Advertisement
waliedassar

ReadProcessMemory As Anti-Memory Breakpoints

Oct 18th, 2012
1,911
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 1.22 KB | None | 0 0
  1. //http://waleedassar.blogspot.com (@waleedassar)
  2. //Simple code that shows how the "ReadProcessMemory" function can be used to defeat memory breakpoints(whether PAGE_GUARD or PAGE_NOACCESS).
  3.  
  4. #include "stdafx.h"
  5. #include "windows.h"
  6. #define MemoryBasicVlmInformation 0x3
  7. struct MEMORY_BASIC_VLM_INFORMATION
  8. {
  9.         unsigned long ImageBase;
  10.         unsigned long blah[0x2];
  11.         unsigned long SizeOfImage;
  12. };
  13.  
  14. extern "C"
  15. {
  16.         int __stdcall ZwQueryVirtualMemory(HANDLE,void*,int,void*,int,unsigned long*);
  17. }
  18.  
  19. int main(int argc, char* argv[])
  20. {
  21.         unsigned long out=0;
  22.     MEMORY_BASIC_VLM_INFORMATION MBVI={0};
  23.     unsigned long IB=(unsigned long)GetModuleHandle(0);
  24.     ZwQueryVirtualMemory(GetCurrentProcess(),(void*)IB,MemoryBasicVlmInformation,&MBVI,sizeof(MBVI),&out);
  25.     unsigned long SizeOfImage=MBVI.SizeOfImage;
  26.     char* p=(char*)VirtualAlloc(0,SizeOfImage,MEM_COMMIT,PAGE_READWRITE);
  27.         //Setting a memory BP any where in the memory image will cause ReadProcessMemory to fail.
  28.     if(ReadProcessMemory((void*)0xFFFFFFFF,(void*)IB,p,SizeOfImage,0))
  29.     {
  30.              MessageBox(0,"Expected behavior","waliedassar",0);
  31.     }
  32.     else
  33.     {
  34.              MessageBox(0,"Memory BP(s) detected","waliedassar",0);
  35.     }
  36.     return 0;
  37. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement