Jump to content
Tuts 4 You

Memory Allocation Problem

StoneHeart

By StoneHeart
in Programming and Coding

Recommended Posts

StoneHeart

StoneHeart

Posted
Posted

I'm trying to allocate memory on lsass.exe process but it always fail.


Other tools i try like sam password dump works.


 


What could be the problem?


 


Example code i use to allocate memory on that process.




// Enable the debug privilege

if( SetDebugPrivilege() != 0 )
// Get the LSASS pid

dwPid = GetLsassPid();
// Open lsass

hLsassProc = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPid );.
// Allocate memory in remote proc

pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT, PAGE_READWRITE );

Result:


 


pRemoteAlloc = NULL


 


GetLastError = 5


 


....


 


I'm using win 7 x86 sp1 and vsc++ 2010


Link to comment
CondZero

CondZero

Posted
Posted

I assume you checked your return values when setting the debug priviledge.

And also that you had valid pid and process returned when executing GetLsassPid and OpenProcess.

 

You might try this (note changes in BOLD):

 

// Open lsass
hLsassProc = OpenProcess PROCESS_VM_OPERATION, FALSE, dwPid );.// Allocate memory in remote proc

pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );

 

If the above doesn't work, then you might try investigating SetDebugPrivilege()

as you are getting :

 

ERROR_ACCESS_DENIED

Access is denied.
5 (0x5)

Good Luck
Link to comment
deepzero

deepzero

Posted
Posted

you also need admin privileges for this. Simply double-clikcing the .exe or running it in the debugger doesnt suffice.


 


try right click -> run as admin


Link to comment
StoneHeart

StoneHeart

Posted
  • Author
Posted

 

I assume you checked your return values when setting the debug priviledge.

And also that you had valid pid and process returned when executing GetLsassPid and OpenProcess.

 

You might try this (note changes in BOLD):

 

// Open lsass

hLsassProc = OpenProcess PROCESS_VM_OPERATION, FALSE, dwPid );.

// Allocate memory in remote proc

pRemoteAlloc = VirtualAllocEx( hLsassProc, NULL, 1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );

 

If the above doesn't work, then you might try investigating SetDebugPrivilege()

as you are getting :

 

ERROR_ACCESS_DENIED

Access is denied.

5 (0x5)

Good Luck

 

 

I have tried the bold one before but still no avail =\

 

If i try it on none system process it works.

 

SetDebugPrivilege don't have problem as getlasterror always returns 0.

 

So what could be the problem?

 

Do you have any example which successfully allocate memory on system process?

Link to comment
CondZero

CondZero

Posted
Posted

 

 

Do you have any example which successfully allocate memory on system process?

Actually, I have not ever tried. But it wouldn't surprise me that there could be something hard coded in the OS

to possibly prevent this. You might try, if you can, debugging your code into the OS API's itself to see.

 

Here is my SetDebugPriviledge(). Keep in mind that you may need to do this remotely for the process

that you are trying to OpenProcess.


/*

The following function activates the SeDebugPrivilege for the current process. 

First, it accesses current process token by calling OpenProcessToken 

with the appropriate rights. Then, it looks up the LUID value associated 

with the SE_DEBUG_NAME string defined in winnt.h by calling LookupPrivilegeValue. 

Finally it activates this privilege through a call to AdjustTokenPrivileges, 

passing it a properly filled TOKEN_PRIVILEGES structure.

*/

int LoadSeDebugPrivilege(void)

{

    HANDLE hToken=0;

    LUID Val;

    TOKEN_PRIVILEGES tp;



    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES

		| TOKEN_QUERY, &hToken))

        return(GetLastError());



    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val))

        return(GetLastError());



    tp.PrivilegeCount = 1;

    tp.Privileges[0].Luid = Val;

    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;



    if (!AdjustTokenPrivileges(hToken, FALSE, &tp,

		sizeof (tp), NULL, NULL))

        return(GetLastError());



    CloseHandle(hToken);



    return 1;

}




BR,


 


CZ





			
		


		

		
	


	

	





	
Link to comment

	
		
	
	
	

	




	



					
					
					
				

					

					
					





					
					
					
				

					

					
					






	

	

	

		

			

				

	
		StoneHeart
	

				
				
			

		

		

			

				


StoneHeart
			

			

				Posted 
				
			

		

	

	
	

		




	

		

			

				
    
					
						
  • Author
    • 
					
					
					
					
					
				

			

			
		


		

			Posted 
			
			
				
				
			
		

	


	

    

	

		
		

			


Actually, I have not ever tried. But it wouldn't surprise me that there could be something hard coded in the OS


to possibly prevent this. You might try, if you can, debugging your code into the OS API's itself to see.


 


Here is my SetDebugPriviledge(). Keep in mind that you may need to do this remotely for the process


that you are trying to OpenProcess.


/*The following function activates the SeDebugPrivilege for the current process. First, it accesses current process token by calling OpenProcessToken with the appropriate rights. Then, it looks up the LUID value associated with the SE_DEBUG_NAME string defined in winnt.h by calling LookupPrivilegeValue. Finally it activates this privilege through a call to AdjustTokenPrivileges, passing it a properly filled TOKEN_PRIVILEGES structure.*/int LoadSeDebugPrivilege(void){    HANDLE hToken=0;    LUID Val;    TOKEN_PRIVILEGES tp;    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES		| TOKEN_QUERY, &hToken))        return(GetLastError());    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val))        return(GetLastError());    tp.PrivilegeCount = 1;    tp.Privileges[0].Luid = Val;    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;    if (!AdjustTokenPrivileges(hToken, FALSE, &tp,		sizeof (tp), NULL, NULL))        return(GetLastError());    CloseHandle(hToken);    return 1;}


BR,


 


CZ




 


I think the problem isnt coming form the privilege thingy.


GLE always return 0 even with your sample.


 




can allocate stuff in winlogon.exe here...


GetProcessID function by unknown...


LoadSeDebugPrivilege from CondZero above




 


Ive tested your sample and i didnt work on my win 7 but it does work on win xp (same with my source).


 


...


 


Anyway thanks for the reply :)



			
		


		

		
	


	

	





	
Link to comment

	
		
	
	
	

	




	



					
					
					
				

					

					
					





					
					
					
				

					

					
					






	

	

	

		

			

				

	
		StoneHeart
	

				
				
			

		

		

			

				


StoneHeart
			

			

				Posted 
				
			

		

	

	
	

		




	

		

			

				
    
					
						
  • Author
    • 
					
					
					
					
					
				

			

			
		


		

			Posted 
			
			
				
				
			
		

	


	

    

	

		
		

			
hi,
do you have admin rights? i used win7 (x64) too
 
Tried in many times and also disable uac but still the same.
Maybe my win 7 x86 sp1 got bug or something lol



			
		


		

		
	


	

	





	
Link to comment

	
		
	
	
	

	




	



					
					
					
				

					

					
					





					
					
					
				

					

					
					






	

	

	

		

			

				

	
		Peter Ferrie
	

				
				
			

		

		

			

				


Peter Ferrie
			

			

				Posted 
				
			

		

	

	
	

		




	

		

			

				
    
					
					
					
					
					
				

			

			
		


		

			Posted 
			
			
				
				
			
		

	


	

    

	

		
		

			
Tried in many times and also disable uac but still the same.
Maybe my win 7 x86 sp1 got bug or something lol
But you didn't answer the question - do you have admin rights?  Did you actually elevate to admin first?


			
		


		
			

				
					
						

	
	
		

			
				
				

					
						

	
	
    
		
		
			
				
				
  • 
					
						
					
							
								Like
							
							
								1
							
					
						
					
				
    • 
			
		
	


					
				

			
			
			
		

	


					
				
				
    
					
						
						
						
						
												
					
					
  • 
						
					
    • 
				

			

		

		
	


	

	





	
Link to comment

	
		
	
	
	

	




	



					
					
					
				

					

					
					






	

	

	

		

			

				

	
		StoneHeart
	

				
				
			

		

		

			

				


StoneHeart
			

			

				Posted 
				
			

		

	

	
	

		




	

		

			

				
    
					
						
  • Author
    • 
					
					
					
					
					
				

			

			
		


		

			Posted 
			
			
				
				
			
		

	


	

    

	

		
		

			












But you didn't answer the question - do you have admin rights? Did you actually elevate to admin first?


















 






Yes!






 






...






 






Nevermind, i've already slove this issues :)



			
		


		

		
	


	

	





	
Link to comment

	
		
	
	
	

	




	



					
					
					
				

					

					
					





					
					
					
				
			
			



		

	


	
	
	
	
	
		
	

			
				
				



	
	
		

			
				
Create an account or sign in to comment

				
You need to be a member in order to leave a comment

			
	
			

				

					

						
Create an account

						
Sign up for a new account in our community. It's easy!

						
							
						
						Register a new account
					

					

						
Sign in

						
Already have an account? Sign in here.

						Sign In Now
					

				

			

		

	


			
		

	

	
		

			

				
				
                

                




				
			

		

	







	

		
			
				Go to topic listing
			
		
	

	




						


	

		
    
			
				
					
					
  • 
				
			
		

	


					

					


					

				

			

			
		

		
		


	

		×
		

			
				

					
				

			

			

			

			
		

	






	

		×
		

			
    
				
  • Create New...
    •