Memory Allocation Problem

[StoneHeart]

I'm trying to allocate memory on lsass.exe process but it always fail.

Other tools i try like sam password dump works.

 

What could be the problem?

 

Example code i use to allocate memory on that process.

// Enable the debug privilege

if( SetDebugPrivilege() != 0 )
// Get the LSASS pid

dwPid = GetLsassPid();
// Open lsass

hLsassProc = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPid );.
// Allocate memory in remote proc

pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT, PAGE_READWRITE );

Result:

 

pRemoteAlloc = NULL

 

GetLastError = 5

 

....

 

I'm using win 7 x86 sp1 and vsc++ 2010

[CondZero]

I assume you checked your return values when setting the debug priviledge.

And also that you had valid pid and process returned when executing GetLsassPid and OpenProcess.

 

You might try this (note changes in BOLD):

 

// Open lsass
hLsassProc = OpenProcess(  PROCESS_VM_OPERATION, FALSE, dwPid );.// Allocate memory in remote proc

pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );

 

If the above doesn't work, then you might try investigating SetDebugPrivilege()

as you are getting :

 

ERROR_ACCESS_DENIED

Access is denied.
5 (0x5)

Good Luck

[deepzero]

you also need admin privileges for this. Simply double-clikcing the .exe or running it in the debugger doesnt suffice.

 

try right click -> run as admin

[StoneHeart]

 

I assume you checked your return values when setting the debug priviledge.

And also that you had valid pid and process returned when executing GetLsassPid and OpenProcess.

 

You might try this (note changes in BOLD):

 

// Open lsass

hLsassProc = OpenProcess(  PROCESS_VM_OPERATION, FALSE, dwPid );.

// Allocate memory in remote proc

pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );

 

If the above doesn't work, then you might try investigating SetDebugPrivilege()

as you are getting :

 

ERROR_ACCESS_DENIED

Access is denied.

5 (0x5)

Good Luck

 

 

I have tried the bold one before but still no avail =\

 

If i try it on none system process it works.

 

SetDebugPrivilege don't have problem as getlasterror always returns 0.

 

So what could be the problem?

 

Do you have any example which successfully allocate memory on system process?

[CondZero]

 

 

Do you have any example which successfully allocate memory on system process?

Actually, I have not ever tried. But it wouldn't surprise me that there could be something hard coded in the OS

to possibly prevent this. You might try, if you can, debugging your code into the OS API's itself to see.

 

Here is my SetDebugPriviledge(). Keep in mind that you may need to do this remotely for the process

that you are trying to OpenProcess.

/*

The following function activates the SeDebugPrivilege for the current process.

First, it accesses current process token by calling OpenProcessToken

with the appropriate rights. Then, it looks up the LUID value associated

with the SE_DEBUG_NAME string defined in winnt.h by calling LookupPrivilegeValue.

Finally it activates this privilege through a call to AdjustTokenPrivileges,

passing it a properly filled TOKEN_PRIVILEGES structure.

*/

int LoadSeDebugPrivilege(void)

{

HANDLE hToken=0;

LUID Val;

TOKEN_PRIVILEGES tp;

if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES

| TOKEN_QUERY, &hToken))

return(GetLastError());

if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val))

return(GetLastError());

tp.PrivilegeCount = 1;

tp.Privileges[0].Luid = Val;

tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if (!AdjustTokenPrivileges(hToken, FALSE, &tp,

sizeof (tp), NULL, NULL))

return(GetLastError());

CloseHandle(hToken);

return 1;

}

BR,

 

CZ

[mrexodia]

can allocate stuff in winlogon.exe here...

GetProcessID function by unknown...

LoadSeDebugPrivilege from CondZero above

system_alloc.rar

Edited September 8, 2013 by Mr. eXoDia

[StoneHeart]

Actually, I have not ever tried. But it wouldn't surprise me that there could be something hard coded in the OS

to possibly prevent this. You might try, if you can, debugging your code into the OS API's itself to see.

 

Here is my SetDebugPriviledge(). Keep in mind that you may need to do this remotely for the process

that you are trying to OpenProcess.

/*The following function activates the SeDebugPrivilege for the current process. First, it accesses current process token by calling OpenProcessToken with the appropriate rights. Then, it looks up the LUID value associated with the SE_DEBUG_NAME string defined in winnt.h by calling LookupPrivilegeValue. Finally it activates this privilege through a call to AdjustTokenPrivileges, passing it a properly filled TOKEN_PRIVILEGES structure.*/int LoadSeDebugPrivilege(void){    HANDLE hToken=0;    LUID Val;    TOKEN_PRIVILEGES tp;    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES		| TOKEN_QUERY, &hToken))        return(GetLastError());    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val))        return(GetLastError());    tp.PrivilegeCount = 1;    tp.Privileges[0].Luid = Val;    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;    if (!AdjustTokenPrivileges(hToken, FALSE, &tp,		sizeof (tp), NULL, NULL))        return(GetLastError());    CloseHandle(hToken);    return 1;}

BR,

 

CZ

 

I think the problem isnt coming form the privilege thingy.

GLE always return 0 even with your sample.

 

can allocate stuff in winlogon.exe here...

GetProcessID function by unknown...

LoadSeDebugPrivilege from CondZero above

 

Ive tested your sample and i didnt work on my win 7 but it does work on win xp (same with my source).

 

...

 

Anyway thanks for the reply

[mrexodia]

hi,

do you have admin rights? i used win7 (x64) too

[StoneHeart]

hi,

do you have admin rights? i used win7 (x64) too

 

Tried in many times and also disable uac but still the same.

Maybe my win 7 x86 sp1 got bug or something lol

[mrexodia]

strange indeed, I can allocated memory at lsass.exe without problems (using the above code)

[Peter Ferrie]

Tried in many times and also disable uac but still the same.

Maybe my win 7 x86 sp1 got bug or something lol

But you didn't answer the question - do you have admin rights? Did you actually elevate to admin first?

[StoneHeart]

But you didn't answer the question - do you have admin rights? Did you actually elevate to admin first?

 

Yes!

 

...

 

Nevermind, i've already slove this issues

[Peter Ferrie]

Nevermind, i've already slove this issues

Great, but posts like this are unhelpful. Please describe the solution so that others might learn.