waliedassar

ReadProcessMemory As Anti-Memory Breakpoints

Oct 18th, 2012
  1. //http://waleedassar.blogspot.com (@waleedassar)
  2. //Simple code that shows how the "ReadProcessMemory" function can be used to defeat memory breakpoints (whether PAGE_GUARD or PAGE_NOACCESS): reading the process's own image fails while such a breakpoint is set, which reveals it.
  3.  
  4. #include "stdafx.h"
  5. #include "windows.h"
  // Information-class value that main() passes to ZwQueryVirtualMemory.
  #define MemoryBasicVlmInformation 3

  // Output record filled in by the MemoryBasicVlmInformation query.
  // The layout is declared by hand in this file and is not taken from an SDK header.
  // NOTE(review): every field is an `unsigned long` (32 bits on Windows), so
  // this layout presumably matches a 32-bit build only; confirm before
  // compiling for x64.
  struct MEMORY_BASIC_VLM_INFORMATION
  {
      unsigned long ImageBase;    // presumably the base of the queried image (inferred from the name)
      unsigned long blah[2];      // two words this sample never interprets
      unsigned long SizeOfImage;  // read by main() to size its copy buffer
  };
  13.  
  // Hand-written prototype for the native query routine, given C linkage so
  // the name is not C++-mangled. Parameter names follow how main() calls it:
  // process handle, address to query, information class, output buffer,
  // buffer size, and a slot for the returned length.
  // NOTE(review): the lengths are declared as int / unsigned long, which is
  // pointer-sized only on 32-bit Windows; confirm the target before reuse.
  extern "C" int __stdcall ZwQueryVirtualMemory(
      HANDLE         ProcessHandle,
      void          *BaseAddress,
      int            InformationClass,
      void          *Buffer,
      int            Length,
      unsigned long *ReturnLength);
  18.  
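  /*
   * Copies the whole image of the current module into a scratch buffer with
   * ReadProcessMemory and reports whether the copy succeeded.
   *
   * Per the author's note, a memory breakpoint (PAGE_GUARD or PAGE_NOACCESS)
   * anywhere in the image makes the read fail. The probe only observes page
   * protections: it cannot tell a debugger's breakpoint from any other
   * non-readable page in the range, and it says nothing about breakpoints
   * that leave page protections untouched. For an analyst, the recognisable
   * pattern is a process reading its own full image through
   * ReadProcessMemory right after sizing it with ZwQueryVirtualMemory.
   *
   * Returns 0 after the probe has run (whatever its verdict) and 1 when the
   * image size or the scratch buffer could not be obtained, so a setup
   * failure is no longer reported as "Memory BP(s) detected".
   */
  int main(int argc, char* argv[])
  {
      (void)argc;
      (void)argv;

      unsigned long returned = 0;
      MEMORY_BASIC_VLM_INFORMATION MBVI = {0};

      // Keep the base as a pointer; squeezing it through `unsigned long`
      // would truncate it wherever pointers are wider than 32 bits.
      void *imageBase = (void*)GetModuleHandle(0);

      // Native status codes are negative on failure. A failed query leaves
      // SizeOfImage at 0, which would make every later step fail and look
      // like a detection.
      int status = ZwQueryVirtualMemory(GetCurrentProcess(), imageBase,
                                        MemoryBasicVlmInformation,
                                        &MBVI, sizeof(MBVI), &returned);
      if (status < 0 || MBVI.SizeOfImage == 0)
      {
          MessageBoxA(0, "Could not query the image size", "waliedassar", 0);
          return 1;
      }

      unsigned long imageSize = MBVI.SizeOfImage;
      char *copy = (char*)VirtualAlloc(0, imageSize, MEM_COMMIT, PAGE_READWRITE);
      if (copy == 0)
      {
          MessageBoxA(0, "Could not allocate the scratch buffer", "waliedassar", 0);
          return 1;
      }

      // Setting a memory BP anywhere in the memory image will cause
      // ReadProcessMemory to fail. GetCurrentProcess() replaces the
      // hard-coded 0xFFFFFFFF, which is the pseudo-handle only when
      // handles are 32 bits wide.
      BOOL readOk = ReadProcessMemory(GetCurrentProcess(), imageBase,
                                      copy, imageSize, 0);

      // MessageBoxA keeps the narrow string literals valid in a UNICODE build.
      if (readOk)
      {
          MessageBoxA(0, "Expected behavior", "waliedassar", 0);
      }
      else
      {
          MessageBoxA(0, "Memory BP(s) detected", "waliedassar", 0);
      }

      // Release the scratch copy; the original never freed it.
      VirtualFree(copy, 0, MEM_RELEASE);
      return 0;
  }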