
WriteProcessMemory access error in sp2

Hi,
I am trying to write into allocated memory of another process but WriteProcessMemory() fails with error code 5 (access error). The code example works fine on NT and XP SP1. I tried to change my own process privilege SE_DEBUG_NAME but it still fails. The process I am writing to runs on the same PC and was started by me. Any idea which part of XP SP2 security is blocking me and how to get around it?
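//********************* Change my own process privilege ****************************
// Lists the privileges present in this process's token (diagnostics only), then
// enables SE_DEBUG_NAME, the one privilege the question is about.
// TokenHandleOwn, t1, tt and dwSize are declared outside this excerpt.
// NOTE(review): the token handle presumably was opened with
// TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES -- confirm; the calls below need both.

// First call passes no buffer: it only reports the required size in dwSize.
t1 = GetTokenInformation(TokenHandleOwn, TokenPrivileges, NULL, 0, &dwSize);
PTOKEN_PRIVILEGES   pPriv = NULL;
char buf[526];
CString privbuffer;

if(dwSize > 0)
{
      pPriv = (PTOKEN_PRIVILEGES )malloc(dwSize);
      if (pPriv == NULL)
      {
            AfxMessageBox("Out of memory while reading token privileges");
      }
      else
      {
            t1 = GetTokenInformation(TokenHandleOwn, TokenPrivileges, pPriv, dwSize, &dwSize);
            tt = GetLastError();
            if (t1)
            {
                  for (DWORD i = 0; i < pPriv->PrivilegeCount; i++)
                  {
                        LUID mluid = pPriv->Privileges[i].Luid;
                        // In/out parameter: size of buf on entry, name length on return.
                        // It must be reset for every privilege; reusing dwSize here
                        // passed the token-buffer size instead of the size of buf.
                        DWORD cchName = sizeof(buf);
                        t1 = LookupPrivilegeName(NULL,&mluid,buf,&cchName);
                        if(t1)
                        {
                              privbuffer.Format("Priv: Val %d-'%s'; Att: %d",mluid.LowPart,buf,pPriv->Privileges[i].Attributes);
                              //AfxMessageBox(privbuffer);
                        }
                  }
                  privbuffer.Format("# of priv: %d",pPriv->PrivilegeCount);
                  AfxMessageBox(privbuffer);
            }
            else
            {
                  // Do not read pPriv when the query failed; its contents are undefined.
                  privbuffer.Format("GetTokenInformation failed: %d",tt);
                  AfxMessageBox(privbuffer);
            }
            free(pPriv);
            pPriv = NULL;
      }

      // Enable only SE_DEBUG_NAME rather than switching on every privilege in the
      // token: the others (backup, restore, take ownership, ...) are not needed to
      // open a process and would stay enabled for the rest of the process lifetime.
      TOKEN_PRIVILEGES tp;    /* token privileges */
      tp.PrivilegeCount = 1;
      tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
      if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
      {
            privbuffer.Format("LookupPrivilegeValue failed: %d",GetLastError());
            AfxMessageBox(privbuffer);
      }
      else
      {
            t1 = AdjustTokenPrivileges (TokenHandleOwn, FALSE, &tp, 0, NULL, NULL);
            tt = GetLastError();
            // AdjustTokenPrivileges can only enable a privilege the token already
            // holds, and it returns nonzero even when it could not: the real result
            // is GetLastError() == ERROR_NOT_ALL_ASSIGNED. An account without the
            // debug privilege ends up here.
            if (!t1 || tt != ERROR_SUCCESS)
            {
                  privbuffer.Format("SE_DEBUG_NAME not enabled, error: %d",tt);
                  AfxMessageBox(privbuffer);
            }
      }
}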

//**************** Write to process ***********************************************
// Opens the process identified by m_PID, commits 1024 bytes of read/write memory
// in it and writes the five bytes "12345" there. m_hProcess, m_PID, message,
// pLibRemote and p are declared outside this excerpt.
// NOTE(review): PROCESS_ALL_ACCESS asks for far more than this code uses.
// VirtualAllocEx needs PROCESS_VM_OPERATION and WriteProcessMemory needs
// PROCESS_VM_WRITE | PROCESS_VM_OPERATION; requesting only those makes it
// easier to see which right is being refused.
      m_hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_PID);
      if (m_hProcess == NULL)
      {
                  // Report the Win32 error and leave the enclosing function.
                  message.Format("OpenProcess ID(%d) failed: %d\n",m_PID, GetLastError());
                  AfxMessageBox(message,MB_OK|MB_ICONEXCLAMATION);
                  return;
      }
      else
      {
            // NOTE(review): there is no else branch for a failed allocation, so a
            // NULL result is silent; GetLastError() should be reported here too.
            pLibRemote = (PDWORD)VirtualAllocEx(m_hProcess, NULL, 1024,MEM_COMMIT,PAGE_READWRITE );
                  if (pLibRemote != NULL)
                  {
                        // WriteString is not defined in this excerpt. Its result in p is
                        // overwritten by the next call without being checked.
                        p = WriteString( m_hProcess, pLibRemote, "12345",5, NULL );

                        // The last argument is NULL, so the number of bytes actually
                        // written is not retrieved.
                        p = WriteProcessMemory( m_hProcess, pLibRemote, "12345",5, NULL );
                        if(!p)
                        {
                              // This is the branch that shows the error 5 described in the question.
                              privbuffer.Format("Could not write, error: %d",GetLastError());
                              AfxMessageBox(privbuffer);
                        }
                        else
                        {
                              // NOTE(review): the (DWORD) cast truncates the pointer on a
                              // 64-bit build; "%p" with the pointer itself avoids that.
                              privbuffer.Format("Memory written to: 0x%x",(DWORD)pLibRemote);
                              AfxMessageBox(privbuffer);
                        }
                  }
      }
// NOTE(review): nothing in this excerpt closes m_hProcess or releases the remote
// allocation with VirtualFreeEx; confirm that happens elsewhere.
Regard VV
DanRollinsCommented:
What is
    WriteString( ... );
?

One thing to try is to ratchet down the requested access rights in the OpenProcess() call.  It's possible that SP2 allows you to open for PROCESS_ALL_ACCESS without complaint, but then catches naughty processes only when they try the WriteProcessMemory call.

I'll see if I can reproduce the problem...

-- Dan
DanRollinsCommented:
My quick test (no monkeying around with tokens...)
#include <windows.h>

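// Shows which Win32 call failed together with its GetLastError() code, so a
// refusal such as error 5 can be attributed to a specific step.
static void ReportFailure(const char* api, DWORD err)
{
      char msg[128];
      wsprintfA(msg, "%s failed, error %lu", api, err);
      ::MessageBoxA(0, msg, 0, 0);
}

// Minimal reproduction: commit 1024 bytes in another process and write the five
// bytes "12345" into them. Returns 0 when the write succeeded, 1 otherwise.
int main()
{
      const DWORD m_PID= 3068;   // a running instance of Notepad.Exe
      // Request only what the two calls below need instead of PROCESS_ALL_ACCESS:
      // VirtualAllocEx requires PROCESS_VM_OPERATION, WriteProcessMemory requires
      // PROCESS_VM_WRITE | PROCESS_VM_OPERATION. A denial then points at one of
      // these rights rather than at something unrelated in the full mask.
      HANDLE m_hProcess = OpenProcess( PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, m_PID);
      if (m_hProcess == NULL) {
            ReportFailure("OpenProcess", GetLastError());
            return 1;
      }

      int exitCode= 1;
      LPVOID pLibRemote= VirtualAllocEx(m_hProcess, NULL, 1024,MEM_COMMIT,PAGE_READWRITE );
      if (pLibRemote == NULL) {
            ReportFailure("VirtualAllocEx", GetLastError());
      }
      else {
            BOOL fRet= WriteProcessMemory( m_hProcess, pLibRemote, "12345",5, NULL );
            // Capture the error before any other API call can overwrite it.
            DWORD writeErr= fRet ? ERROR_SUCCESS : GetLastError();
            if( fRet ) {
                  ::MessageBoxA(0,"it worked", 0,0);
                  exitCode= 0;
            }
            else {
                  ReportFailure("WriteProcessMemory", writeErr);
            }
            // Give the test page back so the target process is left as it was found.
            VirtualFreeEx(m_hProcess, pLibRemote, 0, MEM_RELEASE);
      }

      CloseHandle(m_hProcess);
      return exitCode;
}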


This succeeded (fRet was 1).  I am running WinXp Sp2.

-- Dan
vojtechvargaAuthor Commented:
Hi,
Thanks for helping. I did the same thing and it still did not work on my PC. I then tried a different PC with SP2 where I know I have full Administrator rights and it worked fine. So the cause lies somewhere in the rights. I will try to find out what I am missing on my first PC as soon as I get some time.
DanRollinsCommented:
You might look at any anti-virus settings on that problem box.   IMO, Norton Antivirus (just as an example) will make sweeping changes to policy settings *by default* and think that it is doing you a favor.
DanRollinsCommented:
I believe that my first comment helped to narrow down the possibilities and my second is a PAQworthy suggestion.