I've been having issues writing process memory; viewing sources online, I've tried to compile it the way Cheat Engine does.

#include <ntddk.h>

BOOLEAN fWriteProcessMemory(ULONG PID, PEPROCESS PEProcess, PVOID Address, ULONG Size, PVOID Buffer)
{
    PEPROCESS selectedprocess = PEProcess;
    BOOLEAN lookedUp = FALSE;   /* TRUE when we hold a reference from PsLookupProcessByProcessId */
    KAPC_STATE apc_state;
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
    char* target;
    char* source;
    unsigned int i;

    if (selectedprocess == NULL)
    {
        /* PsLookupProcessByProcessId returns a referenced EPROCESS; the reference is released below */
        if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(UINT_PTR)PID, &selectedprocess)))
            return FALSE;
        lookedUp = TRUE;
    }

    RtlZeroMemory(&apc_state, sizeof(apc_state));

    /* Attach to the target's address space. KeStackAttachProcess is the documented,
       non-obsolete form of KeAttachProcess and is what the KAPC_STATE above is for. */
    KeStackAttachProcess((PRKPROCESS)selectedprocess, &apc_state);

    target = (char*)Address;
    source = (char*)Buffer;

    /* Byte copy into the attached process. Both Address and Buffer must be valid pointers
       here: Buffer is read after the attach, so a bad Buffer faults on source[i]. */
    for (i = 0; i < Size; i++)
    {
        target[i] = source[i];
    }
    ntStatus = STATUS_SUCCESS;

    KeUnstackDetachProcess(&apc_state);

    if (lookedUp)
        ObDereferenceObject(selectedprocess);

    return NT_SUCCESS(ntStatus);
}

Though issues arose upon calling it, which was causing a BSOD every time at target[i] = source[i];

It may be that I was inputting incorrect 'Address'/'Size'/'Buffer' yet here is my configuration:

fWriteProcessMemory(GlobalProcessID, GlobalProcessPE, (PVOID)(*(ULONG*)pBuf), sizeof(ULDat), (PVOID)ULDat)

ULDat is the memory to be written (a ULONG), and pBuf, which is Irp->AssociatedIrp.SystemBuffer, holds the memory address to be written to.

Any help would be appreciated, thank you.

Johnaudi
  • Where is the source buffer in memory - is it kernel-allocated memory, or is it within your process? In other words - where did ULDat come from? And what is its type? You said it is ULONG but you convert it to PVOID, that's weird. If it is a variable that holds a ULONG, you should pass a pointer (PVOID)&ULDat instead of just (PVOID)ULDat – Wapac Feb 09 '16 at 08:23
  • It's a variable stored in the driver: ULONG ULDat = 6969UL (don't laugh :) ) - Whilst writing the memory it is using KeAttach so technically within the process, no? I'll give it a shot with &ULDat, thank you for the help though – Johnaudi Feb 09 '16 at 08:36

1 Answer

If ULDat = 6969, then (PVOID)ULDat is a pointer to memory address 6969 (0x1b39 in hex); in your loop, source[i] then tries to read a char from address (0x1b39 + i), which is why it BSODs.

So yes, use &ULDat there, that's the solution.

Wapac
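As an added illustration (not code from the question, the answer, or Cheat Engine), here is a user-mode C model of the same copy routine and of the IOCTL path that feeds it. It replaces the real process address space with a constructed 256-byte arena, and it assumes a hypothetical request layout in SystemBuffer (a header carrying the destination address and a byte count, followed by the data) rather than the bare ULONG the question's driver read from pBuf. The point it adds to the answer is the validation a driver should do before a loop like target[i] = source[i] runs: the source must be a pointer to the data (the answer's &ULDat), the claimed length must fit inside InputBufferLength, and the destination range must be one the driver is allowed to write.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the target process's address space: a 256-byte arena
 * that pretends to live at virtual addresses [ARENA_BASE, ARENA_BASE + ARENA_SIZE). */
#define ARENA_BASE 0x10000u
#define ARENA_SIZE 256u
static unsigned char g_arena[ARENA_SIZE];

/* Hypothetical request header a user-mode client would place in SystemBuffer;
 * the 'size' data bytes follow the header immediately. */
typedef struct {
    uint64_t address;   /* destination address inside the target process */
    uint32_t size;      /* number of data bytes following this header */
} write_header_t;

typedef enum {
    WRITE_OK = 0,
    WRITE_BAD_LENGTH,   /* SystemBuffer too short for the header or the claimed data */
    WRITE_BAD_RANGE,    /* destination outside the address range we may touch */
    WRITE_NULL_SOURCE   /* caller passed no pointer where a pointer was expected */
} write_status_t;

/* Model of the question's copy loop with the checks its caller lacked:
 * 'buffer' must be a real pointer (the answer's &ULDat, not (PVOID)ULDat), and
 * [address, address + size) must lie inside the arena. */
write_status_t write_process_memory(uint64_t address, uint32_t size, const void *buffer)
{
    const unsigned char *source = buffer;
    unsigned char *target;
    uint32_t i;

    if (source == NULL)
        return WRITE_NULL_SOURCE;
    if (size == 0 || size > ARENA_SIZE || address < ARENA_BASE ||
        address - ARENA_BASE > ARENA_SIZE - size)
        return WRITE_BAD_RANGE;

    target = g_arena + (address - ARENA_BASE);
    for (i = 0; i < size; i++)
        target[i] = source[i];
    return WRITE_OK;
}

/* IOCTL-side validation: never read past input_length, and copy the header out
 * before trusting any field of it. */
write_status_t handle_write_ioctl(const void *system_buffer, size_t input_length)
{
    write_header_t hdr;

    if (system_buffer == NULL || input_length < sizeof(hdr))
        return WRITE_BAD_LENGTH;
    memcpy(&hdr, system_buffer, sizeof(hdr));
    if (hdr.size > input_length - sizeof(hdr))
        return WRITE_BAD_LENGTH;   /* header claims more bytes than the buffer carries */

    return write_process_memory(hdr.address, hdr.size,
                                (const unsigned char *)system_buffer + sizeof(hdr));
}

/* Read a ULONG back from the arena so a write can be verified. */
uint32_t arena_read_u32(uint64_t address)
{
    uint32_t v;
    if (address < ARENA_BASE || address - ARENA_BASE > ARENA_SIZE - sizeof(v))
        return 0xFFFFFFFFu;
    memcpy(&v, g_arena + (address - ARENA_BASE), sizeof(v));
    return v;
}

/* Well-formed request built the way the question's caller should build it: the
 * data bytes are taken from the address of the variable, not from its value. */
write_status_t demo_write_ulong(uint64_t address, uint32_t value)
{
    unsigned char raw[sizeof(write_header_t) + sizeof(value)];
    write_header_t hdr = {0};
    hdr.address = address;
    hdr.size = sizeof(value);
    memcpy(raw, &hdr, sizeof(hdr));
    memcpy(raw + sizeof(hdr), &value, sizeof(value));   /* the &ULDat of the answer */
    return handle_write_ioctl(raw, sizeof(raw));
}

/* Truncated request: the header says 64 bytes follow, but nothing does. */
write_status_t demo_short_request(void)
{
    write_header_t hdr = {0};
    hdr.address = ARENA_BASE;
    hdr.size = 64;
    return handle_write_ioctl(&hdr, sizeof(hdr));
}

int main(void)
{
    write_status_t st = demo_write_ulong(ARENA_BASE + 16, 6969u);
    printf("valid write:   %d (value now %u)\n", (int)st, (unsigned)arena_read_u32(ARENA_BASE + 16));
    printf("short request: %d\n", (int)demo_short_request());
    printf("out of range:  %d\n", (int)demo_write_ulong(ARENA_BASE + ARENA_SIZE - 2, 1u));
    return 0;
}
```

In a real driver the arena check would be replaced by whatever policy the driver enforces on destination addresses, and the header copy matters because METHOD_BUFFERED hands the driver a kernel copy of the input but the length field inside it is still caller-controlled.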