Lab 5

When launched, the debugger uses the CREATE_PROCESS_DEBUG_EVENT to read and write the target process memory and alter the “Hello World” string so that it prints “String Hack” instead.

Lab 5 - Exercise

Update the code in the CREATE_PROCESS_DEBUG_EVENT to patch the target and remove the “Hello World” print entirely so that no string is printed.

  • Open the target in IDA and use the Strings subview to locate where the “Hello World” string is referenced in the code.
  • Notice that the way the string is “printed” to the console is via a call to WriteFile where the file handle is actually a handle to CONOUT$
  • Note the address of the call to WriteFile and convert this to a relative virtual address (RVA) by subtracting the target's base address 0x400000
  • Update the handle_event_create_process code and calculate the WriteFile virtual address using the RVA and the new image base address
  • Overwrite the 6 bytes at the call WriteFile address with nop (0x90) instructions
  • Test the new debugger and observe no “Hello World” string is printed
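
The address arithmetic and patch from the steps above, as an added example that is not the lab's own code: `va_to_rva`, `nop_call`, `FakeProcess` and every sample address are constructed, and the `read_mem`/`write_mem` callables stand in for ReadProcessMemory/WriteProcessMemory in the real debugger. It assumes the 6-byte call is the x86 `FF 15` indirect import call and refuses to patch if those bytes are not found, a check the exercise does not ask for.

```python
# Added example: names and sample values are constructed, not taken from the lab files.
PREFERRED_BASE = 0x400000          # base address the lab gives for the target
CALL_IMPORT_OPCODE = b"\xff\x15"   # x86 `call dword ptr [addr]`: 2 opcode + 4 address bytes
NOP, PATCH_LEN = 0x90, 6


def va_to_rva(va, preferred_base=PREFERRED_BASE):
    """Address as shown in the disassembler -> offset from the image base."""
    if va < preferred_base:
        raise ValueError("address is below the image base")
    return va - preferred_base


def nop_call(read_mem, write_mem, image_base, call_rva):
    """NOP out the 6-byte call at image_base + call_rva and return its address.
    read_mem(addr, size) -> bytes and write_mem(addr, data) stand in for
    ReadProcessMemory / WriteProcessMemory on the debuggee's process handle.
    """
    target = image_base + call_rva
    original = read_mem(target, PATCH_LEN)
    # Refuse to patch if the bytes are not the expected instruction; a wrong
    # RVA or image base would otherwise overwrite unrelated code.
    if not original.startswith(CALL_IMPORT_OPCODE):
        raise ValueError(f"unexpected bytes at {target:#x}: {original.hex()}")
    write_mem(target, bytes([NOP]) * PATCH_LEN)
    return target


class FakeProcess:
    """Constructed stand-in for a debuggee: one image loaded at `base`."""
    def __init__(self, base, image):
        self.base, self.image = base, bytearray(image)

    def read(self, addr, size):
        off = addr - self.base
        return bytes(self.image[off:off + size])

    def write(self, addr, data):
        off = addr - self.base
        self.image[off:off + len(data)] = data


def demo():
    ida_va = 0x401010                        # hypothetical address of the call
    image = bytearray(b"\xcc" * 0x1020)
    image[0x1010:0x1016] = b"\xff\x15\x00\x20\x40\x00"   # call dword ptr [0x402000]
    proc = FakeProcess(0x00A30000, image)    # constructed relocated load address
    patched_at = nop_call(proc.read, proc.write, proc.base, va_to_rva(ida_va))
    return patched_at, proc.read(patched_at, PATCH_LEN)
```

In the debugger itself, the new image base and process handle come from the `lpBaseOfImage` and `hProcess` fields of the CREATE_PROCESS_DEBUG_INFO structure delivered with the event.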


Video: "Debugging Fundamentals Module 5" by OALABS on Vimeo.
