
ReadProcessMemory As Anti-Memory Breakpoints

waliedassar Oct 18th, 2012 509 Never
  1. //http://waleedassar.blogspot.com (@waleedassar)
  2. //Simple code that shows how the "ReadProcessMemory" function can be used to detect (and so defeat) memory breakpoints, whether PAGE_GUARD or PAGE_NOACCESS, set on the process's own image.
  3.  
  4. #include "stdafx.h"
  5. #include "windows.h"
  // Information-class value handed to ZwQueryVirtualMemory to request the
  // record declared below (the value is the one given by the paste's author).
  #define MemoryBasicVlmInformation 0x3

  // Output record for a MemoryBasicVlmInformation query. The program only
  // consumes SizeOfImage; the two words in between are not interpreted.
  // NOTE(review): every field is `unsigned long`, so this layout matches a
  // 32-bit Windows build only; it is hand-written, not taken from an SDK
  // header -- confirm against the target OS before reusing it.
  struct MEMORY_BASIC_VLM_INFORMATION
  {
      unsigned long ImageBase;    // base address of the queried image
      unsigned long blah[2];      // two words the author leaves unnamed
      unsigned long SizeOfImage;  // size in bytes of the mapped image
  };
  13.  
  // Hand-written prototype for the native ZwQueryVirtualMemory routine, which
  // this file declares itself instead of pulling in a header for it.
  // C linkage plus __stdcall keeps the symbol name unmangled for the linker.
  // Argument roles below follow the single call made in main():
  //   process handle, address to query, information class, output buffer,
  //   output buffer size in bytes, and a pointer receiving the returned length.
  // NOTE(review): the result is declared as `int`; negative values are
  // presumably NTSTATUS failure codes -- confirm before relying on the sign.
  extern "C" int __stdcall ZwQueryVirtualMemory(
      HANDLE process,
      void* baseAddress,
      int infoClass,
      void* buffer,
      int bufferLength,
      unsigned long* returnLength);
  18.  
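  // Demonstration program: copies the process's own mapped image with
  // ReadProcessMemory and reports whether the whole range was readable.
  //
  // ReadProcessMemory requires the entire source range to be accessible, so
  // (per the author) a page in the image that a debugger has marked
  // PAGE_GUARD or PAGE_NOACCESS makes the call fail.
  //
  // Notes for analysts and defenders:
  //  - The check shows up as a process calling ReadProcessMemory on its own
  //    pseudo-handle, starting at its image base and spanning SizeOfImage.
  //  - A failed read only proves that some page in the range was unreadable at
  //    that moment; treat the "detected" verdict as a heuristic, not proof of
  //    a debugger.
  //
  // Changes from the original listing:
  //  - The query status, the reported size and the allocation are checked, so
  //    a setup failure is no longer reported as "Memory BP(s) detected".
  //  - The process handle comes from GetCurrentProcess() in both calls instead
  //    of the hard-coded (void*)0xFFFFFFFF, which equals the pseudo-handle
  //    only when pointers are 32 bits wide.
  //  - The image base stays a pointer instead of being squeezed through
  //    `unsigned long`.
  //  - MessageBoxA is named explicitly because the strings are narrow literals.
  //  - The scratch buffer is released before exit.
  //
  // Returns 0 after reporting a verdict, 1 if the check could not be set up.
  int main(int argc, char* argv[])
  {
      unsigned long returned = 0;
      MEMORY_BASIC_VLM_INFORMATION MBVI = {0};
      HANDLE self = GetCurrentProcess();
      void* imageBase = (void*)GetModuleHandle(0);

      // Ask for the size of the image mapped at our own base address.
      int status = ZwQueryVirtualMemory(self, imageBase, MemoryBasicVlmInformation,
                                        &MBVI, sizeof(MBVI), &returned);
      unsigned long SizeOfImage = MBVI.SizeOfImage;
      if (status < 0 || SizeOfImage == 0)
      {
          // Without a valid size the read below would fail for unrelated reasons.
          MessageBoxA(0, "Could not query image size", "waliedassar", 0);
          return 1;
      }

      // Scratch buffer that receives the copy of the image.
      char* p = (char*)VirtualAlloc(0, SizeOfImage, MEM_COMMIT, PAGE_READWRITE);
      if (p == NULL)
      {
          MessageBoxA(0, "Could not allocate buffer", "waliedassar", 0);
          return 1;
      }

      // Setting a memory BP anywhere in the image will cause ReadProcessMemory to fail.
      BOOL wholeImageReadable = ReadProcessMemory(self, imageBase, p, SizeOfImage, 0);
      VirtualFree(p, 0, MEM_RELEASE);

      if (wholeImageReadable)
      {
          MessageBoxA(0, "Expected behavior", "waliedassar", 0);
      }
      else
      {
          MessageBoxA(0, "Memory BP(s) detected", "waliedassar", 0);
      }
      return 0;
  }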