Jump to content
Tuts 4 You

Memory Allocation Problem


StoneHeart

Recommended Posts

Posted

I'm trying to allocate memory on lsass.exe process but it always fail.


Other tools i try like sam password dump works.


 


What could be the problem?


 


Example code i use to allocate memory on that process.



// Enable the debug privilege
if( SetDebugPrivilege() != 0 ) // Get the LSASS pid
dwPid = GetLsassPid(); // Open lsass
hLsassProc = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPid );. // Allocate memory in remote proc
pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT, PAGE_READWRITE );

Result:


 


pRemoteAlloc = NULL


 


GetLastError = 5


 


....


 


I'm using win 7 x86 sp1 and vsc++ 2010


Posted

I assume you checked your return values when setting the debug priviledge.

And also that you had valid pid and process returned when executing GetLsassPid and OpenProcess.

 

You might try this (note changes in BOLD):

 

// Open lsass
hLsassProc = OpenProcess PROCESS_VM_OPERATION, FALSE, dwPid );.// Allocate memory in remote proc

pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );

 

If the above doesn't work, then you might try investigating SetDebugPrivilege()

as you are getting :

 

ERROR_ACCESS_DENIED

Access is denied.
5 (0x5)

Good Luck
Posted

you also need admin privileges for this. Simply double-clikcing the .exe or running it in the debugger doesnt suffice.


 


try right click -> run as admin


Posted

 

I assume you checked your return values when setting the debug priviledge.

And also that you had valid pid and process returned when executing GetLsassPid and OpenProcess.

 

You might try this (note changes in BOLD):

 

// Open lsass

hLsassProc = OpenProcess PROCESS_VM_OPERATION, FALSE, dwPid );.

// Allocate memory in remote proc

pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );

 

If the above doesn't work, then you might try investigating SetDebugPrivilege()

as you are getting :

 

ERROR_ACCESS_DENIED

Access is denied.

5 (0x5)

Good Luck

 

 

I have tried the bold one before but still no avail =\

 

If i try it on none system process it works.

 

SetDebugPrivilege don't have problem as getlasterror always returns 0.

 

So what could be the problem?

 

Do you have any example which successfully allocate memory on system process?

Posted

 

 

Do you have any example which successfully allocate memory on system process?

Actually, I have not ever tried. But it wouldn't surprise me that there could be something hard coded in the OS

to possibly prevent this. You might try, if you can, debugging your code into the OS API's itself to see.

 

Here is my SetDebugPriviledge(). Keep in mind that you may need to do this remotely for the process

that you are trying to OpenProcess.

/*

The following function activates the SeDebugPrivilege for the current process.

First, it accesses current process token by calling OpenProcessToken

with the appropriate rights. Then, it looks up the LUID value associated

with the SE_DEBUG_NAME string defined in winnt.h by calling LookupPrivilegeValue.

Finally it activates this privilege through a call to AdjustTokenPrivileges,

passing it a properly filled TOKEN_PRIVILEGES structure.

*/

int LoadSeDebugPrivilege(void)

{

HANDLE hToken=0;

LUID Val;

TOKEN_PRIVILEGES tp;

if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES

| TOKEN_QUERY, &hToken))

return(GetLastError());

if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val))

return(GetLastError());

tp.PrivilegeCount = 1;

tp.Privileges[0].Luid = Val;

tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if (!AdjustTokenPrivileges(hToken, FALSE, &tp,

sizeof (tp), NULL, NULL))

return(GetLastError());

CloseHandle(hToken);

return 1;

}

BR,

 

CZ

Posted (edited)

can allocate stuff in winlogon.exe here...

GetProcessID function by unknown...

LoadSeDebugPrivilege from CondZero above

system_alloc.rar

Edited by Mr. eXoDia
Posted

Actually, I have not ever tried. But it wouldn't surprise me that there could be something hard coded in the OS

to possibly prevent this. You might try, if you can, debugging your code into the OS API's itself to see.

 

Here is my SetDebugPriviledge(). Keep in mind that you may need to do this remotely for the process

that you are trying to OpenProcess.

/*The following function activates the SeDebugPrivilege for the current process. First, it accesses current process token by calling OpenProcessToken with the appropriate rights. Then, it looks up the LUID value associated with the SE_DEBUG_NAME string defined in winnt.h by calling LookupPrivilegeValue. Finally it activates this privilege through a call to AdjustTokenPrivileges, passing it a properly filled TOKEN_PRIVILEGES structure.*/int LoadSeDebugPrivilege(void){    HANDLE hToken=0;    LUID Val;    TOKEN_PRIVILEGES tp;    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES		| TOKEN_QUERY, &hToken))        return(GetLastError());    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val))        return(GetLastError());    tp.PrivilegeCount = 1;    tp.Privileges[0].Luid = Val;    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;    if (!AdjustTokenPrivileges(hToken, FALSE, &tp,		sizeof (tp), NULL, NULL))        return(GetLastError());    CloseHandle(hToken);    return 1;}

BR,

 

CZ

 

I think the problem isnt coming form the privilege thingy.

GLE always return 0 even with your sample.

 

can allocate stuff in winlogon.exe here...

GetProcessID function by unknown...

LoadSeDebugPrivilege from CondZero above

 

Ive tested your sample and i didnt work on my win 7 but it does work on win xp (same with my source).

 

...

 

Anyway thanks for the reply :)

Posted

hi,

do you have admin rights? i used win7 (x64) too

Posted

hi,

do you have admin rights? i used win7 (x64) too

 

Tried in many times and also disable uac but still the same.

Maybe my win 7 x86 sp1 got bug or something lol

Posted

strange indeed, I can allocated memory at lsass.exe without problems (using the above code)

Posted

Tried in many times and also disable uac but still the same.

Maybe my win 7 x86 sp1 got bug or something lol

But you didn't answer the question - do you have admin rights? Did you actually elevate to admin first?
  • Like 1
Posted

But you didn't answer the question - do you have admin rights? Did you actually elevate to admin first?

 

Yes!

 

...

 

Nevermind, i've already slove this issues :)

Posted

Nevermind, i've already slove this issues :)

Great, but posts like this are unhelpful. Please describe the solution so that others might learn.

  • Like 2

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...