Author Topic: Accessing Process Memory After Hooking  (Read 882 times)

0 Members and 1 Guest are viewing this topic.

mesengr

  • Relentless Teamkiller
  • **
  • Posts: 51
    • View Profile
Accessing Process Memory After Hooking
« on: March 17, 2009, 07:51:10 am »
After I hook a certain function/interface in a process (e.g., vietcong.exe), I want to access its memory. I know the address of the memory I wish to access. I can obviously create a pointer that points to that address, and dereference it.

But is this safe? There are potential multi-threading issues. Should I use memcpy() or ReadProcessMemory() or ??? What other options are there?

Subsky

  • Insane Joker
  • ****
  • Posts: 504
  • Subskii
    • View Profile
Re: Accessing Process Memory After Hooking
« Reply #1 on: March 28, 2009, 06:00:01 am »
If the application wasn't originally designed to be multi-threaded; it's a bit difficult.

Once you have your client pointer to some structure; set a hardware write breakpoint on the address and wait for a hit.

In the original applications code you'd then have to use detour hook(s) or similiar to request a lock using synchronization primitive(s) on it before the write(s)- write then unlock.

In your own code you then test for the lock.

This is pretty secure provided that you don't overwrite any pointer values back into the structure or change important information like array lengths etc (if that where the case, you'd need to detour hook as described above every point in the original application that read the start of the structure!).

MrMedic

  • MasstKer
  • ********
  • Posts: 8900
  • programmer/dev/software engineer
    • View Profile
Re: Accessing Process Memory After Hooking
« Reply #2 on: March 28, 2009, 10:35:13 pm »
it wont be safe untill you set it up correctly there is an easier way ...


 jump out , to your function ( copy of the origional ) and if its uses registers eax eg , then simply store it in a variable then add offsets ( eg [eax+7e] // player name .....etc to what you want , this way it will never change , remember to restore the jump after your done or youl hit hradba problems.
« Last Edit: March 28, 2009, 10:41:10 pm by MrMedic »
EnCoded Message: i3iy9yl8kr2xf3g2Txs3pr6ye3ya7jg5ty2z

https://www.youtube.com/watch?v=62_7-AYfdkQ
you need a paypal account for the private versions.

Website:
http://bit.ly/medic101

Teamspeak 3: 85.236.101.5:10157