBuf,dwSize,dwTemp);
end;

I tried tracing the problem once or twice, and if i remember correctly handle of debugee passed on by olly was wrong so every write attempt failed, Reading with same handle worked.. seemd to wierd to me at that time, so i left it alone as i did not need to go to bottom of this.

BR; ChupaChu!

[Killboy]

Hm I already tried doing VirtualProtectEx on the mem range but it didnt make any difference.

Whats weird is that it works if the memory doesnt go across multiple blocks of memory.

If Olly got the handle wrong, it shouldn't work at all, right ?

I'll just use a wrapper like ChupaChu then...

Thanks for the help

[Killboy]

The problem is that Olly tries to restore the old protections. If 2 regions don't have the same protection it returns an error.

I was talking to ap0x and he suggested to deprotect all the regions within the range and then write to the memory at once.

Here's what I've come up with:

bool WriteMem(void * Address, void * Buffer, size_t Size){
HANDLE hProcess;
MEMORY_BASIC_INFORMATION MemInfo;
BYTE * CurAddr;
std::vector<MEMORY_BASIC_INFORMATION> MemBlocks;
DWORD Bytes, OldProt;
bool Failed = false;	hProcess = (HANDLE)Plugingetvalue(VAL_HPROCESS);	CurAddr = (BYTE *)Address;
	while(CurAddr < (BYTE *)Address+Size){
		VirtualQueryEx(hProcess, CurAddr, &MemInfo, sizeof(MemInfo));
		if(!VirtualProtectEx(hProcess, MemInfo.BaseAddress, MemInfo.RegionSize, PAGE_READWRITE, &MemInfo.Protect)){
			Failed = true;
			break;
		}
		MemBlocks.push_back(MemInfo);
		CurAddr = (BYTE *)MemInfo.BaseAddress + MemInfo.RegionSize;
	}	if(!Failed){
		if(!WriteProcessMemory(hProcess, Address, Buffer, Size, &Bytes)){
			Failed = true;
		}
	}	for(int i = 0; i < MemBlocks.size(); i++){
		VirtualProtectEx(hProcess, MemBlocks[i].BaseAddress, MemBlocks[i].RegionSize, MemBlocks[i].Protect, &OldProt);
	}	return !Failed;
}

A vector is a C++ STL container, basically it's a resizable array. It's needed for storing the memory info so I can restore the old protections later.

If you compile this, be sure to add

#include <vector>

to your code.

Edited October 3, 2008 by Killboy

[aker]

I'm currently coding an Olly plugin and it's supposed to read and write code from/to a given range of memory.

While reading 2 sections in the image with just one call to Readmemory works flawlessly, Writememory with the same memory range returns 0 (= Error).

I looked at the plugin manual but it doesnt say anything about restrictions on just one memory block.

I also explicitly set the memory's access to PAGE_EXECUTE_READWRITE although I think Olly does that by default (at least temporarily), but to no avail

Oh, regular WriteProcessMemory works fine...

I just wanted to stick to Olly's APIs as it handles its BPs peroperly etc...

Maybe someone has dealt with that behaviour before and knows some sort of workaround.

Thanks in advance

i have a question, is there vc linkable ollydbg.lib files available:)

when i link plugins with vc, it always prompts me:

Bookmark.obj : error LNK2001: unresolved external symbol _Pluginreadintfromini

Bookmark.obj : error LNK2001: unresolved external symbol _Plugingetvalue

Bookmark.obj : error LNK2001: unresolved external symbol _Addtolist

Bookmark.obj : error LNK2001: unresolved external symbol _Destroysorteddata

Bookmark.obj : error LNK2001: unresolved external symbol _Registerpluginclass

Bookmark.obj : error LNK2001: unresolved external symbol _Createsorteddata

Bookmark.obj : error LNK2001: unresolved external symbol _Painttable

Bookmark.obj : error LNK2001: unresolved external symbol _Deletesorteddata

Bookmark.obj : error LNK2001: unresolved external symbol _Setcpu

Bookmark.obj : error LNK2001: unresolved external symbol _Getsortedbyselection

Bookmark.obj : error LNK2001: unresolved external symbol _Tablefunction

Bookmark.obj : error LNK2001: unresolved external symbol _Pluginsaverecord

Bookmark.obj : error LNK2001: unresolved external symbol _Addsorteddata

Bookmark.obj : error LNK2001: unresolved external symbol _Findsorteddata

Bookmark.obj : error LNK2001: unresolved external symbol _Findname

Bookmark.obj : error LNK2001: unresolved external symbol _Disasm

Bookmark.obj : error LNK2001: unresolved external symbol _Finddecode

Bookmark.obj : error LNK2001: unresolved external symbol _Readmemory

Bookmark.obj : error LNK2001: unresolved external symbol _Findmemory

Bookmark.obj : error LNK2001: unresolved external symbol _Quicktablewindow

Bookmark.obj : error LNK2001: unresolved external symbol _Flash

Bookmark.obj : error LNK2001: unresolved external symbol _Deletesorteddatarange

Bookmark.obj : error LNK2001: unresolved external symbol _Pluginwriteinttoini

Bookmark.obj : error LNK2001: unresolved external symbol _Unregisterpluginclass

Edited December 3, 2008 by aker

[movzxEax]

i have a question, is there vc linkable ollydbg.lib files available:)

I see that u're trying to compile Bookmark plugin (and I'm suppose you'v" got it from oleh website)

Notice that the plugin sdk that comes with the package holds 2 different version of library: one for VC and the other's for BCB (you may choose)

Notice also that the header included can't run under gcc w/o fix

Edited December 3, 2008 by movzxEax