Process crashes when I read/write memory with DLL injection


I wrote a hackme program and I want to hook it and brute-force it to crack it (with DLL injection). The problem is that when I try to write or read the memory, the process crashes (it happens to me not only with the hackme program, but with every program), although I give myself write and read privileges with VirtualProtect.

  • If I add a MessageBox to the DLL, the MessageBox works.

Here is the DLL that is supposed to prevent the process from printing something (by NOPing):

#include "DLL.h"
#include <windows.h>
#include <tlhelp32.h>

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
    switch (reason)
    {
        case DLL_PROCESS_ATTACH:
            DWORD threadId;
            CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&ThreadProc, NULL, 0, &threadId);
            break;

        case DLL_PROCESS_DETACH:
            break;

        case DLL_THREAD_ATTACH:
            break;

        case DLL_THREAD_DETACH:
            break;
    }
    return true;
}

DWORD ThreadProc(LPVOID lpdwThreadParam)
{
    VirtualProtect((LPVOID)0x00417D10, 5, PAGE_EXECUTE_READWRITE, NULL);
    *(char *)0x00417D10 = 0x90;
    *(char *)0x00417D11 = 0x90;
    *(char *)0x00417D12 = 0x90;
    *(char *)0x00417D13 = 0x90;
    *(char *)0x00417D14 = 0x90;
    return 0;
}

Here's the information about the address in the process that I'm writing to: http://prntscr.com/2bveja (with IDA)

The DLL, the injector and the hackme are compiled for 32-bit. I'm using Win7 64-bit.

user3120643 On BEST ANSWER

There were 2 problems:

  1. VirtualProtect cannot receive NULL in the last parameter (old privilege). Therefore I gave it a pointer to a DWORD variable.

  2. I gave VirtualProtect a permanent address, but that was not good, since in Windows 7 the image base changes on every execution, so I found out the process image base and added the offset 0x12d1 to it.

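DWORD oldp; // receives the previous protection; must not be NULL
HMODULE hand = GetModuleHandle(L"HackMe.exe"); // base address the image was actually loaded at
VirtualProtect((LPVOID)((DWORD)hand + (DWORD)0x12d1), 6, PAGE_EXECUTE_READWRITE, &oldp);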
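
To illustrate the second point of the answer above, here is an added example (not code from the question or the answer) that reads the preferred ImageBase and the DYNAMIC_BASE (ASLR) flag from a PE32 header and translates an address seen in a disassembler to the base the image is actually loaded at. It goes slightly beyond the answer by checking the header flag; the header bytes are constructed inline, and the preferred base 0x00400000 and runtime base 0x00A30000 are assumptions.

```c
/* Added example on a constructed PE32 header; not the page's HackMe.exe. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DYNAMIC_BASE 0x0040u /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Read ImageBase and the ASLR flag; 0 on success, -1 if malformed or not PE32. */
int pe32_info(const uint8_t *img, size_t len, uint32_t *image_base, int *aslr)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                 /* e_lfanew */
    if (pe > len || len - pe < 24 + 72) return -1;  /* signature, COFF, fields read */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe + 24;             /* optional header */
    if (rd16(opt) != 0x10B) return -1;              /* PE32 magic */
    *image_base = rd32(opt + 28);                   /* preferred ImageBase */
    *aslr = (rd16(opt + 70) & DYNAMIC_BASE) != 0;   /* DllCharacteristics */
    return 0;
}

/* Move an address seen at the preferred base to the base actually loaded. */
uint32_t rebase(uint32_t va, uint32_t preferred, uint32_t actual) { return actual + (va - preferred); }

/* Build a constructed, header-only PE32 image for the demonstration. */
size_t make_sample(uint8_t *buf, size_t cap, uint32_t base, uint16_t dllchar)
{
    if (cap < 0x100) return 0;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    wr16(buf + 0x80 + 24, 0x10B);
    wr32(buf + 0x80 + 24 + 28, base);
    wr16(buf + 0x80 + 24 + 70, dllchar);
    return 0x100;
}

/* Assumed values: preferred base 0x00400000, runtime base 0x00A30000. */
uint32_t demo(void)
{
    uint8_t buf[0x100]; uint32_t base = 0; int aslr = 0;
    size_t n = make_sample(buf, sizeof buf, 0x00400000u, DYNAMIC_BASE);
    if (pe32_info(buf, n, &base, &aslr) != 0 || !aslr) return 0;
    return rebase(0x00417D10u, base, 0x00A30000u);
}
```

Inside the injected DLL, the value returned by GetModuleHandle plays the role of `actual`, which is what the answer's `hand + offset` computation relies on.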