修改内存区域-返回0xCC VC ++ [英] Modifying region of memory - returns 0xCC VC++

问题描述

我正在修改在dll中编译的可执行代码的某些部分.但是我修改的整个段中固定地址的单个字节无法更改，甚至无法读取.

I am modifying some sections of an executable code compiled in a dll. But a single byte at a fixed address from the entire segment that I am modifying can't be changed, not even read.

代码很简单:

SEGMENT_DATA segInfo = getSegmentInfo(mHandle, segmentName);

if (segInfo.inFileSegmentAddr == 0) return false;

DWORD mOlProtection;
DWORD mOlProtection_1;

if (segInfo.architecture != MY_ARCH) {
    printf(" Not the same architecture!\n");
    return 0;
}

if(VirtualProtect((LPVOID)segInfo.segmentAddr, segInfo.segmentSize, PAGE_EXECUTE_READWRITE, &mOlProtection)==0) return false;
DWORD i=0;
for (size_t k = 0; k < segInfo.segmentSize; k++) {
    BYTE *lpByteValue = (BYTE*)(segInfo.segmentAddr + k);

    BYTE temp = *lpByteValue;
    *lpByteValue = temp ^ lDecryptionKey[i];
    i++;
    i %= decryptionKeyLength;
}

if(VirtualProtect((LPVOID)segInfo.segmentAddr, segInfo.segmentSize, mOlProtection, &mOlProtection_1)==0) return false;

观察:

1. 在修改内存之前，我使用 PAGE_EXECUTE_READWRITE 标志取消保护"该区域.
2. Visual Studio中的内存视图"清楚地向我显示了该特定地址的值.甚至更奇怪的是，第二次我从调试器手动修改了该值，我的代码也能够更改该值.
示例代码中的
3. temp 变量包含值 0xCC
4. 从字面上看，该字节是其他数百个字节中唯一不变的一个字节.这是内存视图"中唯一标记为黑色的字节(其余均为红色，因为它们已更改)
5. Dll是在Debug/x86中编译的./MTd标志设置.没有随机地址(/DYNAMICBASE:否，/FIXED:否).否整个程序优化.
6. 未修改的字节不是变量.因此它不能被未初始化".它实际上是一个非常重要的字节:它是指令操作码.一切都在那个字节上崩溃了.
7. 解密例程(XOR代码)对错误没有影响.我进入代码，并在 temp 达到 xor 之前查看它的值.这意味着永远不会使用解密密钥，因此不会导致问题.
8. 虚拟保护成功.

1. Before I modify the memory, I "unprotect" the region with PAGE_EXECUTE_READWRITE flag.
2. Memory View in visual studio clearly shows me the value at that particular address. Even weirder is that in the second I modify the value manually from the debugger, my code is also able to change that value.
3. temp variable in the example code contains the value 0xCC
4. This byte is literally the only one unchanged in a sea of hundred other bytes. It is the only byte marked black in Memory View (the rest are red because they were changed)
5. Dll is compiled in Debug/x86 . /MTd flag set. No random address (/DYNAMICBASE : NO , /FIXED: NO). No Whole program optimization.
6. The unmodified byte IS NOT a variable. So it can't be "uninitialized". It is actually a very important byte: it is the instruction opcode. Everything crashes on that byte.
7. The decryption routine (XOR code) has no effect on the error. I step into the code and look at temp's value before it reaches the xor. This means the decryption key is never used and therefore it can't cause the problem.
8. Virtual protect succeeds.

快照:

Visual Studio可以读取地址

Visual studio can read the address

无法读取程序内部的字节

Can't read byte inside program

我知道不是单个地址上的字节值引起了问题(因为我发现其他具有相同值的字节已被成功处理).也许该字节仍处于受保护"状态?

I know it's not the value of the byte at that single address that is causing problems (because I found other bytes with the same value that were processed successfully). Perhaps the byte is still "protected"?

为什么会这样?

推荐答案

您可以很好地处理 Software Breakpoints 的非常常见的情况.实际上，通过将要断点的指令替换为断点指令来设置软件断点.

You could very well deal with a very common scenario of Software Breakpoints. Software breakpoints are in fact set by replacing the instruction to be breakpointed with a breakpoint instruction.

断点指令存在于大多数CPU中，通常与最短指令一样短，因此x86(0xCC，INT 3)上只有 1个字节.

The breakpoint instruction is present in most CPUs, and usually as short as the shortest instruction, so only one byte on x86 (0xCC, INT 3).

由于我不知道您的源代码中是否有任何断点，所以我只能假设这是您的问题.

As I don't know if there are any breakpoints at all in your source I can only assume that this is your problem.

这篇关于修改内存区域-返回0xCC VC ++的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！