Tuts 4 You

Memory's page protection method? With VirtualProtect


Viloresi


Posted (edited)

Hello, I'm trying to change the protection flag of an address in memory, it is set to EXECUTE_READ (probably) and I'm trying to change it to EXECUTE_READWRITE to run my hooked function. I've injected a DLL inside the process and created a new thread, then I'm trying to use VirtualProtect to change it, but VirtualProtect keeps failing and the protection doesn't change .... it's like it has been disabled (but only on certain pages, since if I try to VirtualAlloc a new page, I'm able to modify its protections)

:/ I've tried to check if VirtualProtect has been hooked but it's not, how is it possible that they made VirtualProtect not work without actually hooking it or changing some opcodes inside the kernel32.VirtualProtect function?

Also how can I use the NtVirtualProtectMemory function without the use of VirtualProtect or VirtualProtectEx? This stuff is all undocumented, so it's hard to find something on the internet.

Edited by Viloresi

Posted

for the undocumented stuff look at the ReactOS source code, it's all there, documented

have you aligned the address right? and what's the error code from the VirtualProtect call (use GetLastError..).. usually that sheds a light on things... is the memory actually also committed (try reading from it perhaps?)

Posted
23 minutes ago, evlncrn8 said:

for the undocumented stuff look at the ReactOS source code, it's all there, documented

have you aligned the address right? and what's the error code from the VirtualProtect call (use GetLastError..).. usually that sheds a light on things... is the memory actually also committed (try reading from it perhaps?)

(Thanks for the reply, you are right btw, I didn't give much info about it :)

The address is aligned correctly since I've tried the same code on an unprotected executable that I made, and it works fine... also the memory is protected, since it's a game and ReadProcessMemory is detected and I get banned if I use it, that's why I had to inject a DLL (even before all the threads start), the memory is committed, also the opcode I'm trying to hook is the one that stores the player position coordinates on their respective addresses. (I'm able to read it without problems, the only problem is when I'm trying to write it, because it's read-only)

I didn't use GetLastError :/ but for what I knew VirtualProtect returns non-zero if it fails, anyway it will take me some time to give it another try.

Posted

Update

It gives error 87 (a parameter is not correct),

btw I'm sure all the parameters are correct ... there is a protection somehow that's disabling it on some pages (btw I've tried to VirtualProtect some other memory pages of this process and it works fine).


Posted

sounds like anti-cheat I guess, though no hook is odd, unless it's doing smth like checking the callee address, if it's within the game space, it'd allow.. otherwise.. deny.. something like that..

can you paste a snippet of your VirtualProtect code?

Posted

// this piece of code is taken from the function that I use to place a jmp

DWORD dwOldProtect;

// The parameters I'm giving are: Address = (BYTE*)ammoAddy, length = 15
if (!::VirtualProtect(Address, length, PAGE_EXECUTE_READWRITE, &dwOldProtect))
{
    VirtualProtect(Address, length, PAGE_EXECUTE_READWRITE, &dwOldProtect);   // yes I do it a second time just to be 100% sure that the error comes from here
    ErrorExit(TEXT("VirtualProtect"));   // shows GetLastError() and calls ExitProcess, so the line below is never reached
    MessageBox(0, "fail query", "MessageBox caption", MB_OK);
}


PlaceJMP((BYTE*)ammoAddy, (DWORD64)InfiniteAmmo, 15); // the ammoAddy is returned correctly, I've checked that it's the correct address that points at the exact location

Entire function that I use to place the jmp (if you're interested):

#include <windows.h>

// ErrorExit is the MSDN "Retrieving the Last-Error Code" sample: it formats
// GetLastError(), shows it in a MessageBox and calls ExitProcess.
void ErrorExit(LPCTSTR lpszFunction);

// Overwrites the code at Address with a 14-byte absolute jump to jumpTo:
//     FF 25 00 00 00 00     jmp qword ptr [rip+0]
//     <8-byte jumpTo>       the pointer the jmp reads
// length must cover those 14 bytes (the caller passes 15).
void PlaceJMP(BYTE *Address, DWORD64 jumpTo, DWORD64 length = 14)
{
    DWORD dwOldProtect, dwBkup;
    MessageBox(0, "Trying VirtualProtect", "MessageBox caption", MB_OK);
    // give that address read and write permissions and store the old permissions in dwOldProtect
    if (!::VirtualProtect(Address, (SIZE_T)length, PAGE_EXECUTE_READWRITE, &dwOldProtect))
    {
        VirtualProtect(Address, (SIZE_T)length, PAGE_EXECUTE_READWRITE, &dwOldProtect);
        ErrorExit(TEXT("VirtualProtect"));   // reports GetLastError() and exits the process
        MessageBox(0, "fail query", "MessageBox caption", MB_OK);   // never reached
    }

    MessageBox(0, "VirtualProtect completed", "MessageBox caption", MB_OK);
    MessageBox(0, "Trying to write address", "MessageBox caption", MB_OK);
    // Write the JMP opcode at our jump position: FF 25 with a zero disp32, so the
    // instruction reads its target from the 8 bytes that follow it. (The old
    // "jumpTo - Address - 5" calculation was for a 5-byte relative jmp and is not
    // needed with an absolute jmp.)
    *Address = 0xFF;
    *(Address + 0x1) = 0x25;
    *(Address + 0x2) = 0x00;
    *(Address + 0x3) = 0x00;
    *(Address + 0x4) = 0x00;
    *(Address + 0x5) = 0x00;
    // Write the absolute address we're gonna jump to
    *((ULONG_PTR *)(Address + 0x6)) = (ULONG_PTR)jumpTo;
    MessageBox(0, "Trying second VirtualProtect", "MessageBox caption", MB_OK);
    // Restore the default permissions
    VirtualProtect(Address, (SIZE_T)length, dwOldProtect, &dwBkup);
    // Make sure no core keeps executing the stale bytes
    FlushInstructionCache(GetCurrentProcess(), Address, (SIZE_T)length);
    MessageBox(0, "Second VirtualProtect complete", "MessageBox caption", MB_OK);
}

P.s.: If you want the ErrorExit function, I've taken it from MSDN: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680582(v=vs.85).aspx
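The stub PlaceJMP writes is the x64 absolute form (FF 25 with a zero displacement, followed by the 8-byte target), which is what you need when the hook function lives in an injected DLL that can sit more than 2 GB away from the game's code; the 5-byte E9 rel32 form that the leftover "jumpTo - Address - 5" calculation was meant for only reaches that far. The encoder below is an added example, not code from the thread: it picks the 5-byte form when the displacement fits in a signed 32-bit value and the 14-byte form otherwise, and decodes a stub back to its target, which is also useful for reading where an existing hook goes. The addresses in its main() are made-up sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the thread's code: encode/decode the two x64 JMP forms a
 * hook stub can use. `src` is where the stub is written, `target` the hook. */

enum { JMP_REL32_LEN = 5, JMP_ABS64_LEN = 14 };

static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void put_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t get_le64(const uint8_t *p)
{
    return (uint64_t)get_le32(p) | (uint64_t)get_le32(p + 4) << 32;
}

/* Writes a JMP into `out` that, executed at `src`, lands on `target`.
 * Returns the number of bytes written (5 or 14), or 0 if `cap` is too small. */
size_t encode_jmp(uint64_t src, uint64_t target, uint8_t *out, size_t cap)
{
    /* E9 rel32: the displacement is relative to the END of the 5-byte
     * instruction, which is where the "- 5" in the thread's dwRelAddr came from. */
    int64_t disp = (int64_t)(target - (src + JMP_REL32_LEN));
    if (disp >= INT32_MIN && disp <= INT32_MAX) {
        if (cap < JMP_REL32_LEN) return 0;
        out[0] = 0xE9;
        put_le32(out + 1, (uint32_t)(int32_t)disp);
        return JMP_REL32_LEN;
    }
    /* FF 25 00000000: jmp qword ptr [rip+0]. RIP already points past the
     * 6-byte instruction, so the pointer is read from the 8 bytes after it. */
    if (cap < JMP_ABS64_LEN) return 0;
    out[0] = 0xFF;
    out[1] = 0x25;
    put_le32(out + 2, 0);
    put_le64(out + 6, target);
    return JMP_ABS64_LEN;
}

/* Inverse: given `len` bytes read from `src`, return where a JMP there goes,
 * or 0 if the bytes are neither form (or the pointer slot of an FF 25 form
 * lies outside the bytes we were handed). */
uint64_t decode_jmp_target(uint64_t src, const uint8_t *code, size_t len)
{
    if (len >= JMP_REL32_LEN && code[0] == 0xE9) {
        int32_t disp = (int32_t)get_le32(code + 1);
        return src + JMP_REL32_LEN + (uint64_t)(int64_t)disp;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        int32_t disp = (int32_t)get_le32(code + 2);
        uint64_t slot = src + 6 + (uint64_t)(int64_t)disp;   /* [rip + disp32] */
        if (slot < src || slot + 8 > src + len) return 0;
        return get_le64(code + (slot - src));
    }
    return 0;
}

int main(void)
{
    uint8_t stub[JMP_ABS64_LEN];
    uint64_t src = 0x140001000ULL;            /* made-up address inside the game */
    uint64_t near_target = 0x140002005ULL;    /* within +-2 GB: 5-byte form */
    uint64_t far_target = 0x7FFE12345678ULL;  /* e.g. an injected DLL: 14-byte form */
    size_t n = encode_jmp(src, near_target, stub, sizeof stub);
    printf("near: %zu bytes, decodes to 0x%llx\n", n,
           (unsigned long long)decode_jmp_target(src, stub, n));
    n = encode_jmp(src, far_target, stub, sizeof stub);
    printf("far:  %zu bytes:", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", stub[i]);
    printf("\n");
    return 0;
}
```

Whichever form you write, the bytes you overwrite must end on an instruction boundary, and the instructions that were there have to be relocated to a trampoline if the hook is ever meant to return into the original code. The length handed to VirtualProtect only needs to cover the bytes written (14 here); the call rounds both ends of the range outward to page boundaries, so 14, 15 or 0x1000 behave the same unless the stub straddles a page boundary.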

Posted

try it with the length as the page size (0x1000) ... if that doesn't work something odd is going on

Posted
5 hours ago, evlncrn8 said:

try it with the length as the page size (0x1000) ... if that doesn't work something odd is going on

I've tested with 0x1000 as the length for the virtualquery... it didn't work though

(tried PlaceJMP((BYTE*)ammoAddy, (DWORD64)InfiniteAmmo, 0x1000); )

Posted

hmm and if you do a VirtualQuery on it what happens?
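The native function the first post asks about is exported from ntdll as NtProtectVirtualMemory (process handle, in/out base address, in/out size, new protection, old protection out). VirtualProtect is a thin wrapper around it that converts the NTSTATUS with RtlNtStatusToDosError, and both STATUS_INVALID_PARAMETER and STATUS_INVALID_PAGE_PROTECTION come out as error 87, so calling the export directly tells you more than GetLastError does. The program below is an added example, not code from the thread: it runs the VirtualQuery check suggested above, verifies that the ntdll export still begins with the x64 syscall prologue (the place an inline hook would actually land, which checking kernel32!VirtualProtect alone does not cover), and then calls it. The Windows calls sit under _WIN32; the page-rounding, protection-name and stub-check helpers are portable, and the stub bytes used to exercise them are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. Helpers before the _WIN32 line are
 * portable; the VirtualQuery / ntdll!NtProtectVirtualMemory part needs Windows. */

/* Readable name for a PAGE_* value (constants from <winnt.h>, repeated here). */
const char *protect_name(uint32_t p)
{
    switch (p & 0xFF) {
    case 0x01: return "PAGE_NOACCESS";
    case 0x02: return "PAGE_READONLY";
    case 0x04: return "PAGE_READWRITE";
    case 0x08: return "PAGE_WRITECOPY";
    case 0x10: return "PAGE_EXECUTE";
    case 0x20: return "PAGE_EXECUTE_READ";
    case 0x40: return "PAGE_EXECUTE_READWRITE";
    case 0x80: return "PAGE_EXECUTE_WRITECOPY";
    default:   return "PAGE_?";
    }
}

/* NtProtectVirtualMemory (hence VirtualProtect) rounds the range outward to
 * page boundaries; this is what a call for `len` bytes at `addr` really touches,
 * and why 14, 15 or 0x1000 as the length normally makes no difference. */
typedef struct { uint64_t base, size; } page_range_t;
page_range_t page_range(uint64_t addr, uint64_t len, uint64_t page_size)
{
    page_range_t r = { 0, 0 };
    if (len == 0 || page_size == 0 || (page_size & (page_size - 1)) != 0)
        return r;                            /* nothing sensible to protect */
    uint64_t first = addr & ~(page_size - 1);
    uint64_t last  = (addr + len - 1) & ~(page_size - 1);
    r.base = first;
    r.size = last - first + page_size;
    return r;
}

/* Every x64 ntdll Nt* export begins with
 *     4C 8B D1         mov r10, rcx
 *     B8 nn nn nn nn   mov eax, <syscall number>
 * An inline hook overwrites that with a jmp (E9 .. or FF 25 ..), so a clean
 * kernel32!VirtualProtect says nothing about the real entry point.
 * Returns the syscall number, or -1 if the prologue is not intact. */
int64_t syscall_stub_number(const uint8_t *code, size_t len)
{
    if (len < 8 || code[0] != 0x4C || code[1] != 0x8B || code[2] != 0xD1 || code[3] != 0xB8)
        return -1;
    return (int64_t)((uint32_t)code[4] | (uint32_t)code[5] << 8 |
                     (uint32_t)code[6] << 16 | (uint32_t)code[7] << 24);
}

#ifdef _WIN32
#include <windows.h>
typedef LONG ntstatus_t;                 /* NTSTATUS: negative values are failures */
typedef ntstatus_t (NTAPI *NtProtectVirtualMemory_t)(HANDLE ProcessHandle,
    PVOID *BaseAddress, PSIZE_T NumberOfBytesToProtect,
    ULONG NewAccessProtection, PULONG OldAccessProtection);

/* Call the ntdll export directly and return the raw NTSTATUS (VirtualProtect
 * maps it to a Win32 code such as 87). Base and size are in/out and come back
 * page-rounded, i.e. the same values page_range() computes. */
ntstatus_t protect_native(void *addr, SIZE_T len, ULONG newprot, ULONG *oldprot)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtProtectVirtualMemory_t fn = ntdll ?
        (NtProtectVirtualMemory_t)GetProcAddress(ntdll, "NtProtectVirtualMemory") : NULL;
    if (!fn) return (ntstatus_t)0xC0000139L;          /* STATUS_ENTRYPOINT_NOT_FOUND */
    if (syscall_stub_number((const uint8_t *)fn, 8) < 0)
        fprintf(stderr, "NtProtectVirtualMemory does not start with a syscall stub (hooked?)\n");
    PVOID base = addr;
    SIZE_T size = len;
    ntstatus_t st = fn(GetCurrentProcess(), &base, &size, newprot, oldprot);
    printf("NtProtectVirtualMemory(%p, %zu, %s) = 0x%08lX, rounded to %p+0x%zx\n",
           addr, len, protect_name(newprot), (unsigned long)st, base, size);
    return st;
}

/* The VirtualQuery check from the thread: print the region the address is in. */
void dump_region(const void *addr)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (!VirtualQuery(addr, &mbi, sizeof mbi)) {
        printf("VirtualQuery(%p) failed, error %lu\n", addr, GetLastError());
        return;
    }
    printf("%p: base=%p size=0x%zx state=%s type=%s protect=%s%s\n", addr,
           mbi.BaseAddress, mbi.RegionSize,
           mbi.State == MEM_COMMIT ? "COMMIT" : mbi.State == MEM_RESERVE ? "RESERVE" : "FREE",
           mbi.Type == MEM_IMAGE ? "IMAGE" : mbi.Type == MEM_MAPPED ? "MAPPED" : "PRIVATE",
           protect_name(mbi.Protect), (mbi.Protect & PAGE_GUARD) ? "|GUARD" : "");
}

int main(void)
{
    ULONG old = 0;
    /* A private page we own first, then this module's own image-backed code page. */
    void *buf = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READONLY);
    dump_region(buf);
    protect_native((char *)buf + 100, 15, PAGE_READWRITE, &old);
    VirtualFree(buf, 0, MEM_RELEASE);
    dump_region((const void *)&dump_region);
    if (protect_native((void *)&dump_region, 14, PAGE_EXECUTE_READWRITE, &old) >= 0)
        protect_native((void *)&dump_region, 14, old, &old);    /* put it back */
    return 0;
}
#endif
```

Read the output in this order: if VirtualQuery shows the target inside a committed region, the requested protection is a plain PAGE_* value, and the ntdll prologue is intact yet the call still returns a failure status, the decision is being made on the kernel side of the syscall rather than by a user-mode hook, and no amount of changing the length argument will help.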
