ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Writing to an address while knowing the base offset. Either via cli, C, or memproc fs and gui tools #182

Closed rlewkowicz closed 2 years ago

rlewkowicz commented 2 years ago

This isn't stack overflow, so in advance if this is out of scope, we can close it and I apologize for the noise.

In an attempt to correlate my understanding of local tools to that of pcileech, I want to modify a memory value in the same way.

I have a memory value that has an instruction of decrement, that I targeted through Cheat Engine (I know you don't necessarily support game cheating; this is not competitive and I'm not out here ruining anyone's fun).

Process.exe+0x1C4A258 - FF 8B E0050000

I want to nop this via pcileech ( FF 8B E0050000 -> 90 ) . I have used your vmm example to target what I think is the equivalent base address.

#09: Get module by name 'Process.exe' in 'Process.exe'.
CALL:    VMMDLL_Map_GetModuleFromNameU
SUCCESS: VMMDLL_Map_GetModuleFromNameU
         MODULE_NAME                                 BASE             SIZE     ENTRY
         ======================================================================================
         Process.exe                           64 0000000140000000 1d239000 000000015cdd8020

Given this information, how can I find and write to 0x1C4A258?

ufrisk commented 2 years ago

I don't do cheats, but this is a general question.

Important to know when doing DMA writes is that writes take place to underlying physical memory. This means that if there are other processes sharing the same module (exe or dll) they'll be affected by the write at the same time. This is unlike writing to a process using normal tools. Usually this isn't a problem if writing to a process with just one instance loaded or if writing to heaps/stacks and such.

To write, simply do:

#include "vmmdll.h"   // MemProcFS API; assumes the VMM was already initialized (VMMDLL_Initialize) as in vmmdll_example
DWORD dwPID = <process_pid>;                              // PID of the target process
QWORD vaModuleBase = 0x0000000140000000;                  // BASE from the module listing above
DWORD dwModuleOffset = 0x1C4A258;                         // Process.exe+0x1C4A258
BYTE pbwrite[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90};   // six NOPs: FF 8B E0 05 00 00 is a 6-byte instruction
BOOL fResult = VMMDLL_MemWrite(dwPID, vaModuleBase + dwModuleOffset, pbwrite, 6);

rlewkowicz commented 2 years ago
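As an added example (not code from this thread, nor from pcileech/MemProcFS): this Python snippet decodes the x86-64 `FF /digit` instruction group far enough to learn the instruction length, which is why the write above is six bytes of 0x90 rather than the single 0x90 mentioned in the question; overwriting only the first byte would leave the remaining five bytes to be decoded as a different instruction. The sample bytes are the ones quoted in the question; the decoder is limited to ModRM forms without a REX prefix or SIB byte and raises on anything else rather than guessing a length.

```python
import struct

# FF /digit group: the reg field of the ModRM byte selects the operation
FF_GROUP = {0: "inc", 1: "dec", 2: "call", 4: "jmp", 6: "push"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def decode_ff_group(code: bytes):
    """Return (mnemonic, operand, length) for the FF-group instruction at code[0].

    Covers the plain ModRM forms without REX prefix or SIB byte; anything
    else raises so the caller never guesses an instruction length.
    """
    if len(code) < 2 or code[0] != 0xFF:
        raise ValueError("not an FF-group instruction")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg not in FF_GROUP:
        raise ValueError("unsupported FF /%d encoding" % reg)
    mnemonic = FF_GROUP[reg]
    size = "dword ptr" if reg in (0, 1) else "qword ptr"   # inc/dec default to 32-bit operands
    if mod == 3:                                  # register operand, 2 bytes total
        return mnemonic, (REG32 if reg in (0, 1) else REG64)[rm], 2
    if rm == 4:                                   # a SIB byte would follow
        raise ValueError("SIB encodings not handled")
    if mod == 0 and rm == 5:                      # [rip + disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return mnemonic, "%s [rip%+#x]" % (size, disp), 6
    if mod == 0:                                  # [reg], no displacement
        return mnemonic, "%s [%s]" % (size, REG64[rm]), 2
    if mod == 1:                                  # [reg + disp8]
        disp = struct.unpack_from("<b", code, 2)[0]
        return mnemonic, "%s [%s%+#x]" % (size, REG64[rm], disp), 3
    disp = struct.unpack_from("<i", code, 2)[0]   # mod == 2: [reg + disp32]
    return mnemonic, "%s [%s%+#x]" % (size, REG64[rm], disp), 6


def nop_patch(code: bytes) -> bytes:
    """NOP sled exactly as long as the instruction at the start of `code`."""
    return b"\x90" * decode_ff_group(code)[2]


if __name__ == "__main__":
    # Constructed from the bytes quoted in the question (Process.exe+0x1C4A258)
    target = bytes.fromhex("FF8BE0050000")
    print(decode_ff_group(target))   # ('dec', 'dword ptr [rbx+0x5e0]', 6)
    print(nop_patch(target).hex())   # 909090909090
```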

I'm getting:

Severity    Code    Description Project File    Line    Suppression State
Error   LNK2001 unresolved external symbol VmmWrite vmm_example C:\Repos\leech\MemProcFS\vmm_example\vmmdll_example.obj 1   

I added the vmm folder as an additional include in the project settings and included the vmm header, to no avail.

Is it supposed to be as simple as calling this function?

ufrisk commented 2 years ago

Sorry, my bad, I posted the internal function; the correct function is: VMMDLL_MemWrite

rlewkowicz commented 2 years ago

That worked! This is so darn cool. Thanks for everything!