
This is my program, which searches through the memory of a process with the given process id and returns the memory offset for each match it finds.

When I run the exe by double-clicking it, I see the expected output. But I wanted to use this exe from the command line with

nameoffile.exe >> output.txt

but this makes a blank file, and

nameoffile.exe

from the command line also gives no output.

#include <iostream>
#include <fstream>   // std::ofstream
#include <cstdlib>   // system
#include <vector>
#include <string>
#include <windows.h>
#include <algorithm>
#include <iterator>
template <class InIter1, class InIter2, class OutIter>
void find_all(unsigned char *base, InIter1 buf_start, InIter1 buf_end, InIter2 pat_start, InIter2 pat_end, OutIter res) {
    for (InIter1 pos = buf_start;
        buf_end!=(pos=std::search(pos, buf_end, pat_start, pat_end));
        ++pos)
    {
        *res++ = base+(pos-buf_start);
    }

}

template <class outIter>
void find_locs(HANDLE process, std::string const &pattern, outIter output) {

    unsigned char *p = NULL;
    MEMORY_BASIC_INFORMATION info;

    for ( p = NULL;
        VirtualQueryEx(process, p, &info, sizeof(info)) == sizeof(info);
        p += info.RegionSize ) 
    {
        std::vector<char> buffer;
        std::vector<char>::iterator pos;

        if (info.State == MEM_COMMIT && 
            (info.Type == MEM_MAPPED || info.Type == MEM_PRIVATE)) 
        {
            SIZE_T bytes_read = 0; // stays 0 if ReadProcessMemory fails, so the region is skipped
            buffer.resize(info.RegionSize);
            ReadProcessMemory(process, p, &buffer[0], info.RegionSize, &bytes_read);
            buffer.resize(bytes_read);
            find_all(p, buffer.begin(), buffer.end(), pattern.begin(), pattern.end(), output);
        }
    }
}

int main() {

    std::ofstream outputFile("output.txt");
    outputFile << "lol";
    int pid = 448;
    std::string pattern = "Book of Summoning";

    HANDLE process = OpenProcess( 
        PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 
        false,
        pid);

    if (process == NULL) std::cout << "error opening process\n";
    else
    {
             find_locs(process, pattern,
            std::ostream_iterator<void *>(std::cout, "\n"));
    }
    system("PAUSE");
    return 0;
}
user1397417
  • Do you see the "Press any key to continue"? Your program could use some error handling, you expect it to work flawlessly. Especially the use of a hardcoded pid makes me wonder how this works. – nvoigt Feb 12 '14 at 06:18
  • I do see the press any key to continue, from console or from normal opening. I just don't know why I don't see the output from console but I do from opening normally. – user1397417 Feb 12 '14 at 06:23
  • Debug it. Put a cout as first thing in your code. Do you see that? – nvoigt Feb 12 '14 at 06:24
  • OK, I added some debug flow, now I get an output of "error opening process" when I run the exe from the debug folder. But running it from the debugger in VS always gives a successful run of OpenProcess. Why would that be? – user1397417 Feb 12 '14 at 06:42
  • Print to std::cout, use redirects to capture the output, or the 'tee' command. – Elliott Frisch Feb 12 '14 at 06:42
  • Could it be that your Visual Studio is running with admin privileges and your console application if started outside is not? – nvoigt Feb 12 '14 at 06:46
  • What output do you get when you start with Ctrl+F5? – harper Feb 12 '14 at 06:47
  • I tried running as admin also, still the OpenProcess fails – user1397417 Feb 12 '14 at 06:48
  • Ctrl+F5 from VS gives me 5 lines of memory locations separated by newlines, which I double-checked with WinHex and they are correct. But the OpenProcess fails outside of VS – user1397417 Feb 12 '14 at 06:50
  • I tried making a shortcut and setting the "start in" dir to the same as VS uses, but it still fails on the OpenProcess – user1397417 Feb 12 '14 at 06:52
  • Also tried deploying the project with a Windows installer and it still fails on OpenProcess – user1397417 Feb 12 '14 at 06:52
  • You might want to call [`GetLastError()`](http://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx) to see what the actual issue with `OpenProcess` is – Andreas Fester Feb 12 '14 at 06:53
  • GetLastError returns "5" – user1397417 Feb 12 '14 at 06:55
  • Does enabling the SeDebugPrivilege help? See: http://stackoverflow.com/questions/2932461/windows-vista-win7-privilege-problem-sedebugprivilege-openprocess – Christopher Oicles Feb 12 '14 at 07:07
  • That made the exe in the debug folder work when I open it, and it worked when I ran from console, but when I tried the command to send output to a text file, the text file is still blank... :( – user1397417 Feb 12 '14 at 07:22
  • Does my main function need to return something? – user1397417 Feb 12 '14 at 07:28
  • No, never mind, it's working, but for some reason really slow at finishing writing to the text file – user1397417 Feb 12 '14 at 07:31

1 Answer


Your OpenProcess fails because it's not running as administrator with proper debug permissions. Make sure you run as admin and set SeDebugPrivilege:

#include <windows.h>

// Enables or disables SeDebugPrivilege on the current process token.
bool SetDebugPrivilege(bool Enable)
{
    HANDLE hToken{ nullptr };
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
        return false;

    TOKEN_PRIVILEGES TokenPrivileges{};
    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : 0;

    if (!LookupPrivilegeValueA(nullptr, "SeDebugPrivilege", &TokenPrivileges.Privileges[0].Luid))
    {
        CloseHandle(hToken);
        return false;
    }

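    if (!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr))
    {
        CloseHandle(hToken);
        return false;
    }

    // AdjustTokenPrivileges also returns nonzero when the token does not hold the
    // privilege (e.g. a non-elevated process); GetLastError() then reports
    // ERROR_NOT_ALL_ASSIGNED. Read it before CloseHandle can change it.
    const bool Adjusted = (GetLastError() == ERROR_SUCCESS);

    CloseHandle(hToken);

    return Adjusted;
}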
GuidedHacking
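The `OpenProcess` call in the question requests `PROCESS_VM_READ | PROCESS_QUERY_INFORMATION`, which is the mask 0x0410. The following is an added example, not code from the question or the answer: it decodes such masks as they appear in process-access telemetry (for instance the GrantedAccess field of Sysmon's ProcessAccess event) and reports processes that were granted read access to another process's memory. The `source|target|0xMASK` record layout, the paths and the function names are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Documented process access rights (values from winnt.h).
struct Right { std::uint32_t bit; const char *name; };
static const Right kRights[] = {
    {0x0008, "PROCESS_VM_OPERATION"}, {0x0010, "PROCESS_VM_READ"},
    {0x0020, "PROCESS_VM_WRITE"},     {0x0400, "PROCESS_QUERY_INFORMATION"},
    {0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"}};

// Turn an access mask into right names; bits not in the table stay as hex.
std::string decode_access(std::uint32_t mask) {
    std::ostringstream out;
    const char *sep = "";
    for (const Right &r : kRights)
        if (mask & r.bit) { out << sep << r.name; sep = "|"; mask &= ~r.bit; }
    if (mask) out << sep << "0x" << std::hex << mask;
    return out.str().empty() ? "0" : out.str();
}

// Report sources granted PROCESS_VM_READ on a different process. Records use a
// constructed "source|target|0xMASK" layout; malformed records are skipped.
std::vector<std::string> memory_readers(const std::vector<std::string> &lines) {
    std::vector<std::string> hits;
    for (const std::string &line : lines) {
        const std::size_t a = line.find('|');
        const std::size_t b = (a == std::string::npos) ? a : line.find('|', a + 1);
        if (b == std::string::npos) continue;
        const std::string src = line.substr(0, a), dst = line.substr(a + 1, b - a - 1);
        const std::uint32_t mask =
            static_cast<std::uint32_t>(std::strtoul(line.c_str() + b + 1, nullptr, 16));
        if (src != dst && (mask & 0x0010))
            hits.push_back(src + " -> " + dst + " [" + decode_access(mask) + "]");
    }
    return hits;
}

// Constructed sample records, not real telemetry.
std::vector<std::string> sample_events() {
    return {"C:\\tools\\scanner.exe|C:\\games\\game.exe|0x0410",
            "C:\\Windows\\explorer.exe|C:\\games\\game.exe|0x1000",
            "C:\\games\\game.exe|C:\\games\\game.exe|0x1fffff", "malformed line"};
}

int main() {
    for (const std::string &hit : memory_readers(sample_events())) std::cout << hit << '\n';
}
```

Only the first sample record is reported: the second was granted query-only access, the third is a process opening itself, and the last is malformed.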