Log in

View Full Version : Question about VirtualProtect


dive2code
June 30th, 2005, 09:04
Hi all,

It is possible to change the page flag of DLL by using virtualprotect on winxp+sp1?

I found a similar question on this forum - http://www.woodmann.net/forum/showthread.php?t=1764

but I didn't see any proper stuff.

thanx in advance.

blabberer
June 30th, 2005, 10:31
page flag of dll ??
dll that is loaded in your process ??
dll that is loaded in remote process ??

for first case use VirtualProtect()
for second case use VirtualprotectEx()

use VirtualQuery() or VirtualQueryEx() according to need before hand to get the struct MEMORY_BASIC_INFORMATION filled for use in
virtualprotect

for using virtualQueryEx you would need a hProcess
use OpenProcess()

now for lpAddress use GetModuleHandle() or if you are using LoadLibrary
use the return

its a loaded question there are many various possibilities and combinations
and paths to be taken

btw get platform sdk from ms or atleast get the old win32.hlp
before hand
almost all these questions are answered there

like this

The VirtualProtect function changes the access protection on a region of committed pages in the virtual address space of the calling process. This function differs from VirtualProtectEx,
which changes the access protection of any process.

BOOL VirtualProtect(

LPVOID lpAddress, // address of region of committed pages
DWORD dwSize, // size of the region
DWORD flNewProtect, // desired access protection
PDWORD lpflOldProtect // address of variable to get old protection
);

btw debuggers work they can place break points
so your question is meaningless if you think a little bit
imagine if changing access protections is not possible
how the hell a debugger can place a breakpoint in a dll that is loaded by the debugee ??
magic ??

dive2code
July 2nd, 2005, 03:33
thanx blabberer,

I tried as u mentioned, but it was failed

This is what I tested a lame codes.

Code:
EnumProcesses(pPids = Pids, sizeof(Pids), &RetPidsSize)
...
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, *pPids);
...
EnumProcessModules(hProcess, pMods = Mods, sizeof(Mods), &ReqModsSize);
...
GetMappedFileName(hProcess, lpv, ImageName, _s(ImageName));
...

if(strstr(ImageName, "target.dll" != NULL )
{
if(!ReadProcessMemory(hProcess, lpv, item, sizeof(item), NULL))
printf("\n page read failed \n";

if(!VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect))
printf("\n page flag change failed \n";

if(!WriteProcessMemory(hProcess, lpv, &magicCodes, sizeof(magicCodes), NULL))
printf("\n patch failed \n";
}

CloseHandle();


ReadProcessMemory worked, but VirtualProtect returns FAIL.

So the WriteProcessMemory failed, too.

In case of trying exe type, all APIs returned TRUE.

I'm confused

TQN
July 2nd, 2005, 04:44
Use VirtualProtectEx for hProcess, VirtualProtect only uses with current processs.