(16) [system call] track system call (3 rings)
2022-07-25 05:45:00 【One orange per bite】
WriteProcessMemory
Open IDA, press ALT+T to search for the function WriteProcessMemory(x,x,x,x,x), and enter the function body.
You can clearly see that it calls three functions:
NtProtectVirtualMemory(x,x,x,x,x)
NtWriteVirtualMemory(x,x,x,x,x)
NtFlushInstructionCache(x,x,x)
Go to the import table to look at the second function. (In fact all three functions end up looking alike, but I could only find the third one under a Zw prefix, not an Nt prefix.)
In ntdll.dll:
NtWriteVirtualMemory
Search for the NtWriteVirtualMemory function. It is simple, only four lines:
; NtWriteVirtualMemory
mov eax, 115h ; service number
mov edx, 7FFE0300h ; points to a function pointer
call dword ptr [edx]
retn 14h
There are two strange things here: one is the service number, the other is 0x7FFE0300.
Service number: a number that indicates which service (function) to call. We will learn more about it later.
0x7FFE0300:

- Enter any process's address space
- Find the address you just saw and read the value stored there
Instruction query function
Mainly look at the following two functions:
ntdll!KiFastSystemCall:
7c92e4f0 8bd4 mov edx,esp // save esp
7c92e4f2 0f34 sysenter // fast call
ntdll!KiIntSystemCall:
7c92e500 8d542408 lea edx,[esp+8] // save esp
7c92e504 cd2e int 2Eh // interrupt gate
7c92e506 c3 ret
So how do we tell whether the system has fast calls? Query with the cpuid instruction (eax = 1): eax holds the query leaf, and the result is stored in the ecx and edx registers; edx contains the SEP bit (bit 11), which indicates whether the current CPU supports fast calls.
In the debugger the dl register reads 0xFF = 0B1111 1111, so fast calls are supported.
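The SEP check described above, as an added example that is not part of the original post: the pure decoder `sep_supported_from_edx` tests bit 11 of the EDX value returned by CPUID leaf 1, and `query_cpuid_leaf1_edx` reads that register on the running machine (MSVC `__cpuid` or GCC/Clang `__get_cpuid`; both names are assumed compiler intrinsics, and the function reports failure on non-x86 targets).

```c
#include <stdio.h>
#include <stdint.h>

#if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_X64))
#include <intrin.h>
#elif defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
#include <cpuid.h>
#endif

/* Bit 11 of EDX from CPUID(eax=1) is the SEP flag: SYSENTER/SYSEXIT present. */
#define CPUID_1_EDX_SEP (1u << 11)

/* Pure decoder: given the EDX value CPUID leaf 1 returned, report SEP support.
 * Returns 1 when the fast-call path (KiFastSystemCall / sysenter) is usable,
 * 0 when the system must fall back to KiIntSystemCall (int 2Eh). */
int sep_supported_from_edx(uint32_t edx)
{
    return (edx & CPUID_1_EDX_SEP) != 0;
}

/* Run CPUID leaf 1 on this machine. Returns 1 on success and stores EDX in
 * *edx_out; returns 0 when the build target is not x86 (assumption: the
 * compiler intrinsic used below is available on x86 builds). */
int query_cpuid_leaf1_edx(uint32_t *edx_out)
{
#if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_X64))
    int regs[4];                 /* eax, ebx, ecx, edx */
    __cpuid(regs, 1);
    *edx_out = (uint32_t)regs[3];
    return 1;
#elif defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;                /* leaf 1 not supported */
    *edx_out = edx;
    return 1;
#else
    (void)edx_out;
    return 0;
#endif
}

int main(void)
{
    uint32_t edx;
    if (!query_cpuid_leaf1_edx(&edx)) {
        puts("CPUID leaf 1 not available on this build target");
        return 1;
    }
    printf("CPUID(1).EDX = 0x%08X, SEP = %d -> %s\n", edx, sep_supported_from_edx(edx),
           sep_supported_from_edx(edx) ? "KiFastSystemCall (sysenter)" : "KiIntSystemCall (int 2Eh)");
    return 0;
}
```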
OK, the result was really disappointing: you cannot see how this function is executed, because we have not gone deep enough yet.
But this much knowledge is enough for us to build some small things.
Call system functions manually
#include <windows.h>
#include <stdio.h>
// __stdcall so that the callee cleans up its own 5 arguments, matching the retn 0x14 below
// (and the convention WriteProcessMemory itself uses)
__declspec(naked) // Take control of the whole function yourself; it is awkward to write half while the compiler writes the other half
void __stdcall MyWriteProcessMemory(
HANDLE hProcess,
LPVOID lpBaseAddress,
LPVOID lpBuffer,
DWORD nSize,
LPDWORD lpNumberOfBytesWritten
){
_asm{
push ebp
mov ebp, esp
sub esp, 0x10 // Reserve a little stack space; it also works without this
push [lpNumberOfBytesWritten]
push [nSize]
push [lpBuffer]
push [lpBaseAddress]
push [hProcess] // Push the 5 parameters
push 0 // The real stub is reached by a call, which pushes a return address; push 0 here to keep the same stack layout
// The system call itself, copied from the NtWriteVirtualMemory stub
// (service number 0x115 and the 0x7FFE0300 pointer are specific to the Windows version being examined)
mov eax, 0x115
mov edx, 0x7FFE0300
call dword ptr[edx]
// add esp, 0x04 // pop the fake return address
// add esp, 0x10 // No stack checking here, so these can be omitted; mov esp, ebp restores everything
mov esp, ebp
pop ebp // Remember to balance the stack
retn 0x14 // The caller pushed 5 parameters
}
}
int main(){
DWORD val = 0x12345678;
DWORD write_val = 0x11112222;
// Get the current process's PID
DWORD curPID = GetCurrentProcessId();
// The function below needs a handle to it
HANDLE dst_hdl = OpenProcess(PROCESS_ALL_ACCESS, FALSE, curPID);
// Self-implemented WriteProcessMemory
//WriteProcessMemory(dst_hdl, &val, &write_val, sizeof(val), NULL);// Try the real one first
MyWriteProcessMemory(dst_hdl, &val, &write_val, sizeof(val), NULL);
// The two functions have the same effect
printf("%X\n", val);
CloseHandle(dst_hdl);
getchar();
return 0;
}
// Printed result: 11112222
The experiment succeeds.
Defense: don't give others a foothold by hooking or setting a breakpoint on your own function.
Attack: bypass other people's hook checks.