ReadProcessMemory As Anti-Memory Breakpoints

1. //http://waleedassar.blogspot.com (@waleedassar)
2. //Simple code that shows how the "ReadProcessMemory" function can be used to defeat memory breakpoints(whether PAGE_GUARD or PAGE_NOACCESS).
3.  
4. #include "stdafx.h"
5. #include "windows.h"
6. #define MemoryBasicVlmInformation 0x3
7. struct MEMORY_BASIC_VLM_INFORMATION
8. {
9.         unsigned long ImageBase;
10.         unsigned long blah[0x2];
11.         unsigned long SizeOfImage;
12. };
13.  
14. extern "C"
15. {
16.         int __stdcall ZwQueryVirtualMemory(HANDLE,void*,int,void*,int,unsigned long*);
17. }
18.  
19. int main(int argc, char* argv[])
20. {
21.         unsigned long out=0;
22.     MEMORY_BASIC_VLM_INFORMATION MBVI={0};
23.     unsigned long IB=(unsigned long)GetModuleHandle(0);
24.     ZwQueryVirtualMemory(GetCurrentProcess(),(void*)IB,MemoryBasicVlmInformation,&MBVI,sizeof(MBVI),&out);
25.     unsigned long SizeOfImage=MBVI.SizeOfImage;
26.     char* p=(char*)VirtualAlloc(0,SizeOfImage,MEM_COMMIT,PAGE_READWRITE);
27.         //Setting a memory BP any where in the memory image will cause ReadProcessMemory to fail.
28.     if(ReadProcessMemory((void*)0xFFFFFFFF,(void*)IB,p,SizeOfImage,0))
29.     {
30.              MessageBox(0,"Expected behavior","waliedassar",0);
31.     }
32.     else
33.     {
34.              MessageBox(0,"Memory BP(s) detected","waliedassar",0);
35.     }
36.     return 0;
37. }